Correct last commit

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Delete deprecated actions during install
2017-03-14 13:58:59 -07:00 · 2017-03-14 13:46:24 -07:00 · 2017-03-14 12:44:33 -07:00 · 2017-03-13 16:55:45 -07:00 · 2017-03-13 14:18:23 -07:00 · 2017-03-13 11:21:13 -07:00
184 changed files with 3311 additions and 2992 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -22,64 +22,20 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-VERSION=xxx #The Build script inserts the actual version
+VERSION=xxx # The Build script inserts the actual version
 PRODUCT=shorewall-core
 Product="Shorewall Core"
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ] "
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "       $ME -v"
+    echo "where <option> is one of"
-    echo "       $ME -h"
+    echo "  -h"
    echo "  -v"
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    echo $dir/$1
 	    return 0
 	fi
    done
    return 2
 }
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
 }
 delete_file() # $1 = file to delete
 {
    rm -f $1
 }
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -98,16 +54,16 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }
 require()
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 #
 # Source common functions
 #
 . ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
 #
 # Parse the run line
 #
@@ -126,7 +82,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "Shorewall Firewall Installer Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    *)
@@ -148,14 +104,14 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
 	file=./shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
 	file=/usr/share/shorewall/shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -169,7 +125,7 @@ elif [ $# -eq 1 ]; then
 	    ;;
    esac
-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -285,13 +241,12 @@ case "$HOST" in
    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
 	;;
    *)
-	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	fatal_error "Unknown HOST \"$HOST\""
 	exit 1;
 	;;
 esac
 if [ -z "$file" ]; then
-    if $HOST = linux; then
+    if [ $HOST = linux ]; then
 	file=shorewallrc.default
    else
 	file=shorewallrc.${HOST}
@@ -304,7 +259,8 @@ if [ -z "$file" ]; then
    echo "" >&2
    echo "Example:" >&2
    echo "" >&2
-    echo "   ./install.sh $file" &>2
+    echo "   ./install.sh $file" >&2
    exit 1
 fi
 if [ -n "$DESTDIR" ]; then
@@ -315,45 +271,31 @@ if [ -n "$DESTDIR" ]; then
    fi
 fi
-echo "Installing Shorewall Core Version $VERSION"
+echo "Installing $Product Version $VERSION"
 #
 # Create directories
 #
-mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
+make_parent_directory ${DESTDIR}${LIBEXECDIR}/shorewall 0755
 chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall
-mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
+make_parent_directory ${DESTDIR}${SHAREDIR}/shorewall 0755
 chmod 755 ${DESTDIR}${SHAREDIR}/shorewall
-mkdir -p ${DESTDIR}${CONFDIR}
+make_parent_directory ${DESTDIR}${CONFDIR} 0755
 chmod 755 ${DESTDIR}${CONFDIR}
-if [ -n "${SYSCONFDIR}" ]; then
+[ -n "${SYSCONFDIR}" ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
    mkdir -p ${DESTDIR}${SYSCONFDIR}
    chmod 755 ${DESTDIR}${SYSCONFDIR}
 fi
 if [ -z "${SERVICEDIR}" ]; then
    SERVICEDIR="$SYSTEMD"
 fi
-if [ -n "${SERVICEDIR}" ]; then
+[ -n "${SERVICEDIR}" ] && make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
    mkdir -p ${DESTDIR}${SERVICEDIR}
    chmod 755 ${DESTDIR}${SERVICEDIR}
 fi
-mkdir -p ${DESTDIR}${SBINDIR}
+make_parent_directory ${DESTDIR}${SBINDIR} 0755
 chmod 755 ${DESTDIR}${SBINDIR}
-if [ -n "${MANDIR}" ]; then
+[ -n "${MANDIR}" ] && make_parent_directory ${DESTDIR}${MANDIR} 0755
    mkdir -p ${DESTDIR}${MANDIR}
    chmod 755 ${DESTDIR}${MANDIR}
 fi
 if [ -n "${INITFILE}" ]; then
-    mkdir -p ${DESTDIR}${INITDIR}
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
    chmod 755 ${DESTDIR}${INITDIR}
    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
 	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
@@ -369,7 +311,7 @@ fi
 #
 install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
-echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"
 #
 # Install wait4ifup
 #
@@ -382,8 +324,14 @@ echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
 # Install the libraries
 #
 for f in lib.* ; do
-    install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
+    case $f in
-    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
+        *installer)
            ;;
        *)
            install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
            echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
            ;;
    esac
 done
 if [ $SHAREDIR != /usr/share ]; then
@@ -398,11 +346,11 @@ fi
 if [ -n "$MANDIR" ]; then
    cd manpages
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
+    [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
    for f in *.8; do
 	gzip -9c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done
@@ -419,7 +367,7 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
-chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 if [ -z "${DESTDIR}" ]; then
    if [ $update -ne 0 ]; then
@@ -444,14 +392,20 @@ fi
 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
-	if [ $BUILD != apple ]; then
+        case $f in
-	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+            *installer)
-	else
+                ;;
-	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+            *)
-	fi
+                if [ $BUILD != apple ]; then
                    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
                else
                    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
                fi
                ;;
        esac
    done
 fi
 #
-#  Report Success
+# Report Success
 #
-echo "Shorewall Core Version $VERSION Installed"
+echo "$Product Version $VERSION Installed"
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -78,29 +78,6 @@ showchain() # $1 = name of chain
    fi
 }
 #
 # The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
 #
 iptablesbug()
 {
    if [ $g_family -eq 4 ]; then
 	if qt mywhich awk ; then
 	    awk 'BEGIN           { sline=""; };\
             /^-[jg]/            { print sline $0; next };\
             /-m policy.*-[jg] / { print $0; next };\
             /-m policy/         { sline=$0; next };\
             /--mask ff/         { sub( /--mask ff/, "--mask 0xff" ) };\
                                 { print ; sline="" }'
        else
 	    echo "   WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
 	    cat
 	fi
    else
 	cat
    fi
 }
 #
 # Validate the value of RESTOREFILE
 #
@@ -391,13 +368,13 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"
-	    $g_ring_bell
+	    printf '\a'
 	    packet_log 40
 	    if [ "$pause" = "Yes" ]; then
 		echo
-		echo $g_echo_n 'Enter any character to continue: '
+		printf 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@@ -1007,13 +984,6 @@ show_raw() {
    $g_tool -t raw -L $g_ipt_options | $output_filter
 }
 show_rawpost() {
    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
    echo
    show_reset
    $g_tool -t rawpost -L $g_ipt_options | $output_filter
 }
 show_mangle() {
    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
    echo
@@ -1157,10 +1127,47 @@ show_macros() {
    done
 }
 show_an_action() {
    echo "Shorewall $SHOREWALL_VERSION Action $1 at $g_hostname - $(date)"
    cat ${directory}/action.$1
 }
 show_a_macro() {
    echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
    cat ${directory}/macro.$1
 }
 #
 # Don't dump empty SPD entries
 #
 spd_filter()
 {
    awk \
    'BEGIN            { skip=0; }; \
    /^src/            { skip=0; }; \
    /^src 0.0.0.0\/0/ { skip=1; }; \
    /^src ::\/0/      { skip=1; }; \
                      { if ( skip == 0 ) print; };'
 }
 #
 # Print a heading with leading and trailing black lines
 #
 heading() {
    echo
    echo "$@"
    echo
 }
 show_ipsec() {
    heading "PFKEY SPD"
    $IP -s xfrm policy | spd_filter
    heading "PFKEY SAD"
    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }
 show_ipsec_command() {
    echo "$g_product $SHOREWALL_VERSION IPSEC at $g_hostname - $(date)"
    show_ipsec
 }
 #
 # Show Command Executor
@@ -1182,10 +1189,10 @@ show_command() {
 	if [ -n "$foo" ]; then
 	    macro=${macro#*.}
 	    foo=${foo%.*}
-	    if [ ${#macro} -gt 10 ]; then
+	    if [ ${#macro} -gt 5 ]; then
-		echo "   $macro  ${foo#\#}"
+		printf "  $macro\t${foo#\#}\n"
 	    else
-		$g_echo_e "   $macro  \t${foo#\#}"
+		printf "  $macro\t\t${foo#\#}\n"
 	    fi
 	fi
    }
@@ -1232,7 +1239,7 @@ show_command() {
 			    [ $# -eq 1 ] && missing_option_value -t
 			    case $2 in
-				mangle|nat|filter|raw|rawpost)
+				mangle|nat|filter|raw)
 				    table=$2
 				    table_given=Yes
 				    ;;
@@ -1286,10 +1293,6 @@ show_command() {
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	rawpost)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_rawpost $g_pager
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
@@ -1427,18 +1430,37 @@ show_command() {
 		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
 	    fi
 	    ;;
 	ipsec)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipsec_command $g_pager
 	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
 		    ;;
 	    	*)
 		    case $1 in
 			action)
 			    [ $# -lt 2 ] && fatal_error 'Missing <action>'
 			    [ $# -gt 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/action.$2 ]; then
 				    eval show_an_action $2 $g_pager
 				    return
 				fi
 			    done
 			    echo "   WARNING: Action $2 not found" >&2
 			    return
 			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
 			    [ $# -lt 2 ] && fatal_error 'Missing <macro>'
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
@@ -1579,19 +1601,6 @@ show_status() {
 }
 #
 # Don't dump empty SPD entries
 #
 spd_filter()
 {
    awk \
    'BEGIN            { skip=0; }; \
    /^src/            { skip=0; }; \
    /^src 0.0.0.0\/0/ { skip=1; }; \
    /^src ::\/0/      { skip=1; }; \
                      { if ( skip == 0 ) print; };'
 }
 #
 # Dump Command Executor
 #
@@ -1687,11 +1696,6 @@ do_dump_command() {
 	$g_tool -t raw -L $g_ipt_options
    fi
    if qt $g_tool -t rawpost -L -n; then
 	heading "Rawpost Table"
 	$g_tool -t rawpost -L $g_ipt_options
    fi
    local count
    local max
@@ -1742,10 +1746,7 @@ do_dump_command() {
    heading "Events"
    show_events
-    heading "PFKEY SPD"
+    show_ipsec
    $IP -s xfrm policy | spd_filter
    heading "PFKEY SAD"
    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
    heading "/proc"
    show_proc /proc/version
@@ -1945,15 +1946,6 @@ read_yesno_with_timeout() {
    fi
 }
 #
 # Print a heading with leading and trailing black lines
 #
 heading() {
    echo
    echo "$@"
    echo
 }
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2754,7 +2746,6 @@ determine_capabilities() {
    CONNMARK_MATCH=
    XCONNMARK_MATCH=
    RAW_TABLE=
    RAWPOST_TABLE=
    IPP2P_MATCH=
    OLD_IPP2P_MATCH=
    LENGTH_MATCH=
@@ -2811,6 +2802,7 @@ determine_capabilities() {
    TCPMSS_TARGET=
    WAIT_OPTION=
    CPU_FANOUT=
    NETMAP_TARGET=
    AMANDA_HELPER=
    FTP_HELPER=
@@ -2845,8 +2837,10 @@ determine_capabilities() {
 	if qt $g_tool -t nat -N $chain; then
 	    if [ $g_family -eq 4 ]; then
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
 		qt $g_tool -t nat -A $chain -j NETMAP --to 1.2.3.0/24 && NETMAP_TARGET=Yes
 	    else
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
 		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
@@ -3006,7 +3000,6 @@ determine_capabilities() {
    fi
    qt $g_tool -t raw	  -L -n && RAW_TABLE=Yes
    qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes
    if [ -n "$RAW_TABLE" ]; then
 	qt $g_tool -t raw -F $chain
@@ -3232,7 +3225,6 @@ report_capabilities_unsorted() {
    report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
    [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
    report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
    report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
    report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
    [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
    report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
@@ -3312,6 +3304,7 @@ report_capabilities_unsorted() {
    report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
    report_capability "CT Target (CT_TARGET)" $CT_TARGET
    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3361,7 +3354,6 @@ report_capabilities_unsorted1() {
    report_capability1 CONNMARK_MATCH
    report_capability1 XCONNMARK_MATCH
    report_capability1 RAW_TABLE
    report_capability1 RAWPOST_TABLE
    report_capability1 IPP2P_MATCH
    report_capability1 OLD_IPP2P_MATCH
    report_capability1 CLASSIFY_TARGET
@@ -3418,6 +3410,7 @@ report_capabilities_unsorted1() {
    report_capability1 TCPMSS_TARGET
    report_capability1 WAIT_OPTION
    report_capability1 CPU_FANOUT
    report_capability1 NETMAP_TARGET
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -4271,12 +4264,17 @@ usage() # $1 = exit status
    echo "   reenable <interface>"
    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."
-    ecko "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
+
    if [ -n "$g_lite" ]; then
 	echo "   reload [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
    else
 	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
    fi
    if [ -z "$g_lite" ]; then
-	echo "   remote-reload [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-restart [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-start [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
    fi
    echo "   reset [ <chain> ... ]"
@@ -4295,6 +4293,7 @@ usage() # $1 = exit status
    echo "   savesets"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    ecko "   [ show | list | ls ] actions"
    ecko "   [ show | list | ls ] action <action>"
    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
@@ -4310,8 +4309,9 @@ usage() # $1 = exit status
 	echo "   [ show | list | ls ] ipa"
    fi
    echo "   [ show | list | ls ] ipsec"
    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
-    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
+    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw"
    ecko "   [ show | list | ls ] macro <macro>"
    ecko "   [ show | list | ls ] macros"
    echo "   [ show | list | ls ] nfacct"
@@ -4385,7 +4385,6 @@ shorewall_cli() {
    g_nopager=
    g_blacklistipset=
    g_disconnect=
    g_options=
    VERBOSE=
    VERBOSITY=1
@@ -4397,7 +4396,10 @@ shorewall_cli() {
    finished=0
    while [ $finished -eq 0 ]; do
-	[ $# -eq 0 ] && usage 1
+	if [ $# -eq 0 ]; then
 	    setup_product_environment 1
 	    usage 1
 	fi
 	option=$1
 	case $option in
 	    -)
@@ -4527,10 +4529,6 @@ shorewall_cli() {
 	esac
    done
    if [ $# -eq 0 ]; then
 	usage 1
    fi
    setup_product_environment 1
   [ -n "$g_lite" ] || . ${SHAREDIR}/shorewall/lib.cli-std
@@ -4555,26 +4553,6 @@ shorewall_cli() {
    banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
    case $(echo -e) in
 	-e*)
 	    g_ring_bell="echo \a"
 	    g_echo_e="echo"
 	    ;;
 	*)
 	    g_ring_bell="echo -e \a"
 	    g_echo_e="echo -e"
 	    ;;
    esac
    case $(echo -n "Testing") in
 	-n*)
 	    g_echo_n=
 	    ;;
 	*)
 	    g_echo_n=-n
 	    ;;
    esac
    COMMAND=$1
    case "$COMMAND" in
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -47,14 +47,12 @@ setup_product_environment() { # $1 = if non-empty, source shorewallrc again now
 	    g_family=4
 	    g_tool=iptables
 	    g_lite=
 	    g_options=-l
 	    ;;
 	shorewall6)
 	    g_product="Shorewall6"
 	    g_family=6
 	    g_tool=ip6tables
 	    g_lite=
 	    g_options=-6l
 	    ;;
 	shorewall-lite)
 	    g_product="Shorewall Lite"
@@ -378,25 +376,6 @@ resolve_file() # $1 = file name
    esac
 }
 #
 # Determine how to do "echo -e"
 #
 find_echo() {
    local result
    result=$(echo "a\tb")
    [ ${#result} -eq 3 ] && { echo echo; return; }
    result=$(echo -e "a\tb")
    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
    result=$(which echo)
    [ -n "$result" ] && { echo "$result -e"; return; }
    echo echo
 }
 # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
 #
 #     None - No mktemp
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -0,0 +1,89 @@
 #
 #
 # Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # The purpose of this library is to hold those functions used by the products installer.
 #
 #########################################################################################
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 delete_file() # $1 = file to delete
 {
    rm -f $1
 }
 require()
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 make_directory() # $1 = directory , $2 = mode
 {
    mkdir $1
    chmod $2 $1
    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
 }
 make_parent_directory() # $1 = directory , $2 = mode
 {
    mkdir -p $1
    chmod $2 $1
    [ -n "$OWNERSHIP" ] && chown $OWNER:$GROUP $1
 }
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
 }
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -0,0 +1,106 @@
 #
 #
 # Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # The purpose of this library is to hold those functions used by the products uninstaller.
 #
 #########################################################################################
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 remove_file() # $1 = file to remove
 {
    if [ -n "$1" ] ; then
        if [ -f $1 -o -L $1 ] ; then
            rm -f $1
            echo "$1 Removed"
        fi
    fi
 }
 remove_directory() # $1 = directory to remove
 {
    if [ -n "$1" ] ; then
        if [ -d $1 ] ; then
            rm -rf $1
            echo "$1 Removed"
        fi
    fi
 }
 remove_file_with_wildcard() # $1 = file with wildcard to remove
 {
    if [ -n "$1" ] ; then
        for f in $1; do
            if [ -d $f ] ; then
                rm -rf $f
                echo "$f Removed"
            elif [ -f $f -o -L $f ] ; then
                rm -f $f
                echo "$f Removed"
            fi
        done
    fi
 }
 restore_file() # $1 = file to restore
 {
    if [ -f ${1}-shorewall.bkout ]; then
 	if (mv -f ${1}-shorewall.bkout $1); then
 	    echo
 	    echo "$1 restored"
        else
 	    exit 1
        fi
    fi
 }
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -432,6 +432,33 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>options</arg>
      <arg choice="plain"><option>reload</option></arg>
      <arg><option>-n</option></arg>
      <arg><option>-p</option><arg><option>-d</option></arg></arg>
      <arg><option>-f</option></arg>
      <arg><option>-c</option></arg>
      <arg><option>-T</option></arg>
      <arg><option>-i</option></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
@@ -665,7 +692,7 @@
      <arg><option>-l</option></arg>
      <arg><option>-t</option>
-      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>
+      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg>
      <arg><arg choice="plain"
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
@@ -685,6 +712,31 @@
      <arg choice="plain"><option>capabilities</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
      <arg>options</arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-f</option></arg>
      <arg choice="plain"><option>{actions|macros}</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>options</arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>action</option><arg
      choice="plain"><replaceable>action</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>
@@ -695,7 +747,7 @@
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg
-      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|macros|zones|policies|marks</option></arg>
+      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -749,7 +801,7 @@
      <arg><option>-x</option></arg>
-      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
+      <arg choice="req"><option>mangle|nat|raw</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -882,10 +934,11 @@
  <refsect1>
    <title>Description</title>
-    <para>The shorewall utility is used to control the Shoreline Firewall
+    <para>Beginning with Shorewall 5.1.0, the <command>shorewall</command>
-    (Shorewall), Shorewall Firewall 6 (Shorewall6), Shorewall Firewall Lite
+    utility is used to control the Shoreline Firewall (Shorewall), Shorewall
-    (Shorewall-lite) and Shorewall Firewall 6 Lite (Shorewall6-lite). The
+    Firewall 6 (Shorewall6), Shorewall Firewall Lite (Shorewall-lite) and
-    utility may be accessed under four different names:</para>
+    Shorewall Firewall 6 Lite (Shorewall6-lite). The utility may be accessed
    under four different names:</para>
    <variablelist>
      <varlistentry>
@@ -928,6 +981,11 @@
        </listitem>
      </varlistentry>
    </variablelist>
    <para>Prior to Shorewall 5.1.0, these four commands were implemented as
    four separate program, each of which controlled only a single firewall
    package. This manpage serves to document both the Shorewall 5.1 and
    Shorewall 5.0 CLI.</para>
  </refsect1>
  <refsect1>
@@ -949,10 +1007,10 @@
        <term><option>-4</option></term>
        <listitem>
-          <para>Causes the command to operate on the Shorewall configuration
+          <para>Added in Shorewall 5.1.0. Causes the command to operate on the
-          or the Shorewall-lite configuration. It is the default when either
+          Shorewall configuration or the Shorewall-lite configuration. It is
-          of those products is installed and when the command is
+          the default when either of those products is installed and when the
-          <command>shorewall</command> or
+          command is <command>shorewall</command> or
          <command>shorewall-lite</command>.</para>
        </listitem>
      </varlistentry>
@@ -961,9 +1019,9 @@
        <term><option>-6</option></term>
        <listitem>
-          <para>Causes the command to operate on the Shorewall6 or
+          <para>Added in Shorewall 5.1.0. Causes the command to operate on the
-          Shorewall6-lite configuration. It is the default when only
+          Shorewall6 or Shorewall6-lite configuration. It is the default when
-          Shorewall6-lite is installed and when the command is
+          only Shorewall6-lite is installed and when the command is
          <command>shorewall6</command> or
          <command>shorewall6-lite</command>.</para>
        </listitem>
@@ -973,10 +1031,69 @@
        <term><option>-l</option></term>
        <listitem>
-          <para>Causes the command to operate on either Shorewall-lite or
+          <para>Added in Shorewall 5.1.0. Causes the command to operate on
-          Shorewall-6 lite and is the default when Shorewall is not installed
+          either Shorewall-lite or Shorewall-6 lite and is the default when
-          or when the command is <command>shorewall-lite</command> or
+          Shorewall is not installed or when the command is
          <command>shorewall-lite</command> or
          <command>shorewall6-lite</command>.</para>
          <para>With all four firewall products (Shorewall, Shorewall6,
          Shorewall-lite and Shorewall6-lite) installed, the following table
          shows the correspondence between the name used to invoke the command
          and the <command>shorewall</command> command with the above three
          options.</para>
          <table border="1">
            <caption>All four products installed</caption>
            <tr>
              <td><command>shorewall</command></td>
              <td><command>shorewall</command> or <command>shorewall
              -4</command></td>
            </tr>
            <tr>
              <td><command>shorewall6</command></td>
              <td><command>shorewall -6</command></td>
            </tr>
            <tr>
              <td><command>shorewall-lite</command></td>
              <td><command>shorewall -l</command> or <command>shorewall
              -4l</command></td>
            </tr>
            <tr>
              <td><command>shorewall6-lite</command></td>
              <td><command>shorewall -6l</command></td>
            </tr>
          </table>
          <para>The next table shows the correspondence when only
          Shorewall-lite and Shorewall6-lite are installed.</para>
          <table border="1">
            <caption>Only Shorewall-lite and Shorewall6-lite
            installed</caption>
            <tr>
              <td><command>shorewall-lite</command></td>
              <td><command>shorewall</command>, <command>shorewall
              -4</command> or <command>shorewall -4l</command></td>
            </tr>
            <tr>
              <td><command>shorewall6-lite</command></td>
              <td><command>shorewall -6</command> or <command>shorewall
              -6l</command></td>
            </tr>
          </table>
        </listitem>
      </varlistentry>
@@ -1826,10 +1943,11 @@
      <varlistentry>
        <term><emphasis role="bold">remote-start</emphasis>
-        [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
+        [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
-        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
+        [-<option>r</option> <replaceable>root-user-name</replaceable>]
-        [-<option>i</option>] [ [ -D ] <replaceable>directory</replaceable> ]
+        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
-        [ <replaceable>system</replaceable> ]</term>
+        <replaceable>directory</replaceable> ] [
        <replaceable>system</replaceable> ]</term>
        <listitem>
          <para>This command was renamed from <command>load</command> in
@@ -1865,6 +1983,9 @@
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
          <para>The <option>-n</option> option causes Shorewall to avoid
          updating the routing table(s).</para>
          <para>If <emphasis role="bold">-s</emphasis> is specified and the
          <emphasis role="bold">start</emphasis> command succeeds, then the
          remote Shorewall-lite configuration is saved by executing <emphasis
@@ -2350,12 +2471,23 @@
          arguments:</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">action
              <replaceable>action</replaceable></emphasis></term>
              <listitem>
                <para>Lists the named action file. Available on Shorewall and
                Shorewall6 only.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">actions</emphasis></term>
              <listitem>
                <para>Produces a report about the available actions (built-in,
-                standard and user-defined).</para>
+                standard and user-defined). Available on Shorewall and
                Shorewall6 only.</para>
              </listitem>
            </varlistentry>
@@ -2388,7 +2520,7 @@
            <varlistentry>
              <term>[-<option>b</option>] [-<option>x</option>]
              [-<option>l</option>] [-<option>t</option>
-              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
+              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}]
              [ <emphasis>chain</emphasis>... ]</term>
              <listitem>
@@ -2496,6 +2628,17 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">ipsec</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.1.0. Displays the contents of the
                IPSEC <firstterm>Security Policy Database</firstterm> (SPD)
                and <firstterm>Security Association Database</firstterm>
                (SAD). SAD keys are not displayed.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>[-<option>m</option>] <emphasis
              role="bold">log</emphasis></term>
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 4.5 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -14,7 +14,7 @@ INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
 ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 4.5 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian.sysvinit              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,8 +1,8 @@
 #
 # Default Shorewall 5.0 rc file
 #
 HOST=linux                              #Generic Linux
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -1,8 +1,8 @@
 #
-# Created by Shorewall Core version 5.0.2-RC1 configure -  Fri, Nov 06, 2015 10:02:03 AM
+# OpenWRT Shorewall 5.0 rc file
 #
 # Input: host=openwrt
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Core Modules
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,63 +26,75 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=xxx #The Build script inserts the actual version
+VERSION=xxx # The Build script inserts the actual version
-PRODUCT="shorewall-core"
+PRODUCT=shorewall-core
 Product="Shorewall Core"
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
    echo "where <option> is one of"
    echo "  -h"
    echo "  -v"
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 restore_file() # $1 = file to restore
 {
    if [ -f ${1}-shorewall.bkout ]; then
 	if (mv -f ${1}-shorewall.bkout $1); then
 	    echo
 	    echo "$1 restored"
        else
 	    exit 1
        fi
    fi
 }
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
 	rm -f $1
 	echo "$1 Removed"
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 #
 # Source common functions
 #
 . ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
 #
 # Parse the run line
 #
 finished=0
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Uninstaller Version $VERSION"
 			exit 0
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -92,11 +104,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac
-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -104,20 +116,26 @@ fi
 if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: Shorewall Core Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
    VERSION=""
 fi
-echo "Uninstalling Shorewall Core $VERSION"
+echo "Uninstalling $Product $VERSION"
-rm -rf ${SHAREDIR}/shorewall
+if [ -n "${MANDIR}" ]; then
-rm -f ~/.shorewallrc
+    remove_file_with_wildcard ${MANDIR}/man5/shorewall\*
-
+    remove_file_with_wildcard ${MANDIR}/man8/shorewall\*
-echo "Shorewall Core Uninstalled"
+fi
 remove_directory ${SHAREDIR}/shorewall
 remove_file ~/.shorewallrc
 #
 # Report Success
 #
 echo "$Product $VERSION Uninstalled"
--- a/Shorewall-init/default.debian.systemd
+++ b/Shorewall-init/default.debian.systemd
@@ -0,0 +1,21 @@
 # List the Shorewall products that Shorewall-init is to
 # initialize (space-separated list).
 #
 # Sample: PRODUCTS="shorewall shorewall6"
 #
 PRODUCTS=""
 #
 # Set this to 1 if you want Shorewall-init to react to
 # ifup/ifdown and NetworkManager events
 #
 IFUPDOWN=0
 #
 # Where Up/Down events get logged
 #
 LOGFILE=/var/log/shorewall-ifupdown.log
 # Startup options - set verbosity to 0 (minimal reporting)
 OPTIONS="-V0"
 # IOF
--- a/Shorewall-init/default.debian.sysvinit
+++ b/Shorewall-init/default.debian.sysvinit
@@ -0,0 +1,27 @@
 # List the Shorewall products that Shorewall-init is to
 # initialize (space-separated list).
 #
 # Sample: PRODUCTS="shorewall shorewall6"
 #
 PRODUCTS=""
 #
 # Set this to 1 if you want Shorewall-init to react to
 # ifup/ifdown and NetworkManager events
 #
 IFUPDOWN=0
 #
 # Set this to the name of the file that is to hold
 # ipset contents. Shorewall-init will load those ipsets
 # during 'start' and will save them there during 'stop'.
 #
 SAVE_IPSETS=""
 #
 # Where Up/Down events get logged
 #
 LOGFILE=/var/log/shorewall-ifupdown.log
 # Startup options - set verbosity to 0 (minimal reporting)
 OPTIONS="-V0"
 # IOF
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -104,7 +104,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
@@ -125,7 +125,7 @@ shorewall_start () {
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-      echo -n "Restoring ipsets: "
+      printf "Restoring ipsets: "
      if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
@@ -142,7 +142,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -64,7 +64,7 @@ start () {
 	return 6 #Not configured
    fi
-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	setstatedir
@@ -99,7 +99,7 @@ stop () {
    local PRODUCT
    local STATEDIR
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	setstatedir
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -89,7 +89,7 @@ start () {
    local PRODUCT
  local STATEDIR
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -114,7 +114,7 @@ stop () {
    local PRODUCT
    local STATEDIR
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -81,7 +81,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -104,7 +104,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -93,7 +93,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR
-  echo -n "Initializing \"Shorewall-based firewalls\": "
+  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x $STATEDIR/firewall ]; then
@@ -114,7 +114,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR
-  echo -n "Clearing \"Shorewall-based firewalls\": "
+  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -27,58 +27,21 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=xxx #The Build script inserts the actual version.
+VERSION=xxx # The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "       $ME -v"
+    echo "where <option> is one of"
-    echo "       $ME -h"
+    echo "  -h"
-    echo "       $ME -n"
+    echo "  -v"
    echo "  -n"
    exit $1
 }
 fatal_error() 
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
 }
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -97,23 +60,16 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }
 make_directory() # $1 = directory , $2 = mode
 {
    mkdir -p $1
    chmod 0755 $1
    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
 }
 require() 
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 #
 # Source common functions
 #
 . ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
 #
 # Parse the run line
 #
@@ -134,7 +90,7 @@ while [ $finished -eq 0 ] ; do
 			usage 0
 			;;
 		    v)
-			echo "Shorewall-init Firewall Installer Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -159,17 +115,17 @@ done
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    #
    # Load packager's settings if any
    #
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc || exit 1
 	file=./shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
-     else
+        . $file || fatal_error "Can not load the RC file: $file"
-	fatal_error "No configuration file specified and ~/.shorewallrc not found"
+    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	file=/usr/share/shorewall/shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
@@ -177,11 +133,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac
-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -298,12 +254,10 @@ case "$HOST" in
 	echo "Installing Openwrt-specific configuration..."
 	;;
    linux)
-	echo "ERROR: Shorewall-init is not supported on this system" >&2
+	fatal_error "Shorewall-init is not supported on this system"
 	exit 1
 	;;
    *)
-	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
+	fatal_error "Unsupported HOST distribution: \"$HOST\""
 	exit 1;
 	;;
 esac
@@ -315,30 +269,27 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi
-    make_directory ${DESTDIR}${INITDIR} 0755
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
 fi
-echo "Installing Shorewall Init Version $VERSION"
+echo "Installing $Product Version $VERSION"
 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
    first_install=""
 else
    first_install="Yes"
 fi
-if [ -n "$DESTDIR" ]; then
+[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
 fi
 #
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
-    mkdir -p ${DESTDIR}${INITDIR}
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
@@ -357,25 +308,21 @@ if [ -z "${SERVICEDIR}" ]; then
 fi
 if [ -n "$SERVICEDIR" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
+    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
-    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
+    [ -n "$DESTDIR" -o $configure -eq 0 ] && make_parent_directory ${DESTDIR}${SBINDIR} 0755
-	mkdir -p ${DESTDIR}${SBINDIR}
+    install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0700
-        chmod 0755 ${DESTDIR}${SBINDIR}
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
-    fi
+    echo "CLI installed as ${DESTDIR}${SBINDIR}/$PRODUCT"
    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi
 #
 # Create /usr/share/shorewall-init if needed
 #
-mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
+make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
 chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init
 #
 # Install logrotate file
@@ -388,55 +335,53 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/$PRODUCT/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f ${SHAREDIR}/shorewall-init/init
+    rm -f ${SHAREDIR}/$PRODUCT/init
-    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
+	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
-	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
+	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
-	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
+	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
    elif [ $configure -eq 0 ]; then
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
    fi
-    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
-	if [ -n "${DESTDIR}" ]; then
+	[ -n "${DESTDIR}" ] && make_parent_directory ${DESTDIR}${ETC}/default 0755
 	    mkdir -p ${DESTDIR}${ETC}/default
 	fi
-	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
+	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/default 0755
-	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
+	install_file ${SYSCONFFILE} ${DESTDIR}${ETC}/default/$PRODUCT 0644
-	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi
    IFUPDOWN=ifupdown.debian.sh
 else
    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
+		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-up.d 0755
-		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
+		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-down.d 0755
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    elif [ $HOST = openwrt ]; then
-		# Not implemented on openwrt
+		# Not implemented on OpenWRT
 		/bin/true
 	    else
-		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
+		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
 	    fi
 	fi
    fi
@@ -458,13 +403,13 @@ if [ $HOST != openwrt ]; then
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
-    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
+    make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
-    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
+    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown 0544
 fi
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
+    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi
@@ -483,8 +428,8 @@ case $HOST in
    suse)
 	if [ -z "$RPM" ]; then
 	    if [ $configure -eq 0 ]; then
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
+		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-up.d 0755
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
+		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-down.d 0755
 	    fi
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
@@ -518,17 +463,17 @@ if [ -z "$DESTDIR" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable ${PRODUCT}.service; then
-                    echo "Shorewall Init will start automatically at boot"
+                    echo "$Product will start automatically at boot"
 		fi
 	    elif mywhich insserv; then
-		if insserv ${INITDIR}/shorewall-init; then
+		if insserv ${INITDIR}/$PRODUCT; then
-		    echo "Shorewall Init will start automatically at boot"
+                    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif mywhich update-rc.d ; then
 		if update-rc.d $PRODUCT enable; then
-		    echo "$PRODUCT will start automatically at boot"
+                    echo "$Product will start automatically at boot"
 		    echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 		else
 		    cant_autostart
@@ -549,31 +494,31 @@ if [ -z "$DESTDIR" ]; then
 	    /bin/true
 	else
 	    if [ -n "$SERVICEDIR" ]; then
-		if systemctl enable shorewall-init.service; then
+		if systemctl enable ${PRODUCT}.service; then
-		    echo "Shorewall Init will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
-		if insserv ${INITDIR}/shorewall-init ; then
+		if insserv ${INITDIR}/$PRODUCT ; then
-		    echo "Shorewall Init will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
-		if chkconfig --add shorewall-init ; then
+		if chkconfig --add $PRODUCT ; then
-		    echo "Shorewall Init will start automatically in run levels as follows:"
+		    echo "$Product will start automatically at boot"
-		    chkconfig --list shorewall-init
+		    chkconfig --list $PRODUCT
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/rc-update ]; then
-		if rc-update add shorewall-init default; then
+		if rc-update add $PRODUCT default; then
-		    echo "Shorewall Init will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
 		/etc/init.d/$PRODUCT enable
-		if /etc/init.d/shorewall-init enabled; then
+		if /etc/init.d/$PRODUCT enabled; then
 		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
@@ -587,11 +532,11 @@ else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
-		mkdir -p ${DESTDIR}/etc/rcS.d
+		make_parent_directory ${DESTDIR}/etc/rcS.d 0755
 	    fi
-	    ln -sf ../init.d/shorewall-init ${DESTDIR}${CONFDIR}/rcS.d/S38shorewall-init
+	    ln -sf ../init.d/$PRODUCT ${DESTDIR}${CONFDIR}/rcS.d/S38${PRODUCT}
-	    echo "Shorewall Init will start automatically at boot"
+	    echo "$Product will start automatically at boot"
 	fi
    fi
 fi
@@ -602,8 +547,8 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
    case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
+		make_parent_directory ${DESTDIR}/etc/ppp/$directory 0755 #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
+		cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
 	    done
 	    ;;
 	redhat)
@@ -614,19 +559,19 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
 		    if grep -qF Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
+			cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"
 			break
 		    fi
 		else
-		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
+		    cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
 		fi
 	    done
 	    ;;
    esac
 fi
 #
-#  Report Success
+# Report Success
 #
 echo "shorewall Init Version $VERSION Installed"
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -64,7 +64,7 @@ shorewall_start () {
    local PRODUCT
    local STATEDIR
-    echo -n "Initializing \"Shorewall-based firewalls\": "
+    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
@@ -92,7 +92,7 @@ shorewall_stop () {
    local PRODUCT
    local STATEDIR
-    echo -n "Clearing \"Shorewall-based firewalls\": "
+    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Init
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,62 +26,34 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=xxx  #The Build script inserts the actual version
+VERSION=xxx # The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
    echo "where <option> is one of"
    echo "  -h"
    echo "  -v"
    echo "  -n"
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
 	rm -f $1
 	echo "$1 Removed"
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 #
 # Source common functions
 #
 . ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
 #
 # Parse the run line
 #
 finished=0
 configure=1
@@ -118,16 +90,17 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -137,72 +110,72 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac
-    . $file || exit 1
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
-if [ -f ${SHAREDIR}/shorewall-init/version ]; then
+if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: Shorewall Init Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
    VERSION=""
 fi
-[ -n "${LIBEXEC:=${SHAREDIR}}" ]
+echo "Uninstalling $Product $VERSION"
 echo "Uninstalling Shorewall Init $VERSION"
 [ -n "$SANDBOX" ] && configure=0
-INITSCRIPT=${CONFDIR}/init.d/shorewall-init
+[ -n "${LIBEXEC:=${SHAREDIR}}" ]
-if [ -f "$INITSCRIPT" ]; then
+remove_file  ${SBINDIR}/$PRODUCT
 FIREWALL=${CONFDIR}/init.d/$PRODUCT
 if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
-	if [ $HOST = openwrt ]; then
+	if [ $HOST = openwrt ] ; then
-	    if /etc/init.d/shorewall-init enabled; then
+	    if /etc/init.d/$PRODUCT enabled; then
-		/etc/init.d/shorewall-init disable
+		/etc/init.d/$PRODUCT disable
 	    fi
 	elif mywhich updaterc.d ; then
 	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
-            insserv -r $INITSCRIPT
+            insserv -r $FIREWALL
 	elif mywhich update-rc.d ; then
 	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
-	    chkconfig --del $(basename $INITSCRIPT)
+	    chkconfig --del $(basename $FIREWALL)
 	fi
    fi
-    remove_file $INITSCRIPT
+    remove_file $FIREWALL
 fi
-if [ -z "${SERVICEDIR}" ]; then
+[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
    SERVICEDIR="$SYSTEMD"
 fi
 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
-    rm -f $SERVICEDIR/shorewall-init.service
+    remove_file $SERVICEDIR/${PRODUCT}.service
 fi
 if [ $HOST = openwrt ]; then
-    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
 else
-    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
 fi
-remove_file ${CONFDIR}/default/shorewall-init
+remove_file ${CONFDIR}/default/$PRODUCT
-remove_file ${CONFDIR}/sysconfig/shorewall-init
+remove_file ${CONFDIR}/sysconfig/$PRODUCT
 remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall
@@ -227,10 +200,11 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
 fi
-rm -f  ${SBINDIR}/shorewall-init
+remove_directory ${SHAREDIR}/$PRODUCT
-rm -rf ${SHAREDIR}/shorewall-init
+remove_directory ${LIBEXECDIR}/$PRODUCT
-rm -rf ${LIBEXECDIR}/shorewall-init
+remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
 echo "Shorewall Init Uninstalled"
 #
 # Report Success
 #
 echo "$Product $VERSION Uninstalled"
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -1,18 +0,0 @@
 # Shorewall Lite Makefile to restart if firewall script is newer than last restart
 VARDIR=$(shell /sbin/shorewall-lite show vardir)
 SHAREDIR=/usr/share/shorewall-lite
 RESTOREFILE?=.restore
 all: $(VARDIR)/$(RESTOREFILE)
 $(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
 	@/sbin/shorewall-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
 	then \
 	    /sbin/shorewall-lite -q save >/dev/null; \
 	else \
 	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
 	fi
 # EOF
--- a/Shorewall-lite/default.debian.systemd
+++ b/Shorewall-lite/default.debian.systemd
@@ -0,0 +1,26 @@
 #
 # Global start/restart/reload/stop options
 #
 OPTIONS=""
 #
 # Start options
 #
 STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 # EOF
--- a/Shorewall-lite/default.debian.sysvinit
+++ b/Shorewall-lite/default.debian.sysvinit
@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following varible to 1 in order to allow Shorewall-lite to start
+# set the following variable to 1 in order to allow Shorewall-lite to start
 startup=0
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 #
-# Startup options
+# Global start/restart/reload/stop options
 #
 OPTIONS=""
@@ -30,6 +30,16 @@ STARTOPTIONS=""
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -85,7 +85,7 @@ fi
 # start the firewall
 shorewall_start () {
-  echo -n "Starting \"Shorewall firewall\": "
+  printf "Starting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
@@ -93,10 +93,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  if [ "$SAFESTOP" = 1 ]; then
-      echo -n "Stopping \"Shorewall Lite firewall\": "
+      printf "Stopping \"Shorewall Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
-      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
+      printf "Clearing all \"Shorewall Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -104,14 +104,14 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
-  echo -n "Restarting \"Shorewall firewall\": "
+  printf "Restarting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
 # refresh the firewall
 shorewall_refresh () {
-  echo -n "Refreshing \"Shorewall firewall\": "
+  printf "Refreshing \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 start() {
-    echo -n $"Starting Shorewall: "
+    printf $"Starting Shorewall: "
    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 stop() {
-    echo -n $"Stopping Shorewall: "
+    printf $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    echo -n $"Restarting Shorewall: "
+    printf $"Restarting Shorewall: "
    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,62 +22,19 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-VERSION=xxx #The Build script inserts the actual version
+VERSION=xxx # The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "       $ME -v"
+    echo "where <option> is one of"
-    echo "       $ME -h"
+    echo "  -h"
-    echo "       $ME -n"
+    echo "  -v"
    echo "  -n"
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    echo $dir/$1
 	    return 0
 	fi
    done
    return 2
 }
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
 }
 delete_file() # $1 = file to delete
 {
    rm -f $1
 }
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -96,19 +53,6 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }
 make_directory() # $1 = directory , $2 = mode
 {
    mkdir -p $1
    chmod 755 $1
    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
 }
 require()
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 #
 # Change to the directory containing this script
 #
@@ -122,6 +66,11 @@ else
    Product="Shorewall6 Lite"
 fi
 #
 # Source common functions
 #
 . ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
 #
 # Parse the run line
 #
@@ -168,12 +117,14 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc || exit 1
 	file=./shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc
+	file=~/.shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+	file=/usr/share/shorewall/shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -183,11 +134,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac
-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -318,8 +269,7 @@ case "$HOST" in
    linux)
 	;;
    *)
-	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	fatal_error "ERROR: Unknown HOST \"$HOST\""
 	exit 1;
 	;;
 esac
@@ -331,7 +281,7 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi
-    make_directory ${DESTDIR}${INITDIR} 755
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
 else
    if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
@@ -371,25 +321,20 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
-[ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
+[ -n "${INITFILE}" ] && make_parent_directory ${DESTDIR}${INITDIR} 0755
 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
+make_parent_directory ${DESTDIR}${CONFDIR}/$PRODUCT 0755
-mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
+make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
-mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
+make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
-mkdir -p ${DESTDIR}${SBINDIR}
+make_parent_directory ${DESTDIR}${SBINDIR} 0755
-mkdir -p ${DESTDIR}${VARDIR}
+make_parent_directory ${DESTDIR}${VARDIR} 0755
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
-    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
    mkdir -p ${DESTDIR}${INITDIR}
    chmod 755 ${DESTDIR}${INITDIR}
 fi
 if [ -n "$INITFILE" ]; then
@@ -410,9 +355,9 @@ if [ -z "${SERVICEDIR}" ]; then
 fi
 if [ -n "$SERVICEDIR" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
+    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 644
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -430,15 +375,6 @@ elif [ $HOST = gentoo ]; then
    # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
    perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
 #
 # Install the  Makefile
 #
 install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
 [ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
 echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
 #
 # Install the default config path file
 #
@@ -450,8 +386,14 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+        case $f in
-	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+            *installer)
                ;;
            *)
                install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
                echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
                ;;
        esac
    fi
 done
@@ -479,12 +421,12 @@ if [ -f modules ]; then
 fi
 if [ -f helpers ]; then
-    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 600
+    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 0600
    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi
 for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 644
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done
@@ -495,19 +437,19 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages
-    mkdir -p ${DESTDIR}${MANDIR}/man5/
+    make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
    for f in *.5; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 0644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done
-    mkdir -p ${DESTDIR}${MANDIR}/man8/
+    make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
    for f in *.8; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done
@@ -517,7 +459,7 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 fi
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 644
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi
@@ -525,7 +467,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
@@ -548,10 +490,7 @@ ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
 if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-    if [ ${DESTDIR} ]; then
+    [ ${DESTDIR} ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
 	mkdir -p ${DESTDIR}${SYSCONFDIR}
 	chmod 755 ${DESTDIR}${SYSCONFDIR}
    fi
    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
@@ -619,6 +558,6 @@ if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${
 fi
 #
-#  Report Success
+# Report Success
 #
 echo "$Product Version $VERSION Installed"
--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@@ -16,7 +16,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStop=/sbin/shorewall-lite $OPTIONS clear
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
 [Install]
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Lite
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,9 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=xxx  #The Build script inserts the actual version
+VERSION=xxx # The Build script inserts the actual version
 PRODUCT=shorewall-lite
 Product="Shorewall Lite"
 usage() # $1 = exit status
 {
@@ -41,46 +39,27 @@ usage() # $1 = exit status
    exit $1
 }
-fatal_error()
+#
-{
+# Change to the directory containing this script
-    echo "   ERROR: $@" >&2
+#
-    exit 1
+cd "$(dirname $0)"
 }
-qt()
+if [ -f shorewall-lite.service ]; then
-{
+    PRODUCT=shorewall-lite
-    "$@" >/dev/null 2>&1
+    Product="Shorewall Lite"
-}
+else
    PRODUCT=shorewall6-lite
    Product="Shorewall6 Lite"
 fi
-split() {
+#
-    local ifs
+# Source common functions
-    ifs=$IFS
+#
-    IFS=:
+. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
    set -- $1
    echo $*
    IFS=$ifs
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
 	rm -f $1
 	echo "$1 Removed"
    fi
 }
 #
 # Parse the run line
 #
 finished=0
 configure=1
@@ -97,7 +76,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "$Product Firewall Uninstaller Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -117,16 +96,17 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -136,46 +116,50 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac
-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
-if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
+if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: Shorewall Lite Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
    VERSION=""
 fi
-echo "Uninstalling Shorewall Lite $VERSION"
+echo "Uninstalling $Product $VERSION"
 [ -n "$SANDBOX" ] && configure=0
 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-	shorewall-lite clear
+	${SBINDIR}/$PRODUCT clear
    elif qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
 	${SBINDIR}/$PRODUCT clear
    fi
 fi
-if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
+remove_file ${SBINDIR}/$PRODUCT
 if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
    if [ $HOST = openwrt ]; then
-	if [ $configure -eq 1 ] && /etc/init.d/shorewall-lite enabled; then
+	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
-	    /etc/init.d/shorewall-lite disable
+	    /etc/init.d/$PRODUCT disable
 	fi
-	FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
+	FIREWALL=$(readlink ${SHAREDIR}/$PRODUCT/init)
    else
-	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
    fi
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
@@ -183,10 +167,10 @@ fi
 if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
-	if mywhich updaterc.d ; then
+	if mywhich insserv ; then
 	    updaterc.d shorewall-lite remove
 	elif mywhich insserv ; then
            insserv -r $FIREWALL
 	elif mywhich update-rc.d ; then
 	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	fi
@@ -195,26 +179,29 @@ if [ -f "$FIREWALL" ]; then
    remove_file $FIREWALL
 fi
-[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
+[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
-    rm -f $SERVICEDIR/shorewall-lite.service
+    remove_file $SERVICEDIR/${PRODUCT}.service
 fi
-rm -f ${SBINDIR}/shorewall-lite
+remove_directory ${CONFDIR}/$PRODUCT
 remove_directory ${VARDIR}
 remove_directory ${SHAREDIR}/$PRODUCT
 remove_directory ${LIBEXECDIR}/$PRODUCT
 remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
-rm -rf ${CONFDIR}/shorewall-lite
+if [ -n "$SYSCONFDIR" ]; then
-rm -rf ${VARDIR}
+    [ -n "$SYSCONFFILE" ] && remove_file ${SYSCONFDIR}/${PRODUCT}
-rm -rf ${SHAREDIR}/shorewall-lite
+fi
 rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
 rm -f  ${SYSCONFDIR}/shorewall-lite
 if [ -n "${MANDIR}" ]; then
-    rm -f ${MANDIR}/man5/shorewall-lite*
+    remove_file_with_wildcard ${MANDIR}/man5/${PRODUCT}\*
-    rm -f ${MANDIR}/man8/shorewall-lite*
+    remove_file_with_wildcard ${MANDIR}/man8/${PRODUCT}\*
 fi
-echo "Shorewall Lite Uninstalled"
+#
-
+# Report Success
 #
 echo "$Product $VERSION Uninstalled"
--- a/Shorewall/Actions/action.A_Drop.deprecated
+++ b/Shorewall/Actions/action.A_Drop.deprecated
@@ -12,6 +12,7 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ?require AUDIT_TARGET
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
@@ -30,9 +31,10 @@ Auth(A_DROP)
 #
 A_AllowICMPs	-	-	icmp
 #
-# Don't log broadcasts
+# Don't log broadcasts and multicasts
 #
 dropBcast(audit)
 dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
@@ -22,8 +22,9 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
 ?require AUDIT_TARGET
 DEFAULTS -
--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
@@ -22,8 +22,9 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
 ?require AUDIT_TARGET
 DEFAULTS -
--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ b/Shorewall/Actions/action.A_Reject.deprecated
@@ -25,10 +25,11 @@ COUNT
 #
 A_AllowICMPs	-	-	icmp
 #
-# Drop Broadcasts so they don't clutter up the log
+# Drop Broadcasts and multicasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
+# (these must *not* be rejected).
 #
 dropBcast(audit)
 dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -0,0 +1,11 @@
 #
 # Shorewall -- /usr/share/shorewall/action.AllowICMPs
 #
 # This action ACCEPTs needed ICMP types.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 DEFAULTS ACCEPT
@1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
@1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
--- a/Shorewall/Actions/action.AutoBL
+++ b/Shorewall/Actions/action.AutoBL
--- a/Shorewall/Actions/action.AutoBLL
+++ b/Shorewall/Actions/action.AutoBLL
--- a/Shorewall/Actions/action.BLACKLIST
+++ b/Shorewall/Actions/action.BLACKLIST
@@ -0,0 +1,50 @@
 #
 # Shorewall - /usr/share/shorewall/action.BLACKLIST
 #
 # This action:
 #
 #   - Adds the sender to the dynamic blacklist ipset
 #   - Optionally acts on the packet (default is DROP)
 #
 # Parameters:
 #
 # 1 - Action to take after adding the packet. Default is DROP.
 #     Pass -- if you don't want to take any action.
 # 2 - Timeout for ipset entry. Default is the timeout specified in
 #     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
 #
 ###############################################################################
 # Note -- This action is defined with the 'section' option, so the first
 #         parameter is always the section name. That means that in the
 #         following text, the first parameter passed in the rule is actually
 #         @2.
 ###############################################################################
 ?if $1 eq 'BLACKLIST'
   ?if $BLACKLIST_LOG_LEVEL
       blacklog
   ?else
       $BLACKLIST_DISPOSITION
   ?endif
 ?else
   ?if ! "$SW_DBL_IPSET"
   ?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
   ?endif
   DEFAULTS -,DROP,-
   #
   # Add to the blacklist
   #
   ?if passed(@3)
       ADD($SW_DBL_IPSET:src:@3)
   ?elsif $SW_DBL_TIMEOUT
       ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
   ?else
       ADD($SW_DBL_IPSET:src)
   ?endif
   #
   # Dispose of the packet if asked
   #
   ?if passed(@2)
      @2
   ?endif
 ?endif
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -30,7 +30,6 @@ DEFAULTS DROP,-
 ?if __ADDRTYPE
@1	-	-	-	;; -m addrtype --dst-type BROADCAST
@1	-	-	-	;; -m addrtype --dst-type MULTICAST
@1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
 ?begin perl;
@@ -50,9 +49,6 @@ add_jump $chainref, $action, 0, "-d \$address ";
 decr_cmd_level $chainref;
 add_commands $chainref, 'done';
 log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
 1;
 ?end perl;
--- a/Shorewall/Actions/action.DNSAmp
+++ b/Shorewall/Actions/action.DNSAmp
--- a/Shorewall/Actions/action.Drop.deprecated
+++ b/Shorewall/Actions/action.Drop.deprecated
@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Drop
 #
-# The default DROP common rules
+# The former default DROP common rules. Use of this action is now deprecated
 #
 # This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
@@ -20,7 +20,7 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
@@ -28,6 +28,7 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
 ?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
 ?if passed(@1)
    ?if @1 eq 'audit'
@@ -58,9 +59,10 @@ Auth(@2)
 #
 AllowICMPs(@4)	-	-	icmp
 #
-# Don't log broadcasts
+# Don't log broadcasts or multicasts
 #
 Broadcast(DROP,@1)
 Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
--- a/Shorewall/Actions/action.DropDNSrep
+++ b/Shorewall/Actions/action.DropDNSrep
@@ -0,0 +1,10 @@
 #
 # Shorewall -- /usr/share/shorewall/action.DropDNSrep
 #
 # This macro silently drops DNS UDP replies that are in the New state
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 DEFAULTS DROP
@1	-	-	udp	-	53 { comment="Late DNS Replies" }
--- a/Shorewall/Actions/action.DropSmurfs
+++ b/Shorewall/Actions/action.DropSmurfs
--- a/Shorewall/Actions/action.Established
+++ b/Shorewall/Actions/action.Established
--- a/Shorewall/Actions/action.GlusterFS
+++ b/Shorewall/Actions/action.GlusterFS
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
--- a/Shorewall/Actions/action.Invalid
+++ b/Shorewall/Actions/action.Invalid
--- a/Shorewall/Actions/action.Limit
+++ b/Shorewall/Actions/action.Limit
@@ -0,0 +1,70 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Limit
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Limit(<recent-set>,<num-connections>,<timeout>)
 #
 ###############################################################################
 DEFAULTS -,-,-
 ?begin perl
 use strict;
 use Shorewall::Config;
 use Shorewall::Chains;
 my $chainref        = get_action_chain;
 my @param           = get_action_params(3);
 my ( $level, $tag ) = get_action_logging;
@param = split( ',', $tag ), $tag = $param[0] unless supplied( join '', @param );
 fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
 my $set   = $param[0];
 for ( @param[1,2] ) {
    fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
 }
 my $count = $param[1] + 1;
 require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
 warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
 add_irule $chainref, recent => "--name $set --set";
 if ( $level ne '' ) {
    my $xchainref = new_chain 'filter' , "$chainref->{name}%";
    log_irule_limit( $level, $xchainref, '', 'DROP', [], $tag, 'add' , '' );
    add_ijump $xchainref, j => 'DROP';
    add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
 } else {
    add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
 }
 add_ijump $chainref, j => 'ACCEPT';
 1;
 ?end perl
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -0,0 +1,50 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Multicast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Multicast[([<action>|-[,{audit|-}])]
 #
 # Default action is DROP
 #
 ###############################################################################
 DEFAULTS DROP,-
 ?if __ADDRTYPE
@1	-	-	-	;; -m addrtype --dst-type MULTICAST
 ?else
 ?begin perl;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
 my ( $action )         = get_action_params( 1 );
 my $chainref           = get_action_chain;
 my ( $level, $tag )    = get_action_logging;
 log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
 1;
 ?end perl;
 ?endif
--- a/Shorewall/Actions/action.New
+++ b/Shorewall/Actions/action.New
--- a/Shorewall/Actions/action.NotSyn
+++ b/Shorewall/Actions/action.NotSyn
--- a/Shorewall/Actions/action.RST
+++ b/Shorewall/Actions/action.RST
--- a/Shorewall/Actions/action.Reject.deprecated
+++ b/Shorewall/Actions/action.Reject.deprecated
@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Reject
 #
-# The default REJECT action common rules
+# The former default REJECT action common rules. Use of this action is deprecated.
 #
 # This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
@@ -20,13 +20,14 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
 ?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
 ?if passed(@1)
    ?if @1 eq 'audit'
@@ -61,6 +62,7 @@ AllowICMPs(@4)	-	-	icmp
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
 Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
--- a/Shorewall/Actions/action.Related
+++ b/Shorewall/Actions/action.Related
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
--- a/Shorewall/Actions/action.TCPFlags
+++ b/Shorewall/Actions/action.TCPFlags
--- a/Shorewall/Actions/action.Untracked
+++ b/Shorewall/Actions/action.Untracked
--- a/Shorewall/Actions/action.allowBcast
+++ b/Shorewall/Actions/action.allowBcast
@@ -0,0 +1,38 @@
 #
 # Shorewall -- /usr/share/shorewall/action.allowBcast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # allowBcast[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
 	?require AUDIT_TARGET
 	Broadcast(A_ACCEPT)
    ?else
 	?error "Invalid argument (@1) to allowBcast"
    ?endif
 ?else
    Broadcast(ACCEPT)
 ?endif
--- a/Shorewall/Actions/action.allowInvalid
+++ b/Shorewall/Actions/action.allowInvalid
--- a/Shorewall/Actions/action.allowMcast
+++ b/Shorewall/Actions/action.allowMcast
@@ -0,0 +1,38 @@
 #
 # Shorewall -- /usr/share/shorewall/action.allowMcast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # allowMcast[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
 	?require AUDIT_TARGET
 	Multicast(A_ACCEPT)
    ?else
 	?error "Invalid argument (@1) to allowMcast"
    ?endif
 ?else
    Multicast(ACCEPT)
 ?endif
--- a/Shorewall/Actions/action.allowinUPnP
+++ b/Shorewall/Actions/action.allowinUPnP
@@ -0,0 +1,40 @@
 #
 # Shorewall -- /usr/share/shorewall/action.allowinUPnP
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # allowinUPnP[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
 	?require AUDIT_TARGET
 	A_ACCEPT - - 17 1900
 	A_ACCEPT - -  6 49152
    ?else
 	?error "Invalid argument (@1) to allowinUPnP"
    ?endif
 ?else
    ACCEPT - - 17 1900
    ACCEPT - -	6 49152
 ?endif
--- a/Shorewall/Actions/action.dropBcast
+++ b/Shorewall/Actions/action.dropBcast
@@ -0,0 +1,39 @@
 #
 # Shorewall -- /usr/share/shorewall/action.dropBcast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # dropBcast[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
 	?require AUDIT_TARGET
 	Broadcast(A_DROP)
    ?else
 	?error "Invalid argument (@1) to dropBcast"
    ?endif
 ?else
    Broadcast(DROP)
 ?endif
--- a/Shorewall/Actions/action.dropInvalid
+++ b/Shorewall/Actions/action.dropInvalid
--- a/Shorewall/Actions/action.dropMcast
+++ b/Shorewall/Actions/action.dropMcast
@@ -0,0 +1,38 @@
 #
 # Shorewall -- /usr/share/shorewall/action.dropMcast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # dropMcast[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
 	?require AUDIT_TARGET
 	Multicast(A_DROP)
    ?else
 	?error "Invalid argument (@1) to dropMcast"
    ?endif
 ?else
    Multicast(DROP)
 ?endif
--- a/Shorewall/Actions/action.dropNotSyn
+++ b/Shorewall/Actions/action.dropNotSyn
@@ -0,0 +1,38 @@
 #
 # Shorewall -- /usr/share/shorewall/action.dropNotSyn
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # dropNotSyn[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
 	?require AUDIT_TARGET
 	A_DROP {proto=6:!syn}
    ?else
 	?error "Invalid argument (@1) to dropNotSyn"
    ?endif
 ?else
    DROP {proto=6:!syn}
 ?endif
--- a/Shorewall/Actions/action.forwardUPnP
+++ b/Shorewall/Actions/action.forwardUPnP
@@ -0,0 +1,43 @@
 #
 # Shorewall -- /usr/share/shorewall/action.forwardUPnP
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # forwardUPnP
 #
 ###############################################################################
 DEFAULTS -
 ?begin perl
 use strict;
 use Shorewall::Config;
 use Shorewall::Chains;
 my $chainref = get_action_chain;
 set_optflags( $chainref, DONT_OPTIMIZE );
 add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 1;
 ?end perl
--- a/Shorewall/Actions/action.mangletemplate
+++ b/Shorewall/Actions/action.mangletemplate
--- a/Shorewall/Actions/action.rejNotSyn
+++ b/Shorewall/Actions/action.rejNotSyn
@@ -0,0 +1,39 @@
 #
 # Shorewall -- /usr/share/shorewall/action.rejNotSyn
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # rejNotSyn[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
 	?require AUDIT_TARGET
 	A_REJECT {proto=6:!syn}
    ?else
 	?error "Invalid argument (@1) to rejNotSyn"
    ?endif
 ?else
    REJECT(tcp-reset) {proto=6:!syn}
 ?endif
--- a/Shorewall/Actions/action.template
+++ b/Shorewall/Actions/action.template
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -1,13 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.AllowICMPs
 #
 # This macro ACCEPTs needed ICMP types.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 ?COMMENT Needed ICMP types
 DEFAULT ACCEPT
 PARAM	-	-	icmp	fragmentation-needed
 PARAM	-	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -1,13 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.blacklist
 #
 # This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 ?if $BLACKLIST_LOGLEVEL
 blacklog
 ?else
 $BLACKLIST_DISPOSITION
 ?endif
--- a/Shorewall/Macros/macro.Drop
+++ b/Shorewall/Macros/macro.Drop
@@ -1,49 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.Drop
 #
 # This macro generates the same rules as the Drop default action
 # It is used in place of action.Drop when USE_ACTIONS=No.
 #
 # Example:
 #
 #	Drop	net	all
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 #
 # Don't log 'auth' DROP
 #
 DROP	-	-	tcp	113
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast
 #
 # ACCEPT critical ICMP types
 #
 ACCEPT	-	-	icmp	fragmentation-needed
 ACCEPT	-	-	icmp	time-exceeded
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
 dropInvalid
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 DROP	-	-	udp	135,445
 DROP	-	-	udp	137:139
 DROP	-	-	udp	1024:	137
 DROP	-	-	tcp	135,139,445
 DROP	-	-	udp	1900
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 dropNotSyn
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -1,12 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.DropDNSrep
 #
 # This macro silently drops DNS UDP replies
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 ?COMMENT Late DNS Replies
 DEFAULT DROP
 PARAM	-	-	udp	-	53
--- a/Shorewall/Macros/macro.Reject
+++ b/Shorewall/Macros/macro.Reject
@@ -1,49 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.Reject
 #
 # This macro generates the same rules as the Reject default action
 # It is used in place of action.Reject when USE_ACTIONS=No.
 #
 # Example:
 #
 #	Reject	loc	fw
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 #
 # Don't log 'auth' REJECT
 #
 REJECT	-	-	tcp	113
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast
 #
 # ACCEPT critical ICMP types
 #
 ACCEPT	-	-	icmp	fragmentation-needed
 ACCEPT	-	-	icmp	time-exceeded
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
 dropInvalid
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 REJECT	-	-	udp	135,445
 REJECT	-	-	udp	137:139
 REJECT	-	-	udp	1024:	137
 REJECT	-	-	tcp	135,139,445
 DROP	-	-	udp	1900
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 dropNotSyn
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 DROP	-	-	udp	-	53
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -1,23 +0,0 @@
 #
 # Shorewall -- /etc/shorewall/Makefile
 #
 # Reload Shorewall if config files are updated.
 SWBIN	?= /sbin/shorewall -q
 CONFDIR	?= /etc/shorewall
 SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
 .PHONY: clean
 $(SWSTATE): $(CONFDIR)/*
 	@$(SWBIN) save >/dev/null; \
 	RESULT=$$($(SWBIN) reload 2>&1); \
 	if [ $$? -eq 0 ]; then \
 	    $(SWBIN) save >/dev/null; \
 	else \
 	    echo "$${RESULT}" >&2; \
 	    false; \
 	fi
 clean:
 	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -519,9 +519,9 @@ sub setup_accounting() {
 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 ( sort  keys %accountingjumps ) {
+		    for my $chain1 ( keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -120,7 +120,6 @@ our @EXPORT = ( qw(
 		    %chain_table
 		    %targets
 		    $raw_table
 		    $rawpost_table
 		    $nat_table
 		    $mangle_table
 		    $filter_table
@@ -197,7 +196,6 @@ our %EXPORT_TAGS = (
 				       ensure_mangle_chain
 				       ensure_nat_chain
 				       ensure_raw_chain
 				       ensure_rawpost_chain
 				       new_standard_chain
 				       new_action_chain
 				       new_builtin_chain
@@ -418,7 +416,6 @@ our $VERSION = 'MODULEVERSION';
 #
 our %chain_table;
 our $raw_table;
 our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
@@ -759,13 +756,11 @@ sub initialize( $$$ ) {
    ( $family, my $hard, $export ) = @_;
    %chain_table = ( raw    =>  {},
 		     rawpost => {},
 		     mangle =>  {},
 		     nat    =>  {},
 		     filter =>  {} );
    $raw_table     = $chain_table{raw};
    $rawpost_table = $chain_table{rawpost};
    $nat_table     = $chain_table{nat};
    $mangle_table  = $chain_table{mangle};
    $filter_table  = $chain_table{filter};
@@ -1196,12 +1191,15 @@ sub compatible( $$ ) {
    }
    #
    # Don't combine chains where each specifies
-    #    '-m policy'
+    #    -m policy
-    #    ( --multiport and ( --dport or --sport or -m multiport ) )
+    # or when one specifies
    #    -m multiport
    # and the other specifies
    #    --dport or --sport or -m multiport
    #
    return ! ( $ref1->{policy} && $ref2->{policy} ||
 	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
-		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} || $ref1->{multiport} ) ) ) );
+		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
 #
@@ -1225,7 +1223,7 @@ sub merge_rules( $$$ ) {
 	}
    }
-    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) {
+    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }
@@ -1241,7 +1239,7 @@ sub merge_rules( $$$ ) {
    set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};
-    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) {
+    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }
@@ -2761,14 +2759,6 @@ sub ensure_raw_chain($) {
    $chainref;
 }
 sub ensure_rawpost_chain($) {
    my $chain = $_[0];
    my $chainref = ensure_chain 'rawpost', $chain;
    $chainref->{referenced} = 1;
    $chainref;
 }
 #
 # Add a builtin chain
 #
@@ -2967,8 +2957,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3031,8 +3019,6 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3336,7 +3322,7 @@ sub check_optimization( $ ) {
 # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
 #
 sub optimize_level0() {
-    for my $table ( qw/raw rawpost mangle nat filter/ ) {
+    for my $table ( qw/raw mangle nat filter/ ) {
 	my $tableref = $chain_table{$table};
 	next unless $tableref;
@@ -3705,7 +3691,7 @@ sub optimize_level8( $$$ ) {
 	}
 	if ( $progress ) {
-	    my @rename = sort keys %rename;
+	    my @rename = keys %rename;
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
@@ -4255,7 +4241,6 @@ sub valid_tables() {
    my @table_list;
    push @table_list, 'raw'     if have_capability( 'RAW_TABLE' );
    push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
    push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
    push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
    push @table_list, 'filter'; #MUST BE LAST!!!
@@ -4571,7 +4556,8 @@ sub do_proto( $$$;$ )
    if ( $proto ne '' ) {
-	my $synonly  = ( $proto =~ s/:syn$//i );
+	my $synonly  = ( $proto =~ s/:(!)?syn$//i );
 	my $notsyn   = $1;
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
@@ -4589,7 +4575,7 @@ sub do_proto( $$$;$ )
 		$output  = "${invert}-p ${proto} ";
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
-		$output = "-p $proto --syn ";
+		$output = $notsyn ? "-p $proto ! --syn " : "-p $proto --syn ";
 	    }
 	    fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
@@ -6995,13 +6981,13 @@ sub set_global_variables( $$ ) {
    if ( $conditional ) {
 	my ( $interface, @interfaces );
-	@interfaces = sort keys %interfaceaddr;
+	@interfaces = keys %interfaceaddr;
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}
-	@interfaces = sort keys %interfacegateways;
+	@interfaces = keys %interfacegateways;
 	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
@@ -7011,36 +6997,36 @@ sub set_global_variables( $$ ) {
 	    emit( qq(fi\n) );
 	}
-	@interfaces = sort keys %interfacemacs;
+	@interfaces = keys %interfacemacs;
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
    } else {
-	emit $_     for sort values %interfaceaddr;
+	emit $_     for values %interfaceaddr;
-	emit "$_\n" for sort values %interfacegateways;
+	emit "$_\n" for values %interfacegateways;
-	emit $_     for sort values %interfacemacs;
+	emit $_     for values %interfacemacs;
    }
    if ( $setall ) {
-	emit $_ for sort values %interfaceaddrs;
+	emit $_ for values %interfaceaddrs;
-	emit $_ for sort values %interfacenets;
+	emit $_ for values %interfacenets;
 	unless ( have_capability( 'ADDRTYPE' ) ) {
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for sort values %interfacebcasts;
+		emit $_ for values %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for sort values %interfaceacasts;
+		emit $_ for values %interfaceacasts;
 	    }
 	}
    }
 }
 sub verify_address_variables() {
-    for my $variable ( sort keys %address_variables ) {
+    for my $variable ( keys %address_variables ) {
 	my $type = $address_variables{$variable};
 	my $address = "\$$variable";
@@ -7957,7 +7943,7 @@ sub add_interface_options( $ ) {
 	#
 	# Generate a digest for each chain
 	#
-	for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) {
+	for my $chainref ( values %input_chains, values %forward_chains ) {
 	    my $digest = '';
 	    assert( $chainref );
@@ -7976,7 +7962,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = sort keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;
 	    if ( @input_interfaces > 1 ) {
@@ -8062,7 +8048,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = sort keys %{zone_interfaces( $zone2 )};
+		my @interfaces = keys %{zone_interfaces( $zone2 )};
 		my $chain1ref;
 		for my $interface ( @interfaces ) {
@@ -8468,7 +8454,7 @@ sub create_save_ipsets() {
 	    #
 	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
-	    my @sets = sort keys %ipsets;
+	    my @sets = keys %ipsets;
 	    emit( '' ,
 		  '    rm -f $file' ,
@@ -8644,7 +8630,7 @@ sub create_load_ipsets() {
 #
 sub create_nfobjects() {
-    my @objects = ( sort keys %nfobjects );
+    my @objects = ( keys %nfobjects );
    if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -8659,7 +8645,7 @@ sub create_nfobjects() {
 	}
    }
-    for ( sort keys %nfobjects ) {
+    for ( keys %nfobjects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -8936,7 +8922,7 @@ sub create_chainlist_reload($) {
 	for my $chain ( @chains ) {
 	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
-	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/;
+	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
 	    $chains{$table} = {} unless $chains{$table};
@@ -8965,7 +8951,7 @@ sub create_chainlist_reload($) {
 	enter_cat_mode;
-	for $table ( qw(raw rawpost nat mangle filter) ) {
+	for $table ( qw(raw nat mangle filter) ) {
 	    my $tableref=$chains{$table};
 	    next unless $tableref;
@@ -9135,7 +9121,7 @@ sub initialize_switches() {
    if ( keys %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
-	for my $switch ( sort keys %switches ) {
+	for my $switch ( keys %switches ) {
 	    my $setting = $switches{$switch};
 	    my $file = "/proc/net/nf_condition/$switch";
 	    emit "[ -f $file ] && echo $setting->{setting} > $file";
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -93,11 +93,10 @@ sub generate_script_1( $ ) {
 	    my $date = compiletime;
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
 	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
 	}
 	copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
 	copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
    }
    my $lib = find_file 'lib.private';
@@ -945,7 +944,7 @@ sub compiler {
 	#
 	# Copy the footer to the script
 	#
-	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
+	copy $globals{SHAREDIRPL} . 'prog.footer';
 	disable_script;
 	#
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -389,7 +389,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 HEADER_MATCH    => 'Header Match',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
 		 RAWPOST_TABLE   => 'Rawpost Table',
 		 CONDITION_MATCH => 'Condition Match',
 		 IPTABLES_S      => 'iptables -S',
 		 BASIC_FILTER    => 'Basic Filter',
@@ -413,6 +412,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                 TCPMSS_TARGET   => 'TCPMSS Target',
                 WAIT_OPTION     => 'iptables --wait option',
                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',
                 NETMAP_TARGET   => 'NETMAP Target',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -748,7 +748,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.0.9-Beta2",
+		    VERSION                 => "5.1.3",
 		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -792,6 +792,7 @@ sub initialize( $;$$) {
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  LOG_LEVEL => undef,
 	  #
 	  # Location of Files
 	  #
@@ -816,6 +817,7 @@ sub initialize( $;$$) {
 	  ACCEPT_DEFAULT => undef,
 	  QUEUE_DEFAULT => undef,
 	  NFQUEUE_DEFAULT => undef,
 	  BLACKLIST_DEFAULT => undef,
 	  #
 	  # RSH/RCP Commands
 	  #
@@ -904,6 +906,7 @@ sub initialize( $;$$) {
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
 	  BALANCE_PROVIDERS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -980,7 +983,6 @@ sub initialize( $;$$) {
 	       CONNMARK_MATCH => undef,
 	       XCONNMARK_MATCH => undef,
 	       RAW_TABLE => undef,
 	       RAWPOST_TABLE => undef,
 	       IPP2P_MATCH => undef,
 	       OLD_IPP2P_MATCH => undef,
 	       CLASSIFY_TARGET => undef,
@@ -1037,6 +1039,7 @@ sub initialize( $;$$) {
 	       TCPMSS_TARGET => undef,
 	       WAIT_OPTION => undef,
 	       CPU_FANOUT => undef,
 	       NETMAP_TARGET => undef,
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -2001,6 +2004,21 @@ sub find_writable_file($) {
    "$config_path[0]$filename";
 }
 #
 # Determine if a value has been supplied
 #
 sub supplied( $ ) {
    my $val = shift;
    defined $val && $val ne '';
 }
 sub passed( $ ) {
    my $val = shift;
    defined $val && $val ne '' && $val ne '-';
 }
 #
 # Split a comma-separated list into a Perl array
 #
@@ -2059,7 +2077,7 @@ sub split_list1( $$;$ ) {
 sub split_list2( $$ ) {
    my ($list, $type ) = @_;
-    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;
+    fatal_error "Invalid $type ($list)" if $list =~ /^:/;
    my @list1 = split /:/, $list;
    my @list2;
@@ -2096,6 +2114,7 @@ sub split_list2( $$ ) {
 		fatal_error "Invalid $type ($list)" if $opencount < 0;
 	    }
 	} elsif ( $element eq '' ) {
 	    fatal_error "Invalid $type ($list)" unless supplied $_;
 	    push @list2 , $_;
 	} else {
 	    $element = join ':', $element , $_;
@@ -2261,21 +2280,6 @@ sub split_columns( $ ) {
    @list2;
 }
 #
 # Determine if a value has been supplied
 #
 sub supplied( $ ) {
    my $val = shift;
    defined $val && $val ne '';
 }
 sub passed( $ ) {
    my $val = shift;
    defined $val && $val ne '' && $val ne '-';
 }
 sub clear_comment();
 #
@@ -2709,13 +2713,13 @@ sub directive_info( $$$$ ) {
 # Add quotes to the passed value if the passed 'first part' has an odd number of quotes
 # Return an expression that concatenates $first, $val and $rest
 #
-sub join_parts( $$$ ) {
+sub join_parts( $$$$ ) {
-    my ( $first, $val, $rest ) = @_;
+    my ( $first, $val, $rest, $just_expand ) = @_;
    $val = '' unless defined $val;
-    $val = "'$val'" unless ( $val =~ /^-?\d+$/               ||    # Value is numeric
+    $val = "'$val'" unless $just_expand || ( $val =~ /^-?\d+$/               ||    # Value is numeric
-			     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
+					     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
-			       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
+					       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
    join( '', $first, $val, $rest );
 }
@@ -2768,7 +2772,7 @@ sub evaluate_expression( $$$$ ) {
 		     exists $capdesc{$var}   ? have_capability( $var ) : '' );
 	}
-	$expression = join_parts( $first, $val, $rest );
+	$expression = join_parts( $first, $val, $rest, $just_expand );
 	directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
    }
@@ -2779,7 +2783,7 @@ sub evaluate_expression( $$$$ ) {
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
 	    $usedcaller = USEDCALLER if $var eq 'caller';
-	    $expression = join_parts( $first, $val, $rest );
+	    $expression = join_parts( $first, $val, $rest , $just_expand );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
    }
@@ -2851,7 +2855,7 @@ sub process_compiler_directive( $$$$ ) {
    print "CD===> $line\n" if $debug;
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
    my ($keyword, $expression) = ( uc $1, $2 );
@@ -2991,52 +2995,70 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 	  ERROR => sub() {
-	      directive_error( evaluate_expression( $expression ,
+	      unless ( $omitting ) {
-						    $filename ,
+		  directive_error( evaluate_expression( $expression ,
-						    $linenumber ,
+							$filename ,
-						    1 ) ,
+							$linenumber ,
-			       $filename ,
+							1 ) ,
-			       $linenumber ) unless $omitting;
+				   $filename ,
 				   $linenumber ) unless $omitting;
 	      }
 	  } ,
 	  WARNING => sub() {
-	      directive_warning( $config{VERBOSE_MESSAGES} ,
+	      unless ( $omitting ) {
-		                 evaluate_expression( $expression ,
+		  directive_warning( $config{VERBOSE_MESSAGES} ,
-						      $filename ,
+				     evaluate_expression( $expression ,
-						      $linenumber ,
+							  $filename ,
-						      1 ),
+							  $linenumber ,
-				 $filename ,
+							  1 ),
-				 $linenumber ) unless $omitting;
+				     $filename ,
 				     $linenumber ) unless $omitting;
 	      }
 	  } ,
 	  INFO => sub() {
-	      directive_info( $config{VERBOSE_MESSAGES} ,
+	      unless ( $omitting ) {
-			      evaluate_expression( $expression ,
+		  directive_info( $config{VERBOSE_MESSAGES} ,
-						   $filename ,
+				  evaluate_expression( $expression ,
-						   $linenumber ,
+						       $filename ,
-						   1 ),
+						       $linenumber ,
-			      $filename ,
+						       1 ),
-			      $linenumber ) unless $omitting;
+				  $filename ,
 				  $linenumber ) unless $omitting;
 	      }
 	  } ,
 	  'WARNING!' => sub() {
-	      directive_warning( ! $config{VERBOSE_MESSAGES} ,
+	      unless ( $omitting ) {
-		                 evaluate_expression( $expression ,
+		  directive_warning( ! $config{VERBOSE_MESSAGES} ,
-						      $filename ,
+				     evaluate_expression( $expression ,
-						      $linenumber ,
+							  $filename ,
-						      1 ),
+							  $linenumber ,
-				 $filename ,
+							  1 ),
-				 $linenumber ) unless $omitting;
+				     $filename ,
 				     $linenumber ) unless $omitting;
 	      }
 	  } ,
 	  'INFO!' => sub() {
-	      directive_info( ! $config{VERBOSE_MESSAGES} ,
+	      unless ( $omitting ) {
-			      evaluate_expression( $expression ,
+		  directive_info( ! $config{VERBOSE_MESSAGES} ,
-						   $filename ,
+				  evaluate_expression( $expression ,
-						   $linenumber ,
+						       $filename ,
-						   1 ),
+						       $linenumber ,
-			      $filename ,
+						       1 ),
-			      $linenumber ) unless $omitting;
+				  $filename ,
 				  $linenumber ) unless $omitting;
 	      }
 	  } ,
 	  REQUIRE => sub() {
 	      unless ( $omitting ) {
 		  fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
 		  fatal_error "Unknown capability ($expression)" unless $capdesc{$expression};
 		  require_capability( $expression, "The $actparams{action} action", 's' );
 	      }
 	  } ,
 	);
@@ -3667,6 +3689,7 @@ sub expand_variables( \$ ) {
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
 	    $val = $config{$var};
 	}
 	$val = '' unless defined $val;
@@ -3752,7 +3775,7 @@ sub read_a_line($) {
 	    #
 	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO|REQUIRE)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -4318,6 +4341,22 @@ sub Masquerade_Tgt() {
    $result;
 }
 sub Netmap_Target() {
    have_capability( 'NAT_ENABLED' ) || return '';
    my $result = '';
    my $address = $family == F_IPV4 ? '1.2.3.0/24' : '2001::/64';
    if ( qt1( "$iptables $iptablesw -t nat -N $sillyname" ) ) {
 	$result = qt1( "$iptables $iptablesw -t nat -A $sillyname -j NETMAP --to $address" );
 	qt1( "$iptables $iptablesw -t nat -F $sillyname" );
 	qt1( "$iptables $iptablesw -t nat -X $sillyname" );
    }
    $result;
 }
 sub Udpliteredirect() {
    have_capability( 'NAT_ENABLED' ) || return '';
@@ -4516,10 +4555,6 @@ sub Raw_Table() {
    qt1( "$iptables $iptablesw -t raw -L -n" );
 }
 sub Rawpost_Table() {
    qt1( "$iptables $iptablesw -t rawpost -L -n" );
 }
 sub Old_IPSet_Match() {
    my $ipset  = $config{IPSET} || 'ipset';
    my $result = 0;
@@ -4911,6 +4946,7 @@ our %detect_capability =
      MULTIPORT => \&Multiport,
      NAT_ENABLED => \&Nat_Enabled,
      NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
      NETMAP_TARGET => \&Netmap_Target,
      NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
      NFACCT_MATCH => \&NFAcct_Match,
      NFQUEUE_TARGET => \&Nfqueue_Target,
@@ -4926,7 +4962,6 @@ our %detect_capability =
      POLICY_MATCH => \&Policy_Match,
      PPTP_HELPER => \&PPTP_Helper,
      RAW_TABLE => \&Raw_Table,
      RAWPOST_TABLE => \&Rawpost_Table,
      REALM_MATCH => \&Realm_Match,
      REAP_OPTION => \&Reap_Option,
      RECENT_MATCH => \&Recent_Match,
@@ -5054,7 +5089,6 @@ sub determine_capabilities() {
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
 	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
@@ -5096,6 +5130,7 @@ sub determine_capabilities() {
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5266,11 +5301,24 @@ sub update_config_file( $ ) {
    }
    update_default( 'USE_DEFAULT_RT', 'No' );
-    update_default( 'EXPORTMODULES',  'No' );
+
-    update_default( 'RESTART',        'reload' );
+    if ( $config{USE_DEFAULT_RT} eq '' || $config{USE_DEFAULT_RT} =~ /^no$/i ) {
-    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
+	update_default( 'BALANCE_PROVIDERS', 'No' );
-    update_default( 'LOGFORMAT',      'Shorewall:%s:%s:' );
+    } else {
-    update_default( 'LOGLIMIT',       '' );
+	update_default( 'BALANCE_PROVIDERS', 'Yes' );
    }
    update_default( 'EXPORTMODULES',     'No' );
    update_default( 'RESTART',           'reload' );
    update_default( 'PAGER',             $shorewallrc1{DEFAULT_PAGER} );
    update_default( 'LOGFORMAT',         'Shorewall:%s:%s:' );
    update_default( 'LOGLIMIT',          '' );
    if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
    } else {
 	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
    }	
    my $fn;
@@ -5321,8 +5369,12 @@ sub update_config_file( $ ) {
 		    }
 		}
-
+		if ( supplied $val ) {
-		$val = conditional_quote $val;
+		    #
 		    # Log LEVEL and DEFAULT settings often contain parens
 		    #
 		    $val = ($var =~ /(?:LEVEL|DEFAULT)$/) ? qq("$val") : conditional_quote $val;
 		}
 		$_ = "$var=$val\n";
 	    }
@@ -5385,6 +5437,7 @@ EOF
 sub process_shorewall_conf( $$ ) {
    my ( $update, $annotate ) = @_;
    my $file   = find_file "$product.conf";
    my @vars;
    if ( -f $file ) {
 	$globals{CONFIGDIR} =  $configfile = $file;
@@ -5398,7 +5451,7 @@ sub process_shorewall_conf( $$ ) {
 	    # Don't expand shell variables or allow embedded scripting
 	    #
 	    while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
-		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
+		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*)$/ ) {
 		    my ($var, $val) = ($1, $2);
 		    if ( exists $config{$var} ) {
@@ -5417,6 +5470,12 @@ sub process_shorewall_conf( $$ ) {
 			next;
 		    }
 		    if ( $update ) {
 			push @vars, $var;
 		    } else {
 			expand_variables( $val ) unless $val =~ /^'.*'$/;
 		    }
 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
 		    warning_message "Option $var=$val is deprecated"
@@ -5437,14 +5496,19 @@ sub process_shorewall_conf( $$ ) {
    #
    # Now update the config file if asked
    #
-    update_config_file( $annotate ) if $update;
+    if ( $update ) {
-    #
+	update_config_file( $annotate ); 
-    # Config file update requires that the option values not have
+	#
-    # Shell variables expanded. We do that now.
+	# Config file update requires that the option values not have
-    #
+	# Shell variables expanded. We do that now.
-    for ( values  %config ) {
+	#
-	if ( supplied $_ ) {
+	# To handle options like LOG_LEVEL, we process the options
-	    expand_variables( $_ ) unless /^'(.+)'$/;
+	# in the order in which they appear in the .conf file.
 	#
 	for ( @vars ) {
 	    if ( supplied( my $val = $config{$_} ) ) {
 		expand_variables( $config{$_} ) unless $val =~ /^'.*'$/;
 	    }
 	}
    }
 }
@@ -6273,6 +6337,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
    default_yes_no 'AUTOMAKE'                   , '';
    default_yes_no 'TRACK_PROVIDERS'            , '';
    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
    unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6289,6 +6354,8 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
    }
    my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
 	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
@@ -6329,6 +6396,9 @@ sub get_configuration( $$$$ ) {
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 	    $variables{SW_DBL_IPSET}   = $set;
 	    $variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
 	} else {
 	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
@@ -6336,6 +6406,8 @@ sub get_configuration( $$$$ ) {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
    }
    add_variables( %variables );
    default_yes_no 'REQUIRE_INTERFACE'          , '';
    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
    default_yes_no 'COMPLETE'                   , '';
@@ -6433,6 +6505,12 @@ sub get_configuration( $$$$ ) {
    default_log_level 'INVALID_LOG_LEVEL',    '';
    default_log_level 'UNTRACKED_LOG_LEVEL',  '';
    if ( supplied( $val = $config{LOG_LEVEL} ) ) {
 	validate_level( $val );
    } else {
 	$config{LOG_LEVEL} = 'info';
    }
    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
@@ -6601,13 +6679,16 @@ sub get_configuration( $$$$ ) {
    }
    default 'RESTOREFILE'           , 'restore';
-    default 'DROP_DEFAULT'          , 'Drop';
+
-    default 'REJECT_DEFAULT'        , 'Reject';
+    default 'DROP_DEFAULT'          , 'none';
    default 'REJECT_DEFAULT'        , 'none';
    default 'BLACKLIST_DEFAULT'     , 'none';
    default 'QUEUE_DEFAULT'         , 'none';
    default 'NFQUEUE_DEFAULT'       , 'none';
    default 'ACCEPT_DEFAULT'        , 'none';
-    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
+    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
    }
@@ -6793,7 +6874,7 @@ sub generate_aux_config() {
    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
 	conditionally_add_option $option;
    }
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -389,6 +389,8 @@ sub resolve_proto( $ ) {
    my $proto = $_[0];
    my $number;
    $proto =~ s/:.*//;
    if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 255 ? $number : undef;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -127,7 +127,7 @@ sub setup_ecn()
 	}
 	if ( @hosts ) {
-	    my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );
+	    my @interfaces = ( keys %interfaces );
 	    progress_message "$doing ECN control on @interfaces...";
@@ -1297,7 +1297,7 @@ sub setup_mac_lists( $ ) {
 	$maclist_interfaces{ $hostref->[0] } = 1;
    }
-    my @maclist_interfaces = ( sort keys %maclist_interfaces );
+    my @maclist_interfaces = ( keys %maclist_interfaces );
    if ( $phase == 1 ) {
@@ -1618,7 +1618,7 @@ sub handle_loopback_traffic() {
 	    # Handle conntrack rules
 	    #
 	    if ( $notrackref->{referenced} ) {
-		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
@@ -1639,8 +1639,8 @@ sub handle_loopback_traffic() {
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};
-	    for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
+	    for my $typeref ( values %{$source_hosts_ref} ) {
-		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
+		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);
 		    for my $net ( @{$hostref->{hosts}} ) {
@@ -1662,7 +1662,7 @@ sub add_interface_jumps {
    our %input_jump_added;
    our %output_jump_added;
    our %forward_jump_added;
-    my @interfaces = sort grep $_ ne '%vserver%', @_;
+    my @interfaces = grep $_ ne '%vserver%', @_;
    my $dummy;
    my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
    #
@@ -1679,12 +1679,6 @@ sub add_interface_jumps {
 	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
 	if ( have_capability 'RAWPOST_TABLE' ) {
 	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
 	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
 	    insert_ijump ( $raw_table->{OUTPUT},          j => output_chain( $interface ),      0, imatch_dest_dev( $interface) )   if $raw_table->{output_chain $interface};
 	}
 	add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
    }
    #
@@ -1782,7 +1776,7 @@ sub handle_complex_zone( $$ ) {
 	my $type       = $zoneref->{type};
 	my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
-	for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
+	for my $interface ( keys %$source_ref ) {
 	    my $sourcechainref = $filter_table->{forward_chain $interface};
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
@@ -2294,9 +2288,9 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( sort keys %$source_hosts_ref ) {
+	for my $type ( keys %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
-	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
+	    for my $interface ( keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
@@ -2381,9 +2375,9 @@ sub generate_matrix() {
 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
-		for my $type ( sort keys %{$zone1ref->{hosts}} ) {
+		for my $type ( keys %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
-		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
+		    for my $interface ( keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -790,88 +790,39 @@ sub setup_netmap() {
 		my @rule = do_iproto( $proto, $dport, $sport );
-		unless ( $type =~ /:/ ) {
+		my @rulein;
-		    my @rulein;
+		my @ruleout;
 		    my @ruleout;
-		    $net1 = validate_net $net1, 0;
+		$net1 = validate_net $net1, 0;
-		    $net2 = validate_net $net2, 0;
+		$net2 = validate_net $net2, 0;
-		    if ( $interfaceref->{root} ) {
+		if ( $interfaceref->{root} ) {
-			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+		    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-		    } else {
+		} else {
-			@rulein  = imatch_source_dev( $interface );
+		    @rulein  = imatch_source_dev( $interface );
-			@ruleout = imatch_dest_dev( $interface );
+		    @ruleout = imatch_dest_dev( $interface );
-			$interface = $interfaceref->{name};
+		    $interface = $interfaceref->{name};
-		    }
+		}
-		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
+		require_capability 'NETMAP_TARGET', 'Stateful Netmap Entries', '';
-		    if ( $type eq 'DNAT' ) {
+		if ( $type eq 'DNAT' ) {
-			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
+		    dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
-					  j => 'NETMAP' ,
+				      j => 'NETMAP' ,
-					  "--to $net2",
+				      "--to $net2",
-					  $net1 ,
+				      $net1 ,
-					  @rulein  ,
+				      @rulein  ,
-					  imatch_source_net( $net3 ) );
+				      imatch_source_net( $net3 ) );
-		    } elsif ( $type eq 'SNAT' ) {
+		} elsif ( $type eq 'SNAT' ) {
-			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+		    source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
-					   j => 'NETMAP' ,
+				       j => 'NETMAP' ,
-					   "--to $net2" ,
+				       "--to $net2" ,
-					   $net1 ,
+				       $net1 ,
-					   @ruleout ,
+				       @ruleout ,
-					   imatch_dest_net( $net3 ) );
+				       imatch_dest_net( $net3 ) );
 		    } else {
 			fatal_error "Invalid type ($type)";
 		    }
 		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
 		    my ( $target , $chain ) = ( $1, $2 );
 		    my $table = 'raw';
 		    my @match;
 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
 		    $net2 = validate_net $net2, 0;
 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface );
 			$interface = $interfaceref->{name};
 		    }
 		    if ( $chain eq 'P' ) {
 			$chain = prerouting_chain $interface;
 			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
 		    } elsif ( $chain eq 'O' ) {
 			$chain = output_chain $interface;
 		    } else {
 			$chain = postrouting_chain $interface;
 			$table = 'rawpost';
 		    }
 		    my $chainref = ensure_chain( $table, $chain );
 		    if ( $target eq 'DNAT' ) {
 			dest_iexclusion( $chainref ,
 					 j => 'RAWDNAT' ,
 					 "--to-dest $net2" ,
 					 $net1 ,
 					 imatch_source_net( $net3 ) ,
 					 @rule ,
 					 @match
 				       );
 		    } else {
 			source_iexclusion( $chainref ,
 					   j  => 'RAWSNAT' ,
 					   "--to-source $net2" ,
 					   $net1 ,
 					   imatch_dest_net( $net3 ) ,
 					   @rule ,
 					   @match );
 		    }
 		} else {
 		    fatal_error 'TYPE must be specified' if $type eq '-';
-		    fatal_error "Invalid TYPE ($type)";
+		    fatal_error "Invalid type ($type)";
 		}
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -519,11 +519,11 @@ sub process_a_provider( $ ) {
    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
    if ( $pseudo ) {	
-	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
+	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
-	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
+	( 0,      0                       , 0 ,        0,        0,                                  1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
    } else {
-	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
+	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
    }
    unless ( $options eq '-' ) {
@@ -603,19 +603,37 @@ sub process_a_provider( $ ) {
    fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
-    if ( $local ) {
+    unless ( $pseudo ) {
-	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
+	if ( $local ) {
-	fatal_error "'track' not valid with 'local'"           if $track;
+	    fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
-	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
+	    fatal_error "'track' not valid with 'local'"           if $track;
-	fatal_error "'persistent' is not valid with 'local"    if $persistent;
+	    fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
-    } elsif ( $tproxy ) {
+	    fatal_error "'persistent' is not valid with 'local"    if $persistent;
-	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
+	} elsif ( $tproxy ) {
-	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
+	    fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	fatal_error "'track' not valid with 'tproxy'"          if $track;
+	    fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
-	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
+	    fatal_error "'track' not valid with 'tproxy'"          if $track;
-	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
+	    fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
-	fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
+	    fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
-	$mark = $globals{TPROXY_MARK};
+	    fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
 	    $mark = $globals{TPROXY_MARK};
 	} elsif ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) {
 	    if ( $config{USE_DEFAULT_RT} ) {
 		if ( $rf ) {
 		    fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
 		} else {
 		    fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
 		}
 	    } else {
 		unless ( $balance ) {
 		    if ( $rf ) {
 			fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
 		    } else {
 			fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
 		    }
 		}
 	    }
 	}
    }
    my $val = 0;
@@ -1781,7 +1799,7 @@ sub map_provider_to_interface() {
    my $haveoptional;
-    for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
+    for my $providerref ( values %providers ) {
 	if ( $providerref->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
@@ -1945,7 +1963,7 @@ sub compile_updown() {
    }
    my @nonshared = ( grep $providers{$_}->{optional},
-		      sort( { $providers{$a}->{number} <=> $providers{$b}->{number} } values %provider_interfaces ) );
+		      values %provider_interfaces );
    if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
@@ -2140,7 +2158,7 @@ sub handle_optional_interfaces( $ ) {
    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
    # wildcard physical names are also included in the providers table.
    #
-    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
+    for my $providerref ( grep $_->{optional} , values %providers ) {
 	push @interfaces, $providerref->{interface};
 	$wildcards ||= $providerref->{wildcard};
    }
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -154,7 +154,7 @@ sub setup_proxy_arp() {
 	emit '';
-	for my $interface ( sort keys %reset ) {
+	for my $interface ( keys %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -163,7 +163,7 @@ sub setup_proxy_arp() {
 	    }
 	}
-	for my $interface ( sort keys %set ) {
+	for my $interface ( keys %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -122,7 +122,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
 	}
-	my ( $tgt, $options ) = split( ' ', $2 );
+	my ( $tgt, $options ) = split( ' ', $2, 2 );
 	my $target_type = $builtin_target{$tgt};
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -138,14 +138,12 @@ our %section_rmap = ( ALL_SECTION ,        'ALL',
 our @policy_chains;
-our %default_actions;
+our %policy_actions;
 our %macros;
 our $family;
 our @builtins;
 #
 # Commands that can be embedded in a basic rule and how many total tokens on the line (0 => unlimited).
 #
@@ -233,6 +231,7 @@ use constant { INLINE_OPT           => 1 ,
 	       TERMINATING_OPT      => 256 ,
 	       AUDIT_OPT            => 512 ,
 	       LOGJUMP_OPT          => 1024 ,
 	       SECTION_OPT          => 2048 ,
 };
 our %options = ( inline      => INLINE_OPT ,
@@ -246,6 +245,7 @@ our %options = ( inline      => INLINE_OPT ,
 		 terminating => TERMINATING_OPT ,
 		 audit       => AUDIT_OPT ,
 		 logjump     => LOGJUMP_OPT ,
 		 section     => SECTION_OPT ,
    );
 our %reject_options;
@@ -309,11 +309,14 @@ sub initialize( $ ) {
    # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
    # in the %config hash when shorewall[6].conf was processed.
    #
-    %default_actions  = ( DROP     => 'none' ,
+    %policy_actions  = ( DROP	    => [] ,
-		 	  REJECT   => 'none' ,
+			 REJECT    => [] ,
-			  ACCEPT   => 'none' ,
+			 BLACKLIST => [] ,
-			  QUEUE    => 'none' ,
+			 ACCEPT    => [] ,
-			  NFQUEUE  => 'none' ,
+			 QUEUE	   => [] ,
 			 NFQUEUE   => [] ,
 			 CONTINUE  => [] ,
 			 NONE      => [] ,
 			);
    #
    # These are set to 1 as sections are encountered.
@@ -347,7 +350,7 @@ sub initialize( $ ) {
    #
    $macro_nest_level  = 0;
    #
-    # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
+    # All actions mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
    #
    %actions           = ();
    #
@@ -358,7 +361,6 @@ sub initialize( $ ) {
    @columns           = ( ( '-' ) x LAST_COLUMN, 0 );
    if ( $family == F_IPV4 ) {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
 	%reject_options = ( 'icmp-net-unreachable'   => 1,
 			    'icmp-host-unreachable'  => 1,
 			    'icmp-port-unreachable'  => 1,
@@ -367,10 +369,10 @@ sub initialize( $ ) {
 			    'icmp-host-prohibited'   => 1,
 			    'icmp-admin-prohibited'  => 1,
 			    'icmp-tcp-reset'         => 2,
 			    'tcp-reset'              => 2,
 	                  );
    } else {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn/;
 	%reject_options = ( 'icmp6-no-route'         => 1,
 			    'no-route'               => 1,
 			    'icmp6-adm-prohibited'   => 1,
@@ -427,6 +429,7 @@ sub convert_to_policy_chain($$$$$$)
    $chainref->{audit}       = $audit;
    $chainref->{policychain} = $chainref->{name};
    $chainref->{policypair}  = [ $source, $dest ];
    $chainref->{pactions}    = [];
 }
 #
@@ -476,7 +479,7 @@ sub set_policy_chain($$$$$$)
 		$chainref->{synchain}    = $polchainref->{synchain};
 	    }
-	    $chainref->{default}     = $polchainref->{default} if defined $polchainref->{default};
+	    $chainref->{pactions}    = $polchainref->{pactions} || [];
 	    $chainref->{is_policy}   = 1;
 	    push @policy_chains, $chainref;
 	} else {
@@ -525,12 +528,12 @@ sub normalize_action( $$$ );
 sub normalize_action_name( $ );
 sub normalize_single_action( $ );
-sub process_default_action( $$$$ ) {
+sub process_policy_action( $$$$ ) {
-    my ( $originalpolicy, $policy, $default, $level ) = @_;
+    my ( $originalpolicy, $policy, $paction, $level ) = @_;
-    if ( supplied $default ) {
+    if ( supplied $paction ) {
-	my $default_option = ( $policy =~ /_DEFAULT$/ );
+	my $paction_option = ( $policy =~ /_DEFAULT$/ );
-	my ( $def, $param ) = get_target_param( $default );
+	my ( $act, $param ) = get_target_param( $paction );
 	if ( supplied $level ) {
 	    validate_level( $level );
@@ -538,35 +541,49 @@ sub process_default_action( $$$$ ) {
 	    $level = 'none';
 	}
-	if ( "\L$default" eq 'none' ) {
+	if ( ( $targets{$act} || 0 ) & ACTION ) {
-	    if ( supplied $param || ( supplied $level && $level ne 'none' ) ) {
+	    $paction = supplied $param  ? normalize_action( $act, $level, $param  ) :
-		if ( $default_option ) {
+		       $level eq 'none' ? normalize_action_name $act :
-		    fatal_error "Invalid setting ($originalpolicy) for $policy";
+		       normalize_action( $act, $level, '' );
-		} else {
+	} elsif ( ( $targets{$act} || 0 ) == INLINE ) {
-		    fatal_error "Invalid policy ($originalpolicy)";
+	    $paction = $act;
-		}
+	    $paction = "$act($param)" if supplied $param;
-	    }
+	    $paction = join( ':', $paction, $level ) if $level ne 'none';
-
+	} elsif ( $paction_option ) {
-	    $default = 'none';
+	    fatal_error "Unknown Action ($paction) in $policy setting";
 	} elsif ( ( $targets{$def} || 0 ) == ACTION ) {
 	    $default = supplied $param  ? normalize_action( $def, $level, $param  ) :
 		       $level eq 'none' ? normalize_action_name $def :
 		       normalize_action( $def, $level, '' );
 	} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
 	    $default = $def;
 	    $default = "$def($param)" if supplied $param;
 	    $default = join( ':', $default, $level ) if $level ne 'none';
 	} elsif ( $default_option ) {
 	    fatal_error "Unknown Action ($default) in $policy setting";
 	} else {
-	    fatal_error "Unknown Default Action ($default)";
+	    fatal_error "Unknown Policy Action ($paction)";
 	}
    } else {
-	$default = $default_actions{$policy} || 'none';
+	$paction = $policy_actions{$policy};
    }
-    $default;
+    $paction;
 }
 sub process_policy_actions( $$$ ) {
    my ( $originalpolicy, $policy, $pactions ) = @_;
    if ( supplied $pactions ) {
 	my @pactions;
 	if ( lc $pactions ne 'none' ) {
 	    @pactions = @{$policy_actions{$policy}} if $pactions =~ s/^\+//;
 	    for my $paction ( split_list3( $pactions, 'Policy Action' ) ) {
 		my ( $action, $level, $remainder ) = split( /:/, $paction, 3 );
 		fatal_error "Invalid policy action ($paction:$level:$remainder)" if defined $remainder;
 		push @pactions, process_policy_action( $originalpolicy, $policy, $action, $level );
 	    }
 	}
 	\@pactions;
    } else {
 	$policy_actions{$policy};
    }
 }
 #
@@ -654,12 +671,10 @@ sub process_a_policy1($$$$$$$) {
    require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
-    my ( $policy, $default, $level, undef, $remainder ) = split( /:/, $originalpolicy, ACTION_TUPLE_ELEMENTS );
+    my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
    fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
    fatal_error "Invalid default action ($default:$level:$remainder)" if defined $remainder;
    ( $policy , my $queue ) = get_target_param $policy;
    fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
@@ -668,7 +683,7 @@ sub process_a_policy1($$$$$$$) {
 	fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
    }
-    $default = process_default_action( $originalpolicy, $policy, $default, $level );
+    my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
    if ( defined $queue ) {
 	$policy = handle_nfqueue( $queue,
@@ -679,6 +694,8 @@ sub process_a_policy1($$$$$$$) {
 	    if $clientwild || $serverwild;
 	fatal_error "NONE policy not allowed to/from firewall zone"
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
    } elsif ( $policy eq 'BLACKLIST' ) {
 	fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
    }
    unless ( $clientwild || $serverwild ) {
@@ -723,11 +740,8 @@ sub process_a_policy1($$$$$$$) {
 	$chainref->{synchain}  = $chain
    }
-    assert( $default );
+    $chainref->{pactions} = $pactionref;
-    my $chainref1 = $usedactions{$default};
+    $chainref->{origin}   = shortlineinfo('');
    $chainref->{default} = $chainref1 ? $chainref1->{name} : $default;
    $chainref->{origin} = shortlineinfo('');
    if ( $clientwild ) {
 	if ( $serverwild ) {
@@ -760,7 +774,11 @@ sub process_a_policy() {
    our @zonelist;
    my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
-	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
+	split_line2( 'policy file',
 		     { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, rate => 4, connlimit => 5 } ,
 		     {} , # nopad
 		     6  , # maxcolumns
 		    );
    $loglevel  = '' if $loglevel  eq '-';
    $synparams = '' if $synparams eq '-';
@@ -817,33 +835,35 @@ sub process_policies()
    our %validpolicies = (
 			  ACCEPT => undef,
 			  REJECT => undef,
-			  DROP   => undef,
+			  DROP	 => undef,
 			  CONTINUE => undef,
 			  BLACKLIST => undef,
 			  QUEUE => undef,
 			  NFQUEUE => undef,
 			  NONE => undef
 			  );
-    our %map = ( DROP_DEFAULT    => 'DROP' ,
+    our %map = ( DROP_DEFAULT      => 'DROP' ,
-		 REJECT_DEFAULT  => 'REJECT' ,
+		 REJECT_DEFAULT    => 'REJECT' ,
-		 ACCEPT_DEFAULT  => 'ACCEPT' ,
+		 BLACKLIST_DEFAULT => 'BLACKLIST' ,
-		 QUEUE_DEFAULT   => 'QUEUE' ,
+		 ACCEPT_DEFAULT    => 'ACCEPT' ,
-		 NFQUEUE_DEFAULT => 'NFQUEUE' );
+		 QUEUE_DEFAULT     => 'QUEUE' ,
 		 NFQUEUE_DEFAULT   => 'NFQUEUE' );
    my $zone;
    my $firewall = firewall_zone;
    our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
-    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
+    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
-	my $action = $config{$option};
+	my $actions = $config{$option};
-	unless ( $action eq 'none' ) {
+	if ( $actions eq 'none' ) {
-	    my ( $default, $level, $remainder ) = split( /:/, $action, 3 );
+	    $actions = [];
-	    fatal_error "Invalid setting ( $action ) for $option" if supplied $remainder;
+	} else {
-	    $action = process_default_action( $action, $option, $default, $level );
+	    $actions = process_policy_actions( $actions, $option, $actions );
 	}
-	$default_actions{$map{$option}} = $action;
+	$policy_actions{$map{$option}} = $actions;
    }
    for $zone ( all_zones ) {
@@ -903,31 +923,36 @@ sub process_policies()
 sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
 sub add_policy_rules( $$$$$ ) {
-    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
+    my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
    unless ( $target eq 'NONE' ) {
 	my @pactions;
 	@pactions = @$pactions;
 	add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
-	if ( $default && $default ne 'none' ) {
+	for my $paction ( @pactions ) {
-	    my ( $action ) = split ':', $default;
+	    my ( $action ) = split ':', $paction;
-	    if ( ( $targets{$action} || 0 ) == ACTION ) {
+	    if ( ( $targets{$action} || 0 ) & ACTION ) {
 		#
 		# Default action is a regular action -- jump to the action chain
 		#
-		add_ijump $chainref, j => use_policy_action( $default, $chainref->{name} );
+		add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
 	    } else {
 		#
 		# Default action is an inline 
 		#
 		( undef, my $level )   = split /:/, $paction, 2;
 		( $action, my $param ) = get_target_param( $action );
 		process_inline( $action,      #Inline
 				$chainref,    #Chain
 				'',           #Matches
 				'',           #Matches1
-				$loglevel,    #Log Level and Tag
+				$level || '', #Log Level and Tag
-				$default,     #Target
+				$paction,     #Target
 				$param || '', #Param
 				'-',          #Source
 				'-',          #Dest
@@ -951,7 +976,20 @@ sub add_policy_rules( $$$$$ ) {
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
-	add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
+	if ( $target eq 'BLACKLIST' ) {
 	    my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
 	    if ( my $timeout = $globals{DBL_TIMEOUT} ) {
 		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $timeout" );
 	    } else {
 		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist" );
 	    }
 	    $target = 'DROP';
 	} else {
 	    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
 	}
 	add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
    }
 }
@@ -967,27 +1005,26 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
    my $chainref   = $_[0];
    my $policyref  = $filter_table->{$chainref->{policychain}};
    my $synparams  = $policyref->{synparams};
-    my $default    = $policyref->{default};
+    my $defaults   = $policyref->{pactions};
    my $policy     = $policyref->{policy};
    my $loglevel   = $policyref->{loglevel};
    assert( $policyref );
    if ( $chainref eq $policyref ) {
-	add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+	add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
    } else {
 	if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
 	    if ( $synparams ) {
 		report_syn_flood_protection;
-		add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+		add_policy_rules $chainref , $policy , $loglevel , $defaults, $config{MULTICAST};
 	    } else {
 		add_ijump $chainref,  g => $policyref;
 		$chainref = $policyref;
 		add_policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
-	    add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+	    add_policy_rules $chainref , $policy , $loglevel , $defaults, $config{MULTICAST};
 	} else {
 	    report_syn_flood_protection if $synparams;
 	    add_ijump $chainref , g => $policyref;
@@ -1010,7 +1047,7 @@ sub complete_policy_chains() {
 	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
-	    my $default     = $chainref->{default};
+	    my $defaults    = $chainref->{pactions};
 	    my $name        = $chainref->{name};
 	    my $synparms    = $chainref->{synparms};
@@ -1022,7 +1059,7 @@ sub complete_policy_chains() {
 		    # is a single jump. Generate_matrix() will just use the policy target when
 		    # needed.
 		    #
-		    ensure_rules_chain $name if ( $default ne 'none' ||
+		    ensure_rules_chain $name if ( @$defaults         ||
 						  $loglevel          ||
 						  $synparms          ||
 						  $config{MULTICAST} ||
@@ -1033,7 +1070,7 @@ sub complete_policy_chains() {
 	    }
 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
-		add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+		add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
 	    }
 	}
    }
@@ -1062,20 +1099,18 @@ sub complete_standard_chain ( $$$$ ) {
    my ( $stdchainref, $zone, $zone2, $default ) = @_;
    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
-    my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
+    my ( $policy, $loglevel ) = ( $default , 6 );
    my $policy_actions = $policy_actions{$policy};
    my $policychainref;
    $policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
    if ( $policychainref ) {
-	( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' };
+	( $policy, $loglevel, $policy_actions ) = @{$policychainref}{'policy', 'loglevel', 'pactions' };
 	$stdchainref->{origin} = $policychainref->{origin};
    } elsif ( $defaultaction !~ /:/ ) {
 	$defaultaction = normalize_single_action( $defaultaction );
    }
-
+    add_policy_rules $stdchainref , $policy , $loglevel, $policy_actions, 0;
    add_policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }
 #
@@ -1671,177 +1706,6 @@ sub map_old_actions( $ ) {
    }
 }
 #
 # The following small functions generate rules for the builtin actions of the same name
 #
 sub dropBcast( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
    my $target = require_audit ( 'DROP', $audit );
    if ( have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
 	    if ( $family == F_IPV4 ) {
 		log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' );
 	    } else {
 		log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST );
 	    }
 	}
 	add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
    } else {
 	if ( $family == F_IPV4 ) {
 	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
 	} else {
 	    add_commands $chainref, 'for address in $ALL_ACASTS; do';
 	}
 	incr_cmd_level $chainref;
 	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '$address' ) if $level ne '';
 	add_ijump $chainref, j => $target, d => '$address';
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
    }
    if ( $family == F_IPV4 ) {
 	log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
    } else {
 	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
    }
 }
 sub allowBcast( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
    my $target = require_audit( 'ACCEPT', $audit );
    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
 	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' );
 	}
 	add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
    } else {
 	if ( $family == F_IPV4 ) {
 	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
 	} else {
 	    add_commands $chainref, 'for address in $ALL_MACASTS; do';
 	}
 	incr_cmd_level $chainref;
 	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '$address' ) if $level ne '';
 	add_ijump $chainref, j => $target, d => '$address';
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
    }
    if ( $family == F_IPV4 ) {
 	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
    } else {
 	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
    }
 }
 sub dropNotSyn ( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
    my $target = require_audit( 'DROP', $audit );
    log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
    add_ijump $chainref , j => $target, p => '6 ! --syn';
 }
 sub rejNotSyn ( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
    warning_message "rejNotSyn is deprecated in favor of NotSyn(REJECT)";
    my $target = 'REJECT --reject-with tcp-reset';
    if ( supplied $audit ) {
 	$target = require_audit( 'REJECT' , $audit );
    }
    log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
    add_ijump $chainref , j => $target, p => '6 ! --syn';
 }
 sub forwardUPnP ( $$$$ ) {
    my $chainref = set_optflags( 'forwardUPnP', DONT_OPTIMIZE );
    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }
 sub allowinUPnP ( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
    my $target = require_audit( 'ACCEPT', $audit );
    if ( $level ne '' ) {
 	log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '17 --dport 1900' );
 	log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '6 --dport 49152' );
    }
    add_ijump $chainref, j => $target, p => '17 --dport 1900';
    add_ijump $chainref, j => $target, p => '6 --dport 49152';
 }
 sub Limit( $$$$ ) {
    my ($chainref, $level, $tag, $param ) = @_;
    my @param;
    if ( $param ) {
 	@param = split /,/, $param;
    } else {
 	@param = split /,/, $tag;
 	$tag = '';
    }
    fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
    my $set   = $param[0];
    for ( @param[1,2] ) {
 	fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
    }
    my $count = $param[1] + 1;
    require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
    warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
    add_irule $chainref, recent => "--name $set --set";
    if ( $level ne '' ) {
 	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
 	log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' );
 	add_ijump $xchainref, j => 'DROP';
 	add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
    } else {
 	add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
    }
    add_ijump $chainref, j => 'ACCEPT';
 }
 my %builtinops = ( 'dropBcast'      => \&dropBcast,
 		   'allowBcast'     => \&allowBcast,
 		   'dropNotSyn'     => \&dropNotSyn,
 		   'rejNotSyn'      => \&rejNotSyn,
 		   'allowinUPnP'    => \&allowinUPnP,
 		   'forwardUPnP'    => \&forwardUPnP,
 		   'Limit'          => \&Limit,
 		 );
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
 sub process_snat1( $$$$$$$$$$$$ );
@@ -1863,12 +1727,6 @@ sub process_action(\$\$$) {
    my $actionref = $actions{$action};
    my $matches   = fetch_inline_matches;
    if ( $type & BUILTIN ) {
 	$level = '' if $level =~ /none!?/;
 	$builtinops{$action}->( $chainref, $level, $tag, $param );
 	return 0;
    }
    if ( $type & MANGLE_TABLE ) {
 	fatal_error "Action $action may only be used in the mangle file" unless $chainref->{table} eq 'mangle';
    } else {
@@ -1879,12 +1737,12 @@ sub process_action(\$\$$) {
    progress_message2 "$doing $actionfile for chain $chainref->{name}...";
    push_open $actionfile, 2, 1, undef, 2;
    my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
    my $options = $actionref->{options};
    my $nolog = $options & ( NOLOG_OPT | LOGJUMP_OPT );
    push_open $actionfile, 2, 1, undef, 2;
    setup_audit_action( $action ) if $options & AUDIT_OPT;
    $active{$action}++;
@@ -2141,7 +1999,6 @@ sub process_action(\$\$$) {
 #
 # This function is called prior to processing of the policy file. It:
 #
 # - Adds the builtin actions to the target table
 # - Reads actions.std and actions (in that order) and for each entry:
 #   o Adds the action to the target table
 #   o Verifies that the corresponding action file exists
@@ -2150,10 +2007,6 @@ sub process_action(\$\$$) {
 sub process_actions() {
    progress_message2 "Locating Action Files...";
    #
    # Add built-in actions to the target table and create those actions
    #
    $targets{$_} = new_action( $_ , ACTION + BUILTIN, NOINLINE_OPT, '' , '' ) for @builtins;
    for my $file ( qw/actions.std actions/ ) {
 	open_file( $file, 2 );
@@ -2718,7 +2571,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    #
    # Determine the validity of the action
    #
-    $actiontype = ( $targets{$basictarget} || find_macro ( $basictarget ) );
+    $actiontype = $targets{$basictarget} || find_macro( $basictarget );
    if ( $config{ MAPOLDACTIONS } ) {
 	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
@@ -2866,6 +2719,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 			  # tcp-reset
 			  #
 			  fatal_error "tcp-reset may only be used with PROTO tcp" unless ( resolve_proto( $proto ) || 0 ) == TCP;
 			  $exceptionrule = '-p 6 ';
 			  $param = 'tcp-reset';
 		      }
 		      $action = "REJECT --reject-with $param";
@@ -2893,7 +2748,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IPTABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -2906,7 +2761,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      IP6TABLES => sub {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
-		      my ( $tgt, $options ) = split / /, $param;
+		      my ( $tgt, $options ) = split / /, $param, 2;
 		      my $target_type = $builtin_target{$tgt};
 		      fatal_error "Unknown target ($tgt)" unless $target_type;
 		      fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
@@ -3126,6 +2981,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $actionchain; # Name of the action chain
    if ( $actiontype & ACTION ) {
 	#
 	# Handle 'section' option
 	#
 	$param = supplied $param ? join( ',' , $section_rmap{$section}, $param ) : $section_rmap{$section} if $actions{$basictarget}{options} & SECTION_OPT;
 	#
 	# Create the action:level:tag:param tuple.
 	#
@@ -4510,7 +4369,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IPTABLES)" unless $family == F_IPV4;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -4526,7 +4385,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    maxparams      => 1,
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IP6TABLES)" unless $family == F_IPV6;
-		my ( $tgt,  $options ) = split( ' ', $params );
+		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
@@ -4965,6 +4824,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		     do_dscp( $dscp ) .
 		     state_match( $state ) .
 		     do_time( $time ) .
 		     do_condition( $condition, $chainref->{name} ) .
 		     ( $ttl ? "-t $ttl " : '' ) .
 		     $raw_matches ,
 		     $source ,
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1924,7 +1924,7 @@ sub process_traffic_shaping() {
 			my ( $options, $redopts ) = ( '', $tcref->{redopts} );
-			for my $option ( sort keys %validredoptions ) {
+			for my $option ( keys %validredoptions ) {
 			    my $type = $validredoptions{$option};
 			    if ( my $value = $redopts->{$option} ) {
@@ -1943,7 +1943,7 @@ sub process_traffic_shaping() {
 			my ( $options, $codelopts ) = ( '', $tcref->{codelopts} );
-			for my $option ( sort keys %validcodeloptions ) {
+			for my $option ( keys %validcodeloptions ) {
 			    my $type = $validcodeloptions{$option};
 			    if ( my $value = $codelopts->{$option} ) {
@@ -2312,9 +2312,10 @@ EOF
 EOF
 	}
 	return ( $mangle, $fn1 );
    }
    return ( $mangle, $fn1 );
 }
 #
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -713,10 +713,10 @@ sub zone_report()
 	my $printed = 0;
 	if ( $hostref ) {
-	    for my $type ( sort keys %$hostref ) {
+	    for my $type ( keys %$hostref ) {
 		my $interfaceref = $hostref->{$type};
-		for my $interface ( sort keys %$interfaceref ) {
+		for my $interface ( keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
@@ -766,10 +766,10 @@ sub dump_zone_contents() {
 	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};
 	if ( $hostref ) {
-	    for my $type ( sort keys %$hostref ) {
+	    for my $type ( keys %$hostref ) {
 		my $interfaceref = $hostref->{$type};
-		for my $interface ( sort keys %$interfaceref ) {
+		for my $interface ( keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
@@ -1275,6 +1275,7 @@ sub process_interface( $$ ) {
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
 		$options{logmartians} = 1 if $option eq 'routefilter' && $numval && ! $config{LOG_MARTIANS};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
@@ -2218,9 +2219,9 @@ sub find_hosts_by_option( $ ) {
    }
    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
+	for my $type (keys %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( sort keys %$interfaceref ) {
+	    for my $interface ( keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec  = $host->{ipsec};
@@ -2248,9 +2249,9 @@ sub find_zone_hosts_by_option( $$ ) {
    my @hosts;
    unless ( $zones{$zone}{type} & FIREWALL ) {
-	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
+	for my $type (keys %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( sort keys %$interfaceref ) {
+	    for my $interface ( keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -349,7 +349,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 	case "$default_route" in
 	    *metric*)
 	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes or =Exact. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=
@@ -526,13 +526,6 @@ debug_restore_input() {
 	qt1 $g_tool -t raw -P $chain ACCEPT
    done
    qt1 $g_tool -t rawpost -F
    qt1 $g_tool -t rawpost    -X
    for chain in POSTROUTING; do
 	qt1 $g_tool -t rawpost -P $chain ACCEPT
    done
    qt1 $g_tool -t nat    -F
    qt1 $g_tool -t nat    -X
@@ -582,9 +575,6 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
 	    '*'rawpost)
 		table=rawpost
 		;;
 	    '*'mangle)
 		table=mangle
 		;;
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -130,6 +130,8 @@ g_docker=
 g_dockernetwork=
 g_forcereload=
 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
 initialize
 if [ -n "$STARTUP_LOG" ]; then
--- a/Shorewall/Samples/Universal/params
+++ b/Shorewall/Samples/Universal/params
@@ -0,0 +1,13 @@
 #
 # Shorewall - Sample Params File for universal configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
--- a/Shorewall/Samples/Universal/policy
+++ b/Shorewall/Samples/Universal/policy
@@ -7,7 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
+#SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT
 #				LEVEL	BURST		MASK
 $FW	net	ACCEPT
-net	all	DROP
+net	all	DROP		$LOG_LEVEL
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -33,6 +33,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 LOG_LEVEL="info"
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -53,19 +55,19 @@ LOGTAGONLY=No
 LOGLIMIT="s:1/sec:10"
-MACLIST_LOG_LEVEL=info
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL=info
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
-SFILTER_LOG_LEVEL=info
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
-SMURF_LOG_LEVEL=info
+SMURF_LOG_LEVEL="$LOG_LEVEL"
 STARTUP_LOG=/var/log/shorewall-init.log
-TCP_FLAGS_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 UNTRACKED_LOG_LEVEL=
@@ -108,10 +110,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -140,6 +143,8 @@ AUTOHELPERS=Yes
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
--- a/Shorewall/Samples/one-interface/params
+++ b/Shorewall/Samples/one-interface/params
@@ -0,0 +1,13 @@
 #
 # Shorewall - Sample Params File for one-interface configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
--- a/Shorewall/Samples/one-interface/policy
+++ b/Shorewall/Samples/one-interface/policy
@@ -11,8 +11,8 @@
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
-$FW		net		ACCEPT
+$FW	net		ACCEPT
-net		all		DROP		info
+net	all		DROP		$LOG_LEVEL
 # The FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		info
+all	all		REJECT		$LOG_LEVEL
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -44,6 +44,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -64,19 +66,19 @@ LOGTAGONLY=No
 LOGLIMIT="s:1/sec:10"
-MACLIST_LOG_LEVEL=info
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL=info
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
-SFILTER_LOG_LEVEL=info
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
-SMURF_LOG_LEVEL=info
+SMURF_LOG_LEVEL="$LOG_LEVEL"
 STARTUP_LOG=/var/log/shorewall-init.log
-TCP_FLAGS_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 UNTRACKED_LOG_LEVEL=
@@ -119,10 +121,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -151,6 +154,8 @@ AUTOHELPERS=Yes
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
--- a/Shorewall/Samples/three-interfaces/params
+++ b/Shorewall/Samples/three-interfaces/params
@@ -0,0 +1,13 @@
 #
 # Shorewall - Sample Params File for three-interface configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
--- a/Shorewall/Samples/three-interfaces/policy
+++ b/Shorewall/Samples/three-interfaces/policy
@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
-loc		net		ACCEPT
+loc	net		ACCEPT
-net		all		DROP		info
+net	all		DROP		$LOG_LEVEL
 # THE FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		info
+all	all		REJECT		$LOG_LEVEL
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -41,6 +41,8 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 LOG_LEVEL="info"
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -61,19 +63,19 @@ LOGTAGONLY=No
 LOGLIMIT="s:1/sec:10"
-MACLIST_LOG_LEVEL=info
+MACLIST_LOG_LEVEL="$LOG_LEVEL"
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL=info
+RPFILTER_LOG_LEVEL="$LOG_LEVEL"
-SFILTER_LOG_LEVEL=info
+SFILTER_LOG_LEVEL="$LOG_LEVEL"
-SMURF_LOG_LEVEL=info
+SMURF_LOG_LEVEL="$LOG_LEVEL"
 STARTUP_LOG=/var/log/shorewall-init.log
-TCP_FLAGS_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 UNTRACKED_LOG_LEVEL=
@@ -116,10 +118,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -148,6 +151,8 @@ AUTOHELPERS=Yes
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
--- a/Shorewall/Samples/two-interfaces/params
+++ b/Shorewall/Samples/two-interfaces/params
@@ -0,0 +1,13 @@
 #
 # Shorewall - Sample Params File for two-interface configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
--- a/Show More
+++ b/Show More