Correct indentation

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correct typo in lib.private
2016-10-09 11:13:01 -07:00 · 2016-10-09 10:59:00 -07:00 · 2016-10-03 11:23:51 -07:00 · 2016-10-03 09:51:50 -07:00 · 2016-10-03 09:09:57 -07:00
163 changed files with 8873 additions and 8263 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -365,12 +365,6 @@ fi
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
 #
-# Install the CLI
-#
-install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
-echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
-#
 # Install wait4ifup
 #
 install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
@@ -386,31 +380,6 @@ for f in lib.* ; do
    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done

-if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
-fi
-
-#
-# Install the Man Pages
-#
-if [ -n "$MANDIR" ]; then
-    cd manpages
-
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
-
-    for f in *.8; do
-	gzip -9c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
-	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
-    done
-
-    cd ..
-
-    echo "Man Pages Installed"
-fi
-
 #
 # Symbolically link 'functions' to lib.base
 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -20,22 +20,412 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-# This library is a compatibility wrapper around lib.core.
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
 #

-if [ -z "$PRODUCT" ]; then
+SHOREWALL_LIBVERSION=40509
+
+[ -n "${g_program:=shorewall}" ]
+
+if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} != /usr/share
    #
    . /usr/share/shorewall/shorewallrc

-    g_basedir=${SHAREDIR}/shorewall
+    g_sharedir="$SHAREDIR"/$g_program
+    g_confdir="$CONFDIR"/$g_program
+    g_readrc=1
+fi

-    if [ -z "$SHOREWALL_LIBVERSION" ]; then
-	. ${g_basedir}/lib.core
+g_basedir=${SHAREDIR}/shorewall
+
+case $g_program in
+    shorewall)
+	g_product="Shorewall"
+	g_family=4
+	g_tool=iptables
+	g_lite=
+	;;
+    shorewall6)
+	g_product="Shorewall6"
+	g_family=6
+	g_tool=ip6tables
+	g_lite=
+	;;
+    shorewall-lite)
+	g_product="Shorewall Lite"
+	g_family=4
+	g_tool=iptables
+	g_lite=Yes
+	;;
+    shorewall6-lite)
+	g_product="Shorewall6 Lite"
+	g_family=6
+	g_tool=ip6tables
+	g_lite=Yes
+	;;
+esac
+
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/$g_program
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+fi
+
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
+#
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 6
+}
+
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message2() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message3() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+#
+# Undo the effect of 'separate_list()'
+#
+combine_list()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o,}$f"
+    done
+
+    echo $o
+}
+
+#
+# Validate an IP address
+#
+valid_address() {
+    local x
+    local y
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	case $x in
+	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
+		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
+                ;;
+	    *)
+	        IFS=$ifs
+		return 2
+		;;
+	esac
+    done
+
+    IFS=$ifs
+
+    return 0
+}
+
+#
+# Miserable Hack to work around broken BusyBox ash in OpenWRT
+#
+addr_comp() {
+    test $(bc <<EOF
+$1 > $2
+EOF
+) -eq 1
+
+}
+
+#
+# Enumerate the members of an IP range -- When using a shell supporting only
+# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
+#
+# Comes in two flavors:
+#
+# ip_range() - produces a mimimal list of network/host addresses that spans
+#              the range.
+#
+# ip_range_explicit() - explicitly enumerates the range.
+#
+ip_range() {
+    local first
+    local last
+    local l
+    local x
+    local y
+    local z
+    local vlsm
+
+    case $1 in
+	!*)
+	    #
+	    # Let iptables complain if it's a range
+	    #
+	    echo $1
+	    return
+	    ;;
+	[0-9]*.*.*.*-*.*.*.*)
+            ;;
+	*)
+	    echo $1
+	    return
+	    ;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
    fi

-    set_default_product
+    l=$(( $last + 1 ))

-    setup_product_environment
-fi
+    while addr_comp $l $first; do
+	vlsm=
+	x=31
+	y=2
+	z=1
+
+	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
+	    vlsm=/$x
+	    x=$(( $x - 1 ))
+	    z=$y
+	    y=$(( $y * 2 ))
+	done
+
+	echo $(encodeaddr $first)$vlsm
+	first=$(($first + $z))
+    done
+}
+
+ip_range_explicit() {
+    local first
+    local last
+
+    case $1 in
+    [0-9]*.*.*.*-*.*.*.*)
+	;;
+    *)
+	echo $1
+	return
+	;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
+    fi
+
+    while ! addr_comp $first $last; do
+	echo $(encodeaddr $first)
+	first=$(($first + 1))
+    done
+}
+
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+
+#
+# Netmask to VLSM
+#
+ip_vlsm() {
+    local mask
+    mask=$(decodeaddr $1)
+    local vlsm
+    vlsm=0
+    local x
+    x=$(( 128 << 24 )) # 0x80000000
+
+    while [ $(( $x & $mask )) -ne 0 ]; do
+	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
+	vlsm=$(($vlsm + 1))
+    done
+
+    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
+	echo "Invalid net mask: $1" >&2
+    else
+	echo $vlsm
+    fi
+}
+
+#
+# Set default config path
+#
+ensure_config_path() {
+    local F
+    F=${g_sharedir}/configpath
+    if [ -z "$CONFIG_PATH" ]; then
+	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
+	. $F
+    fi
+
+    if [ -n "$g_shorewalldir" ]; then
+	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+    fi
+}
+
+#
+# Get fully-qualified name of file
+#
+resolve_file() # $1 = file name
+{
+    local pwd
+    pwd=$PWD
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	.)
+	    echo $pwd
+	    ;;
+	./*)
+	    echo ${pwd}${1#.}
+	    ;;
+	..)
+	    cd ..
+	    echo $PWD
+	    cd $pwd
+	    ;;
+	../*)
+	    cd ..
+	    resolve_file ${1#../}
+	    cd $pwd
+	    ;;
+	*)
+	    echo $pwd/$1
+	    ;;
+    esac
+}
+
+#
+# Determine how to do "echo -e"
+#
+
+find_echo() {
+    local result
+
+    result=$(echo "a\tb")
+    [ ${#result} -eq 3 ] && { echo echo; return; }
+
+    result=$(echo -e "a\tb")
+    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
+
+    result=$(which echo)
+    [ -n "$result" ] && { echo "$result -e"; return; }
+
+    echo echo
+}
+
+# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
+#
+#     None - No mktemp
+#     BSD  - BSD mktemp (Mandrake)
+#     STD  - mktemp.org mktemp
+#
+find_mktemp() {
+    local mktemp
+    mktemp=`mywhich mktemp 2> /dev/null`
+
+    if [ -n "$mktemp" ]; then
+	if qt mktemp -V ; then
+	    MKTEMP=STD
+	else
+	    MKTEMP=BSD
+	fi
+    else
+	MKTEMP=None
+    fi
+}
+
+#
+# create a temporary file. If a directory name is passed, the file will be created in
+# that directory. Otherwise, it will be created in a temporary directory.
+#
+mktempfile() {
+
+    [ -z "$MKTEMP" ] && find_mktemp
+
+    if [ $# -gt 0 ]; then
+	case "$MKTEMP" in
+	    BSD)
+		mktemp $1/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -p $1 shorewall.XXXXXX
+		;;
+	    None)
+		> $1/shorewall-$$ && echo $1/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    else
+	case "$MKTEMP" in
+	    BSD)
+		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -t shorewall.XXXXXX
+		;;
+	    None)
+		rm -f ${TMPDIR:-/tmp}/shorewall-$$
+		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    fi
+}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,18 +25,22 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=50100
+SHOREWALL_CAPVERSION=50004

-if [ -z "$g_basedir" ]; then
+[ -n "${g_program:=shorewall}" ]
+
+if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} <> /usr/share
    #
    . /usr/share/shorewall/shorewallrc

-    g_basedir=${SHAREDIR}/shorewall
+    g_sharedir="$SHAREDIR"/$g_program
+    g_confdir="$CONFDIR"/$g_program
+    g_readrc=1
 fi

-. ${g_basedir}/lib.core
+. ${SHAREDIR}/shorewall/lib.base

 #
 # Issue an error message and die
@@ -391,13 +395,13 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"

-	    printf '\a'
+	    $g_ring_bell

 	    packet_log 40

 	    if [ "$pause" = "Yes" ]; then
 		echo
-		printf 'Enter any character to continue: '
+		echo $g_echo_n 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@@ -945,7 +949,7 @@ show_events() {
 	for file in /proc/net/xt_recent/*; do
 	    base=$(basename $file)

-	    if [ "$base" != %CURRENTTIME -a "$base" != "*" ]; then
+	    if [ $base != %CURRENTTIME ]; then
 		echo $base
 		show_event $base
 		echo
@@ -1007,6 +1011,13 @@ show_raw() {
    $g_tool -t raw -L $g_ipt_options | $output_filter
 }

+show_rawpost() {
+    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
+    echo
+    show_reset
+    $g_tool -t rawpost -L $g_ipt_options | $output_filter
+}
+
 show_mangle() {
    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
    echo
@@ -1150,43 +1161,6 @@ show_macros() {
    done
 }

-show_a_macro() {
-    echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
-    cat ${directory}/macro.$1
-}
-#
-# Don't dump empty SPD entries
-#
-spd_filter()
-{
-    awk \
-    'BEGIN            { skip=0; }; \
-    /^src/            { skip=0; }; \
-    /^src 0.0.0.0\/0/ { skip=1; }; \
-    /^src ::\/0/      { skip=1; }; \
-                      { if ( skip == 0 ) print; };'
-}
-#
-# Print a heading with leading and trailing black lines
-#
-heading() {
-    echo
-    echo "$@"
-    echo
-}
-
-show_ipsec() {
-    heading "PFKEY SPD"
-    $IP -s xfrm policy | spd_filter
-    heading "PFKEY SAD"
-    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
-}
-
-show_ipsec_command() {
-    echo "$g_product $SHOREWALL_VERSION IPSEC at $g_hostname - $(date)"
-    show_ipsec
-}
-
 #
 # Show Command Executor
 #
@@ -1207,10 +1181,10 @@ show_command() {
 	if [ -n "$foo" ]; then
 	    macro=${macro#*.}
 	    foo=${foo%.*}
-	    if [ ${#macro} -gt 5 ]; then
-		printf "  $macro\t${foo#\#}\n"
+	    if [ ${#macro} -gt 10 ]; then
+		echo "   $macro  ${foo#\#}"
 	    else
-		printf "  $macro\t\t${foo#\#}\n"
+		$g_echo_e "   $macro  \t${foo#\#}"
 	    fi
 	fi
    }
@@ -1257,7 +1231,7 @@ show_command() {
 			    [ $# -eq 1 ] && missing_option_value -t

 			    case $2 in
-				mangle|nat|filter|raw)
+				mangle|nat|filter|raw|rawpost)
 				    table=$2
 				    table_given=Yes
 				    ;;
@@ -1311,6 +1285,10 @@ show_command() {
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
+	rawpost)
+	    [ $# -gt 1 ] && too_many_arguments $2
+	    eval show_rawpost $g_pager
+	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
@@ -1378,14 +1356,14 @@ show_command() {
 		echo "LIBEXEC=${LIBEXECDIR}"
 		echo "SBINDIR=${SBINDIR}"
 		echo "CONFDIR=${CONFDIR}"
-		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR=${VARDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
-		echo "Default VARDIR is /var/lib/$PRODUCT"
+		echo "Default VARDIR is /var/lib/$g_program"
 		echo "LIBEXEC is ${LIBEXECDIR}"
 		echo "SBINDIR is ${SBINDIR}"
 		echo "CONFDIR is ${CONFDIR}"
-		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR is ${VARDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
 	    fi
 	    ;;
 	chain)
@@ -1448,12 +1426,8 @@ show_command() {
 		$g_tool -t filter -L dynamic $g_ipt_options  | fgrep ACCEPT | $output_filter
 	    fi
 	    ;;
-	ipsec)
-	    [ $# -gt 1 ] && too_many_arguments $2
-	    eval show_ipsec_command $g_pager
-	    ;;
 	*)
-	    case "$PRODUCT" in
+	    case "$g_program" in
 		*-lite)
 		    ;;
 	    	*)
@@ -1467,7 +1441,8 @@ show_command() {
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
-				    eval show_a_macro $2 $g_pager
+				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
+				    cat ${directory}/macro.$2
 				    return
 				fi
 			    done
@@ -1699,6 +1674,11 @@ do_dump_command() {
 	$g_tool -t raw -L $g_ipt_options
    fi

+    if qt $g_tool -t rawpost -L -n; then
+	heading "Rawpost Table"
+	$g_tool -t rawpost -L $g_ipt_options
+    fi
+
    local count
    local max

@@ -1749,7 +1729,12 @@ do_dump_command() {
    heading "Events"
    show_events

-    show_ipsec
+    if qt mywhich setkey; then
+	heading "PFKEY SPD"
+	setkey -DP
+	heading "PFKEY SAD"
+	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys
+    fi

    heading "/proc"
    show_proc /proc/version
@@ -1820,7 +1805,6 @@ dump_command() {
 restore_command() {
    local finished
    finished=0
-    local result

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1885,11 +1869,8 @@ restore_command() {
 	progress_message3 "Restoring $g_product..."

 	run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"
-	result=$?

 	[ -n "$g_nolock" ] || mutex_off
-
-	exit $result
    else
 	echo "File $g_restorepath: file not found"
 	[ -n "$g_nolock" ] || mutex_off
@@ -1949,6 +1930,15 @@ read_yesno_with_timeout() {
    fi
 }

+#
+# Print a heading with leading and trailing black lines
+#
+heading() {
+    echo
+    echo "$@"
+    echo
+}
+
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2749,6 +2739,7 @@ determine_capabilities() {
    CONNMARK_MATCH=
    XCONNMARK_MATCH=
    RAW_TABLE=
+    RAWPOST_TABLE=
    IPP2P_MATCH=
    OLD_IPP2P_MATCH=
    LENGTH_MATCH=
@@ -2804,8 +2795,6 @@ determine_capabilities() {
    IFACE_MATCH=
    TCPMSS_TARGET=
    WAIT_OPTION=
-    CPU_FANOUT=
-    NETMAP_TARGET=

    AMANDA_HELPER=
    FTP_HELPER=
@@ -2840,10 +2829,8 @@ determine_capabilities() {
 	if qt $g_tool -t nat -N $chain; then
 	    if [ $g_family -eq 4 ]; then
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
-		qt $g_tool -t nat -A $chain -j NETMAP --to 1.2.3.0/24 && NETMAP_TARGET=Yes
 	    else
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
-		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
@@ -3003,6 +2990,7 @@ determine_capabilities() {
    fi

    qt $g_tool -t raw	  -L -n && RAW_TABLE=Yes
+    qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes

    if [ -n "$RAW_TABLE" ]; then
 	qt $g_tool -t raw -F $chain
@@ -3104,12 +3092,7 @@ determine_capabilities() {
 	qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
    fi
-
-    if qt $g_tool -A $chain -j NFQUEUE --queue-num 4; then
-	NFQUEUE_TARGET=Yes
-	qt $g_tool -A $chain -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout && CPU_FANOUT=Yes
-    fi
-
+    qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes

    #
@@ -3228,6 +3211,7 @@ report_capabilities_unsorted() {
    report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
    [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
    report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
+    report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
    report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
    [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
    report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
@@ -3306,8 +3290,6 @@ report_capabilities_unsorted() {
    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
    report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
    report_capability "CT Target (CT_TARGET)" $CT_TARGET
-    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
-    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET

    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3357,6 +3339,7 @@ report_capabilities_unsorted1() {
    report_capability1 CONNMARK_MATCH
    report_capability1 XCONNMARK_MATCH
    report_capability1 RAW_TABLE
+    report_capability1 RAWPOST_TABLE
    report_capability1 IPP2P_MATCH
    report_capability1 OLD_IPP2P_MATCH
    report_capability1 CLASSIFY_TARGET
@@ -3412,8 +3395,6 @@ report_capabilities_unsorted1() {
    report_capability1 IFACE_MATCH
    report_capability1 TCPMSS_TARGET
    report_capability1 WAIT_OPTION
-    report_capability1 CPU_FANOUT
-    report_capability1 NETMAP_TARGET

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3574,40 +3555,10 @@ blacklist_command() {
 	    ;;
    esac

-    if $IPSET -A $g_blacklistipset $@ -exist; then
-	local message
-
-	progress_message2 "$1 Blacklisted"
-
-	if [ -n "$g_disconnect" ]; then
-	    message="$(conntrack -D -s $1 2>&1)"
-	    if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
-		if [ $VERBOSITY -gt 1 ]; then
-		    echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " src " ); }; { print; }'
-		else
-		    echo "$message" | head -n1 | sed 's/^.*: //; s/ / src /'
-		fi
-	    fi
-
-	    if [ $g_disconnect = src-dst ]; then
-		message="$(conntrack -D -d $1 2>&1)"
-		if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
-		    if [ $VERBOSITY -gt 1 ]; then
-			echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " dst " ); }; { print; }'
-		    else
-			echo "$message" | head -n1 | sed 's/^.*: //; s/ / dst /'
-		    fi
-		fi
-	    fi
-	fi
-    else
-	error_message "ERROR: Address $1 not blacklisted"
-	return 1
-    fi
+    $IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }

    return 0
 }
-
 save_command() {
    local finished
    finished=0
@@ -3810,68 +3761,6 @@ verify_firewall_script() {
    fi
 }

-setup_dbl() {
-    local original
-
-    original=$DYNAMIC_BLACKLIST
-
-    case $DYNAMIC_BLACKLIST in
-	*:*,)
-	    fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
-	    ;;
-	ipset*,disconnect*)
-	    if qt mywhich conntrack; then
-		g_disconnect=src
-		DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,disconnect//')
-	    else
-		fatal_error "The 'disconnect' option requires that the conntrack utility be installed"
-	    fi
-	    ;;
-    esac
-
-    case $DYNAMIC_BLACKLIST in
-	ipset*,src-dst*)
-	    #
-	    # This utility doesn't need to know about 'src-dst'
-	    #
-	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
-
-	    [ -n "$g_disconnect" ] && g_disconnect=src-dst
-	    ;;
-    esac
-
-    case $DYNAMIC_BLACKLIST in
-	ipset*,timeout*)
-	    #
-	    # This utility doesn't need to know about 'timeout=nnn'
-	    #
-	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
-	    ;;
-    esac
-
-    case $DYNAMIC_BLACKLIST in
-	[Nn]o)
-	    DYNAMIC_BLACKLIST='';
-	    ;;
-	[Yy]es)
-	    ;;
-	ipset|ipset::*|ipset-only|ipset-only::*)
-	    g_blacklistipset=SW_DBL$g_family
-	    ;;
-	ipset:[a-zA-Z]*)
-	    g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
-	    g_blacklistipset=${g_blacklistipset%%:*}
-	    ;;
-	ipset-only:[a-zA-Z]*)
-	    g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
-	    g_blacklistipset=${g_blacklistipset%%:*}
-	    ;;
-	*)
-	    fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
-	    ;;
-    esac
-}
-
 ################################################################################
 # The remaining functions are used by the Lite cli - they are overloaded by
 # the Standard CLI by loading lib.cli-std
@@ -3885,7 +3774,7 @@ get_config() {

    ensure_config_path

-    config=$(find_file ${PRODUCT}.conf)
+    config=$(find_file ${g_program}.conf)

    if [ -f $config ]; then
 	if [ -r $config ]; then
@@ -4011,29 +3900,55 @@ get_config() {

    g_loopback=$(find_loopback_interfaces)

-    if [ -z "$g_nopager" ]; then
-	[ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER

-	if [ -n "$PAGER" -a -t 1 ]; then
-	    case $PAGER in
-		/*)
-		    g_pager="$PAGER"
-		    [ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
-		    ;;
-		*)
-		    g_pager=$(mywhich $PAGER 2> /dev/null)
-		    [ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
-		    ;;
-	    esac
+    if [ -n "$PAGER" -a -t 1 ]; then
+	case $PAGER in
+	    /*)
+		g_pager="$PAGER"
+		[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		;;
+	    *)
+		g_pager=$(mywhich $PAGER 2> /dev/null)
+		[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
+		;;
+	esac

-	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"

-	    g_pager="| $g_pager"
-	fi
-    fi
+	g_pager="| $g_pager"
+     fi

    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	setup_dbl
+	case $DYNAMIC_BLACKLIST in
+	    [Nn]o)
+		DYNAMIC_BLACKLIST='';
+		;;
+	    [Yy]es)
+	        ;;
+	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
+		g_blacklistipset=SW_DBL$g_family
+		;;
+	    ipset:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    *)
+		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
+		;;
+	esac
    fi

    lib=$(find_file lib.cli-user)
@@ -4306,9 +4221,8 @@ usage() # $1 = exit status
 	echo "   [ show | list | ls ] ipa"
    fi

-    echo "   [ show | list | ls ] ipsec"
    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
-    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw"
+    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
    ecko "   [ show | list | ls ] macro <macro>"
    ecko "   [ show | list | ls ] macros"
    echo "   [ show | list | ls ] nfacct"
@@ -4337,7 +4251,7 @@ usage() # $1 = exit status
 #
 # This is the main entry point into the CLI. It directly handles all commands supported
 # by both the full and lite versions. Note, however, that functions such as start_command()
-# appear in both this library and in lib.cli-std. The ones in cli-std overload the ones
+# appear in both this library and it lib.cli-std. The ones in cli-std overload the ones
 # here if that lib is loaded below.
 #
 shorewall_cli() {
@@ -4379,16 +4293,12 @@ shorewall_cli() {
    g_loopback=
    g_compiled=
    g_pager=
-    g_nopager=
    g_blacklistipset=
-    g_disconnect=

    VERBOSE=
    VERBOSITY=1
-    #
-    # Set the default product based on the Shorewall packages installed
-    #
-    set_default_product
+
+    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std

    finished=0

@@ -4478,34 +4388,6 @@ shorewall_cli() {
 			    g_timestamp=Yes
 			    option=${option#t}
 			    ;;
-			p*)
-			    g_nopager=Yes
-			    option=${option#p}
-			    ;;
-			6*)
-			    if [ "$PRODUCT" = shorewall ]; then
-				PRODUCT=shorewall6
-			    elif [ "$PRODUCT" = shorewall-lite ]; then
-				PRODUCT=shorewall6-lite
-			    fi
-			    option=${option#6}
-			    ;;
-			4*)
-			    if [ "$PRODUCT" = shorewall6 ]; then
-				PRODUCT=shorewall
-			    elif [ "$PRODUCT" = shorewall6-lite ]; then
-				PRODUCT=shorewall-lite
-			    fi
-			    option=${option#4}
-			    ;;
-			l*)
-			    if [ "$PRODUCT" = shorewall ]; then
-				PRODUCT=shorewall-lite
-			    elif [ "$PRODUCT" = shorewall6 ]; then
-				PRODUCT=shorewall6-lite
-			    fi
-			    option=${option#l}
-			    ;;
 			-)
 			    finished=1
 			    option=
@@ -4527,16 +4409,12 @@ shorewall_cli() {
 	usage 1
    fi

-    setup_product_environment 1
-
-   [ -n "$g_lite" ] || . ${SHAREDIR}/shorewall/lib.cli-std
-
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    MUTEX_TIMEOUT=

    [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir

-    [ -n "${VARDIR:=/var/lib/$PRODUCT}" ]
+    [ -n "${VARDIR:=/var/lib/$g_program}" ]

    g_firewall=${VARDIR}/firewall

@@ -4551,6 +4429,26 @@ shorewall_cli() {

    banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"

+    case $(echo -e) in
+	-e*)
+	    g_ring_bell="echo \a"
+	    g_echo_e="echo"
+	    ;;
+	*)
+	    g_ring_bell="echo -e \a"
+	    g_echo_e="echo -e"
+	    ;;
+    esac
+
+    case $(echo -n "Testing") in
+	-n*)
+	    g_echo_n=
+	    ;;
+	*)
+	    g_echo_n=-n
+	    ;;
+    esac
+
    COMMAND=$1

    case "$COMMAND" in
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,440 +0,0 @@
-#
-# Shorewall 5.0 -- /usr/share/shorewall/lib.core
-#
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# This library contains the code common to all Shorewall components except the
-# generated scripts.
-#
-
-SHOREWALL_LIBVERSION=50100
-
-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
-
-setup_product_environment() { # $1 = if non-empty, source shorewallrc again now that we have the correct product
-    g_basedir=${SHAREDIR}/shorewall
-
-    g_sharedir="$SHAREDIR"/$PRODUCT
-    g_confdir="$CONFDIR"/$PRODUCT
-
-    case $PRODUCT in
-	shorewall)
-	    g_product="Shorewall"
-	    g_family=4
-	    g_tool=iptables
-	    g_lite=
-	    ;;
-	shorewall6)
-	    g_product="Shorewall6"
-	    g_family=6
-	    g_tool=ip6tables
-	    g_lite=
-	    ;;
-	shorewall-lite)
-	    g_product="Shorewall Lite"
-	    g_family=4
-	    g_tool=iptables
-	    g_lite=Yes
-	    ;;
-	shorewall6-lite)
-	    g_product="Shorewall6 Lite"
-	    g_family=6
-	    g_tool=ip6tables
-	    g_lite=Yes
-	    ;;
-	*)
-	    fatal_error "Unknown PRODUCT ($PRODUCT)"
-	    ;;
-    esac
-
-    [ -f ${SHAREDIR}/${PRODUCT}/version ] || fatal_error "$g_product does not appear to be installed on this system"
-    #
-    # We need to do this again, now that we have the correct product
-    #
-    [ -n "$1" ] && . ${g_basedir}/shorewallrc
-
-    if [ -z "${VARLIB}" ]; then
-	VARLIB=${VARDIR}
-	VARDIR=${VARLIB}/${PRODUCT}
-    elif [ -z "${VARDIR}" ]; then
-	VARDIR="${VARLIB}/${PRODUCT}"
-    fi
-}
-
-set_default_product() {
-    case $(basename $0) in
-	shorewall6)
-	    PRODUCT=shorewall6
-	    ;;
-	shorewall4)
-	    PRODUCT=shorewall
-	    ;;
-	shorewall-lite)
-	    PRODUCT=shorewall-lite
-	    ;;
-	shorewall6-lite)
-	    PRODUCT=shorewall6-lite
-	    ;;
-	*)
-	    if [ -f ${g_basedir}/version ]; then
-		PRODUCT=shorewall
-	    elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
-		PRODUCT=shorewall-lite
-	    elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
-		PRODUCT=shorewall6-lite
-	    else
-		fatal_error "No Shorewall firewall product is installed"
-	    fi
-	    ;;
-    esac
-}
-
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 6
-}
-
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-#
-# Undo the effect of 'separate_list()'
-#
-combine_list()
-{
-    local f
-    local o
-    o=
-
-    for f in $* ; do
-        o="${o:+$o,}$f"
-    done
-
-    echo $o
-}
-
-#
-# Validate an IP address
-#
-valid_address() {
-    local x
-    local y
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	case $x in
-	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
-		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
-                ;;
-	    *)
-	        IFS=$ifs
-		return 2
-		;;
-	esac
-    done
-
-    IFS=$ifs
-
-    return 0
-}
-
-#
-# Miserable Hack to work around broken BusyBox ash in OpenWRT
-#
-addr_comp() {
-    test $(bc <<EOF
-$1 > $2
-EOF
-) -eq 1
-
-}
-
-#
-# Enumerate the members of an IP range -- When using a shell supporting only
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
-#
-# Comes in two flavors:
-#
-# ip_range() - produces a mimimal list of network/host addresses that spans
-#              the range.
-#
-# ip_range_explicit() - explicitly enumerates the range.
-#
-ip_range() {
-    local first
-    local last
-    local l
-    local x
-    local y
-    local z
-    local vlsm
-
-    case $1 in
-	!*)
-	    #
-	    # Let iptables complain if it's a range
-	    #
-	    echo $1
-	    return
-	    ;;
-	[0-9]*.*.*.*-*.*.*.*)
-            ;;
-	*)
-	    echo $1
-	    return
-	    ;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    l=$(( $last + 1 ))
-
-    while addr_comp $l $first; do
-	vlsm=
-	x=31
-	y=2
-	z=1
-
-	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
-	    vlsm=/$x
-	    x=$(( $x - 1 ))
-	    z=$y
-	    y=$(( $y * 2 ))
-	done
-
-	echo $(encodeaddr $first)$vlsm
-	first=$(($first + $z))
-    done
-}
-
-ip_range_explicit() {
-    local first
-    local last
-
-    case $1 in
-    [0-9]*.*.*.*-*.*.*.*)
-	;;
-    *)
-	echo $1
-	return
-	;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    while ! addr_comp $first $last; do
-	echo $(encodeaddr $first)
-	first=$(($first + 1))
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
-#
-# Netmask to VLSM
-#
-ip_vlsm() {
-    local mask
-    mask=$(decodeaddr $1)
-    local vlsm
-    vlsm=0
-    local x
-    x=$(( 128 << 24 )) # 0x80000000
-
-    while [ $(( $x & $mask )) -ne 0 ]; do
-	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
-	vlsm=$(($vlsm + 1))
-    done
-
-    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
-	echo "Invalid net mask: $1" >&2
-    else
-	echo $vlsm
-    fi
-}
-
-#
-# Set default config path
-#
-ensure_config_path() {
-    local F
-    F=${g_sharedir}/configpath
-    if [ -z "$CONFIG_PATH" ]; then
-	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
-	. $F
-    fi
-
-    if [ -n "$g_shorewalldir" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
-    fi
-}
-
-#
-# Get fully-qualified name of file
-#
-resolve_file() # $1 = file name
-{
-    local pwd
-    pwd=$PWD
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	.)
-	    echo $pwd
-	    ;;
-	./*)
-	    echo ${pwd}${1#.}
-	    ;;
-	..)
-	    cd ..
-	    echo $PWD
-	    cd $pwd
-	    ;;
-	../*)
-	    cd ..
-	    resolve_file ${1#../}
-	    cd $pwd
-	    ;;
-	*)
-	    echo $pwd/$1
-	    ;;
-    esac
-}
-
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
-#
-#     None - No mktemp
-#     BSD  - BSD mktemp (Mandrake)
-#     STD  - mktemp.org mktemp
-#
-find_mktemp() {
-    local mktemp
-    mktemp=`mywhich mktemp 2> /dev/null`
-
-    if [ -n "$mktemp" ]; then
-	if qt mktemp -V ; then
-	    MKTEMP=STD
-	else
-	    MKTEMP=BSD
-	fi
-    else
-	MKTEMP=None
-    fi
-}
-
-#
-# create a temporary file. If a directory name is passed, the file will be created in
-# that directory. Otherwise, it will be created in a temporary directory.
-#
-mktempfile() {
-
-    [ -z "$MKTEMP" ] && find_mktemp
-
-    if [ $# -gt 0 ]; then
-	case "$MKTEMP" in
-	    BSD)
-		mktemp $1/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -p $1 shorewall.XXXXXX
-		;;
-	    None)
-		> $1/shorewall-$$ && echo $1/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    else
-	case "$MKTEMP" in
-	    BSD)
-		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -t shorewall.XXXXXX
-		;;
-	    None)
-		rm -f ${TMPDIR:-/tmp}/shorewall-$$
-		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    fi
-}
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -81,6 +81,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -31,10 +31,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
 	fi
    fi
 }
@@ -130,7 +128,7 @@ for PRODUCT in $PRODUCTS; do
    setstatedir

    if [ -x $VARLIB/$PRODUCT/firewall ]; then
-	( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
    fi
 done

--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -33,11 +33,9 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+    if [ ! -x "$STATEDIR/firewall" ]; then
+	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT $OPTIONS compile
 	fi
    fi
 }
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -31,10 +31,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
 	fi
    fi
 }
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -73,10 +73,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    else
 	return 0
    fi
@@ -104,7 +102,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "

  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
@@ -125,7 +123,7 @@ shorewall_start () {

  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then

-      printf "Restoring ipsets: "
+      echo -n "Restoring ipsets: "

      if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
@@ -142,7 +140,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,10 +44,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	${SBINDIR}/$PRODUCT $OPTIONS compile -c
    else
 	return 0
    fi
@@ -64,7 +62,7 @@ start () {
 	return 6 #Not configured
    fi

-    printf "Initializing \"Shorewall-based firewalls\": "
+    echo -n "Initializing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
 	setstatedir
@@ -99,7 +97,7 @@ stop () {
    local PRODUCT
    local STATEDIR

-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
 	setstatedir
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -75,10 +75,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    else
 	return 0
    fi
@@ -89,7 +87,7 @@ start () {
    local PRODUCT
  local STATEDIR

-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -114,7 +112,7 @@ stop () {
    local PRODUCT
    local STATEDIR

-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -81,7 +81,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -104,7 +104,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -79,10 +79,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    else
 	return 0
    fi
@@ -93,7 +91,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x $STATEDIR/firewall ]; then
@@ -114,7 +112,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -164,10 +164,10 @@ if [ $# -eq 0 ]; then
    #
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc || exit 1
-	file=./shorewallrc
+	file=~/.shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=~/.shorewallrc
+	file=./.shorewallrc
     else
 	fatal_error "No configuration file specified and ~/.shorewallrc not found"
    fi
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -33,10 +33,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    else
 	return 0
    fi
@@ -64,7 +62,7 @@ shorewall_start () {
    local PRODUCT
    local STATEDIR

-    printf "Initializing \"Shorewall-based firewalls\": "
+    echo -n "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
@@ -92,7 +90,7 @@ shorewall_stop () {
    local PRODUCT
    local STATEDIR

-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -126,6 +126,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -0,0 +1,18 @@
+# Shorewall Lite Makefile to restart if firewall script is newer than last restart
+VARDIR=$(shell /sbin/shorewall-lite show vardir)
+SHAREDIR=/usr/share/shorewall-lite
+RESTOREFILE?=.restore
+
+all: $(VARDIR)/$(RESTOREFILE)
+
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
+	@/sbin/shorewall-lite -q save >/dev/null; \
+	if \
+	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
+	then \
+	    /sbin/shorewall-lite -q save >/dev/null; \
+	else \
+	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
+	fi
+
+# EOF
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -13,7 +13,7 @@

 . /lib/lsb/init-functions

-SRWL='/sbin/shorewall -l'
+SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}

@@ -85,7 +85,7 @@ fi

 # start the firewall
 shorewall_start () {
-  printf "Starting \"Shorewall firewall\": "
+  echo -n "Starting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
@@ -93,10 +93,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  if [ "$SAFESTOP" = 1 ]; then
-      printf "Stopping \"Shorewall Lite firewall\": "
+      echo -n "Stopping \"Shorewall Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
-      printf "Clearing all \"Shorewall Lite firewall\" rules: "
+      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -104,14 +104,14 @@ shorewall_stop () {

 # restart the firewall
 shorewall_restart () {
-  printf "Restarting \"Shorewall firewall\": "
+  echo -n "Restarting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

 # refresh the firewall
 shorewall_refresh () {
-  printf "Refreshing \"Shorewall firewall\": "
+  echo -n "Refreshing \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc

-prog="shorewall -l"
+prog="shorewall-lite"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi

 start() {
-    printf $"Starting Shorewall: "
+    echo -n $"Starting Shorewall: "
    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }

 stop() {
-    printf $"Stopping Shorewall: "
+    echo -n $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    printf $"Restarting Shorewall: "
+    echo -n $"Restarting Shorewall: "
    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -69,7 +69,7 @@ SHOREWALL_INIT_SCRIPT=1
 command="$action"

 start() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
 }

 boot() {
@@ -78,17 +78,17 @@ boot() {
 }

 restart() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
 }

 reload() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
 }

 stop() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
 }

 status() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
 }
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -114,7 +114,7 @@ require()
 #
 cd "$(dirname $0)"

-if [ -f shorewall-lite.service ]; then
+if [ -f shorewall-lite ]; then
    PRODUCT=shorewall-lite
    Product="Shorewall Lite"
 else
@@ -331,6 +331,7 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi

+    make_directory ${DESTDIR}${SBINDIR} 755
    make_directory ${DESTDIR}${INITDIR} 755

 else
@@ -361,9 +362,9 @@ else
 fi

 #
-# Check for ${SHAREDIR}/$PRODUCT/version
+# Check for ${SBINDIR}/$PRODUCT
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
@@ -371,15 +372,17 @@ fi

 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

+install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
 [ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755

+echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+
 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${SBINDIR}
 mkdir -p ${DESTDIR}${VARDIR}

 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
@@ -430,6 +433,15 @@ elif [ $HOST = gentoo ]; then
    # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
    perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
+
+#
+# Install the  Makefile
+#
+install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
+[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
+echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
+
 #
 # Install the default config path file
 #
@@ -486,7 +498,7 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages

-    mkdir -p ${DESTDIR}${MANDIR}/man5/
+    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/

    for f in *.5; do
 	gzip -c $f > $f.gz
@@ -494,8 +506,6 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done

-    mkdir -p ${DESTDIR}${MANDIR}/man8/
-
    for f in *.8; do
 	gzip -c $f > $f.gz
 	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
@@ -530,11 +540,6 @@ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup

-#
-#  Creatae the symbolic link for the CLI
-#
-ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
-
 #
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
@@ -550,6 +555,7 @@ fi

 if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi

 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,20 +45,19 @@
 #    require Shorewall to be installed.


-PRODUCT=shorewall-lite
+g_program=shorewall-lite

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

-g_basedir=${SHAREDIR}/shorewall
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1

 . ${SHAREDIR}/shorewall/lib.cli
-
-setup_product_environment
-
-. ${SHAREDIR}/shorewall-lite/configpath
+. /usr/share/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
+#         Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
+#
+################################################################################################
+PRODUCT=shorewall-lite
+
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli
+
+shorewall_cli $@
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -125,6 +125,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -0,0 +1,23 @@
+#
+# Shorewall -- /etc/shorewall/Makefile
+#
+# Reload Shorewall if config files are updated.
+
+SWBIN	?= /sbin/shorewall -q
+CONFDIR	?= /etc/shorewall
+SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
+
+.PHONY: clean
+
+$(SWSTATE): $(CONFDIR)/*
+	@$(SWBIN) save >/dev/null; \
+	RESULT=$$($(SWBIN) reload 2>&1); \
+	if [ $$? -eq 0 ]; then \
+	    $(SWBIN) save >/dev/null; \
+	else \
+	    echo "$${RESULT}" >&2; \
+	    false; \
+	fi
+
+clean:
+	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -120,6 +120,7 @@ our @EXPORT = ( qw(
 		    %chain_table
 		    %targets
 		    $raw_table
+		    $rawpost_table
 		    $nat_table
 		    $mangle_table
 		    $filter_table
@@ -196,6 +197,7 @@ our %EXPORT_TAGS = (
 				       ensure_mangle_chain
 				       ensure_nat_chain
 				       ensure_raw_chain
+				       ensure_rawpost_chain
 				       new_standard_chain
 				       new_action_chain
 				       new_builtin_chain
@@ -264,12 +266,10 @@ our %EXPORT_TAGS = (
 				       set_chain_variables
 				       mark_firewall_not_started
 				       mark_firewall6_not_started
-				       interface_address
 				       get_interface_address
 				       get_interface_addresses
 				       get_interface_bcasts
 				       get_interface_acasts
-				       interface_gateway
 				       get_interface_gateway
 				       get_interface_mac
 				       have_global_variables
@@ -416,6 +416,7 @@ our $VERSION = 'MODULEVERSION';
 #
 our %chain_table;
 our $raw_table;
+our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
@@ -756,11 +757,13 @@ sub initialize( $$$ ) {
    ( $family, my $hard, $export ) = @_;

    %chain_table = ( raw    =>  {},
+		     rawpost => {},
 		     mangle =>  {},
 		     nat    =>  {},
 		     filter =>  {} );

    $raw_table     = $chain_table{raw};
+    $rawpost_table = $chain_table{rawpost};
    $nat_table     = $chain_table{nat};
    $mangle_table  = $chain_table{mangle};
    $filter_table  = $chain_table{filter};
@@ -805,6 +808,7 @@ sub initialize( $$$ ) {
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
+		     NFQUEUE      => 1,
 		     NOTRACK      => 1,
 		     RAWDNAT      => 1,
 		     REDIRECT     => 1,
@@ -1190,16 +1194,9 @@ sub compatible( $$ ) {
 	}
    }
    #
-    # Don't combine chains where each specifies
-    #    -m policy
-    # or when one specifies
-    #    -m multiport
-    # and the other specifies
-    #    --dport or --sport or -m multiport
+    # Don't combine chains where each specifies '-m policy'
    #
-    return ! ( $ref1->{policy} && $ref2->{policy} ||
-	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
-		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
+    return ! ( $ref1->{policy} && $ref2->{policy} );
 }

 #
@@ -1219,7 +1216,6 @@ sub merge_rules( $$$ ) {
 	if ( exists $fromref->{$option} ) {
 	    push( @{$toref->{matches}}, $option ) unless exists $toref->{$option};
 	    $toref->{$option} = $fromref->{$option};
-	    $toref->{simple} = 0;
 	}
    }

@@ -2721,6 +2717,24 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{restricted}  = NO_RESTRICT;
 	$chainref->{ipsec}       = $ipsec;
 	$chainref->{optflags}   |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
+
+	if ( $config{CHAIN_SCRIPTS} ) {
+	    unless ( $chain eq 'accounting' ) {
+		my $file = find_file $chain;
+
+		if ( -f $file ) {
+		    progress_message "Running $file...";
+
+		    my ( $level, $tag ) = ( '', '' );
+
+		    unless ( my $return = eval `cat $file` ) {
+			fatal_error "Couldn't parse $file: $@" if $@;
+			fatal_error "Couldn't do $file: $!"    unless defined $return;
+			fatal_error "Couldn't run $file"       unless $return;
+		    }
+		}
+	    }
+	}
    }

    $chainref;
@@ -2733,13 +2747,11 @@ sub accounting_chainrefs() {
    grep $_->{accounting} , values %$filter_table;
 }

-sub ensure_mangle_chain($;$$) {
-    my ( $chain, $number, $restriction ) = @_;
+sub ensure_mangle_chain($) {
+    my $chain = $_[0];

    my $chainref = ensure_chain 'mangle', $chain;
-    $chainref->{referenced}  = 1;
-    $chainref->{chainnumber} = $number if $number;
-    $chainref->{restriction} = $restriction if $restriction;
+    $chainref->{referenced} = 1;
    $chainref;
 }

@@ -2759,6 +2771,14 @@ sub ensure_raw_chain($) {
    $chainref;
 }

+sub ensure_rawpost_chain($) {
+    my $chain = $_[0];
+
+    my $chainref = ensure_chain 'rawpost', $chain;
+    $chainref->{referenced} = 1;
+    $chainref;
+}
+
 #
 # Add a builtin chain
 #
@@ -2957,6 +2977,8 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}

+	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
+
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3019,6 +3041,8 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}

+	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
+
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3322,7 +3346,7 @@ sub check_optimization( $ ) {
 # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
 #
 sub optimize_level0() {
-    for my $table ( qw/raw mangle nat filter/ ) {
+    for my $table ( qw/raw rawpost mangle nat filter/ ) {
 	my $tableref = $chain_table{$table};
 	next unless $tableref;

@@ -3572,7 +3596,7 @@ sub optimize_level4( $$ ) {
    if ( my $chains  = @chains ) {
 	$passes++;

-	progress_message "\n Table $table pass $passes, $chains short chains, level 4c...";
+	progress_message "\n Table $table pass $passes, $chains short chains, level 4b...";

 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
@@ -4241,6 +4265,7 @@ sub valid_tables() {
    my @table_list;

    push @table_list, 'raw'     if have_capability( 'RAW_TABLE' );
+    push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
    push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
    push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
    push @table_list, 'filter'; #MUST BE LAST!!!
@@ -5748,12 +5773,12 @@ sub have_ipset_rules() {
    $ipset_rules;
 }

-sub get_interface_address( $;$ );
+sub get_interface_address( $ );

-sub get_interface_gateway ( $;$$ );
+sub get_interface_gateway ( $;$ );

-sub record_runtime_address( $$;$$ ) {
-    my ( $addrtype, $interface, $protect, $provider ) = @_;
+sub record_runtime_address( $$;$ ) {
+    my ( $addrtype, $interface, $protect ) = @_;

    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
@@ -5767,9 +5792,9 @@ sub record_runtime_address( $$;$$ ) {
    my $addr;

    if ( $addrtype eq '&' ) {
-	$addr = get_interface_address( $interface, $provider );
+	$addr = get_interface_address( $interface );
    } else {
-	$addr = get_interface_gateway( $interface, $protect, $provider );
+	$addr = get_interface_gateway( $interface, $protect );
    }

    $addr . ' ';
@@ -5794,18 +5819,12 @@ sub conditional_rule( $$ ) {
 		if ( $type eq '&' ) {
 		    $variable = get_interface_address( $interface );
 		    add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
-		    incr_cmd_level $chainref;
 		} else {
 		    $variable = get_interface_gateway( $interface );
-
-		    if ( $variable =~ /^\$/ ) {
-			add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
-			incr_cmd_level $chainref;
-		    } else {
-			return 0;
-		    }
+		    add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
 		}

+		incr_cmd_level $chainref;
 		return 1;
 	    }
 	} elsif ( $type eq '%' && $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
@@ -6766,8 +6785,8 @@ sub interface_address( $ ) {
 #
 # Record that the ruleset requires the first IP address on the passed interface
 #
-sub get_interface_address ( $;$ ) {
-    my ( $logical, $provider ) = @_;
+sub get_interface_address ( $ ) {
+    my ( $logical ) = $_[0];

    my $interface = get_physical( $logical );
    my $variable = interface_address( $interface );
@@ -6777,8 +6796,6 @@ sub get_interface_address ( $;$ ) {

    $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";

-    set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;
-
    "\$$variable";
 }

@@ -6839,21 +6856,14 @@ sub interface_gateway( $ ) {
 #
 # Record that the ruleset requires the gateway address on the passed interface
 #
-sub get_interface_gateway ( $;$$ ) {
-    my ( $logical, $protect, $provider ) = @_;
+sub get_interface_gateway ( $;$ ) {
+    my ( $logical, $protect ) = @_;

    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );
-    my $gateway  = get_interface_option( $interface, 'gateway' );

    $global_variables |= ALL_COMMANDS;

-    if ( $gateway ) {
-	fatal_error q(A gateway variable cannot be used for a provider interface with GATEWAY set to 'none' in the providers file)   if $gateway eq 'none';
-	fatal_error q(A gateway variable cannot be used for a provider interface with an empty GATEWAY column in the providers file) if $gateway eq 'omitted';
-	return $gateway if $gateway ne 'detect';
-    }
-
    if ( interface_is_optional $logical ) {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
@@ -6861,8 +6871,6 @@ sub get_interface_gateway ( $;$$ ) {
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }

-    set_interface_option($interface, 'used_gateway_variable', 1) unless $provider;
-
    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
 }

@@ -7265,7 +7273,6 @@ sub isolate_dest_interface( $$$$ ) {
    my ( $diface, $dnets );

    if ( ( $restriction & PREROUTE_RESTRICT ) && $dest =~ /^detect:(.*)$/ ) {
-	my $niladdr = NILIP;
 	#
 	# DETECT_DNAT_IPADDRS=Yes and we're generating the nat rule
 	#
@@ -7282,14 +7289,14 @@ sub isolate_dest_interface( $$$$ ) {

 	    push_command( $chainref , "for address in $list; do" , 'done' );

-	    push_command( $chainref , "if [ \$address != $niladdr ]; then" , 'fi' ) if $optional;
+	    push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional;

 	    $rule .= '-d $address ';
 	} else {
 	    my $interface = $interfaces[0];
 	    my $variable  = get_interface_address( $interface );

-	    push_command( $chainref , "if [ $variable != $niladdr ]; then" , 'fi') if interface_is_optional( $interface );
+	    push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi') if interface_is_optional( $interface );

 	    $rule .= "-d $variable ";
 	}
@@ -7590,7 +7597,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule1( $$$$$$$$$$$$;$ )
+sub expand_rule( $$$$$$$$$$$$;$ )
 {
    my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
@@ -7607,6 +7614,8 @@ sub expand_rule1( $$$$$$$$$$$$;$ )
 	$logname,      # Name of chain to name in log messages
       ) = @_;

+    return if $chainref->{complete};
+
    my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
       ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
    my  $chain = $actparams{chain} || $chainref->{name};
@@ -7841,78 +7850,6 @@ sub expand_rule1( $$$$$$$$$$$$;$ )
    $diface;
 }

-sub expand_rule( $$$$$$$$$$$$;$$$ )
-{
-    my ($chainref ,    # Chain
-	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
-	$prerule,      # Matches that go at the front of the rule
-	$rule,         # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
-	$source,       # SOURCE
-	$dest,         # DEST
-	$origdest,     # ORIGINAL DEST
-	$target,       # Target ('-j' part of the rule - may be empty)
-	$loglevel ,    # Log level (and tag)
-	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
-	$exceptionrule,# Caller's matches used in exclusion case
-	$usergenerated,# Rule came from the IP[6]TABLES target
-	$logname,      # Name of chain to name in log messages
-	$device,       # TC Device Name
-	$classid,      # TC Class Id
-       ) = @_;
-
-    return if $chainref->{complete};
-
-    my ( @source, @dest );
-
-    $source = '' unless defined $source;
-    $dest   = '' unless defined $dest;
-
-    if ( $source =~ /\(.+\)/ ) {
-	@source = split_list3( $source, 'SOURCE' );
-    } else {
-	@source = ( $source );
-    }
-
-    if ( $dest =~ /\(.+\)/ ) {
-	@dest = split_list3( $dest, 'DEST' );
-    } else {
-	@dest = ( $dest );
-    }
-
-    for $source ( @source ) {
-	if ( $source =~ /^(.+?):\((.+)\)$/ ) {
-	    $source = join( ':', $1, $2 );
-	} elsif ( $source =~ /^\((.+)\)$/ ) {
-	    $source = $1;
-	}
-
-	for $dest ( @dest ) {
-	    if ( $dest =~ /^(.+?):\((.+)\)$/ ) {
-		$dest = join( ':', $1, $2 );
-	    } elsif ( $dest =~ /^\((.+)\)$/ ) {
-		$dest = $1;
-	    }
-
-	    if ( ( my $result = expand_rule1( $chainref ,
-					      $restriction ,
-					      $prerule ,
-					      $rule ,
-					      $source ,
-					      $dest ,
-					      $origdest ,
-					      $target ,
-					      $loglevel ,
-					      $disposition ,
-					      $exceptionrule ,
-					      $usergenerated ,
-					      $logname ,
-		   ) ) && $device ) {
-		fatal_error "Class Id $classid is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
-	    }
-	}
-    }
-}
-
 #
 # Returns true if the passed interface is associated with exactly one zone
 #
@@ -8328,65 +8265,37 @@ EOF

 sub ensure_ipsets( @ ) {
    my $set;
-    my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
-
-    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
-	shift;
-
-	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));

+    if ( @_ > 1 ) {
 	push_indent;
-
-	if ( $family == F_IPV4 ) {
-	    emit(  q(    #),
-		   q(    # Set the timeout for the dynamic blacklisting ipset),
-		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
-	} else {
-	    emit(  q(    #),
-		   q(    # Set the timeout for the dynamic blacklisting ipset),
-		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
-	}
-
-	pop_indent;
-
-	emit( qq(    fi\n) );
-
+	emit( "for set in @_; do" );
+	$set = '$set';
+    } else {
+	$set = $_[0];
    }

-    if ( @_ ) {
-	if ( @_ > 1 ) {
-	    push_indent;
-	    emit( "for set in @_; do" );
-	    $set = '$set';
+    if ( $family == F_IPV4 ) {
+	if ( have_capability 'IPSET_V5' ) {
+	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+		   qq(        \$IPSET -N $set hash:net family inet timeout 0 counters) ,
+		   qq(    fi) );
 	} else {
-	    $set = $_[0];
-	}
-
-	if ( $family == F_IPV4 ) {
-	    if ( have_capability 'IPSET_V5' ) {
-		emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
-		       qq(        error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
-		       qq(        \$IPSET create $set hash:net family inet timeout 0${counters}) ,
-		       qq(    fi) );
-	    } else {
-		emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
-		       qq(        \$IPSET -N $set iphash) ,
-		       qq(    fi) );
-	    }
-	} else {
-	    emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
-		   qq(        \$IPSET create $set hash:net family inet6 timeout 0${counters}) ,
+	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
+		   qq(        \$IPSET -N $set iphash) ,
 		   qq(    fi) );
 	}
+    } else {
+	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+	       qq(        \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
+	       qq(    fi) );
+    }

-	if ( @_ > 1 ) {
-	    emit 'done';
-	    pop_indent;
-	}
+    if ( @_ > 1 ) {
+	emit 'done';
+	pop_indent;
    }
 }

@@ -8564,21 +8473,10 @@ sub create_load_ipsets() {
 	       'if [ "$COMMAND" = start ]; then' );         ##################### Start Command ##################

 	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
-	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then' );
-
-	    if ( my $set = $globals{DBL_IPSET} ) {
-		emit( '        #',
-		      '        # Update the dynamic blacklisting ipset timeout value',
-		      '        #',
-		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
-		      '        zap_ipsets',
-		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
-		      '    fi' );
-	    } else {
-		emit( '        zap_ipsets',
-		      '        $IPSET -R < ${VARDIR}/ipsets.save',
-		      '    fi' );
-	    }
+	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then',
+		  '        zap_ipsets',
+		  '        $IPSET -R < ${VARDIR}/ipsets.save',
+		  '    fi' );
 	}

 	if ( @ipsets ) {
@@ -8921,7 +8819,7 @@ sub create_chainlist_reload($) {
 	for my $chain ( @chains ) {
 	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;

-	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
+	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/;

 	    $chains{$table} = {} unless $chains{$table};

@@ -8950,7 +8848,7 @@ sub create_chainlist_reload($) {

 	enter_cat_mode;

-	for $table ( qw(raw nat mangle filter) ) {
+	for $table ( qw(raw rawpost nat mangle filter) ) {
 	    my $tableref=$chains{$table};

 	    next unless $tableref;
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -701,7 +701,7 @@ sub compiler {
    #
    # Allow user to load Perl modules
    #
-    run_user_exit 'compile';
+    run_user_exit1 'compile';
    #
    # Create a temp file to hold the script
    #
@@ -804,8 +804,33 @@ sub compiler {
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
-
+    #
+    # Generate a function to bring up each provider
+    #
    process_providers( $tcinterfaces );
+    #
+    # [Re-]establish Routing
+    #
+    if ( $scriptfilename || $debug ) {
+	emit(  "\n#",
+	       '# Setup routing and traffic shaping',
+	       '#',
+	       'setup_routing_and_traffic_shaping() {'
+	    );
+
+	push_indent;
+    }
+
+    setup_providers;
+    #
+    # TCRules and Traffic Shaping
+    #
+    setup_tc( $update );
+
+    if ( $scriptfilename || $debug ) {
+	pop_indent;
+	emit "}\n"; # End of setup_routing_and_traffic_shaping()
+    }

    $have_arptables = process_arprules if $family == F_IPV4;

@@ -816,9 +841,13 @@ sub compiler {
    #
    process_tos;
    #
-    # Setup Masquerade/SNAT
+    # ECN
    #
-    setup_snat( $update );
+    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+    #
+    # Setup Masquerading/SNAT
+    #
+    setup_masq;
    #
    # Setup Nat
    #
@@ -860,37 +889,6 @@ sub compiler {
    #
    setup_accounting if $config{ACCOUNTING};

-    enable_script;
-    #
-    # Generate a function to bring up each provider
-    #
-    if ( $scriptfilename || $debug ) {
-	emit(  "\n#",
-	       '# Setup routing and traffic shaping',
-	       '#',
-	       'setup_routing_and_traffic_shaping() {'
-	    );
-
-	push_indent;
-    }
-
-    setup_providers;
-    #
-    # TCRules and Traffic Shaping
-    #
-    setup_tc( $update );
-
-    if ( $scriptfilename || $debug ) {
-	pop_indent;
-	emit "}\n"; # End of setup_routing_and_traffic_shaping()
-    }
-    #
-    # ECN
-    #
-    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-
-    disable_script;
-
    if ( $scriptfilename ) {
 	#
 	# Compiling a script - generate the zone by zone matrix
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -130,11 +130,9 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       split_list
 				       split_list1
 				       split_list2
-				       split_list3
 				       split_line
 				       split_line1
 				       split_line2
-				       split_rawline2
 				       first_entry
 				       open_file
 				       close_file
@@ -155,6 +153,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       propagateconfig
 				       append_file
 				       run_user_exit
+				       run_user_exit1
+				       run_user_exit2
 				       generate_aux_config
 				       format_warning
 				       no_comment
@@ -174,7 +174,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
-				       $rawcurrentline
 				       $currentfilename
 				       $debug
 				       $file_format
@@ -389,6 +388,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 HEADER_MATCH    => 'Header Match',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
+		 RAWPOST_TABLE   => 'Rawpost Table',
 		 CONDITION_MATCH => 'Condition Match',
 		 IPTABLES_S      => 'iptables -S',
 		 BASIC_FILTER    => 'Basic Filter',
@@ -411,8 +411,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IFACE_MATCH     => 'Iface Match',
                 TCPMSS_TARGET   => 'TCPMSS Target',
                 WAIT_OPTION     => 'iptables --wait option',
-                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',
-                 NETMAP_TARGET   => 'NETMAP Target',

 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -566,7 +564,6 @@ our $usedcaller;
 our $inline_matches;

 our $currentline;            # Current config file line image
-our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
 our $currentfilename;        # File NAME
 our $currentlinenumber;      # Line number
@@ -643,7 +640,6 @@ our %eliminated = ( LOGRATE          => 1,
 		    WIDE_TC_MARKS    => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
-		    CHAIN_SCRIPTS    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -749,7 +745,7 @@ sub initialize( $;$$) {
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
 		    VERSION                 => "5.0.9-Beta2",
-		    CAPVERSION              => 50100 ,
+		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -758,8 +754,6 @@ sub initialize( $;$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
-		    DBL_IPSET               => '',
-		    DBL_TIMEOUT             => 0,
 		    POSTROUTING             => 'POSTROUTING',
 		  );
    #
@@ -891,6 +885,7 @@ sub initialize( $;$$) {
 	  WARNOLDCAPVERSION => undef,
 	  DEFER_DNS_RESOLUTION => undef,
 	  USE_RT_NAMES => undef,
+	  CHAIN_SCRIPTS => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
@@ -903,7 +898,6 @@ sub initialize( $;$$) {
 	  MINIUPNPD => undef ,
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
-	  FIREWALL => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -980,6 +974,7 @@ sub initialize( $;$$) {
 	       CONNMARK_MATCH => undef,
 	       XCONNMARK_MATCH => undef,
 	       RAW_TABLE => undef,
+	       RAWPOST_TABLE => undef,
 	       IPP2P_MATCH => undef,
 	       OLD_IPP2P_MATCH => undef,
 	       CLASSIFY_TARGET => undef,
@@ -1035,8 +1030,6 @@ sub initialize( $;$$) {
 	       IFACE_MATCH => undef,
 	       TCPMSS_TARGET => undef,
 	       WAIT_OPTION => undef,
-	       CPU_FANOUT => undef,
-	       NETMAP_TARGET => undef,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -2001,21 +1994,6 @@ sub find_writable_file($) {
    "$config_path[0]$filename";
 }

-#
-# Determine if a value has been supplied
-#
-sub supplied( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '';
-}
-
-sub passed( $ ) {
-    my $val = shift;
-
-    defined $val && $val ne '' && $val ne '-';
-}
-
 #
 # Split a comma-separated list into a Perl array
 #
@@ -2074,7 +2052,7 @@ sub split_list1( $$;$ ) {
 sub split_list2( $$ ) {
    my ($list, $type ) = @_;

-    fatal_error "Invalid $type ($list)" if $list =~ /^:/;
+    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;

    my @list1 = split /:/, $list;
    my @list2;
@@ -2111,7 +2089,6 @@ sub split_list2( $$ ) {
 		fatal_error "Invalid $type ($list)" if $opencount < 0;
 	    }
 	} elsif ( $element eq '' ) {
-	    fatal_error "Invalid $type ($list)" unless supplied $_;
 	    push @list2 , $_;
 	} else {
 	    $element = join ':', $element , $_;
@@ -2277,6 +2254,21 @@ sub split_columns( $ ) {
    @list2;
 }

+#
+# Determine if a value has been supplied
+#
+sub supplied( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '';
+}
+
+sub passed( $ ) {
+    my $val = shift;
+
+    defined $val && $val ne '' && $val ne '-';
+}
+
 sub clear_comment();

 #
@@ -2447,25 +2439,6 @@ sub split_line2( $$;$$$ ) {
    @line;
 }

-#
-# Same as above, only it splits the raw current line
-#
-sub split_rawline2( $$;$$$ ) {
-    my $savecurrentline = $currentline;
-
-    $currentline = $rawcurrentline;
-    #
-    # Delete trailing comment
-    #
-    $currentline =~ s/\s*#.*//;
-
-    my @result = &split_line2( @_ );
-
-    $currentline = $savecurrentline;
-
-    @result;
-}
-
 sub split_line1( $$;$$ ) {
    &split_line2( @_, undef );
 }
@@ -3050,9 +3023,9 @@ sub process_compiler_directive( $$$$ ) {

    if ( $directive_callback ) {
        $directive_callback->( $keyword, $line ) 
+    } else {
+        $omitting;
    }
-
-    $omitting;
 }

 #
@@ -3760,7 +3733,6 @@ sub read_a_line($) {

 	    if ( $omitting ) {
 		print "OMIT=> $_\n" if $debug;
-		$directive_callback->( 'OMITTED', $_ ) if ( $directive_callback );
 		next;
 	    }

@@ -3815,10 +3787,6 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
-	    # Save Raw Image
-	    #
-	    $rawcurrentline = $currentline;
-	    #
 	    # Expand Shell Variables using %params and %actparams
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
@@ -3847,7 +3815,7 @@ sub read_a_line($) {
 		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
 		fatal_error "This file does not allow ?SECTION" unless $section_function;
 		$section_function->($sectionname);
-		$directive_callback->( 'SECTION', $rawcurrentline ) if $directive_callback;
+		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
 		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
@@ -4319,22 +4287,6 @@ sub Masquerade_Tgt() {
    $result;
 }

-sub Netmap_Target() {
-    have_capability( 'NAT_ENABLED' ) || return '';
-
-    my $result = '';
-    my $address = $family == F_IPV4 ? '1.2.3.0/24' : '2001::/64';
-
-    if ( qt1( "$iptables $iptablesw -t nat -N $sillyname" ) ) {
-	$result = qt1( "$iptables $iptablesw -t nat -A $sillyname -j NETMAP --to $address" );
-	qt1( "$iptables $iptablesw -t nat -F $sillyname" );
-	qt1( "$iptables $iptablesw -t nat -X $sillyname" );
-
-    }
-
-    $result;
-}
-
 sub Udpliteredirect() {
    have_capability( 'NAT_ENABLED' ) || return '';

@@ -4533,6 +4485,10 @@ sub Raw_Table() {
    qt1( "$iptables $iptablesw -t raw -L -n" );
 }

+sub Rawpost_Table() {
+    qt1( "$iptables $iptablesw -t rawpost -L -n" );
+}
+
 sub Old_IPSet_Match() {
    my $ipset  = $config{IPSET} || 'ipset';
    my $result = 0;
@@ -4585,11 +4541,11 @@ sub IPSet_Match() {
 }

 sub IPSet_Match_Nomatch() {
-    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_NOMATCH};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_NOMATCH};
 }

 sub IPSet_Match_Counters() {
-    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_COUNTERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
 }

 sub IPSET_V5() {
@@ -4860,10 +4816,6 @@ sub Tcpmss_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
 }

-sub Cpu_Fanout() {
-    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
-}
-
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -4880,7 +4832,6 @@ our %detect_capability =
      CONNMARK => \&Connmark,
      CONNMARK_MATCH => \&Connmark_Match,
      CONNTRACK_MATCH => \&Conntrack_Match,
-      CPU_FANOUT => \&Cpu_Fanout,
      CT_TARGET => \&Ct_Target,
      DSCP_MATCH => \&Dscp_Match,
      DSCP_TARGET => \&Dscp_Target,
@@ -4924,7 +4875,6 @@ our %detect_capability =
      MULTIPORT => \&Multiport,
      NAT_ENABLED => \&Nat_Enabled,
      NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
-      NETMAP_TARGET => \&Netmap_Target,
      NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
      NFACCT_MATCH => \&NFAcct_Match,
      NFQUEUE_TARGET => \&Nfqueue_Target,
@@ -4940,6 +4890,7 @@ our %detect_capability =
      POLICY_MATCH => \&Policy_Match,
      PPTP_HELPER => \&PPTP_Helper,
      RAW_TABLE => \&Raw_Table,
+      RAWPOST_TABLE => \&Rawpost_Table,
      REALM_MATCH => \&Realm_Match,
      REAP_OPTION => \&Reap_Option,
      RECENT_MATCH => \&Recent_Match,
@@ -5067,6 +5018,7 @@ sub determine_capabilities() {
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
+	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
 	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
@@ -5107,8 +5059,6 @@ sub determine_capabilities() {
 	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
-	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
-	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );

 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5282,8 +5232,6 @@ sub update_config_file( $ ) {
    update_default( 'EXPORTMODULES',  'No' );
    update_default( 'RESTART',        'reload' );
    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
-    update_default( 'LOGFORMAT',      'Shorewall:%s:%s:' );
-    update_default( 'LOGLIMIT',       '' );

    my $fn;

@@ -6232,6 +6180,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'AUTOCOMMENT'                , 'Yes';
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
+    default_yes_no 'CHAIN_SCRIPTS'              , 'Yes';

    if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6304,27 +6253,9 @@ sub get_configuration( $$$$ ) {

    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
-	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
-
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );

-	    ( $key , my @options ) = split_list( $key, 'option' );
-
-	    my $options = '';
-
-	    for ( @options ) {
-		if ( $simple_options{$_} ) {
-		    $options = join( ',' , $options, $_ );
-		} elsif ( $_ =~ s/^timeout=(\d+)$// ) {
-		    $globals{DBL_TIMEOUT} = $1;
-		} else {
-		    fatal_error "Invalid ipset option ($_)";
-		}
-	    }
-
-	    $globals{DBL_OPTIONS} = $options;
-
-	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
+	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;

 	    if ( supplied( $set ) ) {
 		fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
@@ -6332,7 +6263,7 @@ sub get_configuration( $$$$ ) {
 		$set = 'SW_DBL' . $family;
 	    }

-	    add_ipset( $globals{DBL_IPSET} = $set );
+	    add_ipset( $set );
 	    
 	    $level = validate_level( $level );

@@ -6748,7 +6679,32 @@ sub append_file( $;$$ ) {
    $result;
 }

+#
+# Run a Perl extension script
+#
 sub run_user_exit( $ ) {
+    my $chainref = $_[0];
+    my $file = find_file $chainref->{name};
+
+    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
+	progress_message2 "Running $file...";
+
+	my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
+
+	unless (my $return = eval $command ) {
+	    fatal_error "Couldn't parse $file: $@" if $@;
+
+	    unless ( defined $return ) {
+		fatal_error "Couldn't do $file: $!" if $!;
+		fatal_error "Couldn't do $file";
+	    }
+
+	    fatal_error "$file returned a false value";
+	}
+    }
+}
+
+sub run_user_exit1( $ ) {
    my $file = find_file $_[0];

    if ( -f $file ) {
@@ -6780,6 +6736,37 @@ sub run_user_exit( $ ) {
    }
 }

+sub run_user_exit2( $$ ) {
+    my ($file, $chainref) = ( find_file $_[0], $_[1] );
+
+    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
+	progress_message2 "Running $file...";
+	#
+	# File may be empty -- in which case eval would fail
+	#
+	push_open $file;
+
+	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
+	    close_file;
+	    pop_open;
+
+	    unless (my $return = eval `cat $file` ) {
+		fatal_error "Couldn't parse $file: $@" if $@;
+
+		unless ( defined $return ) {
+		    fatal_error "Couldn't do $file: $!" if $!;
+		    fatal_error "Couldn't do $file";
+		}
+
+		fatal_error "$file returned a false value";
+	    }
+	}
+
+	pop_open;
+
+    }
+}
+
 #
 # Generate the aux config file for Shorewall Lite
 #
@@ -6806,7 +6793,7 @@ sub generate_aux_config() {

    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";

-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
 	conditionally_add_option $option;
    }

--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -432,18 +432,13 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
-    my $pair = $portpair;
-    #
-    # Accept '-' as a port-range separator
-    #
-    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;

-    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;

-    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
-    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
+    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';

-    my @ports = split /:/, $pair, 2;
+    my @ports = split /:/, $portpair, 2;

    my $protonum = resolve_proto( $proto ) || 0;

@@ -472,7 +467,7 @@ sub validate_portpair1( $$ ) {

    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;

-    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';

    my @ports = split /-/, $portpair, 2;
@@ -483,10 +478,9 @@ sub validate_portpair1( $$ ) {

    if ( @ports == 2 ) {
 	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
    } else {
 	$what = 'port';
-	fatal_error 'Invalid port number (0)' unless $portpair;
    }

    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
@@ -503,7 +497,7 @@ sub validate_port_list( $$ ) {
    my ( $proto, $list ) = @_;
    my @list   = split_list( $list, 'port' );

-    if ( @list > 1 && $list =~ /[:-]/ ) {
+    if ( @list > 1 && $list =~ /:/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
    }

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -216,7 +216,6 @@ sub convert_blacklist() {
    my $audit       = $disposition =~ /^A_/;
    my $target      = $disposition;
    my $orig_target = $target;
-    my $warnings    = 0;
    my @rules;

    if ( @$zones || @$zones1 ) {
@@ -238,22 +237,12 @@ sub convert_blacklist() {
 	    return 0;
 	}

-	directive_callback(
-	    sub ()
-	    {
-		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
-	    }
-	    );
-
 	first_entry "Converting $fn...";

 	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) =
-		split_rawline2( 'blacklist file',
-				{ networks => 0, proto => 1, port => 2, options => 3 },
-				{},
-				4,
-		);
+		split_line( 'blacklist file',
+			    { networks => 0, proto => 1, port => 2, options => 3 } );

 	    if ( $options eq '-' ) {
 		$options = 'src';
@@ -311,8 +300,6 @@ sub convert_blacklist() {
 	    }
 	}

-	directive_callback(0);
-
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
@@ -325,7 +312,7 @@ sub convert_blacklist() {
 		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
-# Shorewall - Blacklist Rules File
+# Shorewall version 5.0 - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -407,8 +394,7 @@ sub convert_routestopped() {
    if ( my $fn = open_file 'routestopped' ) {
 	my ( @allhosts, %source, %dest , %notrack, @rule );

-	my $seq      = 0;
-	my $warnings = 0;
+	my $seq  = 0;
 	my $date = compiletime;

 	my ( $stoppedrules, $fn1 );
@@ -420,7 +406,7 @@ sub convert_routestopped() {
 	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
-# Shorewall - Stopped Rules File
+# Shorewall version 5 - Stopped Rules File
 #
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
@@ -436,13 +422,6 @@ sub convert_routestopped() {
 EOF
 	}

-	directive_callback(
-	    sub ()
-	    {
-		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
-	    }
-	    );
-
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -457,16 +436,13 @@ EOF
 	while ( read_a_line ( NORMAL_READ ) ) {

 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
-		split_rawline2( 'routestopped file',
-				{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 },
-				{},
-				6,
-				0,
-		);
+		split_line( 'routestopped file',
+			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );

 	    my $interfaceref;

 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
+	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';

 	    my $routeback = 0;
@@ -480,6 +456,8 @@ EOF
 	    $hosts = ALLIP if $hosts eq '-';

 	    for my $host ( split /,/, $hosts ) {
+		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
+		validate_host $host, 1;
 		push @hosts, "$interface|$host|$seq";
 		push @rule, $rule;
 	    }
@@ -523,8 +501,6 @@ EOF
 	    push @allhosts, @hosts;
 	}

-	directive_callback(0);
-
 	for my $host ( @allhosts ) {
 	    my ( $interface, $h, $seq ) = split /\|/, $host;
 	    my $rule = shift @rule;
@@ -712,8 +688,7 @@ sub add_common_rules ( $ ) {
    my $dbl_ipset;
    my $dbl_level;
    my $dbl_tag;
-    my $dbl_src_target;
-    my $dbl_dst_target;
+    my $dbl_target;

    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -774,42 +749,8 @@ sub add_common_rules ( $ ) {
 	}

 	if ( $dbl_ipset ) {
-	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
-
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
-
-		log_rule_limit( $dbl_level,
-				$chainref,
-				'dbl_log',
-				'DROP',
-				$globals{LOGLIMIT},
-				$dbl_tag,
-				'add',
-				'',
-				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
-		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
-
-		if ( $dbl_src_target eq 'dbl_src' ) {
-		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
-
-		    log_rule_limit( $dbl_level,
-				    $chainref,
-				    'dbl_log',
-				    'DROP',
-				    $globals{LOGLIMIT},
-				    $dbl_tag,
-				    'add',
-				    '',
-				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
-		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
-		} else {
-		    $dbl_dst_target = $dbl_src_target;
-		}		    
-	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+	    if ( $dbl_level ) {
+		my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );

 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -822,7 +763,7 @@ sub add_common_rules ( $ ) {
 				$origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 	    } else {
-		$dbl_src_target = $dbl_dst_target = 'DROP'; 
+		$dbl_target = 'DROP'; 
 	    }
 	}
    }
@@ -936,17 +877,17 @@ sub add_common_rules ( $ ) {
 		    #
 		    # src
 		    #
-		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		} elsif ( $in == 2 ) {
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}

 		if ( $out == 2 ) {
 		    #
 		    # dst
 		    #
-		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 	    }
 	    
@@ -1028,7 +969,7 @@ sub add_common_rules ( $ ) {
 	    );
    }
 	    
-    run_user_exit 'initdone';
+    run_user_exit1 'initdone';

    if ( $upgrade ) {
 	convert_blacklist;
@@ -1454,6 +1395,8 @@ sub setup_mac_lists( $ ) {
 		}
 	    }

+	    run_user_exit2( 'maclog', $chainref );
+
 	    log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
 	    add_ijump $chainref, j => $target;
 	}
@@ -1679,6 +1622,12 @@ sub add_interface_jumps {
 	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );

+	if ( have_capability 'RAWPOST_TABLE' ) {
+	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
+	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
+	    insert_ijump ( $raw_table->{OUTPUT},          j => output_chain( $interface ),      0, imatch_dest_dev( $interface) )   if $raw_table->{output_chain $interface};
+	}
+
 	add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
    }
    #
@@ -2756,9 +2705,6 @@ EOF
    pop_indent;

    emit '
-    rm -f ${VARDIR}/*.address
-    rm -f ${VARDIR}/*.gateway
-
    run_stopped_exit';

    my @ipsets = all_ipsets;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,8 +36,8 @@ use Shorewall::Providers qw( provider_realm );
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
+our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
 our @EXPORT_OK = ();

 Exporter::export_ok_tags('rules');
@@ -62,7 +62,7 @@ sub initialize($) {
 #
 sub process_one_masq1( $$$$$$$$$$$ )
 {
-    my ( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;

    my $pre_nat;
    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
@@ -70,12 +70,10 @@ sub process_one_masq1( $$$$$$$$$$$ )
    my $baserule = '';
    my $inlinematches = '';
    my $prerule       = '';
-    my $savelist;
    #
    # Leading '+'
    #
    $pre_nat = 1 if $interfacelist =~ s/^\+//;
-
    #
    # Check for INLINE
    #
@@ -84,9 +82,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	$inlinematches = get_inline_matches(0);
    } else {
 	$inlinematches = get_inline_matches(0);
-    }
-
-    $savelist = $interfacelist;
+    }	
    #
    # Handle early matches
    #
@@ -153,12 +149,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
    $baserule .= do_user( $user )                    if $user ne '-';
    $baserule .= do_probability( $probability )      if $probability ne '-';

-    my $target;
-
    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-
-	$target = 'MASQUERADE ';
+	my $target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -200,7 +193,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	# Parse the ADDRESSES column
 	#
 	if ( $addresses ne '-' ) {
-	    my $saveaddresses = $addresses;
 	    if ( $addresses eq 'random' ) {
 		require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
 		$randomize = '--random ';
@@ -232,7 +224,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 		    my $addrlist = '';
 		    my @addrs = split_list $addresses, 'address';

-		    fatal_error "Only one ADDRESS may be specified" if @addrs > 1;
+		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;

 		    for my $addr ( @addrs ) {
 			if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -248,7 +240,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			    # Address Variable
 			    #
 			    $target = 'SNAT ';
-
 			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 				#
 				# User-defined address variable
@@ -278,20 +269,14 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
 				$target = 'SNAT ';
-				my ($ipaddr, $rest) = split ':', $addr, 2;
+				my ($ipaddr, $rest) = split ':', $addr;
 				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $ipaddr, 0;
 				}
-
-				if ( supplied $rest ) {
-				    validate_portpair1( $proto, $rest );
-				    $addrlist .= "--to-source $addr ";
-				} else {
-				    $addrlist .= "--to-source $ipaddr";
-				}
-
+				validate_portpair1( $proto, $rest ) if supplied $rest;
+				$addrlist .= "--to-source $addr ";
 				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			    } else {
 				my $ports = $addr;
@@ -352,7 +337,6 @@ sub process_one_masq1( $$$$$$$$$$$ )

 	    $target .= $randomize;
 	    $target .= $persistent;
-	    $addresses = $saveaddresses;
 	} else {
 	    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )  if $family == F_IPV6;
 	    $add_snat_aliases = 0;
@@ -402,250 +386,32 @@ sub process_one_masq1( $$$$$$$$$$$ )

 }

-sub convert_one_masq1( $$$$$$$$$$$$ )
+sub process_one_masq( )
 {
-    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+	split_line2( 'masq file',
+		     { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+		     {},    #Nopad
+		     undef, #Columns
+		     1 );   #Allow inline matches

-    my $pre_nat;
-    my $destnets = '';
-    my $savelist;
-    #
-    # Leading '+'
-    #
-    $pre_nat = ( $interfacelist =~ s/^\+// );
-    #
-    # Check for INLINE
-    #
-    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
-	$interfacelist = $1;
+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
    }
-
-    $savelist = $interfacelist;
-    #
-    # Parse the remaining part of the INTERFACE column
-    #
-    if ( $family == F_IPV4 ) {
-	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
-	    $destnets = $2;
-	    $interfacelist = $1;
-	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
-	    $destnets = $2;
-	    $interfacelist = $1;
-	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
-	    $interfacelist = $1;
-	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
-	    my ( $one, $two ) = ( $1, $2 );
-	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
-		$interfacelist = $one;
-		$destnets = $two;
-	    }
-	}
-    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
-	$interfacelist = $1;
-	$destnets      = $2;
-    }
-    #
-    # If there is no source or destination then allow all addresses
-    #
-    $networks = ALLIP if $networks eq '-';
-    $destnets = ALLIP if $destnets eq '-';
-
-    my $target;
-    #
-    # Parse the ADDRESSES column
-    #
-    if ( $addresses ne '-' ) {
-	my $saveaddresses = $addresses;
-	if ( $addresses ne 'random' ) {
-	    $addresses =~ s/:persistent$//;
-	    $addresses =~ s/:random$//;
-
-	    if ( $addresses eq 'detect' ) {
-		$target = 'SNAT';
-	    } elsif ( $addresses eq 'NONAT' ) {
-		$target = 'CONTINUE';
-	    } elsif ( $addresses ) {
-		if ( $addresses =~ /^:/ ) {
-		    $target = 'MASQUERADE';
-		} else {
-		    $target = 'SNAT';
-		}
-	    }
-	}
-
-	$addresses = $saveaddresses;
-    } else {
-	$target = 'MASQUERADE';
-    }
-
-    if ( $snat ) {
-	$target .= '+' if $pre_nat;
-
-	if ( $addresses ne '-' && $addresses ne 'NONAT' ) {
-	    $addresses =~ s/^://;
-	    $target .= '(' . $addresses . ')';
-	}
-
-	my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
-	#
-	# Supress superfluous trailing dashes
-	#
-	$line =~ s/(?:\t-)+$//;
-
-	my $raw_matches = fetch_inline_matches;
-
-	$line .= join( '', ' ;;', $raw_matches ) if $raw_matches ne ' ';
-
-	print $snat "$line\n";
-    }
-
-    progress_message "   Masq record \"$rawcurrentline\" Converted";
-
 }

-sub process_one_masq( $ )
+#
+# Process the masq file
+#
+sub setup_masq()
 {
-    my ( $snat ) = @_;
-
-    if ( $snat ) {
-	unless ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
-	    #
-	    # Line was not blank or all comment
-	    #
-	    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
-		split_rawline2( 'masq file',
-				{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
-				{},    #Nopad
-				undef, #Columns
-				1 );   #Allow inline matches
-
-	    if ( $interfacelist ne '-' ) { 
-		for my $proto ( split_list $protos, 'Protocol' ) {
-		    convert_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
-		}
-	    }
-	}
-    } else {
-	my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
-	    split_line2( 'masq file',
-			 { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
-			 {},    #Nopad
-			 undef, #Columns
-			 1 );   #Allow inline matches
-
-	fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
-
-	for my $proto ( split_list $protos, 'Protocol' ) {
-	    process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
-	}
-    }
-}
-
-sub open_snat_for_output( $ ) {
-    my ($fn ) = @_;
-    my ( $snat, $fn1 );
-
-    if ( -f ( $fn1 = find_writable_file( 'snat' ) ) ) {
-	open( $snat , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
-    } else {
-	open( $snat , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
-	#
-	# Transfer permissions from the existing masq file to the new snat file
-	#
-	transfer_permissions( $fn, $fn1 );
-
-	if ( $family == F_IPV4 ) {
-	    print $snat <<'EOF';
-#
-# Shorewall - SNAT/Masquerade File
-#
-# For information about entries in this file, type "man shorewall-snat"
-#
-# See http://shorewall.net/manpages/shorewall-snat.html for additional information
-EOF
-	} else {
-	    print $snat <<'EOF';
-#
-# Shorewall6 - SNAT/Masquerade File
-#
-# For information about entries in this file, type "man shorewall6-snat"
-#
-# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
-EOF
-	}
-
-	print $snat <<'EOF';
-###################################################################################################################
-#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
-EOF
-    }
-
-    return ( $snat, $fn1 );
-}
-
-#
-# Convert a masq file into the equivalent snat file
-#
-sub convert_masq() {
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
-	my ( $snat, $fn1 ) = open_snat_for_output( $fn );

-	my $have_masq_rules;
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );

-	directive_callback(
-	    sub ()
-	    {
-		if ( $_[0] eq 'OMITTED' ) {
-		    #
-		    # Convert the raw rule
-		    #
-		    process_one_masq( $snat) if $snat;
-		} else {
-		    print $snat "$_[1]\n"; 0;
-		}
-	    }
-	    );
-
-	first_entry(
-	    sub {
-		my $date = compiletime;
-		progress_message2 "Converting $fn...";
-		print( $snat
-		       "#\n" ,
-		       "# Rules generated from masq file $fn by Shorewall $globals{VERSION} - $date\n" ,
-		       "#\n" );
-	    }
-	    );
-
-	while ( read_a_line( NORMAL_READ ) ) {
-	    #
-	    # Process the file normally
-	    #
-	    process_one_masq(0);
-	    #
-	    # Now Convert it
-	    #
-	    process_one_masq($snat);
-
-	    $have_masq_rules++;
-	}
-
-	if ( $have_masq_rules ) {
-	    progress_message2 "Converted $fn to $fn1";
-	    if ( rename $fn, "$fn.bak" ) {
-		progress_message2 "$fn renamed $fn.bak";
-	    } else {
-		fatal_error "Cannot Rename $fn to $fn.bak: $!";
-	    }
-	} else {
-	    if ( unlink $fn ) {
-		warning_message "Empty masq file ($fn) removed";
-	    } else {
-		warning_message "Unable to remove empty masq file $fn: $!";
-	    }
-	}
-
-	close $snat, directive_callback( 0 );
+	process_one_masq while read_a_line( NORMAL_READ );
    }
 }

@@ -790,39 +556,88 @@ sub setup_netmap() {

 		my @rule = do_iproto( $proto, $dport, $sport );

-		my @rulein;
-		my @ruleout;
+		unless ( $type =~ /:/ ) {
+		    my @rulein;
+		    my @ruleout;

-		$net1 = validate_net $net1, 0;
-		$net2 = validate_net $net2, 0;
+		    $net1 = validate_net $net1, 0;
+		    $net2 = validate_net $net2, 0;

-		if ( $interfaceref->{root} ) {
-		    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-		} else {
-		    @rulein  = imatch_source_dev( $interface );
-		    @ruleout = imatch_dest_dev( $interface );
-		    $interface = $interfaceref->{name};
-		}
+		    if ( $interfaceref->{root} ) {
+			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+		    } else {
+			@rulein  = imatch_source_dev( $interface );
+			@ruleout = imatch_dest_dev( $interface );
+			$interface = $interfaceref->{name};
+		    }

-		require_capability 'NETMAP_TARGET', 'Stateful Netmap Entries', '';
+		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';

-		if ( $type eq 'DNAT' ) {
-		    dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
-				      j => 'NETMAP' ,
-				      "--to $net2",
-				      $net1 ,
-				      @rulein  ,
-				      imatch_source_net( $net3 ) );
-		} elsif ( $type eq 'SNAT' ) {
-		    source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
-				       j => 'NETMAP' ,
-				       "--to $net2" ,
-				       $net1 ,
-				       @ruleout ,
-				       imatch_dest_net( $net3 ) );
+		    if ( $type eq 'DNAT' ) {
+			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
+					  j => 'NETMAP' ,
+					  "--to $net2",
+					  $net1 ,
+					  @rulein  ,
+					  imatch_source_net( $net3 ) );
+		    } elsif ( $type eq 'SNAT' ) {
+			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+					   j => 'NETMAP' ,
+					   "--to $net2" ,
+					   $net1 ,
+					   @ruleout ,
+					   imatch_dest_net( $net3 ) );
+		    } else {
+			fatal_error "Invalid type ($type)";
+		    }
+		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
+		    my ( $target , $chain ) = ( $1, $2 );
+		    my $table = 'raw';
+		    my @match;
+
+		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
+
+		    $net2 = validate_net $net2, 0;
+
+		    unless ( $interfaceref->{root} ) {
+			@match = imatch_dest_dev(  $interface );
+			$interface = $interfaceref->{name};
+		    }
+
+		    if ( $chain eq 'P' ) {
+			$chain = prerouting_chain $interface;
+			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
+		    } elsif ( $chain eq 'O' ) {
+			$chain = output_chain $interface;
+		    } else {
+			$chain = postrouting_chain $interface;
+			$table = 'rawpost';
+		    }
+
+		    my $chainref = ensure_chain( $table, $chain );
+
+
+		    if ( $target eq 'DNAT' ) {
+			dest_iexclusion( $chainref ,
+					 j => 'RAWDNAT' ,
+					 "--to-dest $net2" ,
+					 $net1 ,
+					 imatch_source_net( $net3 ) ,
+					 @rule ,
+					 @match
+				       );
+		    } else {
+			source_iexclusion( $chainref ,
+					   j  => 'RAWSNAT' ,
+					   "--to-source $net2" ,
+					   $net1 ,
+					   imatch_dest_net( $net3 ) ,
+					   @rule ,
+					   @match );
+		    }
 		} else {
 		    fatal_error 'TYPE must be specified' if $type eq '-';
-		    fatal_error "Invalid type ($type)";
+		    fatal_error "Invalid TYPE ($type)";
 		}

 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -220,14 +220,7 @@ sub copy_table( $$$ ) {
 	       '            esac',
 	     );
    } else {
-	emit ( '            case $net in',
-	       '                fe80:*)',
-	       '                    ;;',
-	       '                *)',
-	       "                    run_ip route add table $number \$net \$route $realm",
-	       '                    ;;',
-	       '            esac',
-	     );
+	emit ( "            run_ip route add table $number \$net \$route $realm" );
    }

    emit ( '            ;;',
@@ -298,14 +291,7 @@ sub copy_and_edit_table( $$$$$ ) {
 		'                    esac',
 	     );
    } else {
-	emit (  '                    case $net in',
-		'                        fe80:*)',
-		'                            ;;',
-		'                        *)',
-		"                            run_ip route add table $id \$net \$route $realm",
-		'                            ;;',
-		'                    esac',
-	     );
+	emit (  "                    run_ip route add table $id \$net \$route $realm" );
    }

    emit (  '                    ;;',
@@ -323,14 +309,27 @@ sub balance_default_route( $$$$ ) {
    emit '';

    if ( $first_default_route ) {
-	if ( $gateway ) {
-	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    }
 	} else {
-	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    #
+	    # IPv6 doesn't support multi-hop routes
+	    #
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
+	    }
 	}

 	$first_default_route = 0;
    } else {
+	fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
+
 	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -347,14 +346,27 @@ sub balance_fallback_route( $$$$ ) {
    emit '';

    if ( $first_fallback_route ) {
-	if ( $gateway ) {
-	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    }
 	} else {
-	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    #
+	    # IPv6 doesn't support multi-hop routes
+	    #
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
+	    }
 	}

 	$first_fallback_route = 0;
    } else {
+	fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
+
 	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -486,14 +498,12 @@ sub process_a_provider( $ ) {

    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, 1 );
+	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
-	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gatewaycase = 'none';
 	$gateway = '';
-	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
@@ -507,15 +517,12 @@ sub process_a_provider( $ ) {
 	}

 	$gatewaycase = 'specified';
-	set_interface_option( $interface, 'gateway', $gateway );
    } else {
 	$gatewaycase = 'omitted';
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gateway = '';
-	set_interface_option( $interface, 'gateway', $pseudo ? 'detect' : 'omitted' );
    }

-
    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );

    if ( $pseudo ) {	
@@ -535,6 +542,7 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
+		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
@@ -557,6 +565,7 @@ sub process_a_provider( $ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
+		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
@@ -744,9 +753,9 @@ sub emit_started_message( $$$$$ ) {
    my ( $spaces, $level, $pseudo, $name, $number ) = @_;

    if ( $pseudo ) {
-	emit qq(${spaces}progress_message${level} "Optional interface $name Started");
+	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
    } else {
-	emit qq(${spaces}progress_message${level} "Provider $name ($number) Started");
+	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
    }
 }

@@ -813,15 +822,23 @@ sub add_a_provider( $$ ) {
 	}

 	if ( $gateway ) {
-	    $address = get_interface_address( $interface, 1 ) unless $address;
+	    $address = get_interface_address $interface unless $address;

 	    emit( qq([ -z "$address" ] && return\n) );

 	    if ( $hostroute ) {
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
-		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		if ( $family == F_IPV4 ) {
+		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		    emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		    emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		} else {
+		    emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
+		    emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
+		    emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
+		    emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing );
+		    emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		}
 	    }

 	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
@@ -939,11 +956,17 @@ CEOF
    }

    if ( $gateway ) {
-	$address = get_interface_address( $interface, 1 ) unless $address;
+	$address = get_interface_address $interface unless $address;

 	if ( $hostroute ) {
-	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+	    if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+	    } else {
+		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
+		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
+	    }
 	}

 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
@@ -957,8 +980,13 @@ CEOF
 	my $id = $providers{default}->{id};
 	emit '';
 	if ( $gateway ) {
-	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
+		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    } else {
+		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
+		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    }
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
@@ -1034,12 +1062,23 @@ CEOF
 	    $tbl    = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
 	    $weight = $balance ? $balance : $default;

-	    if ( $gateway ) {
-		emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
+	    if ( $family == F_IPV4 ) {
+		if ( $gateway ) {
+		    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
+		} else {
+		    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+		}
 	    } else {
-		emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+		#
+		# IPv6 doesn't support multi-hop routes
+		#
+		if ( $gateway ) {
+		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
+		} else {
+		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
+		}
 	    }
-	} else {
+	    	} else {
 	    $weight = 1;
 	}

@@ -1052,16 +1091,6 @@ CEOF
 	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );

-	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    emit( '',
-		  'if [ -n "$g_forcereload" ]; then',
-		  "    progress_message2 \"The IP address or gateway of $physical has changed -- forcing reload of the ruleset\"",
-		  '    COMMAND=reload',
-		  '    detect_configuration',
-		  '    define_firewall',
-		  'fi' );
-	}
-
 	pop_indent;

 	unless ( $pseudo ) {
@@ -1072,17 +1101,6 @@ CEOF
 	}

 	emit "fi\n";
-
-	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-	    my $variable = interface_address( $interface );
-
-	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
-	}
-
-	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    my $variable = interface_gateway( $interface );
-	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
-	}
    } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
    }
@@ -1107,17 +1125,6 @@ CEOF
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
-
-
-	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-	    my $variable = interface_address( $interface );
-	    emit( "\necho \$$variable > \${VARDIR}/${physical}.address" );
-	}
-
-	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    my $variable = interface_gateway( $interface );
-	    emit( qq(\necho "\$$variable" > \${VARDIR}/${physical}.gateway) );
-	}
    } else {
 	if ( $shared ) {
 	    emit( "fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Started\"" );
@@ -1161,7 +1168,7 @@ CEOF
 		$via = "dev $physical";
 	    }

-	    $via .= " weight $weight" unless $weight < 0;
+	    $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
 	    $via .= " $realm"         if $realm;

 	    emit( qq(delete_gateway "$via" $tbl $physical) );
@@ -1256,7 +1263,7 @@ sub add_an_rtrule1( $$$$$ ) {
    if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
    } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address( '&', $source, undef, 1 );
+	$source = 'from ' . record_runtime_address '&', $source;
    } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -1510,17 +1517,11 @@ sub finish_providers() {

    if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
-
 	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
-	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
-		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
-		    '    else',
-		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
-		    '    fi',
-		    '' );
+	    emit  ( "    qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" );
+	    emit  ( "    run_ip route add default scope global table $table \$DEFAULT_ROUTE" );
 	}

 	if ( $config{USE_DEFAULT_RT} ) {
@@ -1574,11 +1575,10 @@ sub finish_providers() {

    if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
-
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}

@@ -2207,7 +2207,6 @@ sub handle_optional_interfaces( $ ) {
 		}

 		push_indent;
-
 		if ( $providerref->{gatewaycase} eq 'detect' ) {
 		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 		} else {
@@ -2220,28 +2219,6 @@ sub handle_optional_interfaces( $ ) {
 		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
 		emit( 'fi' );

-		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		    my $variable = interface_address( $interface );
-
-		    emit( '',
-			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
-			  '        g_forcereload=Yes',
-			  '    fi',
-			  'fi' );
-		}
-
-		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-		    my $variable = interface_gateway( $interface );
-
-		    emit( '',
-			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
-			  '        g_forcereload=Yes',
-			  '    fi',
-			  'fi' );
-		}
-
 		pop_indent;

 		emit( "fi\n" );
@@ -2252,7 +2229,6 @@ sub handle_optional_interfaces( $ ) {
 		my $base        = uc var_base( $physical );
 		my $case        = $physical;
 		my $wild        = $case =~ s/\+$/*/;
-		my $variable    = interface_address( $interface );

 		if ( $wildcards ) {
 		    emit( "$case)" );
@@ -2273,15 +2249,6 @@ sub handle_optional_interfaces( $ ) {
 		emit ( "    SW_${base}_IS_USABLE=Yes" ,
 		       'fi' );

-		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		    emit( '',
-			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
-			  '        g_forcereload=Yes',
-			  '    fi',
-			  'fi' );
-		}
-
 		if ( $wildcards ) {
 		    pop_indent, emit( 'fi' ) if $wild;
 		    emit( ';;' );
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -122,7 +122,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
 	}

-	my ( $tgt, $options ) = split( ' ', $2, 2 );
+	my ( $tgt, $options ) = split( ' ', $2 );
 	my $target_type = $builtin_target{$tgt};
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -42,7 +42,7 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw( process_tc setup_tc );
-our @EXPORT_OK = qw( initialize );
+our @EXPORT_OK = qw( process_tc_rule initialize );
 our $VERSION = 'MODULEVERSION';

 our %flow_keys = ( 'src'            => 1,
@@ -827,7 +827,7 @@ sub validate_tc_class( ) {
 		fatal_error "Invalid 'occurs' ($val)"                               unless defined $occurs && $occurs > 1 && $occurs <= 256;
 		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > $globals{TC_MAX};
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
-               fatal_error q(The 'occurs' option is not valid with 'default')      if defined($devref->{default}) && $devref->{default} == $classnumber;
+		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
 		warning_message "MARK ($mark) is ignored on an occurring class"     if $mark ne '-';

@@ -1308,8 +1308,6 @@ sub handle_ematch( $$ ) {

    $setname =~ s/\+//;

-    add_ipset($setname);
-
    return "ipset\\($setname $options\\)";
 }

@@ -1520,7 +1518,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 	$rule .= ' and' if $have_rule;

 	if ( $source =~ /^\+/ ) {
-	    $rule .= join( '', "\\\n   ", handle_ematch( $source, 'src' ) );
+	    $rule = join( '', "\\\n   ", handle_ematch( $source, 'src' ) );
 	} else {
 	    my @parts = decompose_net_u32( $source );

@@ -1559,9 +1557,9 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 		    $rule .= ' and' if @parts;
 		}
 	    }
-	}

-	$have_rule = 1;
+	    $have_rule = 1;
+	}
    }

    if ( $have_rule ) {
@@ -2150,50 +2148,6 @@ sub process_secmark_rule() {
    }
 }

-sub convert_one_tos( $ ) {
-    my ( $mangle ) = @_;
-
-    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
-	split_rawline2( 'tos file entry',
-			{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 },
-			undef,
-			7 );
-
-    my $chain_designator = 'P';
-
-    decode_tos($tos, 1);
-
-    my ( $srczone , $source , $remainder );
-
-    if ( $family == F_IPV4 ) {
-	( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
-	fatal_error 'Invalid SOURCE' if defined $remainder;
-    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
-	$srczone = $1;
-	$source  = $2;
-    } else {
-	$srczone = $src;
-    }
-
-    if ( $srczone eq firewall_zone ) {
-	$chain_designator = 'O';
-	$src         = $source || '-';
-    } else {
-	$src =~ s/^all:?//;
-    }
-
-    $dst =~ s/^all:?//;
-
-    $src    = '-' unless supplied $src;
-    $dst    = '-' unless supplied $dst;
-    $proto  = '-' unless supplied $proto;
-    $ports  = '-' unless supplied $ports;
-    $sports = '-' unless supplied $sports;
-    $mark   = '-' unless supplied $mark;
-
-    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
-}
-

 sub convert_tos($$) {
    my ( $mangle, $fn1 ) = @_;
@@ -2211,25 +2165,6 @@ sub convert_tos($$) {
    }

    if ( my $fn = open_file 'tos' ) {
-	directive_callback(
-	    sub ()
-	    {
-		if ( $_[0] eq 'OMITTED' ) {
-		    #
-		    # Convert the raw rule
-		    #
-		    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
-			print $mangle "$_[1]\n";
-		    } else {
-			convert_one_tos( $mangle );
-			$have_tos = 1;
-		    }
-		} else {
-		    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
-		}
-	    }
-	    );
-
 	first_entry(
 		    sub {
 			my $date = compiletime;
@@ -2243,11 +2178,47 @@ sub convert_tos($$) {

 	while ( read_a_line( NORMAL_READ ) ) {

-	    convert_one_tos( $mangle );
 	    $have_tos = 1;
-	}

-	directive_callback(0);
+	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
+		split_line( 'tos file entry',
+			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
+
+	    my $chain_designator = 'P';
+
+	    decode_tos($tos, 1);
+
+	    my ( $srczone , $source , $remainder );
+
+	    if ( $family == F_IPV4 ) {
+		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
+		fatal_error 'Invalid SOURCE' if defined $remainder;
+	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
+		$srczone = $1;
+		$source  = $2;
+	    } else {
+		$srczone = $src;
+	    }
+
+	    if ( $srczone eq firewall_zone ) {
+		$chain_designator = 'O';
+		$src         = $source || '-';
+	    } else {
+		$src =~ s/^all:?//;
+	    }
+
+	    $dst =~ s/^all:?//;
+
+	    $src    = '-' unless supplied $src;
+	    $dst    = '-' unless supplied $dst;
+	    $proto  = '-' unless supplied $proto;
+	    $ports  = '-' unless supplied $ports;
+	    $sports = '-' unless supplied $sports;
+	    $mark   = '-' unless supplied $mark;
+
+	    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
+
+	}

 	if ( $have_tos ) {
 	    progress_message2 "Converted $fn to $fn1";
@@ -2277,10 +2248,9 @@ sub open_mangle_for_output( $ ) {
 	#
 	transfer_permissions( $fn, $fn1 );

-	if ( $family == F_IPV4 ) {
-	    print $mangle <<'EOF';
+	print $mangle <<'EOF';
 #
-# Shorewall -- /etc/shorewall/mangle
+# Shorewall version 4 - Mangle File
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
@@ -2290,31 +2260,13 @@ sub open_mangle_for_output( $ ) {
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##############################################################################################################################################################
-#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
+####################################################################################################################################################
+#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
+#                                                       PORT(S) PORT(S)
 EOF
-	} else {
-	    print $mangle <<'EOF';
-#
-# Shorewall6 -- /etc/shorewall6/mangle
-#
-# For information about entries in this file, type "man shorewall6-mangle"
-#
-# See http://shorewall.net/traffic_shaping.htm for additional information.
-# For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
-#
-# See http://shorewall.net/PacketMarking.html for a detailed description of
-# the Netfilter/Shorewall packet marking mechanism.
-#
-######################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP	SWITCH
-EOF
-
-	}
-
-	return ( $mangle, $fn1 );
    }
+
+    return ( $mangle, $fn1 );
 }

 #
@@ -2324,13 +2276,13 @@ sub setup_tc( $ ) {
    $convert = $_[0];

    if ( $config{MANGLE_ENABLED} ) {
-	ensure_mangle_chain( 'tcpre', PREROUTING, PREROUTE_RESTRICT );
-	ensure_mangle_chain( 'tcout', OUTPUT    , OUTPUT_RESTRICT );
+	ensure_mangle_chain 'tcpre';
+	ensure_mangle_chain 'tcout';

 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    ensure_mangle_chain( 'tcfor',  FORWARD    , NO_RESTRICT );
-	    ensure_mangle_chain( 'tcpost', POSTROUTING, POSTROUTE_RESTRICT );
-	    ensure_mangle_chain( 'tcin',   INPUT      , INPUT_RESTRICT );
+	    ensure_mangle_chain 'tcfor';
+	    ensure_mangle_chain 'tcpost';
+	    ensure_mangle_chain 'tcin';
 	}

 	my @mark_part;
@@ -2383,24 +2335,7 @@ sub setup_tc( $ ) {
 		#
 		( $mangle, $fn1 ) = open_mangle_for_output( $fn );

-		directive_callback(
-		    sub ()
-		    {
-			if ( $_[0] eq 'OMITTED' ) {
-			    #
-			    # Convert the raw rule
-			    #
-			    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
-				print $mangle "$_[1]\n";
-			    } else {
-				process_tc_rule;
-				$have_tcrules++;
-			    }
-			} else {
-			    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
-			}
-		    }
-		    );
+		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );

 		first_entry(
 			    sub {
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -95,6 +95,7 @@ our @EXPORT = ( qw( NOTHING
                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
+		    set_interface_provider
 		    interface_zone
 		    interface_zones
 		    verify_required_interfaces
@@ -194,6 +195,7 @@ our %reservedName = ( all => 1,
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
+#                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                     origin      => <where defined>
@@ -396,6 +398,7 @@ sub initialize( $$ ) {
 				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
+				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
@@ -1116,8 +1119,6 @@ sub process_interface( $$ ) {

    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;

-    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
-
    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;

    if ( supplied $port ) {
@@ -1192,7 +1193,7 @@ sub process_interface( $$ ) {
    my %options;

    $options{port} = 1 if $port;
-    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
+    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';

    my $hostoptionsref = {};

@@ -1315,7 +1316,7 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;

 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
+		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
 		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;

 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -38,11 +38,12 @@ fi
 #
 . /usr/share/shorewall/shorewallrc

-g_basedir=${SHAREDIR}/shorewall
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR/shorewall"
+g_confdir="$CONFDIR/$PRODUCT"
+g_readrc=1

-. $g_basedir/lib.cli
-
-setup_product_environment
+. $g_sharedir/lib.cli

 CONFIG_PATH="$2"

--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -526,6 +526,13 @@ debug_restore_input() {
 	qt1 $g_tool -t raw -P $chain ACCEPT
    done

+    qt1 $g_tool -t rawpost -F
+    qt1 $g_tool -t rawpost    -X
+
+    for chain in POSTROUTING; do
+	qt1 $g_tool -t rawpost -P $chain ACCEPT
+    done
+
    qt1 $g_tool -t nat    -F
    qt1 $g_tool -t nat    -X

@@ -575,6 +582,9 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
 	    '*'mangle)
 		table=mangle
 		;;
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -128,9 +128,6 @@ g_compiled=
 g_file=
 g_docker=
 g_dockernetwork=
-g_forcereload=
-
-[ -n "$SERVICEDIR" ] && SUBSYSLOCK=

 initialize

--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
+#  Shorewall Version 4.4 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
@@ -23,12 +23,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -47,11 +41,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -75,7 +69,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -144,6 +138,8 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

 CLEAR_TC=Yes
@@ -291,3 +287,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -34,12 +34,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -58,11 +52,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -86,7 +80,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -155,6 +149,8 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

 CLEAR_TC=Yes
@@ -302,3 +298,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -0,0 +1,19 @@
+#
+# Shorewall - Sample Masq file for three-interface configuration.
+# Copyright (C) 2006-2015 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-masq"
+################################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
+eth0			10.0.0.0/8,\
+			169.254.0.0/16,\
+			172.16.0.0/12,\
+			192.168.0.0/16
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -31,12 +31,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -55,11 +49,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -83,7 +77,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -152,6 +146,8 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=Yes

 CLEAR_TC=Yes
@@ -299,3 +295,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/three-interfaces/snat
+++ b/Shorewall/Samples/three-interfaces/snat
@@ -1,23 +0,0 @@
-#
-# Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
-#------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-snat"
-#
-# See http://shorewall.net/manpages/shorewall-snat.html for more information
-###########################################################################################################################################
-#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
-#
-# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
-#
-MASQUERADE		10.0.0.0/8,\
-			169.254.0.0/16,\
-			172.16.0.0/12,\
-			192.168.0.0/16		eth0
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -0,0 +1,19 @@
+#
+# Shorewall - Sample Masq file for two-interface configuration.
+# Copyright (C) 2006-2015 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-masq"
+################################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
+eth0			10.0.0.0/8,\
+			169.254.0.0/16,\
+			172.16.0.0/12,\
+			192.168.0.0/16
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -34,12 +34,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -58,11 +52,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -86,7 +80,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -155,6 +149,8 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=Yes

 CLEAR_TC=Yes
@@ -302,3 +298,5 @@ PROVIDER_OFFSET=
 MASK_BITS=

 ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -1,23 +0,0 @@
-#
-# Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
-#------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-snat"
-#
-# See http://shorewall.net/manpages/shorewall-snat.html for more information
-###########################################################################################################################################
-#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
-#
-# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
-#
-MASQUERADE		10.0.0.0/8,\
-			169.254.0.0/16,\
-			172.16.0.0/12,\
-			92.168.0.0/16		eth0
--- a/Shorewall/Actions/action.A_Drop
+++ b/Shorewall/Actions/action.A_Drop
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ b/Shorewall/Actions/action.A_Reject.deprecated
--- a/Shorewall/Actions/action.AutoBL
+++ b/Shorewall/Actions/action.AutoBL
--- a/Shorewall/Actions/action.AutoBLL
+++ b/Shorewall/Actions/action.AutoBLL
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
--- a/Shorewall/Actions/action.DNSAmp
+++ b/Shorewall/Actions/action.DNSAmp
--- a/Shorewall/Actions/action.Drop
+++ b/Shorewall/Actions/action.Drop
--- a/Shorewall/Actions/action.DropSmurfs
+++ b/Shorewall/Actions/action.DropSmurfs
--- a/Shorewall/Actions/action.Established
+++ b/Shorewall/Actions/action.Established
--- a/Shorewall/Actions/action.GlusterFS
+++ b/Shorewall/Actions/action.GlusterFS
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
--- a/Shorewall/Actions/action.Invalid
+++ b/Shorewall/Actions/action.Invalid
--- a/Shorewall/Actions/action.New
+++ b/Shorewall/Actions/action.New
--- a/Shorewall/Actions/action.NotSyn
+++ b/Shorewall/Actions/action.NotSyn
--- a/Shorewall/Actions/action.RST
+++ b/Shorewall/Actions/action.RST
--- a/Shorewall/Actions/action.Reject
+++ b/Shorewall/Actions/action.Reject
--- a/Shorewall/Actions/action.Related
+++ b/Shorewall/Actions/action.Related
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
--- a/Shorewall/Actions/action.TCPFlags
+++ b/Shorewall/Actions/action.TCPFlags
--- a/Shorewall/Actions/action.Untracked
+++ b/Shorewall/Actions/action.Untracked
--- a/Shorewall/Actions/action.allowInvalid
+++ b/Shorewall/Actions/action.allowInvalid
--- a/Shorewall/Actions/action.dropInvalid
+++ b/Shorewall/Actions/action.dropInvalid
--- a/Shorewall/Actions/action.mangletemplate
+++ b/Shorewall/Actions/action.mangletemplate
--- a/Shorewall/Actions/action.template
+++ b/Shorewall/Actions/action.template
--- a/Shorewall/configfiles/mangle
+++ b/Shorewall/configfiles/mangle
@@ -10,5 +10,5 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
-##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP	SWITCH
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -23,12 +23,6 @@ VERBOSITY=1

 PAGER=

-###############################################################################
-#			     F I R E W A L L
-###############################################################################
-
-FIREWALL=
-
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -47,11 +41,11 @@ LOGALLNEW=

 LOGFILE=/var/log/messages

-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=

 MACLIST_LOG_LEVEL=info

@@ -138,12 +132,14 @@ AUTOCOMMENT=Yes

 AUTOHELPERS=Yes

-AUTOMAKE=Yes
+AUTOMAKE=No

 BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=Yes
+
 CLAMPMSS=No

 CLEAR_TC=Yes
@@ -182,7 +178,7 @@ INLINE_MATCHES=No

 IPSET_WARNINGS=Yes

-IP_FORWARDING=Keep
+IP_FORWARDING=On

 KEEP_RT_TABLES=No

@@ -208,7 +204,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=All
+OPTIMIZE=0

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall/configfiles/snat
+++ b/Shorewall/configfiles/snat
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/snat
-#
-# For information about entries in this file, type "man shorewall-snat"
-#
-# See http://shorewall.net/manpages/shorewall-snat.html for more information
-#
-###########################################################################################################################################
-#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -89,7 +89,7 @@ wait_for_pppd () {

 # start the firewall
 shorewall_start () {
-  printf "Starting \"Shorewall firewall\": "
+  echo -n "Starting \"Shorewall firewall\": "
  wait_for_pppd
  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
@@ -98,10 +98,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  if [ "$SAFESTOP" = 1 ]; then
-      printf "Stopping \"Shorewall firewall\": "
+      echo -n "Stopping \"Shorewall firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
-      printf "Clearing all \"Shorewall firewall\" rules: "
+      echo -n "Clearing all \"Shorewall firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -109,21 +109,21 @@ shorewall_stop () {

 # reload the firewall
 shorewall_reload () {
-  printf "Reloading \"Shorewall firewall\": "
+  echo -n "Reloading \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS restart $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

 # restart the firewall
 shorewall_restart () {
-  printf "Restarting \"Shorewall firewall\": "
+  echo -n "Restarting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

 # refresh the firewall
 shorewall_refresh () {
-  printf "Refreshing \"Shorewall firewall\": "
+  echo -n "Refreshing \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi

 start() {
-    printf $"Starting Shorewall: "
+    echo -n $"Starting Shorewall: "
    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }

 stop() {
-    printf $"Stopping Shorewall: "
+    echo -n $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -66,7 +66,7 @@ stop() {
 }

 reload() {
-    printf $"Reloading Shorewall: "
+    echo -n $"Reloading Shorewall: "
    $shorewall $OPTIONS reload $RELOADOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -83,7 +83,7 @@ reload() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    printf $"Restarting Shorewall: "
+    echo -n $"Restarting Shorewall: "
    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -103,7 +103,7 @@ require()

 cd "$(dirname $0)"

-if [ -f shorewall.service ]; then
+if [ -f shorewall ]; then
    PRODUCT=shorewall
    Product=Shorewall
 else
@@ -175,6 +175,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
@@ -380,9 +381,9 @@ fi
 echo "Installing $Product Version $VERSION"

 #
-# Check for /usr/share/$PRODUCT/version
+# Check for /sbin/$PRODUCT
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
@@ -393,6 +394,10 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreve
    exit 1
 fi

+install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0755
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/${PRODUCT}
+echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+
 #
 # Install the Firewall Script
 #
@@ -691,15 +696,17 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/maclist ]; then
    echo "mac list file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/maclist"
 fi

-#
-# Install the SNAT file
-#
-run_install $OWNERSHIP -m 0644 snat           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-run_install $OWNERSHIP -m 0644 snat.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+if [ -f masq ]; then
+    #
+    # Install the Masq file
+    #
+    run_install $OWNERSHIP -m 0644 masq           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+    run_install $OWNERSHIP -m 0644 masq.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/snat ]; then
-    run_install $OWNERSHIP -m 0600 snat${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/snat
-    echo "SNAT file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/snat"
+    if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/masq ]; then
+	run_install $OWNERSHIP -m 0600 masq${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/masq
+	echo "Masquerade file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/masq"
+    fi
 fi

 if [ -f arprules ]; then
@@ -1042,11 +1049,18 @@ fi

 cd ..

+#
+# Install the  Makefiles
+#
+run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/Makefile
+
+if [ -z "$SPARSE" ]; then
+    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
+    echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
+fi
 #
 # Install the Action files
 #
-cd Actions
-
 for f in action.* ; do
    case $f in
 	*.deprecated)
@@ -1059,10 +1073,8 @@ for f in action.* ; do
 	    ;;
    esac
 done
-#
-# Now the Macros
-#
-cd ../Macros
+
+cd Macros

 for f in macro.* ; do
    case $f in
@@ -1094,10 +1106,7 @@ if [ $PRODUCT = shorewall6 ]; then
    # Symbolically link 'functions' to lib.base
    #
    ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
-    #
-    # And create a sybolic link for the CLI
-    #
-    ln -sf shorewall ${DESTDIR}${SBINDIR}/shorewall6
+    [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
 fi

 if [ -d Perl ]; then
@@ -1172,7 +1181,7 @@ if [ -n "$MANDIR" ]; then

 cd manpages

-[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/
+[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/

 for f in *.5; do
    gzip -9c $f > $f.gz
@@ -1180,8 +1189,6 @@ for f in *.5; do
    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
 done

-[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
-
 for f in *.8; do
    gzip -9c $f > $f.gz
    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -48,10 +48,10 @@ get_config() {
    fi

    if [ "$(id -u)" -eq 0 ]; then
-	config=$(find_file ${PRODUCT}.conf)
+	config=$(find_file $g_program.conf)
    else
-	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
-	config="$g_shorewalldir/$PRODUCT.conf"
+	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
+	config="$g_shorewalldir/$g_program.conf"
    fi

    if [ -f $config ]; then
@@ -155,7 +155,7 @@ get_config() {
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
-		    not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${PRODUCT}.conf"
+		    not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"
 		    ;;
 		Yes|yes|YES)
 		    ;;
@@ -318,27 +318,53 @@ get_config() {

    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER

-    if [ -z "$g_nopager" ]; then
-	if [ -n "$PAGER" -a -t 1 ]; then
-	    case $PAGER in
-		/*)
-		    g_pager="$PAGER"
-		    [ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
-		    ;;
-		*)
-		    g_pager=$(mywhich $PAGER 2> /dev/null)
-		    [ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
-		    ;;
-	    esac
+    if [ -n "$PAGER" -a -t 1 ]; then
+	case $PAGER in
+	    /*)
+		g_pager="$PAGER"
+		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
+		;;
+	    *)
+		g_pager=$(mywhich $PAGER 2> /dev/null)
+		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
+		;;
+	esac

-	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"

-	    g_pager="| $g_pager"
-	fi
+	g_pager="| $g_pager"
    fi

    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	setup_dbl
+	case $DYNAMIC_BLACKLIST in
+	    [Nn]o)
+		DYNAMIC_BLACKLIST='';
+		;;
+	    [Yy]es)
+	        ;;
+	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
+		g_blacklistipset=SW_DBL$g_family
+		;;
+	    ipset:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    ipset-only,src-dst:[a-zA-Z]*)
+		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
+		g_blacklistipset=${g_blacklistipset%%:*}
+		;;
+	    *)
+		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
+		;;
+	esac
    fi

    lib=$(find_file lib.cli-user)
@@ -397,8 +423,8 @@ compiler() {
    pc=${LIBEXECDIR}/shorewall/compiler.pl

    if [ $(id -u) -ne 0 ]; then
-	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
-	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
+	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$g_program ]; then
+	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
 	fi
    fi
    #
@@ -1229,13 +1255,13 @@ safe_commands() {

    if run_it ${VARDIR}/.$command $g_debugging $command; then

-	printf "Do you want to accept the new firewall configuration? [y/n] "
+	echo -n "Do you want to accept the new firewall configuration? [y/n] "

 	if read_yesno_with_timeout $timeout ; then
 	    echo "New configuration has been accepted"
 	else
 	    if [ "$command" = "restart" -o "$command" = "reload" ]; then
-		run_it ${VARDIR}/.safe -r restore
+		run_it ${VARDIR}/.safe restore
 	    else
 		run_it ${VARDIR}/.$command clear
 	    fi
@@ -1419,7 +1445,6 @@ remote_reload_command() # $* = original arguments less the command.
    sharedir=${SHAREDIR}
    local litedir
    local exitstatus
-    local program

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1447,12 +1472,6 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=
 			    shift
 			    ;;
-			D)
-			    [ $# -gt 1 ] || fatal_error "Missing directory name"
-			    g_shorewalldir=$2
-			    option=
-			    shift
-			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
@@ -1476,7 +1495,7 @@ remote_reload_command() # $* = original arguments less the command.

    case $# in
 	0)
-	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
+	    missing_argument
 	    ;;
 	1)
 	    g_shorewalldir="."
@@ -1496,17 +1515,12 @@ remote_reload_command() # $* = original arguments less the command.
 	sbindir="$SBINDIR"
 	confdir="$CONFDIR"
 	libexec="$LIBEXECDIR"
-	litedir="${VARDIR}-lite"
 	. $sharedir/shorewall/shorewallrc
    else
-	error_message "   WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $g_basedir/shorewalrc" >&2
-	sbindir="$SBINDIR"
-	confdir="$CONFDIR"
-	libexec="$LIBEXECDIR"
-	litedir="${VARDIR}-lite"
+	error_message "   WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $SHAREDIR/shorewall" >&2
    fi

-    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
+    if [ -f $g_shorewalldir/${g_program}.conf ]; then
 	if [ -f $g_shorewalldir/params ]; then
 	    . $g_shorewalldir/params
 	fi
@@ -1516,13 +1530,8 @@ remote_reload_command() # $* = original arguments less the command.
 	get_config No

 	g_haveconfig=Yes
-
-	if [ -z "$system" ]; then
-	    system=$FIREWALL
-	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
-	fi
    else
-	fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist"
+	fatal_error "$g_shorewalldir/$g_program.conf does not exist"
    fi

    if [ -z "$getcaps" ]; then
@@ -1547,14 +1556,12 @@ remote_reload_command() # $* = original arguments less the command.

    g_export=Yes

-    program=$sbindir/${PRODUCT}-lite
-    #
-    # Handle nonstandard remote VARDIR
-    #
-    temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
- 
+    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
+
    [ -n "$temp" ] && litedir="$temp"

+    [ -n "$litedir" ] || litedir=${VARLIB}/${g_program}-lite
+
    g_file="$g_shorewalldir/firewall"

    exitstatus=0
@@ -1565,29 +1572,30 @@ remote_reload_command() # $* = original arguments less the command.
 	    save=$(find_file save);

 	    if [ -f $save ]; then
-		progress_message3 "Copying $save to ${system}:${confdir}/${PRODUCT}-lite/"
-		rcp_command $save ${confdir}/$PRODUCT/
+		progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/"
+		rcp_command $save ${confdir}/shorewall-lite/
 		exitstatus=$?
 	    fi

 	    if [ $exitstatus -eq 0 ]; then
+
 		progress_message3 "Copy complete"

 		if [ $COMMAND = remote-reload ]; then
-		    if rsh_command "$program $g_debugging $verbose $timestamp reload"; then
+		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload"; then
 			progress_message3 "System $system reloaded"
 		    else
 			exitstatus=$?
 			savit=
 		    fi
 		elif [ $COMMAND = remote-restart ]; then
-		    if rsh_command "$program $g_debugging $verbose $timestamp restart"; then
+		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart"; then
 			progress_message3 "System $system restarted"
 		    else
 			exitstatus=$?
 			saveit=
 		    fi
-		elif rsh_command "$program $g_debugging $verbose $timestamp start"; then
+		elif rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start"; then
 		    progress_message3 "System $system started"
 		else
 		    exitstatus=$?
@@ -1595,7 +1603,7 @@ remote_reload_command() # $* = original arguments less the command.
 		fi

 		if [ -n "$saveit" ]; then
-		    if rsh_command "$program $g_debugging $verbose $timestamp save"; then
+		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save"; then
 			progress_message3 "Configuration on system $system saved"
 		    else
 			exitstatus=$?
@@ -1660,7 +1668,7 @@ export_command() # $* = original arguments less the command.
 	    target=$2
 	    ;;
 	*)
-	    fatal_error "Invalid command syntax (\"man shorewall\" for help)"
+	    fatal_error "Invalid command syntax (\"man $g_program\" for help)"
 	    ;;
    esac

--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -154,20 +154,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><option>nat</option></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.13. Specifies that this action is
-                to be used in <ulink
-                url="shorewall-snat.html">shorewall-snat(5)</ulink> rather
-                than <ulink
-                url="shorewall-rules.html">shorewall-rules(5)</ulink>. The
-                <option>mangle</option> and <option>nat</option> options are
-                mutually exclusive.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><option>noinline</option></term>

--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -380,7 +380,7 @@
      </varlistentry>

      <varlistentry>
-        <term>SOURCE (format 3 prior to Shorewall 5.1.0) ‒
+        <term>SOURCE (format 3) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>

        <listitem>
@@ -394,91 +394,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE (format 3 on Shorewall 5.1.0 and
-        later) -
-        {-|[<replaceable>source-spec</replaceable>[,...]]}</emphasis></term>
-
-        <listitem>
-          <para>where <replaceable>source-spec</replaceable> is one of the
-          following:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>Where interface is the logical name of an interface
-                defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and using dash ("-") as a separator.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of an ipset preceded by a plus sign ("+").
-                    See <ulink
-                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para><replaceable>exclusion</replaceable> is described in
-                <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the incoming interace and source address match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>See <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
-                (5)</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source-spec</replaceable>s separated by commas may be
-          specified provided that the following alternative forms are
-          used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>DEST (Prior to Shorewall 5.1.0) ‒
+        <term>DEST ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>

        <listitem>
@@ -490,89 +406,6 @@
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">DEST (Shorewall 5.1.0 and later) -
-        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
-
-        <listitem>
-          <para>where <replaceable>dest-spec</replaceable> is one of the
-          following:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>Where interface is the logical name of an interface
-                defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and using dash ("-") as a separator.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of an ipset preceded by a plus sign ("+").
-                    See <ulink
-                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para><replaceable>exclusion</replaceable> is described in
-                <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the outgoing interace and destination address
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>See <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
-                (5)</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple source-specs
-          separated by commas may be specified provided that the following
-          alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term>PROTO ‒
        <replaceable>protocol-name-or-number</replaceable>[,...]</term>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -774,7 +774,7 @@ loc     eth2            -</programlisting>
                iptables and kernel. It provides a more efficient alternative
                to the <option>sfilter</option> option below. It performs a
                function similar to <option>routefilter</option> (see above)
-                but works with Multi-ISP configurations that do not use
+                but works with Multi-ISP configurations that do now use
                balanced routes.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -775,253 +775,98 @@ Normal-Service       =&gt; 0x00</programlisting>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE -
-        {-|<replaceable>source-spec</replaceable>[,...]}</emphasis></term>
+        <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
+        role="bold">$FW</emphasis>}|[{<emphasis>interface</emphasis>|<emphasis
+        role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>

        <listitem>
-          <para>where <replaceable>source-spec</replaceable> is one of:</para>
+          <para>May be:</para>

-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
+          <orderedlist>
+            <listitem>
+              <para>An interface name - matches traffic entering the firewall
+              on the specified interface. May not be used in classify rules or
+              in rules using the :T chain qualifier.</para>
+            </listitem>

-              <listitem>
-                <para>where <replaceable>interface</replaceable> is the
-                logical name of an interface defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-                Matches packets entering the firewall from the named
-                interface. May not be used in CLASSIFY rules or in rules using
-                the :T chain qualifier.</para>
-              </listitem>
-            </varlistentry>
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses or
+              MAC addresses. <emphasis role="bold">This form will not match
+              traffic that originates on the firewall itself unless either
+              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
+              the ACTION column.</emphasis></para>

-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+              <para>Examples:<simplelist>
+                  <member>0.0.0.0/0</member>
+                </simplelist></para>

-              <listitem>
-                <para>where <replaceable>address</replaceable> is:</para>
+              <para><simplelist>
+                  <member>192.168.1.0/24, 172.20.4.0/24</member>
+                </simplelist></para>
+            </listitem>

-                <blockquote>
-                  <para>A host or network IP address.</para>
+            <listitem>
+              <para>An interface name followed by a colon (":") followed by a
+              comma-separated list of host or network IP addresses or MAC
+              addresses. May not be used in classify rules or in rules using
+              the :T chain qualifier.</para>
+            </listitem>

-                  <para>The name of an ipset preceded by a plus sign
-                  ("+").</para>
+            <listitem>
+              <para>$FW optionally followed by a colon (":") and a
+              comma-separated list of host or network IP addresses. Matches
+              packets originating on the firewall. May not be used with a
+              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
+            </listitem>
+          </orderedlist>

-                  <para>A MAC address in Shorewall format (preceded by a tilde
-                  ("~") and using dash ("-") as a separator (e.g.,
-                  ~00-A0-C9-15-39-78).</para>
-                </blockquote>
+          <para>MAC addresses must be prefixed with "~" and use "-" as a
+          separator.</para>

-                <para>Matches traffic whose source IP address matches one of
-                the listed addresses and that does not match an address listed
-                in the <replaceable>exclusion</replaceable> (see <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+          <para>Example: ~00-A0-C9-15-39-78</para>

-                <para><emphasis role="bold">This form will not match traffic
-                that originates on the firewall itself unless either
-                &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used
-                in the ACTION column.</emphasis></para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two forms and matches
-                when both the incoming interface and source IP address
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets arriving through the named
-                <replaceable>interface</replaceable> and whose source IP
-                address does not match any of the addresses in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW</term>
-
-              <listitem>
-                <para>Matches packets originating on the firewall system. May
-                not be used with a chain qualifier (:P, :F, etc.) in the
-                ACTION column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> is as above
-                (MAC addresses are not permitted). Matches packets originating
-                on the firewall and whose source IP address matches one of the
-                listed addresses and does not match any address listed in the
-                <replaceable>exclusion</replaceable>. May not be used with a
-                chain qualifier (:P, :F, etc.) in the ACTION column. </para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>Matches traffic originating on the firewall, provided
-                that the source IP address does not match any address listed
-                in the <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source_spec</replaceable>s, separated by commas, may be
-          given provided that the following alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST -
-        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
+        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|$FW}|[<emphasis>{interface</emphasis>|$FW}:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>

        <listitem>
-          <para>where <replaceable>dest-spec</replaceable> is one of:</para>
+          <para>May be:</para>

-          <variablelist>
-            <varlistentry>
-              <term><replaceable>interface</replaceable></term>
+          <orderedlist>
+            <listitem>
+              <para>An interface name. May not be used in the PREROUTING chain
+              (:P in the mark column or no chain qualifier and
+              MARK_IN_FORWARD_CHAIN=No in <ulink
+              url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
+              interface name may be optionally followed by a colon (":") and
+              an IP address list.</para>
+            </listitem>

-              <listitem>
-                <para>where <replaceable>interface</replaceable> is the
-                logical name of an interface defined in <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-                Matches packets leaving the firewall through the named
-                interface. May not be used in the PREROUTING chain (:P in the
-                mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
-                in <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
-                (5)).</para>
-              </listitem>
-            </varlistentry>
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses.
+              The list may include ip address ranges if your kernel and
+              iptables include iprange support.</para>
+            </listitem>

-            <varlistentry>
-              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+            <listitem>
+              <para>Beginning with Shorewall 4.4.13, $FW may be specified by
+              itself or qualified by an address list. This causes marking to
+              occur in the INPUT chain.</para>
+            </listitem>
+          </orderedlist>

-              <listitem>
-                <para>where <replaceable>address</replaceable> is:</para>
-
-                <blockquote>
-                  <para>A host or network IP address.</para>
-
-                  <para>The name of an ipset preceded by a plus sign
-                  ("+").</para>
-
-                  <para>A MAC address in Shorewall format (preceded by a tilde
-                  ("~") and using dash ("-") as a separator (e.g.,
-                  ~00-A0-C9-15-39-78).</para>
-                </blockquote>
-
-                <para>Matches traffic whose destination IP address matches one
-                of the listed addresses and that does not match an address
-                listed in the <replaceable>exclusion</replaceable> (see <ulink
-                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>This form combines the preceding two forms and matches
-                when both the outgoing interface and destination IP address
-                match. May not be used in the PREROUTING chain (:P in the mark
-                column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
-                <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
-                (5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets leaving through the named
-                <replaceable>interface</replaceable> and whose destination IP
-                address does not match any of the addresses in the
-                <replaceable>exclusion</replaceable>. May not be used in the
-                PREROUTING chain (:P in the mark column or no chain qualifier
-                and MARK_IN_FORWARD_CHAIN=No in <ulink
-                url="manpages/shorewall.conf">shorewall.conf</ulink>
-                (5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW</term>
-
-              <listitem>
-                <para>Matches packets originating on the firewall system. May
-                not be used with a chain qualifier (:P, :F, etc.) in the
-                ACTION column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
-
-              <listitem>
-                <para>where <replaceable>address</replaceable> is as above
-                (MAC addresses are not permitted). Matches packets destined
-                for the firewall and whose destination IP address matches one
-                of the listed addresses and does not match any address listed
-                in the <replaceable>exclusion</replaceable>. May not be used
-                with a chain qualifier (:P, :F, etc.) in the ACTION
-                column.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>Matches traffic destined for the firewall, provided that
-                the destination IP address does not match any address listed
-                in the <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>dest_spec</replaceable>s, separated by commas, may be
-          given provided that the following alternative forms are used:</para>
-
-          <blockquote>
-            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
-
-            <para>$FW:(<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
        </listitem>
      </varlistentry>

@@ -1487,53 +1332,6 @@ Normal-Service       =&gt; 0x00</programlisting>
          </variablelist>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 5.1.0 and allows enabling and disabling the
-          rule without requiring <command>shorewall restart</command>.</para>
-
-          <para>The rule is enabled if the value stored in
-          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
-          is 1. The rule is disabled if that file contains 0 (the default). If
-          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0.</para>
-
-          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
-          '@{0}' are replaced by the name of the chain to which the rule is a
-          added. The <replaceable>switch-name</replaceable> (after '@...'
-          expansion) must begin with a letter and be composed of letters,
-          decimal digits, underscores or hyphens. Switch names must be 30
-          characters or less in length.</para>
-
-          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
-          turn a switch <emphasis role="bold">on</emphasis>:</para>
-
-          <simplelist>
-            <member><command>echo 1 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
-
-          <simplelist>
-            <member><command>echo 0 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>Switch settings are retained over <command>shorewall
-          restart</command>.</para>
-
-          <para>When the <replaceable>switch-name</replaceable> is followed by
-          <option>=0</option> or <option>=1</option>, then the switch is
-          initialized to off or on respectively by the
-          <command>start</command> command. Other commands do not affect the
-          switch setting.</para>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -25,10 +25,8 @@
  <refsect1>
    <title>Description</title>

-    <para>This file is used to define dynamic NAT (Masquerading) and to define
-    Source NAT (SNAT). While still supported, its use is deprecated in favor
-    of <ulink url="shorewall-snat.html">shorewall-snat</ulink>(5) which was
-    introduced in Shorewall 5.0.14.</para>
+    <para>Use this file to define dynamic NAT (Masquerading) and to define
+    Source NAT (SNAT).</para>

    <warning>
      <para>The entries in this file are order-sensitive. The first entry that
@@ -164,7 +162,7 @@
      <varlistentry>
        <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
        role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
        role="bold">:random</emphasis>][:persistent]|<emphasis
        role="bold">detect</emphasis>|<emphasis
@@ -684,7 +682,7 @@
       #INTERFACE SOURCE         ADDRESS     ...
       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
-       eth0       192.168.1.0/24 1.1.1.9 ; mark=3:C</programlisting>
+       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-netmap.xml
+++ b/Shorewall/manpages/shorewall-netmap.xml
@@ -41,18 +41,38 @@
      <varlistentry>
        <term><emphasis role="bold">TYPE</emphasis> - <emphasis
        role="bold">{DNAT</emphasis>|<emphasis
-        role="bold">SNAT}</emphasis></term>
+        role="bold">SNAT}[:{P|O|T}</emphasis>]</term>

        <listitem>
-          <para>Must be DNAT or SNAT</para>
+          <para>Must be DNAT or SNAT; beginning with Shorewall 4.4.23, may be
+          optionally followed by :P, :O or :T to perform <firstterm>stateless
+          NAT</firstterm>. Stateless NAT requires <firstterm>Rawpost Table
+          support</firstterm> in your kernel and iptables (see the output of
+          <command>shorewall show capabilities</command>).</para>

-          <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
-          its destination address rewritten to the corresponding address in
-          NET2.</para>
+          <para>If DNAT or DNAT:P, traffic entering INTERFACE and addressed to
+          NET1 has its destination address rewritten to the corresponding
+          address in NET2.</para>

-          <para>If SNAT, traffic leaving INTERFACE with a source address in
-          NET1 has it's source address rewritten to the corresponding address
-          in NET2.</para>
+          <para>If SNAT or SNAT:T, traffic leaving INTERFACE with a source
+          address in NET1 has it's source address rewritten to the
+          corresponding address in NET2.</para>
+
+          <para>If DNAT:O, traffic originating on the firewall and leaving via
+          INTERFACE and addressed to NET1 has its destination address
+          rewritten to the corresponding address in NET2.</para>
+
+          <para>If DNAT:P, traffic entering via INTERFACE and addressed to
+          NET1 has its destination address rewritten to the corresponding
+          address in NET2.</para>
+
+          <para>If SNAT:P, traffic entering via INTERFACE with a destination
+          address in NET1 has it's source address rewritten to the
+          corresponding address in NET2.</para>
+
+          <para>If SNAT:O, traffic originating on the firewall and leaving via
+          INTERFACE with a source address in NET1 has it's source address
+          rewritten to the corresponding address in NET2.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -629,7 +629,7 @@

            <varlistentry>
              <term><emphasis
-              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</term>
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</term>

              <listitem>
                <para>Queues the packet to a user-space application using the
@@ -648,24 +648,17 @@
                systems: start multiple instances of the userspace program on
                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
                the same connection are put into the same nfqueue.</para>
-
-                <para>Beginning with Shorewall 5.1.0, queuenumber2 may be
-                followed by the letter 'c' to indicate that the CPU ID will be
-                used as an index to map packets to the queues. The idea is
-                that you can improve performance if there's a queue per CPU.
-                Requires the NFQUEUE CPU Fanout capability in your kernel and
-                iptables.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold"><emphasis
-              role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]</emphasis></term>
+              role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>

              <listitem>
                <para>like NFQUEUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>

@@ -907,199 +900,108 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE -
-        <replaceable>source-spec</replaceable>[,...]</emphasis></term>
+        <term><emphasis role="bold">SOURCE</emphasis> -
+        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
+        role="bold">all</emphasis>|<emphasis
+        role="bold">any</emphasis>}[<emphasis
+        role="bold">+</emphasis>][<emphasis
+        role="bold">-</emphasis>]}<emphasis
+        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
+        role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>

        <listitem>
-          <para>Source hosts to which the rule applies.</para>
+          <para>Source hosts to which the rule applies. May be a
+          <replaceable>zone</replaceable> declared in /etc/shorewall/zones,
+          <emphasis role="bold">$FW</emphasis> to indicate the firewall
+          itself, <emphasis role="bold">all</emphasis>, <emphasis
+          role="bold">all+</emphasis>, <emphasis role="bold">all-</emphasis>,
+          <emphasis role="bold">all+-</emphasis> or <emphasis
+          role="bold">none</emphasis>.</para>

-          <para><replaceable>source-spec</replaceable> is one of the
-          following:</para>
+          <para>Beginning with Shorewall 4.4.13, you may use a
+          <replaceable>zone-list </replaceable>which consists of a
+          comma-separated list of zones declared in <ulink
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
+          This <replaceable>zone-list</replaceable> may be optionally followed
+          by "+" to indicate that the rule is to apply to intra-zone traffic
+          as well as inter-zone traffic.</para>

-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
+          <para>When <emphasis role="bold">none</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column, the rule is ignored.</para>

-              <listitem>
-                <para>The name of a zone defined in <ulink
-                url="shorewall-zones.html">shorewall-zones</ulink>(5). When
-                only the zone name is specified, the packet source may be any
-                host in that zone.</para>
+          <para><emphasis role="bold">all</emphasis> means "All Zones",
+          including the firewall itself. <emphasis role="bold">all-</emphasis>
+          means "All Zones, except the firewall itself". When <emphasis
+          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
+          used either in the <emphasis role="bold">SOURCE</emphasis> or
+          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
+          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
+          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
+          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
+          <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

-                <para>zone may also be one of the following:</para>
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
+          <emphasis role="bold">any</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
+          specified, clients may be further restricted to a list of networks
+          and/or hosts by appending ":" and a comma-separated list of network
+          and/or host addresses. Hosts may be specified by IP or MAC address;
+          mac addresses must begin with "~" and must use "-" as a
+          separator.</para>

-                <variablelist>
-                  <varlistentry>
-                    <term>all[+][-]</term>
+          <para>The above restriction on <emphasis
+          role="bold">all</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
+          <emphasis role="bold">any</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
+          removed in Shorewall-4.4.13.</para>

-                    <listitem>
-                      <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
-                      the "-" is included, the firewall zone is omitted.
-                      Normally all omits intra-zone traffic, but intra-zone
-                      traffic can be included specifying "+".</para>
-                    </listitem>
-                  </varlistentry>
+          <para><emphasis role="bold">any</emphasis> is equivalent to
+          <emphasis role="bold">all</emphasis> when there are no nested zones.
+          When there are nested zones, <emphasis role="bold">any</emphasis>
+          only refers to top-level zones (those with no parent zones). Note
+          that <emphasis role="bold">any</emphasis> excludes all vserver
+          zones, since those zones are nested within the firewall zone.
+          Beginning with Shorewall 4.4.13, exclusion is supported with
+          <emphasis role="bold">any</emphasis> -- see see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

-                  <varlistentry>
-                    <term>any[+][-]</term>
+          <para>Hosts may also be specified as an IP address range using the
+          syntax
+          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+          This requires that your kernel and iptables contain iprange match
+          support. If your kernel and iptables have ipset match support then
+          you may give the name of an ipset prefaced by "+". The ipset name
+          may be optionally followed by a number from 1 to 6 enclosed in
+          square brackets ([]) to indicate the number of levels of source
+          bindings to be matched.</para>

-                    <listitem>
-                      <para><emphasis role="bold">any</emphasis> is equivalent
-                      to <emphasis role="bold">all</emphasis> when there are
-                      no nested zones. When there are nested zones, <emphasis
-                      role="bold">any</emphasis> only refers to top-level
-                      zones (those with no parent zones). Note that <emphasis
-                      role="bold">any</emphasis> excludes all vserver zones,
-                      since those zones are nested within the firewall
-                      zone.</para>
-                    </listitem>
-                  </varlistentry>
+          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
+          firewall interface can be specified by an ampersand ('&amp;')
+          followed by the logical name of the interface as found in the
+          INTERFACE column of <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+          (5).</para>

-                  <varlistentry>
-                    <term>none</term>
+          <para>Beginning with Shorewall 4.5.4, A
+          <replaceable>countrycode-list</replaceable> may be specified. A
+          countrycode-list is a comma-separated list of up to 15 two-character
+          ISO-3661 country codes enclosed in square brackets ('[...]') and
+          preceded by a caret ('^'). When a single country code is given, the
+          square brackets may be omitted. A list of country codes supported by
+          Shorewall may be found at <ulink
+          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
+          Specifying a <replaceable>countrycode-list</replaceable> requires
+          <firstterm>GeoIP Match</firstterm> support in your iptables and
+          Kernel.</para>

-                    <listitem>
-                      <para>When <emphasis role="bold">none</emphasis> is used
-                      either in the <emphasis role="bold">SOURCE</emphasis> or
-                      <emphasis role="bold">DEST</emphasis> column, the rule
-                      is ignored.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-
-                <para>Similar to with <emphasis role="bold">all</emphasis> and
-                <emphasis role="bold">any</emphasis>, intra-zone traffic is
-                normally excluded when multiple zones are listed. Intra-zone
-                traffic may be included by following the list with a plus sign
-                ("+").</para>
-
-                <para><emphasis role="bold">all</emphasis> and <emphasis
-                role="bold">any</emphasis> may be followed by an exclamation
-                point ("!") and a comma-separated list of zone names to be
-                omitted.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>When this form is used,
-                <replaceable>interface</replaceable> must be the name of an
-                interface associated with the named
-                <replaceable>zone</replaceable> in either <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-                or <ulink
-                url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
-                packets from hosts in the <replaceable>zone</replaceable> that
-                arrive through the named interface will match the rule.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>where address can be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address. A network address may
-                    be followed by exclusion (see <ulink
-                    url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>An address range, specified using the syntax
-                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>+<replaceable>ipset</replaceable> where
-                    <replaceable>ipset</replaceable> is the name of an ipset
-                    and must be preceded by a plus sign ("+").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A MAC address in Shorewall format (preceded by a
-                    tilde ("~") and with the hex byte values separated by
-                    dashes (e.g., "~00-0a-f6-04-9c-7d").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code</replaceable> where
-                    country-code is a two-character ISO-3661 country code
-                    preceded by a caret ("^").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code-list</replaceable> where
-                    <replaceable>country-code-list</replaceable> is a
-                    comma-separated list of up to 15 ISO-3661 country codes
-                    enclosed in square brackets ("[...]").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The primary IP address of a firewall interface can
-                    be specified by an ampersand ('&amp;') followed by the
-                    logical name of the interface as found in the INTERFACE
-                    column of <ulink
-                    url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
-                    (5).</para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the incoming interface and source address match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches if the host IP address does not match
-                any of the entries in the exclusion (see <ulink
-                url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets from the named
-                <replaceable>zone</replaceable> entering through the specified
-                <replaceable>interface</replaceable> where the source address
-                does not match any entry in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>source-spec</replaceable>s may be listed, provided that
-          extended forms of the source-spec are used:</para>
-
-          <blockquote>
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
-
-            <para>zone:(interface:address[,...])</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
-
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>

          <para>Examples:</para>

@@ -1168,8 +1070,8 @@
              <term>$FW:&amp;eth0</term>

              <listitem>
-                <para>The primary IP address of eth0 in the firewall
-                zone.</para>
+                <para>The primary IP address of eth0 in the firewall zone
+                (Shorewall 4.4.17 and later).</para>
              </listitem>
            </varlistentry>

@@ -1190,259 +1092,92 @@
                zone.</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term>net:^CN</term>
-
-              <listitem>
-                <para>China.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net</term>
-
-              <listitem>
-                <para>Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the
-                packet arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12
-                in the dmz zone when the packet arrives through eth2 plus all
-                of the net zone.</para>
-              </listitem>
-            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST -
-        <replaceable>dest-spec</replaceable>[,...]</emphasis></term>
+        <term><emphasis role="bold">DEST</emphasis> -
+        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
+        role="bold">all</emphasis>|<emphasis
+        role="bold">any</emphasis>}[<emphasis
+        role="bold">+</emphasis>][<emphasis
+        role="bold">-</emphasis>]}<emphasis
+        role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
+        role="bold">random</emphasis>]]</term>

        <listitem>
-          <para>Destination hosts to which the rule applies.</para>
+          <para>Location of Server. May be a zone declared in <ulink
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
+          $<emphasis role="bold">FW</emphasis> to indicate the firewall
+          itself, <emphasis role="bold">all</emphasis>. <emphasis
+          role="bold">all+</emphasis> or <emphasis
+          role="bold">none</emphasis>.</para>

-          <para><replaceable>dest-spec</replaceable> is one of the
-          following:</para>
+          <para>Beginning with Shorewall 4.4.13, you may use a
+          <replaceable>zone-list </replaceable>which consists of a
+          comma-separated list of zones declared in <ulink
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
+          This <replaceable>zone-list</replaceable> may be optionally followed
+          by "+" to indicate that the rule is to apply to intra-zone traffic
+          as well as inter-zone traffic.</para>

-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
+          <para>Beginning with Shorewall 4.5.4, A
+          <replaceable>countrycode-list</replaceable> may be specified. A
+          countrycode-list is a comma-separated list of up to 15 two-character
+          ISO-3661 country codes enclosed in square brackets ('[...]') and
+          preceded by a caret ('^'). When a single country code is given, the
+          square brackets may be omitted. A list of country codes supported by
+          Shorewall may be found at <ulink
+          url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
+          Specifying a <replaceable>countrycode-list</replaceable> requires
+          <firstterm>GeoIP Match</firstterm> support in your iptables and
+          Kernel.</para>

-              <listitem>
-                <para>The name of a zone defined in <ulink
-                url="shorewall-zones.html">shorewall-zones</ulink>(5). When
-                only the zone name is specified, the packet destination may be
-                any host in that zone.</para>
+          <para>When <emphasis role="bold">none</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column, the rule is ignored.</para>

-                <para>zone may also be one of the following:</para>
+          <para><emphasis role="bold">all</emphasis> means "All Zones",
+          including the firewall itself. <emphasis role="bold">all-</emphasis>
+          means "All Zones, except the firewall itself". When <emphasis
+          role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
+          used either in the <emphasis role="bold">SOURCE</emphasis> or
+          <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
+          not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
+          role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
+          Beginning with Shorewall 4.4.13, exclusion is supported -- see see
+          <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>

-                <variablelist>
-                  <varlistentry>
-                    <term>all[+][-]</term>
+          <para><emphasis role="bold">any</emphasis> is equivalent to
+          <emphasis role="bold">all</emphasis> when there are no nested zones.
+          When there are nested zones, <emphasis role="bold">any</emphasis>
+          only refers to top-level zones (those with no parent zones). Note
+          that <emphasis role="bold">any</emphasis> excludes all vserver
+          zones, since those zones are nested within the firewall zone.</para>

-                    <listitem>
-                      <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
-                      the "-" is included, the firewall zone is omitted.
-                      Normally all omits intra-zone traffic, but intra-zone
-                      traffic can be included specifying "+".</para>
-                    </listitem>
-                  </varlistentry>
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
+          <emphasis role="bold">any</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
+          specified, clients may be further restricted to a list of networks
+          and/or hosts by appending ":" and a comma-separated list of network
+          and/or host addresses. Hosts may be specified by IP or MAC address;
+          mac addresses must begin with "~" and must use "-" as a
+          separator.</para>

-                  <varlistentry>
-                    <term>any[+][-]</term>
+          <para>When <emphasis role="bold">all</emphasis> is used either in
+          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis> column intra-zone traffic is not
+          affected. When <emphasis role="bold">all+</emphasis> is used,
+          intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
+          exclusion is supported -- see see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>

-                    <listitem>
-                      <para><emphasis role="bold">any</emphasis> is equivalent
-                      to <emphasis role="bold">all</emphasis> when there are
-                      no nested zones. When there are nested zones, <emphasis
-                      role="bold">any</emphasis> only refers to top-level
-                      zones (those with no parent zones). Note that <emphasis
-                      role="bold">any</emphasis> excludes all vserver zones,
-                      since those zones are nested within the firewall
-                      zone.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>none</term>
-
-                    <listitem>
-                      <para>When <emphasis role="bold">none</emphasis> is used
-                      either in the <emphasis role="bold">SOURCE</emphasis> or
-                      <emphasis role="bold">DEST</emphasis> column, the rule
-                      is ignored.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-
-                <para>Similar to with <emphasis role="bold">all</emphasis> and
-                <emphasis role="bold">any</emphasis>, intra-zone traffic is
-                normally excluded when multiple zones are listed. Intra-zone
-                traffic may be included by following the list with a plus sign
-                ("+").</para>
-
-                <para><emphasis role="bold">all</emphasis> and <emphasis
-                role="bold">any</emphasis> may be followed by an exclamation
-                point ("!") and a comma-separated list of zone names to be
-                omitted.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
-
-              <listitem>
-                <para>When this form is used,
-                <replaceable>interface</replaceable> must be the name of an
-                interface associated with the named
-                <replaceable>zone</replaceable> in either <ulink
-                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-                or <ulink
-                url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
-                packets to hosts in the <replaceable>zone</replaceable> that
-                are sent through the named interface will match the
-                rule.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>where address can be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>A host or network IP address. A network address may
-                    be followed by exclusion (see <ulink
-                    url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>An address range, specified using the syntax
-                    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>+<replaceable>ipset</replaceable> where
-                    <replaceable>ipset</replaceable> is the name of an ipset
-                    and must be preceded by a plus sign ("+").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code</replaceable> where
-                    country-code is a two-character ISO-3661 country code
-                    preceded by a caret ("^").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>^<replaceable>country-code-list</replaceable> where
-                    <replaceable>country-code-list</replaceable> is a
-                    comma-separated list of up to 15 ISO-3661 country codes
-                    enclosed in square brackets ("[...]").</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The primary IP address of a firewall interface can
-                    be specified by an ampersand ('&amp;') followed by the
-                    logical name of the interface as found in the INTERFACE
-                    column of <ulink
-                    url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
-                    (5).</para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
-
-              <listitem>
-                <para>This form combines the preceding two and requires that
-                both the outgoing interface and destinationaddress
-                match.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches if the host IP address does not match
-                any of the entries in the exclusion (see <ulink
-                url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
-
-              <listitem>
-                <para>This form matches packets to the named
-                <replaceable>zone</replaceable> leaving through the specified
-                <replaceable>interface</replaceable> where the destination
-                address does not match any entry in the
-                <replaceable>exclusion</replaceable>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>[<replaceable>zone</replaceable>]:[<replaceable>server-IP</replaceable>][:<replaceable>port-or-port-range</replaceable>[:random]]</term>
-
-              <listitem>
-                <para>This form applies when the ACTION is DNAT[-] or
-                REDIRECT[-]. The zone may be omitted in REDIRECT rules ($FW is
-                assumed) and must be omitted in DNAT-, REDIRECT- and NONAT
-                rules.</para>
-
-                <para><replaceable role="bold">server-IP</replaceable> is not
-                allowed in REDIRECT rules and may be omitted in DNAT[-] rules
-                provided that <replaceable>port-or-port-range</replaceable> is
-                included.</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>The IP address of the server to which the packet is
-                    to be sent.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A range of IP address with the low and high address
-                    separated by a dash (:"-"). Connections are distributed
-                    among the IP addresses in the range.</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para>If <replaceable>server-IP </replaceable>is omitted in a
-                DNAT[-] rule, only the destination port number is modified by
-                the rule.</para>
-
-                <para>port-or-port-range may be:</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>An integer port number in the range 1 -
-                    65535.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>The name of a service from
-                    <filename>/etc/services</filename>.</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>A port range with the low and high integer port
-                    numbers separated by a dash ("-"). Connections are
-                    distributed among the ports in the range.</para>
-                  </listitem>
-                </itemizedlist>
-
-                <para>If <emphasis role="bold">random</emphasis> is specified,
-                port mapping will be randomized.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
+          <para>The <replaceable>zone</replaceable> should be omitted in
+          DNAT-, REDIRECT- and NONAT rules.</para>

          <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
          then either:<orderedlist numeration="loweralpha">
@@ -1459,134 +1194,82 @@
                <para>the SOURCE <replaceable>zone</replaceable> must be an
                ipv4 zone that is associated with only the same bridge.</para>
              </listitem>
-            </orderedlist>Beginning with Shorewall 5.1.0, multiple
-          <replaceable>dest-spec</replaceable>s may be listed, provided that
-          extended forms of the source-spec are used:</para>
+            </orderedlist></para>

-          <blockquote>
-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
+          <para>Except when <emphasis
+          role="bold">{all|any}</emphasis>[<emphasis
+          role="bold">+]|[-</emphasis>] is specified, the server may be
+          further restricted to a particular network, host or interface by
+          appending ":" and the network, host or interface. See <emphasis
+          role="bold">SOURCE</emphasis> above.</para>

-            <para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>

-            <para>zone:(interface:address[,...])</para>
+          <para>Restriction: MAC addresses are not allowed (this is a
+          Netfilter restriction).</para>

-            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
+          <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
+          you may specify a range of IP addresses using the syntax
+          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+          When the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
+          role="bold">DNAT-</emphasis>, the connections will be assigned to
+          addresses in the range in a round-robin fashion.</para>

-            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
-          </blockquote>
+          <para>If your kernel and iptables have ipset match support then you
+          may give the name of an ipset prefaced by "+". The ipset name may be
+          optionally followed by a number from 1 to 6 enclosed in square
+          brackets ([]) to indicate the number of levels of destination
+          bindings to be matched. Only one of the <emphasis
+          role="bold">SOURCE</emphasis> and <emphasis
+          role="bold">DEST</emphasis> columns may specify an ipset
+          name.</para>

-          <para>Multiple <replaceable>dest-spec</replaceable>s are not
-          permitted in DNAT[-] and REDIRECT[-] rules.</para>
+          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
+          firewall interface can be specified by an ampersand ('&amp;')
+          followed by the logical name of the interface as found in the
+          INTERFACE column of <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+          (5).</para>

-          <para>Examples:</para>
+          <para>The <replaceable>port</replaceable> that the server is
+          listening on may be included and separated from the server's IP
+          address by ":". If omitted, the firewall will not modify the
+          destination port. A destination port may only be included if the
+          <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
+          role="bold">REDIRECT</emphasis>.</para>

          <variablelist>
            <varlistentry>
-              <term>dmz:192.168.2.2</term>
+              <term>Example:</term>

              <listitem>
-                <para>Host 192.168.2.2 in the DMZ</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:155.186.235.0/24</term>
-
-              <listitem>
-                <para>Subnet 155.186.235.0/24 on the Internet</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>loc:192.168.1.1,192.168.1.2</term>
-
-              <listitem>
-                <para>Hosts 192.168.1.1 and 192.168.1.2 in the local
-                zone.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:192.0.2.11-192.0.2.17</term>
-
-              <listitem>
-                <para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:!192.0.2.11-192.0.2.17</term>
-
-              <listitem>
-                <para>All hosts in the net zone except for
-                192.0.2.11-192.0.2.17.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:155.186.235.0/24!155.186.235.16/28</term>
-
-              <listitem>
-                <para>Subnet 155.186.235.0/24 on the Internet except for
-                155.186.235.16/28</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>$FW:&amp;eth0</term>
-
-              <listitem>
-                <para>The primary IP address of eth0 in the firewall
-                zone.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>loc,dmz</term>
-
-              <listitem>
-                <para>Both the <emphasis role="bold">loc</emphasis> and
-                <emphasis role="bold">dmz</emphasis> zones.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>all!dmz</term>
-
-              <listitem>
-                <para>All but the <emphasis role="bold">dmz</emphasis>
-                zone.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:^CN</term>
-
-              <listitem>
-                <para>China.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>dmz:192.168.10.4:25</term>
-
-              <listitem>
-                <para>Port 25 on server 192.168.10.4 in the dmz zone (DNAT
-                rule).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net</term>
-
-              <listitem>
-                <para>Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the
-                packet arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12
-                in the dmz zone when the packet arrives through eth2 plus all
-                of the net zone.</para>
+                <para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
+                specifies a local server at IP address 192.168.1.3 and
+                listening on port 3128.</para>
              </listitem>
            </varlistentry>
          </variablelist>
+
+          <para>The <emphasis>port</emphasis> may be specified as a service
+          name. You may specify a port range in the form
+          <emphasis>lowport-highport</emphasis> to cause connections to be
+          assigned to ports in the range in round-robin fashion. When a port
+          range is specified, <emphasis>lowport</emphasis> and
+          <emphasis>highport</emphasis> must be given as integers; service
+          names are not permitted. Additionally, the port range may be
+          optionally followed by <emphasis role="bold">:random</emphasis>
+          which causes assignment to ports in the list to be random.</para>
+
+          <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">REDIRECT</emphasis> or <emphasis
+          role="bold">REDIRECT-</emphasis>, this column needs only to contain
+          the port number on the firewall that the request should be
+          redirected to. That is equivalent to specifying
+          <option>$FW</option>::<replaceable>port</replaceable>.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -1,743 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<refentry>
-  <refmeta>
-    <refentrytitle>shorewall-snat</refentrytitle>
-
-    <manvolnum>5</manvolnum>
-
-    <refmiscinfo>Configuration Files</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>snat</refname>
-
-    <refpurpose>Shorewall SNAT/Masquerade definition file</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>/etc/shorewall/snat</command>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>Description</title>
-
-    <para>This file is used to define dynamic NAT (Masquerading) and to define
-    Source NAT (SNAT). It superseded <ulink
-    url="shorewall-masq.html">shorewall-masq</ulink>(5) in Shorewall
-    5.0.14.</para>
-
-    <warning>
-      <para>The entries in this file are order-sensitive. The first entry that
-      matches a particular connection will be the one that is used.</para>
-    </warning>
-
-    <warning>
-      <para>If you have more than one ISP link, adding entries to this file
-      will <emphasis role="bold">not</emphasis> force connections to go out
-      through a particular link. You must use entries in <ulink
-      url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
-      PREROUTING entries in <ulink
-      url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
-      that.</para>
-    </warning>
-
-    <para>The columns in the file are as follows.</para>
-
-    <variablelist>
-      <varlistentry>
-        <term><emphasis role="bold">ACTION</emphasis></term>
-
-        <listitem>
-          <para>Defines the type of rule to generate. Choices are:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold">MASQUERADE[+]</emphasis>[([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])]</term>
-
-              <listitem>
-                <para>Causes matching outgoing packages to have their source
-                IP address set to the primary IP address of the interface
-                specified in the DEST column. if
-                <replaceable>lowport</replaceable>-<replaceable>highport</replaceable>
-                is given, that port range will be used to assign a source
-                port. If option <option>random</option> is used then port
-                mapping will be randomized. MASQUERADE should only be used
-                when the DEST interface has a dynamic IP address. Otherwise,
-                SNAT should be used and should specify the interface's static
-                address.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
-              role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
-              role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
-              role="bold">detect</emphasis>|</term>
-
-              <listitem>
-                <para>If you specify an address here, matching packets will
-                have their source address set to that address. If
-                ADD_SNAT_ALIASES is set to Yes or yes in <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
-                then Shorewall will automatically add this address to the
-                INTERFACE named in the first column.</para>
-
-                <para>You may also specify a range of up to 256 IP addresses
-                if you want the SNAT address to be assigned from that range in
-                a round-robin fashion by connection. The range is specified by
-                <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
-                You may follow the port range with<emphasis role="bold">
-                :random</emphasis> in which case assignment of ports from the
-                list will be random. <emphasis role="bold">random</emphasis>
-                may also be specified by itself in this column in which case
-                random local port assignments are made for the outgoing
-                connections.</para>
-
-                <para>Example: 206.124.146.177-206.124.146.180</para>
-
-                <para>You may follow the port range (or <emphasis
-                role="bold">:random</emphasis>) with <emphasis
-                role="bold">:persistent</emphasis>. This is only useful when
-                an address range is specified and causes a client to be given
-                the same source/destination IP pair. This feature replaces the
-                SAME modifier which was removed from Shorewall in version
-                4.4.0.</para>
-
-                <para>You may also use the special value
-                <option>detect</option> which causes Shorewall to determine
-                the IP addresses configured on the interface named in the DEST
-                column and substitute them in this column.</para>
-
-                <para>Finally, you may also specify a comma-separated list of
-                ranges and/or addresses in this column.</para>
-
-                <para>DNS Names names are not allowed.</para>
-
-                <para>Normally, Netfilter will attempt to retain the source
-                port number. You may cause netfilter to remap the source port
-                by following an address or range (if any) by ":" and a port
-                range with the format
-                <emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If
-                this is done, you must specify "tcp", "udp", "dccp" or "stcp"
-                in the PROTO column.</para>
-
-                <para>Examples:</para>
-
-                <programlisting>        192.0.2.4:5000-6000
-        :4000-5000</programlisting>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">CONTINUE</emphasis>[+]</term>
-
-              <listitem>
-                <para>Causes matching packets to be exempted from any
-                following rules in the file.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold"><replaceable>action</replaceable></emphasis>[+][(<replaceable>parameter</replaceable>,...)]</term>
-
-              <listitem>
-                <para>where <replaceable>action</replaceable> is an action
-                declared in <ulink
-                url="shorewall-actions.html">shorewall-actions(5)</ulink> with
-                the <option>nat</option> option. See <ulink
-                url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
-                further information.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>Normally Masq/SNAT rules are evaluated after those for
-          one-to-one NAT (defined in <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you
-          want the rule to be applied before one-to-one NAT rules, follow the
-          action name with "+": This feature should only be required if you
-          need to insert rules in this file that preempt entries in <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5).</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
-        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclusion</emphasis>]]</term>
-
-        <listitem>
-          <para>Set of hosts that you wish to masquerade. You can specify this
-          as an <emphasis>address</emphasis> (net or host) or as an
-          <emphasis>interface</emphasis> (use of an
-          <emphasis>interface</emphasis> is deprecated). If you give the name
-          of an interface, the interface must be up before you start the
-          firewall and the Shorewall rules compiler will warn you of that
-          fact. (Shorewall will use your main routing table to determine the
-          appropriate addresses to masquerade).</para>
-
-          <para>The preferred way to specify the SOURCE is to supply one or
-          more host or network addresses separated by comma. You may use ipset
-          names preceded by a plus sign (+) to specify a set of hosts.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">DEST</emphasis> - {[<emphasis
-        role="bold">+</emphasis>]<emphasis>interface</emphasis>[<emphasis
-        role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
-        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]}</term>
-
-        <listitem>
-          <para>Outgoing <emphasis>interface</emphasis>. This is usually your
-          internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
-          may add ":" and a <emphasis>digit</emphasis> to indicate that you
-          want the alias added with that name (e.g., eth0:0). This will allow
-          the alias to be displayed with ifconfig. <emphasis role="bold">That
-          is the only use for the alias name; it may not appear in any other
-          place in your Shorewall configuration.</emphasis></para>
-
-          <para>Each interface must match an entry in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          Shorewall allows loose matches to wildcard entries in <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          For example, <filename class="devicefile">ppp0</filename> in this
-          file will match a <ulink
-          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          entry that defines <filename
-          class="devicefile">ppp+</filename>.</para>
-
-          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
-          internet provider share a single interface</ulink>, the provider is
-          specified by including the provider name or number in
-          parentheses:</para>
-
-          <programlisting>        eth0(Avvanta)</programlisting>
-
-          <para>In that case, you will want to specify the interface's address
-          for that provider as the SNAT parameter.</para>
-
-          <para>The interface may be qualified by adding the character ":"
-          followed by a comma-separated list of destination host or subnet
-          addresses to indicate that you only want to change the source IP
-          address for packets being sent to those particular destinations.
-          Exclusion is allowed (see <ulink
-          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
-          as are ipset names preceded by a plus sign '+';</para>
-
-          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
-          entry then include the ":" but omit the digit:</para>
-
-          <programlisting>        eth0(Avvanta):
-        eth2::192.0.2.32/27</programlisting>
-
-          <para>Comments may be attached to Netfilter rules generated from
-          entries in this file through the use of ?COMMENT lines. These lines
-          begin with ?COMMENT; the remainder of the line is treated as a
-          comment which is attached to subsequent rules until another ?COMMENT
-          line is found or until the end of the file is reached. To stop
-          adding comments to rules, use a line containing only
-          ?COMMENT.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
-        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
-
-        <listitem>
-          <para>If you wish to restrict this entry to a particular protocol
-          then enter the protocol name (from protocols(5)) or number
-          here.</para>
-
-          <para>Beginning with Shorewall 4.5.12, this column can accept a
-          comma-separated list of protocols.</para>
-
-          <para>Beginning with Shorewall 4.6.0, an
-          <replaceable>ipset</replaceable> name can be specified in this
-          column. This is intended to be used with
-          <firstterm>bitmap:port</firstterm> ipsets.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PORT</emphasis> (Optional) -
-        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
-
-        <listitem>
-          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
-          SCTP (132) or UDPLITE (136) then you may list one or more port
-          numbers (or names from services(5)) or port ranges separated by
-          commas.</para>
-
-          <para>Port ranges are of the form
-          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
-
-          <para>Beginning with Shorewall 4.6.0, an
-          <replaceable>ipset</replaceable> name can be specified in this
-          column. This is intended to be used with
-          <firstterm>bitmap:port</firstterm> ipsets.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
-        [<emphasis>option</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
-
-        <listitem>
-          <para>If you specify a value other than "-" in this column, you must
-          be running kernel 2.6 and your kernel and iptables must include
-          policy match support.</para>
-
-          <para>Comma-separated list of options from the following. Only
-          packets that will be encrypted via an SA that matches these options
-          will have their source address changed.</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><emphasis
-              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
-
-              <listitem>
-                <para>where <emphasis>number</emphasis> is specified using
-                setkey(8) using the 'unique:<emphasis>number</emphasis> option
-                for the SPD level.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
-
-              <listitem>
-                <para>where <emphasis>number</emphasis> is the SPI of the SA
-                used to encrypt/decrypt packets.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">proto=</emphasis><emphasis
-              role="bold">ah</emphasis>|<emphasis
-              role="bold">esp</emphasis>|<emphasis
-              role="bold">ipcomp</emphasis></term>
-
-              <listitem>
-                <para>IPSEC Encapsulation Protocol</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
-
-              <listitem>
-                <para>sets the MSS field in TCP packets</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">mode=</emphasis><emphasis
-              role="bold">transport</emphasis>|<emphasis
-              role="bold">tunnel</emphasis></term>
-
-              <listitem>
-                <para>IPSEC mode</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
-
-              <listitem>
-                <para>only available with mode=tunnel</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
-
-              <listitem>
-                <para>only available with mode=tunnel</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">strict</emphasis></term>
-
-              <listitem>
-                <para>Means that packets must match all rules.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">next</emphasis></term>
-
-              <listitem>
-                <para>Separates rules; can only be used with strict</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">yes</emphasis></term>
-
-              <listitem>
-                <para>When used by itself, causes all traffic that will be
-                encrypted/encapsulated to match the rule.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
-        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
-        role="bold">:C</emphasis>]</term>
-
-        <listitem>
-          <para>Defines a test on the existing packet or connection mark. The
-          rule will match only if the test returns true.</para>
-
-          <para>If you don't want to define a test but need to specify
-          anything in the following columns, place a "-" in this field.</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>!</term>
-
-              <listitem>
-                <para>Inverts the test (not equal)</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis>value</emphasis></term>
-
-              <listitem>
-                <para>Value of the packet or connection mark.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis>mask</emphasis></term>
-
-              <listitem>
-                <para>A mask to be applied to the mark before testing.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">:C</emphasis></term>
-
-              <listitem>
-                <para>Designates a connection mark. If omitted, the packet
-                mark's value is tested.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
-        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
-        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
-
-        <listitem>
-          <para>This column was formerly labelled USER/GROUP.</para>
-
-          <para>Only locally-generated connections will match if this column
-          is non-empty.</para>
-
-          <para>When this column is non-empty, the rule matches only if the
-          program generating the output is running under the effective
-          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
-          specified (or is NOT running under that id if "!" is given).</para>
-
-          <para>Examples:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>joe</term>
-
-              <listitem>
-                <para>program must be run by joe</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>:kids</term>
-
-              <listitem>
-                <para>program must be run by a member of the 'kids'
-                group</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>!:kids</term>
-
-              <listitem>
-                <para>program must not be run by a member of the 'kids'
-                group</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>+upnpd</term>
-
-              <listitem>
-                <para>#program named upnpd</para>
-
-                <important>
-                  <para>The ability to specify a program name was removed from
-                  Netfilter in kernel version 2.6.14.</para>
-                </important>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
-
-        <listitem>
-          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
-          rule without requiring <command>shorewall restart</command>.</para>
-
-          <para>The rule is enabled if the value stored in
-          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
-          is 1. The rule is disabled if that file contains 0 (the default). If
-          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0.</para>
-
-          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
-          '@{0}' are replaced by the name of the chain to which the rule is a
-          added. The <replaceable>switch-name</replaceable> (after '@...'
-          expansion) must begin with a letter and be composed of letters,
-          decimal digits, underscores or hyphens. Switch names must be 30
-          characters or less in length.</para>
-
-          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
-          turn a switch <emphasis role="bold">on</emphasis>:</para>
-
-          <simplelist>
-            <member><command>echo 1 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
-
-          <simplelist>
-            <member><command>echo 0 &gt;
-            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
-          </simplelist>
-
-          <para>Switch settings are retained over <command>shorewall
-          restart</command>.</para>
-
-          <para>Beginning with Shorewall 4.5.10, when the
-          <replaceable>switch-name</replaceable> is followed by
-          <option>=0</option> or <option>=1</option>, then the switch is
-          initialized to off or on respectively by the
-          <command>start</command> command. Other commands do not affect the
-          switch setting.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
-
-        <listitem>
-          <para>(Optional) Added in Shorewall 4.5.6. This column may be
-          included and may contain one or more addresses (host or network)
-          separated by commas. Address ranges are not allowed. When this
-          column is supplied, rules are generated that require that the
-          original destination address matches one of the listed addresses. It
-          is useful for specifying that SNAT should occur only for connections
-          that were acted on by a DNAT when they entered the firewall.</para>
-
-          <para>This column was formerly labelled ORIGINAL DEST.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">PROBABILITY</emphasis> -
-        [<replaceable>probability</replaceable>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.0.0. When non-empty, requires the
-          <firstterm>Statistics Match</firstterm> capability in your kernel
-          and ip6tables and causes the rule to match randomly but with the
-          given <replaceable>probability</replaceable>. The
-          <replaceable>probability</replaceable> is a number 0 &lt;
-          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
-          at up to 8 decimal points of precision.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>Examples</title>
-
-    <variablelist>
-      <varlistentry>
-        <term>Example 1:</term>
-
-        <listitem>
-          <para>You have a simple masquerading setup where eth0 connects to a
-          DSL or cable modem and eth1 connects to your local network with
-          subnet 192.168.0.0/24.</para>
-
-          <para>Your entry in the file will be:</para>
-
-          <programlisting>        #ACTION    SOURCE              DEST
-        MASQUERADE 192.168.0.0/24      eth0</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 2:</term>
-
-        <listitem>
-          <para>You add a router to your local network to connect subnet
-          192.168.1.0/24 which you also want to masquerade. You then add a
-          second entry for eth0 to this file:</para>
-
-          <programlisting>        #ACTION    SOURCE              DEST
-        MASQUERADE 192.168.0.0/24      eth0
-        MASQUERADE 192.168.1.0/24      eth0</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 3:</term>
-
-        <listitem>
-          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
-          to use source address 206.124.146.176 which is NOT the primary
-          address of eth0. You want 206.124.146.176 to be added to eth0 with
-          name eth0:0.</para>
-
-          <programlisting>        #ACTION                 SOURCE          DEST
-        SNAT(206.124.146.176)   192.168.1.0/24  eth0:0</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 4:</term>
-
-        <listitem>
-          <para>You want all outgoing SMTP traffic entering the firewall from
-          172.20.1.0/29 to be sent from eth0 with source IP address
-          206.124.146.177. You want all other outgoing traffic from
-          172.20.1.0/29 to be sent from eth0 with source IP address
-          206.124.146.176.</para>
-
-          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
-        eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
-        eth0         172.20.1.0/29    206.124.146.176</programlisting>
-
-          <programlisting>        #ACTION                 SOURCE          DEST        PROTO     PORT
-        SNAT(206.124.146.177)   172.20.1.0/29   eth0        tcp       smtp
-        SNAT(206.124.146.176)   172.20.1.0/29   eth0</programlisting>
-
-          <warning>
-            <para>The order of the above two rules is significant!</para>
-          </warning>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 5:</term>
-
-        <listitem>
-          <para>Connections leaving on eth0 and destined to any host defined
-          in the ipset <emphasis>myset</emphasis> should have the source IP
-          address changed to 206.124.146.177.</para>
-
-          <programlisting>        #ACTION                 SOURCE          DEST
-        SNAT(206.124.146.177)   -               eth0+myset[dst]</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 6:</term>
-
-        <listitem>
-          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
-          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
-          (Shorewall 4.5.9 and later).</para>
-
-          <programlisting>/etc/shorewall/tcrules:
-
-       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
-       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
-
-/etc/shorewall/snat:
-
-       #ACTION                 SOURCE          DEST
-       SNAT(1.1.1.1)           192.168.1.0/24  eth0  { mark=1:C }
-       SNAT(1.1.1.3)           192.168.1.0/24  eth0  { mark=2:C }
-       SNAT(1.1.1.9)           192.168.1.0/24  eth0  { mark=3:C }</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Example 7:</term>
-
-        <listitem>
-          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
-          70.90.191.123. You want to use the iptables statistics match to
-          masquerade outgoing connections evenly between these two
-          addresses.</para>
-
-          <programlisting>/etc/shorewall/snat:
-
-       #ACTION                 SOURCE           DEST
-       SNAT(70.90.191.121)     -                eth1 { probability=.50 }
-       SNAT(70.90.191.123)     -                eth1</programlisting>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-
-    <para>/etc/shorewall/snat</para>
-  </refsect1>
-
-  <refsect1>
-    <title>See ALSO</title>
-
-    <para><ulink
-    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
-    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
-  </refsect1>
-</refentry>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -533,6 +533,22 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.16. Prior to the availability of BEGIN
+          PERL....END PERL in configuration files, the only way to execute a
+          chain-specific script was to create a script file with the same name
+          as the chain and place it in a directory on the CONFIG_PATH. That
+          facility has the drawback that the compiler will attempt to run a
+          non-script file just because it has the same name as a chain. To
+          disable this facility, set CHAIN_SCRIPTS=No. If not specified or
+          specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -752,7 +768,8 @@
        role="bold">Yes</emphasis>|<emphasis
        role="bold">No</emphasis>||<emphasis
        role="bold">ipset</emphasis>[<emphasis
-        role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
+        role="bold">-only</emphasis>][,<emphasis
+        role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>

        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
@@ -768,61 +785,12 @@
          (<replaceable>log_level</replaceable>), if any, at which blacklisted
          traffic is to be logged may also be specified. The default set name
          is SW_DBL4 and the default log level is <option>none</option> (no
-          logging). If <option>ipset-only</option> is given, then chain-based
+          logging). if <option>ipset-only</option> is given, then chain-based
          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
-          had been specified.</para>
-
-          <para>Possible <replaceable>option</replaceable>s are:</para>
-
-          <variablelist>
-            <varlistentry>
-              <term>src-dst</term>
-
-              <listitem>
-                <para>Normally, only packets whose source address matches an
-                entry in the ipset are dropped. If <option>src-dst</option> is
-                included, then packets whose destination address matches an
-                entry in the ipset are also dropped.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>disconnect</option></term>
-
-              <listitem>
-                <para>The <option>disconnect</option> option was added in
-                Shorewall 5.0.13 and requires that the conntrack utility be
-                installed on the firewall system. When an address is
-                blacklisted using the <command>blacklist</command> command,
-                all connections originating from that address are
-                disconnected. if the <option>src-dst</option> option was also
-                specified, then all connections to that address are also
-                disconnected.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.0.13. Normally, Shorewall creates
-                the dynamic blacklisting ipset with timeout 0 which means that
-                entries are permanent. If you want entries in the set that are
-                not accessed for a period of time to be deleted from the set,
-                you may specify that period using this option. Note that the
-                <command>blacklist</command> command can override the ipset's
-                timeout setting.</para>
-
-                <important>
-                  <para>Once the dynamic blacklisting ipset has been created,
-                  changing this option setting requires a complete restart of
-                  the firewall; <command>shorewall restart</command> if
-                  RESTART=restart, otherwise <command>shorewall stop
-                  &amp;&amp; shorewall start</command></para>
-                </important>
-              </listitem>
-            </varlistentry>
-          </variablelist>
+          had been specified. Normally, only packets whose source address
+          matches an entry in the ipsec are dropped. If
+          <option>src-dst</option> is included, then packets whose destination
+          address matches an entry in the ipset are also dropped.</para>

          <para>When ipset-based dynamic blacklisting is enabled, the contents
          of the blacklist will be preserved over
@@ -895,21 +863,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis
-        role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
-
-        <listitem>
-          <para>This option was added in Shorewall 5.0.13 and may be used on
-          an administrative system in directories containing the
-          configurations of remote firewalls. The contents of the variable are
-          the default value for the <replaceable>system</replaceable>
-          parameter to the <command>remote-start</command>,
-          <command>remote-reload</command> and
-          <command>remote-restart</command> commands.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -1071,12 +1024,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

          <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
          set INLINE_MATCHES=Yes in order to be able to specify your own
-          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
-          Beginning with 5.0.0, you may simply preface your text with a pair
-          of semicolons (";;"). If alternate input is also specified in the
-          rule, it should appear before the semicolons and may be separated
-          from normal column input by a single semicolon or enclosed in curly
-          braces ("{....}").</para>
+          iptables text in a rule. You may simply preface that text with a
+          pair of semicolons (";;"). If alternate input is also specified in
+          the rule, it should appear before the semicolons and may be
+          separated from normal column input by a single semicolon.</para>
        </listitem>
      </varlistentry>

@@ -2135,27 +2086,36 @@ LOG:info:,bar                        net                    fw</programlisting>
          <command>load</command> and <command>reload</command> commands.
          Beginning with release 3.9.5, you may define an alternative means
          for accessing the remote firewall system. In that release, two new
-          options were added to shorewall.conf:</para>
+          options were added to shorewall.conf:<simplelist>
+              <member>RSH_COMMAND</member>

-          <simplelist>
-            <member>RSH_COMMAND</member>
+              <member>RCP_COMMAND</member>
+            </simplelist>The default values for these are as
+          follows:<simplelist>
+              <member>RSH_COMMAND: ssh ${root}@${system} ${command}</member>

-            <member>RCP_COMMAND</member>
-          </simplelist>
+              <member>RCP_COMMAND: scp ${files}
+              ${root}@${system}:${destination}</member>
+            </simplelist>Shell variables that will be set when the commands
+          are invoked are as follows:<simplelist>
+              <member><replaceable>root</replaceable> - root user. Normally
+              <option>root</option> but may be overridden using the '-r'
+              option.</member>

-          <para>The default values for these are as follows:</para>
+              <member><replaceable>system</replaceable> - The name/IP address
+              of the remote firewall system.</member>

-          <programlisting>RSH_COMMAND: ssh ${root}@${system} ${command}
-RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
+              <member><replaceable>command</replaceable> - For RSH_COMMAND,
+              the command to be executed on the firewall system.</member>

-          <para>Shell variables that will be set when the commands are invoked
-          are as follows:</para>
+              <member><replaceable>files</replaceable> - For RCP_COMMAND, a
+              space-separated list of files to be copied to the remote
+              firewall system.</member>

-          <programlisting><replaceable>root</replaceable>        - root user. Normally <option>root</option> but may be overridden using the '-r' option.
-<replaceable>system</replaceable>      - The name/IP address of the remote firewall system.
-<replaceable>command</replaceable>     - For RSH_COMMAND, the command to be executed on the firewall system.
-<replaceable>files</replaceable>       - For RCP_COMMAND, a space-separated list of files to be copied to the remote firewall system.
-<replaceable>destination</replaceable> - The directory on the remote system that the files are to be copied into.</programlisting>
+              <member><replaceable>destination</replaceable> - The directory
+              on the remote system that the files are to be copied
+              into.</member>
+            </simplelist></para>
        </listitem>
      </varlistentry>

@@ -2570,19 +2530,9 @@ INLINE          -       -       -       ;; -j REJECT
          <para>This parameter should be set to the name of a file that the
          firewall should create if it starts successfully and remove when it
          stops. Creating and removing this file allows Shorewall to work with
-          your distribution's initscripts. For OpenSuSE, this should be set to
-          /var/lock/subsys/shorewall (var/lock/subsys/shorewall-lite if
-          building for export). For Gentoo, it should be set to
-          /run/lock/shorewall (/run/lock/shorewall-lite). For Redhat and
-          derivatives as well as Debian and derivatives, the pathname should
-          be omitted.</para>
-
-          <important>
-            <para>Beginning with Shorewall 5.1.0, this setting is ignored when
-            SERVICEDIR is non-empty in
-            <filename>${SHAREDIR}/shorewall/shorewallrc</filename> (usually
-            <filename>/usr/share/shorewall/shorewallrc</filename>).</para>
-          </important>
+          your distribution's initscripts. For RedHat and OpenSuSE, this
+          should be set to /var/lock/subsys/shorewall. For Debian, the value
+          is /var/lock/shorewall and in LEAF it is /var/run/shorewall.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
--- a/Shorewall/modules.essential
+++ b/Shorewall/modules.essential
@@ -25,8 +25,6 @@ loadmodule ip_conntrack
 loadmodule nf_conntrack
 loadmodule nf_conntrack_ipv4
 loadmodule iptable_nat
-loadmodule nf_nat
-loadmodule nf_nat_ipv4
 loadmodule iptable_raw
 loadmodule xt_state
 loadmodule xt_tcpudp
--- a/Shorewall/modules.xtables
+++ b/Shorewall/modules.xtables
@@ -31,7 +31,6 @@ loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
 loadmodule xt_multiport
-loadmodule xt_nat
 loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -32,8 +32,11 @@ PRODUCT=shorewall
 #
 . /usr/share/shorewall/shorewallrc

-g_basedir=${SHAREDIR}/shorewall
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR"/shorewall
+g_confdir="$CONFDIR"/shorewall
+g_readrc=1

-. ${g_basedir}/lib.cli
+. $g_sharedir/lib.cli

 shorewall_cli $@
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -28,7 +28,6 @@

 VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall
-Product=Shorewall

 usage() # $1 = exit status
 {
@@ -128,6 +127,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/Shorewall6-lite/Makefile
+++ b/Shorewall6-lite/Makefile
@@ -0,0 +1,18 @@
+# Shorewall6 Lite Makefile to restart if firewall script is newer than last restart
+VARDIR=$(shell /sbin/shorewall6-lite show vardir)
+SHAREDIR=/usr/share/shorewall6-lite
+RESTOREFILE?=.restore
+
+all: $(VARDIR)/$(RESTOREFILE)
+
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
+	@/sbin/shorewall6-lite -q save >/dev/null; \
+	if \
+	    /sbin/shorewall6-lite -q restart >/dev/null 2>&1; \
+	then \
+	    /sbin/shorewall6-lite -q save >/dev/null; \
+	else \
+	    /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; exit 1; \
+	fi
+
+# EOF
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -13,7 +13,7 @@

 . /lib/lsb/init-functions

-SRWL='/sbin/shorewall6-lite -6'
+SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}

@@ -85,7 +85,7 @@ fi

 # start the firewall
 shorewall6_start () {
-  printf "Starting \"Shorewall6 Lite firewall\": "
+  echo -n "Starting \"Shorewall6 Lite firewall\": "
  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
@@ -93,10 +93,10 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
  if [ "$SAFESTOP" = 1 ]; then
-      printf "Stopping \"Shorewall6 Lite firewall\": "
+      echo -n "Stopping \"Shorewall6 Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
-      printf "Clearing all \"Shorewall6 Lite firewall\" rules: "
+      echo -n "Clearing all \"Shorewall6 Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -104,14 +104,14 @@ shorewall6_stop () {

 # restart the firewall
 shorewall6_restart () {
-  printf "Restarting \"Shorewall6 Lite firewall\": "
+  echo -n "Restarting \"Shorewall6 Lite firewall\": "
  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

 # refresh the firewall
 shorewall6_refresh () {
-  printf "Refreshing \"Shorewall6 Lite firewall\": "
+  echo -n "Refreshing \"Shorewall6 Lite firewall\": "
  $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc

-prog="shorewall -6l"
+prog="shorewall6-lite"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi

 start() {
-    printf $"Starting Shorewall: "
+    echo -n $"Starting Shorewall: "
    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }

 stop() {
-    printf $"Stopping Shorewall: "
+    echo -n $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    printf $"Restarting Shorewall: "
+    echo -n $"Restarting Shorewall: "
    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	dce3e740a4	Correct indentation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-09 11:13:01 -07:00
Tom Eastep	09c528468b	Correct typo in lib.private Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-09 10:59:00 -07:00
Tom Eastep	6b20fb42d4	Change order of options in .conf files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-03 11:23:51 -07:00
Roberto C. Sánchez	d2cd9b5b71	Fix typos	2016-10-03 09:51:50 -07:00
Tom Eastep	05dc3db3c1	Correct DYNAMIC_BLACKLISTING documentation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-10-03 09:09:57 -07:00