Fix link

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correct typo in manpages
2016-05-01 10:44:12 -07:00 · 2016-05-01 10:44:01 -07:00 · 2016-04-28 16:42:52 -07:00 · 2016-04-28 16:42:32 -07:00
186 changed files with 9419 additions and 9962 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -235,8 +235,7 @@ for on in \
    SPARSE \
    ANNOTATED \
    VARLIB \
-    VARDIR \
+    VARDIR
    DEFAULT_PAGER
 do
    echo "$on=${options[${on}]}"
    echo "$on=${options[${on}]}" >> shorewallrc
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -209,8 +209,7 @@ for ( qw/ HOST
 	  SPARSE
 	  ANNOTATED
 	  VARLIB
-	  VARDIR
+	  VARDIR / ) {
          DEFAULT_PAGER / ) {
    my $val = $options{$_} || '';
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -365,12 +365,6 @@ fi
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
 #
 # Install the CLI
 #
 install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
 echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 # Install wait4ifup
 #
 install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
@@ -386,31 +380,6 @@ for f in lib.* ; do
    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done
 if [ $SHAREDIR != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
 fi
 #
 # Install the Man Pages
 #
 if [ -n "$MANDIR" ]; then
    cd manpages
    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
    for f in *.8; do
 	gzip -9c $f > $f.gz
 	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done
    cd ..
    echo "Man Pages Installed"
 fi
 #
 # Symbolically link 'functions' to lib.base
 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -20,22 +20,412 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-# This library is a compatibility wrapper around lib.core.
+# This library contains the code common to all Shorewall components except the
 # generated scripts.
 #
-if [ -z "$PRODUCT" ]; then
+SHOREWALL_LIBVERSION=40509
 [ -n "${g_program:=shorewall}" ]
 if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} != /usr/share
    #
    . /usr/share/shorewall/shorewallrc
-    g_basedir=${SHAREDIR}/shorewall
+    g_sharedir="$SHAREDIR"/$g_program
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
 fi
-    if [ -z "$SHOREWALL_LIBVERSION" ]; then
+g_basedir=${SHAREDIR}/shorewall
-	. ${g_basedir}/lib.core
+
 case $g_program in
    shorewall)
 	g_product="Shorewall"
 	g_family=4
 	g_tool=iptables
 	g_lite=
 	;;
    shorewall6)
 	g_product="Shorewall6"
 	g_family=6
 	g_tool=ip6tables
 	g_lite=
 	;;
    shorewall-lite)
 	g_product="Shorewall Lite"
 	g_family=4
 	g_tool=iptables
 	g_lite=Yes
 	;;
    shorewall6-lite)
 	g_product="Shorewall6 Lite"
 	g_family=6
 	g_tool=ip6tables
 	g_lite=Yes
 	;;
 esac
 if [ -z "${VARLIB}" ]; then
    VARLIB=${VARDIR}
    VARDIR=${VARLIB}/$g_program
 elif [ -z "${VARDIR}" ]; then
    VARDIR="${VARLIB}/${PRODUCT}"
 fi
 #
 # Fatal Error
 #
 fatal_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 2
 }
 #
 # Not configured Error
 #
 not_configured_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 6
 }
 #
 # Conditionally produce message
 #
 progress_message() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 1 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 progress_message2() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 progress_message3() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -ge 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 #
 # Undo the effect of 'separate_list()'
 #
 combine_list()
 {
    local f
    local o
    o=
    for f in $* ; do
        o="${o:+$o,}$f"
    done
    echo $o
 }
 #
 # Validate an IP address
 #
 valid_address() {
    local x
    local y
    local ifs
    ifs=$IFS
    IFS=.
    for x in $1; do
 	case $x in
 	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
 		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
                ;;
 	    *)
 	        IFS=$ifs
 		return 2
 		;;
 	esac
    done
    IFS=$ifs
    return 0
 }
 #
 # Miserable Hack to work around broken BusyBox ash in OpenWRT
 #
 addr_comp() {
    test $(bc <<EOF
 $1 > $2
 EOF
 ) -eq 1
 }
 #
 # Enumerate the members of an IP range -- When using a shell supporting only
 # 32-bit signed arithmetic, the range cannot span 128.0.0.0.
 #
 # Comes in two flavors:
 #
 # ip_range() - produces a mimimal list of network/host addresses that spans
 #              the range.
 #
 # ip_range_explicit() - explicitly enumerates the range.
 #
 ip_range() {
    local first
    local last
    local l
    local x
    local y
    local z
    local vlsm
    case $1 in
 	!*)
 	    #
 	    # Let iptables complain if it's a range
 	    #
 	    echo $1
 	    return
 	    ;;
 	[0-9]*.*.*.*-*.*.*.*)
            ;;
 	*)
 	    echo $1
 	    return
 	    ;;
    esac
    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})
    if addr_comp $first $last; then
 	fatal_error "Invalid IP address range: $1"
    fi
-    set_default_product
+    l=$(( $last + 1 ))
-    setup_product_environment
+    while addr_comp $l $first; do
-fi
+	vlsm=
 	x=31
 	y=2
 	z=1
 	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
 	    vlsm=/$x
 	    x=$(( $x - 1 ))
 	    z=$y
 	    y=$(( $y * 2 ))
 	done
 	echo $(encodeaddr $first)$vlsm
 	first=$(($first + $z))
    done
 }
 ip_range_explicit() {
    local first
    local last
    case $1 in
    [0-9]*.*.*.*-*.*.*.*)
 	;;
    *)
 	echo $1
 	return
 	;;
    esac
    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})
    if addr_comp $first $last; then
 	fatal_error "Invalid IP address range: $1"
    fi
    while ! addr_comp $first $last; do
 	echo $(encodeaddr $first)
 	first=$(($first + 1))
    done
 }
 [ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
 #
 # Netmask to VLSM
 #
 ip_vlsm() {
    local mask
    mask=$(decodeaddr $1)
    local vlsm
    vlsm=0
    local x
    x=$(( 128 << 24 )) # 0x80000000
    while [ $(( $x & $mask )) -ne 0 ]; do
 	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
 	vlsm=$(($vlsm + 1))
    done
    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
 	echo "Invalid net mask: $1" >&2
    else
 	echo $vlsm
    fi
 }
 #
 # Set default config path
 #
 ensure_config_path() {
    local F
    F=${g_sharedir}/configpath
    if [ -z "$CONFIG_PATH" ]; then
 	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
 	. $F
    fi
    if [ -n "$g_shorewalldir" ]; then
 	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
    fi
 }
 #
 # Get fully-qualified name of file
 #
 resolve_file() # $1 = file name
 {
    local pwd
    pwd=$PWD
    case $1 in
 	/*)
 	    echo $1
 	    ;;
 	.)
 	    echo $pwd
 	    ;;
 	./*)
 	    echo ${pwd}${1#.}
 	    ;;
 	..)
 	    cd ..
 	    echo $PWD
 	    cd $pwd
 	    ;;
 	../*)
 	    cd ..
 	    resolve_file ${1#../}
 	    cd $pwd
 	    ;;
 	*)
 	    echo $pwd/$1
 	    ;;
    esac
 }
 #
 # Determine how to do "echo -e"
 #
 find_echo() {
    local result
    result=$(echo "a\tb")
    [ ${#result} -eq 3 ] && { echo echo; return; }
    result=$(echo -e "a\tb")
    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
    result=$(which echo)
    [ -n "$result" ] && { echo "$result -e"; return; }
    echo echo
 }
 # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
 #
 #     None - No mktemp
 #     BSD  - BSD mktemp (Mandrake)
 #     STD  - mktemp.org mktemp
 #
 find_mktemp() {
    local mktemp
    mktemp=`mywhich mktemp 2> /dev/null`
    if [ -n "$mktemp" ]; then
 	if qt mktemp -V ; then
 	    MKTEMP=STD
 	else
 	    MKTEMP=BSD
 	fi
    else
 	MKTEMP=None
    fi
 }
 #
 # create a temporary file. If a directory name is passed, the file will be created in
 # that directory. Otherwise, it will be created in a temporary directory.
 #
 mktempfile() {
    [ -z "$MKTEMP" ] && find_mktemp
    if [ $# -gt 0 ]; then
 	case "$MKTEMP" in
 	    BSD)
 		mktemp $1/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -p $1 shorewall.XXXXXX
 		;;
 	    None)
 		> $1/shorewall-$$ && echo $1/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
 		;;
 	esac
    else
 	case "$MKTEMP" in
 	    BSD)
 		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -t shorewall.XXXXXX
 		;;
 	    None)
 		rm -f ${TMPDIR:-/tmp}/shorewall-$$
 		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
 		;;
 	esac
    fi
 }
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -712,9 +712,9 @@ find_file()
 set_state () # $1 = state
 {
    if [ $# -gt 1 ]; then
-	echo "$1 $(date) from $2" > ${VARDIR}/state
+	echo "$1 ($(date)) from $2" > ${VARDIR}/state
    else
-	echo "$1 $(date)" > ${VARDIR}/state
+	echo "$1 ($(date))" > ${VARDIR}/state
    fi
 }
@@ -776,7 +776,7 @@ mutex_on()
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                return 0
-	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
+	    elif ! qt ps p ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
@@ -788,8 +788,10 @@ mutex_on()
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock ${lockf}
+            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
-            chmod u=r ${lockf}
+            chmod u+w ${lockf}
            echo $$ > ${lockf}
            chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -811,7 +813,6 @@ mutex_on()
 #
 mutex_off()
 {
    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,440 +0,0 @@
 #
 # Shorewall 5.0 -- /usr/share/shorewall/lib.core
 #
 #     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # This library contains the code common to all Shorewall components except the
 # generated scripts.
 #
 SHOREWALL_LIBVERSION=50100
 #
 # Fatal Error
 #
 fatal_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 2
 }
 setup_product_environment() { # $1 = if non-empty, source shorewallrc again now that we have the correct product
    g_basedir=${SHAREDIR}/shorewall
    g_sharedir="$SHAREDIR"/$PRODUCT
    g_confdir="$CONFDIR"/$PRODUCT
    case $PRODUCT in
 	shorewall)
 	    g_product="Shorewall"
 	    g_family=4
 	    g_tool=iptables
 	    g_lite=
 	    ;;
 	shorewall6)
 	    g_product="Shorewall6"
 	    g_family=6
 	    g_tool=ip6tables
 	    g_lite=
 	    ;;
 	shorewall-lite)
 	    g_product="Shorewall Lite"
 	    g_family=4
 	    g_tool=iptables
 	    g_lite=Yes
 	    ;;
 	shorewall6-lite)
 	    g_product="Shorewall6 Lite"
 	    g_family=6
 	    g_tool=ip6tables
 	    g_lite=Yes
 	    ;;
 	*)
 	    fatal_error "Unknown PRODUCT ($PRODUCT)"
 	    ;;
    esac
    [ -f ${SHAREDIR}/${PRODUCT}/version ] || fatal_error "$g_product does not appear to be installed on this system"
    #
    # We need to do this again, now that we have the correct product
    #
    [ -n "$1" ] && . ${g_basedir}/shorewallrc
    if [ -z "${VARLIB}" ]; then
 	VARLIB=${VARDIR}
 	VARDIR=${VARLIB}/${PRODUCT}
    elif [ -z "${VARDIR}" ]; then
 	VARDIR="${VARLIB}/${PRODUCT}"
    fi
 }
 set_default_product() {
    case $(basename $0) in
 	shorewall6)
 	    PRODUCT=shorewall6
 	    ;;
 	shorewall4)
 	    PRODUCT=shorewall
 	    ;;
 	shorewall-lite)
 	    PRODUCT=shorewall-lite
 	    ;;
 	shorewall6-lite)
 	    PRODUCT=shorewall6-lite
 	    ;;
 	*)
 	    if [ -f ${g_basedir}/version ]; then
 		PRODUCT=shorewall
 	    elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
 		PRODUCT=shorewall-lite
 	    elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
 		PRODUCT=shorewall6-lite
 	    else
 		fatal_error "No Shorewall firewall product is installed"
 	    fi
 	    ;;
    esac
 }
 # Not configured Error
 #
 not_configured_error() # $@ = Message
 {
    echo "   ERROR: $@" >&2
    exit 6
 }
 #
 # Conditionally produce message
 #
 progress_message() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 1 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 progress_message2() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 progress_message3() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -ge 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
 #
 # Undo the effect of 'separate_list()'
 #
 combine_list()
 {
    local f
    local o
    o=
    for f in $* ; do
        o="${o:+$o,}$f"
    done
    echo $o
 }
 #
 # Validate an IP address
 #
 valid_address() {
    local x
    local y
    local ifs
    ifs=$IFS
    IFS=.
    for x in $1; do
 	case $x in
 	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
 		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
                ;;
 	    *)
 	        IFS=$ifs
 		return 2
 		;;
 	esac
    done
    IFS=$ifs
    return 0
 }
 #
 # Miserable Hack to work around broken BusyBox ash in OpenWRT
 #
 addr_comp() {
    test $(bc <<EOF
 $1 > $2
 EOF
 ) -eq 1
 }
 #
 # Enumerate the members of an IP range -- When using a shell supporting only
 # 32-bit signed arithmetic, the range cannot span 128.0.0.0.
 #
 # Comes in two flavors:
 #
 # ip_range() - produces a mimimal list of network/host addresses that spans
 #              the range.
 #
 # ip_range_explicit() - explicitly enumerates the range.
 #
 ip_range() {
    local first
    local last
    local l
    local x
    local y
    local z
    local vlsm
    case $1 in
 	!*)
 	    #
 	    # Let iptables complain if it's a range
 	    #
 	    echo $1
 	    return
 	    ;;
 	[0-9]*.*.*.*-*.*.*.*)
            ;;
 	*)
 	    echo $1
 	    return
 	    ;;
    esac
    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})
    if addr_comp $first $last; then
 	fatal_error "Invalid IP address range: $1"
    fi
    l=$(( $last + 1 ))
    while addr_comp $l $first; do
 	vlsm=
 	x=31
 	y=2
 	z=1
 	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
 	    vlsm=/$x
 	    x=$(( $x - 1 ))
 	    z=$y
 	    y=$(( $y * 2 ))
 	done
 	echo $(encodeaddr $first)$vlsm
 	first=$(($first + $z))
    done
 }
 ip_range_explicit() {
    local first
    local last
    case $1 in
    [0-9]*.*.*.*-*.*.*.*)
 	;;
    *)
 	echo $1
 	return
 	;;
    esac
    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})
    if addr_comp $first $last; then
 	fatal_error "Invalid IP address range: $1"
    fi
    while ! addr_comp $first $last; do
 	echo $(encodeaddr $first)
 	first=$(($first + 1))
    done
 }
 [ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
 #
 # Netmask to VLSM
 #
 ip_vlsm() {
    local mask
    mask=$(decodeaddr $1)
    local vlsm
    vlsm=0
    local x
    x=$(( 128 << 24 )) # 0x80000000
    while [ $(( $x & $mask )) -ne 0 ]; do
 	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
 	vlsm=$(($vlsm + 1))
    done
    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
 	echo "Invalid net mask: $1" >&2
    else
 	echo $vlsm
    fi
 }
 #
 # Set default config path
 #
 ensure_config_path() {
    local F
    F=${g_sharedir}/configpath
    if [ -z "$CONFIG_PATH" ]; then
 	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
 	. $F
    fi
    if [ -n "$g_shorewalldir" ]; then
 	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
    fi
 }
 #
 # Get fully-qualified name of file
 #
 resolve_file() # $1 = file name
 {
    local pwd
    pwd=$PWD
    case $1 in
 	/*)
 	    echo $1
 	    ;;
 	.)
 	    echo $pwd
 	    ;;
 	./*)
 	    echo ${pwd}${1#.}
 	    ;;
 	..)
 	    cd ..
 	    echo $PWD
 	    cd $pwd
 	    ;;
 	../*)
 	    cd ..
 	    resolve_file ${1#../}
 	    cd $pwd
 	    ;;
 	*)
 	    echo $pwd/$1
 	    ;;
    esac
 }
 # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
 #
 #     None - No mktemp
 #     BSD  - BSD mktemp (Mandrake)
 #     STD  - mktemp.org mktemp
 #
 find_mktemp() {
    local mktemp
    mktemp=`mywhich mktemp 2> /dev/null`
    if [ -n "$mktemp" ]; then
 	if qt mktemp -V ; then
 	    MKTEMP=STD
 	else
 	    MKTEMP=BSD
 	fi
    else
 	MKTEMP=None
    fi
 }
 #
 # create a temporary file. If a directory name is passed, the file will be created in
 # that directory. Otherwise, it will be created in a temporary directory.
 #
 mktempfile() {
    [ -z "$MKTEMP" ] && find_mktemp
    if [ $# -gt 0 ]; then
 	case "$MKTEMP" in
 	    BSD)
 		mktemp $1/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -p $1 shorewall.XXXXXX
 		;;
 	    None)
 		> $1/shorewall-$$ && echo $1/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
 		;;
 	esac
    else
 	case "$MKTEMP" in
 	    BSD)
 		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -t shorewall.XXXXXX
 		;;
 	    None)
 		rm -f ${TMPDIR:-/tmp}/shorewall-$$
 		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
 		;;
 	esac
    fi
 }
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -19,4 +19,3 @@ SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                        #Unused on OS X
 DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -20,4 +20,3 @@ SERVICEFILE=                           #Name of the file to install in $SYSTEMD.
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
 DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -19,4 +19,3 @@ SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                       #Unused on Cygwin
 DEFAULT_PAGER=			      #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -21,4 +21,3 @@ SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (s
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
 DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -21,4 +21,3 @@ SERVICEDIR=				#Directory where .service files are installed (systems running sy
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
 DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -21,4 +21,3 @@ SYSCONFDIR=                             #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
 DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -21,4 +21,3 @@ SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.se
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/lib                             #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
 DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -21,4 +21,3 @@ SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
 DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -22,4 +22,3 @@ SYSCONFDIR=                                #Name of the directory where SysV ini
 ANNOTATED=                                 #If non-empty, install annotated configuration files
 VARLIB=/var/lib                            #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.
 DEFAULT_PAGER=				   #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -7,18 +7,17 @@ PREFIX=/usr                                           #Top-level directory for s
 CONFDIR=/etc                                          #Directory where subsystem configurations are installed
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/lib/perl5/site-perl              #Directory to install Shorewall Perl module directory
+PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
 SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
-INITFILE=                                             #Name of the product's SysV init script
+INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SERVICEDIR=/usr/lib/systemd/system                    #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
-SERVICEFILE=$PRODUCT.service          		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                                       #Directory where persistent product data is stored.
 VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.
 DEFAULT_PAGER=				   	      #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -81,6 +81,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -31,10 +31,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall compile
+	    ${SBINDIR}/$PRODUCT compile
 	elif [ $PRODUCT = shorewall6 ]; then
 	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
@@ -130,7 +128,7 @@ for PRODUCT in $PRODUCTS; do
    setstatedir
    if [ -x $VARLIB/$PRODUCT/firewall ]; then
-	( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
    fi
 done
--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -33,11 +33,9 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ ! -x $STATEDIR/firewall ]; then
+    if [ ! -x "$STATEDIR/firewall" ]; then
-	if [ $PRODUCT = shorewall ]; then
+	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
-	    ${SBINDIR}/shorewall compile
+	    ${SBINDIR}/$PRODUCT $OPTIONS compile
 	elif [ $PRODUCT = shorewall6 ]; then
 	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -31,10 +31,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall compile
+	    ${SBINDIR}/$PRODUCT compile
 	elif [ $PRODUCT = shorewall6 ]; then
 	    ${SBINDIR}/shorewall -6 compile
 	fi
    fi
 }
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -30,7 +30,7 @@
 # Required-Stop:     $local_fs
 # X-Stop-After:      $network
 # Default-Start:     S
-# Default-Stop:      0 1 6
+# Default-Stop:      0 6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time prior to
 #                    bringing up the network
@@ -73,10 +73,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall compile
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -104,7 +102,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR
-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
@@ -125,7 +123,7 @@ shorewall_start () {
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-      printf "Restoring ipsets: "
+      echo -n "Restoring ipsets: "
      if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
@@ -142,7 +140,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR
-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,10 +44,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
-	${SBINDIR}/shorewall compile
+	${SBINDIR}/$PRODUCT $OPTIONS compile -c
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -64,7 +62,7 @@ start () {
 	return 6 #Not configured
    fi
-    printf "Initializing \"Shorewall-based firewalls\": "
+    echo -n "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	setstatedir
@@ -99,7 +97,7 @@ stop () {
    local PRODUCT
    local STATEDIR
-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	setstatedir
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -75,10 +75,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall compile
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -89,7 +87,7 @@ start () {
    local PRODUCT
  local STATEDIR
-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -114,7 +112,7 @@ stop () {
    local PRODUCT
    local STATEDIR
-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -81,7 +81,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR
-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -104,7 +104,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR
-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -79,10 +79,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall compile
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -93,7 +91,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR
-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x $STATEDIR/firewall ]; then
@@ -114,7 +112,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR
-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -164,10 +164,10 @@ if [ $# -eq 0 ]; then
    #
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc || exit 1
-	file=./shorewallrc
+	file=~/.shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
-	file=~/.shorewallrc
+	file=./.shorewallrc
     else
 	fatal_error "No configuration file specified and ~/.shorewallrc not found"
    fi
@@ -412,7 +412,7 @@ if [ $HOST = debian ]; then
    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir -p ${DESTDIR}${ETC}/default
+	    mkdir ${DESTDIR}${ETC}/default
 	fi
 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
@@ -585,7 +585,7 @@ if [ -z "$DESTDIR" ]; then
    fi
 else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
-	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
+	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -33,10 +33,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall compile
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
@@ -64,7 +62,7 @@ shorewall_start () {
    local PRODUCT
    local STATEDIR
-    printf "Initializing \"Shorewall-based firewalls\": "
+    echo -n "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
@@ -92,7 +90,7 @@ shorewall_stop () {
    local PRODUCT
    local STATEDIR
-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -126,6 +126,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -0,0 +1,18 @@
 # Shorewall Lite Makefile to restart if firewall script is newer than last restart
 VARDIR=$(shell /sbin/shorewall-lite show vardir)
 SHAREDIR=/usr/share/shorewall-lite
 RESTOREFILE?=.restore
 all: $(VARDIR)/$(RESTOREFILE)
 $(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
 	@/sbin/shorewall-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
 	then \
 	    /sbin/shorewall-lite -q save >/dev/null; \
 	else \
 	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
 	fi
 # EOF
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 1 6
+# Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall-lite
@@ -13,7 +13,7 @@
 . /lib/lsb/init-functions
-SRWL='/sbin/shorewall -l'
+SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
@@ -85,18 +85,17 @@ fi
 # start the firewall
 shorewall_start () {
-  printf "Starting \"Shorewall firewall\": "
+  echo -n "Starting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
 # stop the firewall
 shorewall_stop () {
  echo -n "Stopping \"Shorewall firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
      printf "Stopping \"Shorewall Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
      printf "Clearing all \"Shorewall Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -104,14 +103,14 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
-  printf "Restarting \"Shorewall firewall\": "
+  echo -n "Restarting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
 # refresh the firewall
 shorewall_refresh () {
-  printf "Refreshing \"Shorewall firewall\": "
+  echo -n "Refreshing \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc
-prog="shorewall -l"
+prog="shorewall-lite"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 start() {
-    printf $"Starting Shorewall: "
+    echo -n $"Starting Shorewall: "
    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 stop() {
-    printf $"Stopping Shorewall: "
+    echo -n $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    printf $"Restarting Shorewall: "
+    echo -n $"Restarting Shorewall: "
    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -69,7 +69,7 @@ SHOREWALL_INIT_SCRIPT=1
 command="$action"
 start() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
 }
 boot() {
@@ -78,17 +78,17 @@ boot() {
 }
 restart() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
 }
 reload() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
 }
 stop() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
 }
 status() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
 }
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -114,7 +114,7 @@ require()
 #
 cd "$(dirname $0)"
-if [ -f shorewall-lite.service ]; then
+if [ -f shorewall-lite ]; then
    PRODUCT=shorewall-lite
    Product="Shorewall Lite"
 else
@@ -331,6 +331,7 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi
    make_directory ${DESTDIR}${SBINDIR} 755
    make_directory ${DESTDIR}${INITDIR} 755
 else
@@ -361,9 +362,9 @@ else
 fi
 #
-# Check for ${SHAREDIR}/$PRODUCT/version
+# Check for ${SBINDIR}/$PRODUCT
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
@@ -371,15 +372,17 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
 [ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${SBINDIR}
 mkdir -p ${DESTDIR}${VARDIR}
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
@@ -430,6 +433,15 @@ elif [ $HOST = gentoo ]; then
    # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
    perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
 #
 # Install the  Makefile
 #
 install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
 [ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
 echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
 #
 # Install the default config path file
 #
@@ -486,7 +498,7 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages
-    mkdir -p ${DESTDIR}${MANDIR}/man5/
+    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
    for f in *.5; do
 	gzip -c $f > $f.gz
@@ -494,8 +506,6 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done
    mkdir -p ${DESTDIR}${MANDIR}/man8/
    for f in *.8; do
 	gzip -c $f > $f.gz
 	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
@@ -530,11 +540,6 @@ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
 #
 #  Creatae the symbolic link for the CLI
 #
 ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
 #
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
@@ -545,11 +550,12 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi
    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
-    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,20 +45,19 @@
 #    require Shorewall to be installed.
-PRODUCT=shorewall-lite
+g_program=shorewall-lite
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
-g_basedir=${SHAREDIR}/shorewall
+g_sharedir="$SHAREDIR"/shorewall-lite
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
-
+. /usr/share/shorewall-lite/configpath
 setup_product_environment
 . ${SHAREDIR}/shorewall-lite/configpath
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -0,0 +1,42 @@
 #!/bin/sh
 #
 #     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
 PRODUCT=shorewall-lite
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_program=$PRODUCT
 g_sharedir="$SHAREDIR"/shorewall-lite
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
 shorewall_cli $@
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -125,6 +125,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -0,0 +1,23 @@
 #
 # Shorewall -- /etc/shorewall/Makefile
 #
 # Reload Shorewall if config files are updated.
 SWBIN	?= /sbin/shorewall -q
 CONFDIR	?= /etc/shorewall
 SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
 .PHONY: clean
 $(SWSTATE): $(CONFDIR)/*
 	@$(SWBIN) save >/dev/null; \
 	RESULT=$$($(SWBIN) reload 2>&1); \
 	if [ $$? -eq 0 ]; then \
 	    $(SWBIN) save >/dev/null; \
 	else \
 	    echo "$${RESULT}" >&2; \
 	    false; \
 	fi
 clean:
 	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {
    emit "exec 3>\${VARDIR}/.arptables-input";
-    my $date = compiletime;
+    my $date = localtime;
    unless ( $test ) {
 	emit_unindented '#';
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
 #
 sub preview_arptables_load() {
-    my $date = compiletime;
+    my $date = localtime;
    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -120,6 +120,7 @@ our @EXPORT = ( qw(
 		    %chain_table
 		    %targets
 		    $raw_table
 		    $rawpost_table
 		    $nat_table
 		    $mangle_table
 		    $filter_table
@@ -196,6 +197,7 @@ our %EXPORT_TAGS = (
 				       ensure_mangle_chain
 				       ensure_nat_chain
 				       ensure_raw_chain
 				       ensure_rawpost_chain
 				       new_standard_chain
 				       new_action_chain
 				       new_builtin_chain
@@ -264,12 +266,10 @@ our %EXPORT_TAGS = (
 				       set_chain_variables
 				       mark_firewall_not_started
 				       mark_firewall6_not_started
 				       interface_address
 				       get_interface_address
 				       get_interface_addresses
 				       get_interface_bcasts
 				       get_interface_acasts
 				       interface_gateway
 				       get_interface_gateway
 				       get_interface_mac
 				       have_global_variables
@@ -337,7 +337,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               digest       => SHA1 digest of the string representation of the chain's rules for use in optimization
 #                                                               level 8.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
-#                                                               Suppresses adding additional rules to the end of the chain
+#                                                               Suppresses adding additional rules to the chain end of the chain
 #                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
 #                                               chainnumber  => Numeric enumeration of the builtin chains (mangle table only).
 #                                               allowedchains
@@ -416,6 +416,7 @@ our $VERSION = 'MODULEVERSION';
 #
 our %chain_table;
 our $raw_table;
 our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
@@ -756,11 +757,13 @@ sub initialize( $$$ ) {
    ( $family, my $hard, $export ) = @_;
    %chain_table = ( raw    =>  {},
 		     rawpost => {},
 		     mangle =>  {},
 		     nat    =>  {},
 		     filter =>  {} );
    $raw_table     = $chain_table{raw};
    $rawpost_table = $chain_table{rawpost};
    $nat_table     = $chain_table{nat};
    $mangle_table  = $chain_table{mangle};
    $filter_table  = $chain_table{filter};
@@ -805,6 +808,7 @@ sub initialize( $$$ ) {
 		     DNAT         => 1,
 		     MASQUERADE   => 1,
 		     NETMAP       => 1,
 		     NFQUEUE      => 1,
 		     NOTRACK      => 1,
 		     RAWDNAT      => 1,
 		     REDIRECT     => 1,
@@ -1190,16 +1194,9 @@ sub compatible( $$ ) {
 	}
    }
    #
-    # Don't combine chains where each specifies
+    # Don't combine chains where each specifies '-m policy'
    #    -m policy
    # or when one specifies
    #    -m multiport
    # and the other specifies
    #    --dport or --sport or -m multiport
    #
-    return ! ( $ref1->{policy} && $ref2->{policy} ||
+    return ! ( $ref1->{policy} && $ref2->{policy} );
 	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
 		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
 #
@@ -1219,7 +1216,6 @@ sub merge_rules( $$$ ) {
 	if ( exists $fromref->{$option} ) {
 	    push( @{$toref->{matches}}, $option ) unless exists $toref->{$option};
 	    $toref->{$option} = $fromref->{$option};
 	    $toref->{simple} = 0;
 	}
    }
@@ -1341,14 +1337,7 @@ sub push_rule( $$ ) {
    push @{$chainref->{rules}}, $ruleref;
    $chainref->{referenced} = 1;
    $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
-
+    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] $ruleref->{comment}" ) if $debug;
    if ( $debug ) {
 	if ( $ruleref->{comment} ) {
 	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] -m comment --comment \"$ruleref->{comment}\"" );
 	} else {
 	    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" );
 	}
    }
    $chainref->{complete} = 1 if $complete;
@@ -2721,6 +2710,24 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{restricted}  = NO_RESTRICT;
 	$chainref->{ipsec}       = $ipsec;
 	$chainref->{optflags}   |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
 	if ( $config{CHAIN_SCRIPTS} ) {
 	    unless ( $chain eq 'accounting' ) {
 		my $file = find_file $chain;
 		if ( -f $file ) {
 		    progress_message "Running $file...";
 		    my ( $level, $tag ) = ( '', '' );
 		    unless ( my $return = eval `cat $file` ) {
 			fatal_error "Couldn't parse $file: $@" if $@;
 			fatal_error "Couldn't do $file: $!"    unless defined $return;
 			fatal_error "Couldn't run $file"       unless $return;
 		    }
 		}
 	    }
 	}
    }
    $chainref;
@@ -2733,13 +2740,11 @@ sub accounting_chainrefs() {
    grep $_->{accounting} , values %$filter_table;
 }
-sub ensure_mangle_chain($;$$) {
+sub ensure_mangle_chain($) {
-    my ( $chain, $number, $restriction ) = @_;
+    my $chain = $_[0];
    my $chainref = ensure_chain 'mangle', $chain;
-    $chainref->{referenced}  = 1;
+    $chainref->{referenced} = 1;
    $chainref->{chainnumber} = $number if $number;
    $chainref->{restriction} = $restriction if $restriction;
    $chainref;
 }
@@ -2759,6 +2764,14 @@ sub ensure_raw_chain($) {
    $chainref;
 }
 sub ensure_rawpost_chain($) {
    my $chain = $_[0];
    my $chainref = ensure_chain 'rawpost', $chain;
    $chainref->{referenced} = 1;
    $chainref;
 }
 #
 # Add a builtin chain
 #
@@ -2915,13 +2928,13 @@ sub initialize_chain_table($) {
 	#   As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
 	#
 	%targets = ('ACCEPT'          => STANDARD,
-		    'ACCEPT+'         => STANDARD + NONAT,
+		    'ACCEPT+'         => STANDARD  + NONAT,
 		    'ACCEPT!'         => STANDARD,
 		    'ADD'             => STANDARD + SET,
-		    'AUDIT'           => STANDARD + AUDIT + OPTIONS,
+		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
-		    'A_ACCEPT'        => STANDARD + AUDIT,
+		    'A_ACCEPT'        => STANDARD  + AUDIT,
-		    'A_ACCEPT+'       => STANDARD + NONAT + AUDIT,
+		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
-		    'A_ACCEPT!'       => STANDARD + AUDIT,
+		    'A_ACCEPT!'       => STANDARD  + AUDIT,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
 		    'NONAT'           => STANDARD + NONAT  + NATONLY,
@@ -2957,6 +2970,8 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -2979,13 +2994,13 @@ sub initialize_chain_table($) {
 	#   As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
 	#
 	%targets = ('ACCEPT'          => STANDARD,
-		    'ACCEPT+'         => STANDARD + NONAT,
+		    'ACCEPT+'         => STANDARD  + NONAT,
 		    'ACCEPT!'         => STANDARD,
-		    'A_ACCEPT+'       => STANDARD + NONAT + AUDIT,
+		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
-		    'A_ACCEPT!'       => STANDARD + AUDIT,
+		    'A_ACCEPT!'       => STANDARD  + AUDIT,
-		    'AUDIT'           => STANDARD + AUDIT + OPTIONS,
+		    'AUDIT'           => STANDARD  + AUDIT + OPTIONS,
-		    'A_ACCEPT'        => STANDARD + AUDIT,
+		    'A_ACCEPT'        => STANDARD  + AUDIT,
-		    'NONAT'           => STANDARD + NONAT + NATONLY,
+		    'NONAT'           => STANDARD  + NONAT + NATONLY,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
@@ -3019,6 +3034,8 @@ sub initialize_chain_table($) {
 	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}
 	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -3162,17 +3179,17 @@ sub delete_references( $ ) {
 #
 sub calculate_digest( $ ) {
    my $chainref = shift;
-    my $rules = '';
+    my $digest = '';
    for ( @{$chainref->{rules}} ) {
-	if ( $rules ) {
+	if ( $digest ) {
-	    $rules .= ' |' . format_rule( $chainref, $_, 1 );
+	    $digest .= ' |' . format_rule( $chainref, $_, 1 );
 	} else {
-	    $rules = format_rule( $chainref, $_, 1 );
+	    $digest = format_rule( $chainref, $_, 1 );
 	}
    }
-    $chainref->{digest} = sha1_hex $rules;
+    $chainref->{digest} = sha1_hex $digest;
 }
 #
@@ -3322,7 +3339,7 @@ sub check_optimization( $ ) {
 # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
 #
 sub optimize_level0() {
-    for my $table ( qw/raw mangle nat filter/ ) {
+    for my $table ( qw/raw rawpost mangle nat filter/ ) {
 	my $tableref = $chain_table{$table};
 	next unless $tableref;
@@ -3461,7 +3478,7 @@ sub optimize_level4( $$ ) {
 				$progress = 1;
 			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 				#
-				# This case requires a new rule merging algorithm. Ignore this chain from
+				# This case requires a new rule merging algorithm. Ignore this chain for
 				# now on.
 				#
 				$chainref->{optflags} |= DONT_OPTIMIZE;
@@ -3469,7 +3486,7 @@ sub optimize_level4( $$ ) {
 				#
 				# Replace references to this chain with the target and add the matches
 				#
-				$progress = 1 if replace_references1( $chainref, $firstrule );
+				$progress = 1 if replace_references1 $chainref, $firstrule;
 			    }
 			}
 		    } else {
@@ -3515,7 +3532,7 @@ sub optimize_level4( $$ ) {
 				#empty builtin chain -- change it's policy
 				#
 				$chainref->{policy} = $target;
-				trace( $chainref, 'P', undef, $target ) if $debug;
+				trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug;
 				$count++;
 			    }
@@ -3572,7 +3589,7 @@ sub optimize_level4( $$ ) {
    if ( my $chains  = @chains ) {
 	$passes++;
-	progress_message "\n Table $table pass $passes, $chains short chains, level 4c...";
+	progress_message "\n Table $table pass $passes, $chains short chains, level 4b...";
 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
@@ -3669,12 +3686,7 @@ sub optimize_level8( $$$ ) {
 		if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		    progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		    $progress = 1;
-		    replace_references( $chainref1,
+		    replace_references $chainref1, $chainref->{name}, undef, '', '', 1;
 					$chainref->{name},
 					undef,   # Target Opts
 					'',      # Comment
 					'',      # Origin
 					1 );     # Recalculate digests of modified chains
 		    unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
 			#
@@ -4000,7 +4012,7 @@ sub delete_duplicates {
 	my $docheck;
 	my $duplicate = 0;
-	if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
+	if ( $baseref->{mode} == CAT_MODE ) {
 	    my $ports1;
 	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
 	    my $rulenum  = @_;
@@ -4241,6 +4253,7 @@ sub valid_tables() {
    my @table_list;
    push @table_list, 'raw'     if have_capability( 'RAW_TABLE' );
    push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
    push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
    push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
    push @table_list, 'filter'; #MUST BE LAST!!!
@@ -5165,7 +5178,7 @@ sub do_time( $ ) {
 	    $result .= "--monthday $days ";
 	} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
 	    $result .= "--$1 $2 ";
-	} elsif ( $element =~ /^(utc|localtz|kerneltz|contiguous)$/ ) {
+	} elsif ( $element =~ /^(utc|localtz|kerneltz)$/ ) {
 	    $result .= "--$1 ";
 	} else {
 	    fatal_error "Invalid time element ($element)";
@@ -5207,8 +5220,6 @@ sub do_user( $ ) {
    if ( supplied $2 ) {
 	$user  = $2;
 	$user =~ s/:$//;
 	if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
 	    if ( supplied $2 ) {
 		fatal_error "Invalid User Range ($user)" unless $3 >= $1;
@@ -5748,12 +5759,12 @@ sub have_ipset_rules() {
    $ipset_rules;
 }
-sub get_interface_address( $;$ );
+sub get_interface_address( $ );
-sub get_interface_gateway ( $;$$ );
+sub get_interface_gateway ( $;$ );
-sub record_runtime_address( $$;$$ ) {
+sub record_runtime_address( $$;$ ) {
-    my ( $addrtype, $interface, $protect, $provider ) = @_;
+    my ( $addrtype, $interface, $protect ) = @_;
    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
@@ -5767,9 +5778,9 @@ sub record_runtime_address( $$;$$ ) {
    my $addr;
    if ( $addrtype eq '&' ) {
-	$addr = get_interface_address( $interface, $provider );
+	$addr = get_interface_address( $interface );
    } else {
-	$addr = get_interface_gateway( $interface, $protect, $provider );
+	$addr = get_interface_gateway( $interface, $protect );
    }
    $addr . ' ';
@@ -5794,18 +5805,12 @@ sub conditional_rule( $$ ) {
 		if ( $type eq '&' ) {
 		    $variable = get_interface_address( $interface );
 		    add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
 		    incr_cmd_level $chainref;
 		} else {
 		    $variable = get_interface_gateway( $interface );
-
+		    add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
 		    if ( $variable =~ /^\$/ ) {
 			add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
 			incr_cmd_level $chainref;
 		    } else {
 			return 0;
 		    }
 		}
 		incr_cmd_level $chainref;
 		return 1;
 	    }
 	} elsif ( $type eq '%' && $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
@@ -6766,8 +6771,8 @@ sub interface_address( $ ) {
 #
 # Record that the ruleset requires the first IP address on the passed interface
 #
-sub get_interface_address ( $;$ ) {
+sub get_interface_address ( $ ) {
-    my ( $logical, $provider ) = @_;
+    my ( $logical ) = $_[0];
    my $interface = get_physical( $logical );
    my $variable = interface_address( $interface );
@@ -6777,8 +6782,6 @@ sub get_interface_address ( $;$ ) {
    $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
    set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;
    "\$$variable";
 }
@@ -6839,21 +6842,14 @@ sub interface_gateway( $ ) {
 #
 # Record that the ruleset requires the gateway address on the passed interface
 #
-sub get_interface_gateway ( $;$$ ) {
+sub get_interface_gateway ( $;$ ) {
-    my ( $logical, $protect, $provider ) = @_;
+    my ( $logical, $protect ) = @_;
    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );
    my $gateway  = get_interface_option( $interface, 'gateway' );
    $global_variables |= ALL_COMMANDS;
    if ( $gateway ) {
 	fatal_error q(A gateway variable cannot be used for a provider interface with GATEWAY set to 'none' in the providers file)   if $gateway eq 'none';
 	fatal_error q(A gateway variable cannot be used for a provider interface with an empty GATEWAY column in the providers file) if $gateway eq 'omitted';
 	return $gateway if $gateway ne 'detect';
    }
    if ( interface_is_optional $logical ) {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
@@ -6861,8 +6857,6 @@ sub get_interface_gateway ( $;$$ ) {
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }
    set_interface_option($interface, 'used_gateway_variable', 1) unless $provider;
    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
 }
@@ -7265,7 +7259,6 @@ sub isolate_dest_interface( $$$$ ) {
    my ( $diface, $dnets );
    if ( ( $restriction & PREROUTE_RESTRICT ) && $dest =~ /^detect:(.*)$/ ) {
 	my $niladdr = NILIP;
 	#
 	# DETECT_DNAT_IPADDRS=Yes and we're generating the nat rule
 	#
@@ -7282,14 +7275,14 @@ sub isolate_dest_interface( $$$$ ) {
 	    push_command( $chainref , "for address in $list; do" , 'done' );
-	    push_command( $chainref , "if [ \$address != $niladdr ]; then" , 'fi' ) if $optional;
+	    push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional;
 	    $rule .= '-d $address ';
 	} else {
 	    my $interface = $interfaces[0];
 	    my $variable  = get_interface_address( $interface );
-	    push_command( $chainref , "if [ $variable != $niladdr ]; then" , 'fi') if interface_is_optional( $interface );
+	    push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi') if interface_is_optional( $interface );
 	    $rule .= "-d $variable ";
 	}
@@ -7590,7 +7583,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule1( $$$$$$$$$$$$;$ )
+sub expand_rule( $$$$$$$$$$$$;$ )
 {
    my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
@@ -7607,6 +7600,8 @@ sub expand_rule1( $$$$$$$$$$$$;$ )
 	$logname,      # Name of chain to name in log messages
       ) = @_;
    return if $chainref->{complete};
    my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
       ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
    my  $chain = $actparams{chain} || $chainref->{name};
@@ -7841,78 +7836,6 @@ sub expand_rule1( $$$$$$$$$$$$;$ )
    $diface;
 }
 sub expand_rule( $$$$$$$$$$$$;$$$ )
 {
    my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
 	$prerule,      # Matches that go at the front of the rule
 	$rule,         # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
 	$source,       # SOURCE
 	$dest,         # DEST
 	$origdest,     # ORIGINAL DEST
 	$target,       # Target ('-j' part of the rule - may be empty)
 	$loglevel ,    # Log level (and tag)
 	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
 	$exceptionrule,# Caller's matches used in exclusion case
 	$usergenerated,# Rule came from the IP[6]TABLES target
 	$logname,      # Name of chain to name in log messages
 	$device,       # TC Device Name
 	$classid,      # TC Class Id
       ) = @_;
    return if $chainref->{complete};
    my ( @source, @dest );
    $source = '' unless defined $source;
    $dest   = '' unless defined $dest;
    if ( $source =~ /\(.+\)/ ) {
 	@source = split_list3( $source, 'SOURCE' );
    } else {
 	@source = ( $source );
    }
    if ( $dest =~ /\(.+\)/ ) {
 	@dest = split_list3( $dest, 'DEST' );
    } else {
 	@dest = ( $dest );
    }
    for $source ( @source ) {
 	if ( $source =~ /^(.+?):\((.+)\)$/ ) {
 	    $source = join( ':', $1, $2 );
 	} elsif ( $source =~ /^\((.+)\)$/ ) {
 	    $source = $1;
 	}
 	for $dest ( @dest ) {
 	    if ( $dest =~ /^(.+?):\((.+)\)$/ ) {
 		$dest = join( ':', $1, $2 );
 	    } elsif ( $dest =~ /^\((.+)\)$/ ) {
 		$dest = $1;
 	    }
 	    if ( ( my $result = expand_rule1( $chainref ,
 					      $restriction ,
 					      $prerule ,
 					      $rule ,
 					      $source ,
 					      $dest ,
 					      $origdest ,
 					      $target ,
 					      $loglevel ,
 					      $disposition ,
 					      $exceptionrule ,
 					      $usergenerated ,
 					      $logname ,
 		   ) ) && $device ) {
 		fatal_error "Class Id $classid is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
 	    }
 	}
    }
 }
 #
 # Returns true if the passed interface is associated with exactly one zone
 #
@@ -8328,65 +8251,37 @@ EOF
 sub ensure_ipsets( @ ) {
    my $set;
    my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
 	shift;
 	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
    if ( @_ > 1 ) {
 	push_indent;
-
+	emit( "for set in @_; do" );
-	if ( $family == F_IPV4 ) {
+	$set = '$set';
-	    emit(  q(    #),
+    } else {
-		   q(    # Set the timeout for the dynamic blacklisting ipset),
+	$set = $_[0];
 		   q(    #),
 		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
 	} else {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
 		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
 	}
 	pop_indent;
 	emit( qq(    fi\n) );
    }
-    if ( @_ ) {
+    if ( $family == F_IPV4 ) {
-	if ( @_ > 1 ) {
+	if ( have_capability 'IPSET_V5' ) {
-	    push_indent;
+	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-	    emit( "for set in @_; do" );
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-	    $set = '$set';
+		   qq(        \$IPSET -N $set hash:net family inet timeout 0 counters) ,
 		   qq(    fi) );
 	} else {
-	    $set = $_[0];
+	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-	}
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
-
+		   qq(        \$IPSET -N $set iphash) ,
 	if ( $family == F_IPV4 ) {
 	    if ( have_capability 'IPSET_V5' ) {
 		emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
 		       qq(        error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
 		       qq(        \$IPSET create $set hash:net family inet timeout 0${counters}) ,
 		       qq(    fi) );
 	    } else {
 		emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
 		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
 		       qq(        \$IPSET -N $set iphash) ,
 		       qq(    fi) );
 	    }
 	} else {
 	    emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
 		   qq(        error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
 		   qq(        \$IPSET create $set hash:net family inet6 timeout 0${counters}) ,
 		   qq(    fi) );
 	}
    } else {
 	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
 	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
 	       qq(        \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
 	       qq(    fi) );
    }
-	if ( @_ > 1 ) {
+    if ( @_ > 1 ) {
-	    emit 'done';
+	emit 'done';
-	    pop_indent;
+	pop_indent;
 	}
    }
 }
@@ -8564,21 +8459,10 @@ sub create_load_ipsets() {
 	       'if [ "$COMMAND" = start ]; then' );         ##################### Start Command ##################
 	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
-	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then' );
+	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then',
-
+		  '        zap_ipsets',
-	    if ( my $set = $globals{DBL_IPSET} ) {
+		  '        $IPSET -R < ${VARDIR}/ipsets.save',
-		emit( '        #',
+		  '    fi' );
 		      '        # Update the dynamic blacklisting ipset timeout value',
 		      '        #',
 		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
 		      '        zap_ipsets',
 		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
 		      '    fi' );
 	    } else {
 		emit( '        zap_ipsets',
 		      '        $IPSET -R < ${VARDIR}/ipsets.save',
 		      '    fi' );
 	    }
 	}
 	if ( @ipsets ) {
@@ -8691,7 +8575,7 @@ sub create_netfilter_load( $ ) {
    enter_cat_mode;
-    my $date = compiletime;
+    my $date = localtime;
    unless ( $test ) {
 	emit_unindented '#';
@@ -8799,7 +8683,7 @@ sub preview_netfilter_load() {
    enter_cat_mode1;
-    my $date = compiletime;
+    my $date = localtime;
    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
@@ -8921,7 +8805,7 @@ sub create_chainlist_reload($) {
 	for my $chain ( @chains ) {
 	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
-	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
+	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/;
 	    $chains{$table} = {} unless $chains{$table};
@@ -8950,7 +8834,7 @@ sub create_chainlist_reload($) {
 	enter_cat_mode;
-	for $table ( qw(raw nat mangle filter) ) {
+	for $table ( qw(raw rawpost nat mangle filter) ) {
 	    my $tableref=$chains{$table};
 	    next unless $tableref;
@@ -9035,7 +8919,7 @@ sub create_stop_load( $ ) {
    enter_cat_mode;
    unless ( $test ) {
-	my $date = compiletime;
+	my $date = localtime;
 	emit_unindented '#';
 	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
 	emit_unindented '#';
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -76,7 +76,7 @@ sub initialize_package_globals( $$$ ) {
 #
 # First stage of script generation.
 #
-#    Copy lib.runtime and lib.common to the generated script.
+#    Copy lib.core and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -90,12 +90,12 @@ sub generate_script_1( $ ) {
 	if ( $test ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
-	    my $date = compiletime;
+	    my $date = localtime;
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
+	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
-	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
 	}
    }
@@ -596,21 +596,6 @@ EOF
 }
 #
 # Generate info_command()
 #
 sub compile_info_command() {
    my $date = compiletime;
    emit( "\n",
 	  "#",
 	  "# Echo the date and time when this script was compiled along with the Shorewall version",
 	  "#",
 	  "info_command() {" ,
 	  qq(    echo "compiled $date by Shorewall version $globals{VERSION}") ,
 	  "}\n" );
 }   
 #
 #  The Compiler.
 #
@@ -701,7 +686,7 @@ sub compiler {
    #
    # Allow user to load Perl modules
    #
-    run_user_exit 'compile';
+    run_user_exit1 'compile';
    #
    # Create a temp file to hold the script
    #
@@ -804,8 +789,33 @@ sub compiler {
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
-
+    #
    # Generate a function to bring up each provider
    #
    process_providers( $tcinterfaces );
    #
    # [Re-]establish Routing
    #
    if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
 	       'setup_routing_and_traffic_shaping() {'
 	    );
 	push_indent;
    }
    setup_providers;
    #
    # TCRules and Traffic Shaping
    #
    setup_tc( $update );
    if ( $scriptfilename || $debug ) {
 	pop_indent;
 	emit "}\n"; # End of setup_routing_and_traffic_shaping()
    }
    $have_arptables = process_arprules if $family == F_IPV4;
@@ -816,9 +826,13 @@ sub compiler {
    #
    process_tos;
    #
-    # Setup Masquerade/SNAT
+    # ECN
    #
-    setup_snat( $update );
+    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
    #
    # Setup Masquerading/SNAT
    #
    setup_masq;
    #
    # Setup Nat
    #
@@ -860,37 +874,6 @@ sub compiler {
    #
    setup_accounting if $config{ACCOUNTING};
    enable_script;
    #
    # Generate a function to bring up each provider
    #
    if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
 	       'setup_routing_and_traffic_shaping() {'
 	    );
 	push_indent;
    }
    setup_providers;
    #
    # TCRules and Traffic Shaping
    #
    setup_tc( $update );
    if ( $scriptfilename || $debug ) {
 	pop_indent;
 	emit "}\n"; # End of setup_routing_and_traffic_shaping()
    }
    #
    # ECN
    #
    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
    disable_script;
    if ( $scriptfilename ) {
 	#
 	# Compiling a script - generate the zone by zone matrix
@@ -939,10 +922,6 @@ sub compiler {
 	#
 	compile_updown;
 	#
 	# Echo the compilation time and date
 	#
 	compile_info_command unless $test;
 	#
 	# Copy the footer to the script
 	#
 	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -84,8 +84,6 @@ our @EXPORT = qw(
 		 require_capability
 		 report_used_capabilities
 		 kernel_version
                 compiletime
                );
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -130,11 +128,9 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       split_list
 				       split_list1
 				       split_list2
 				       split_list3
 				       split_line
 				       split_line1
 				       split_line2
 				       split_rawline2
 				       first_entry
 				       open_file
 				       close_file
@@ -155,6 +151,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       propagateconfig
 				       append_file
 				       run_user_exit
 				       run_user_exit1
 				       run_user_exit2
 				       generate_aux_config
 				       format_warning
 				       no_comment
@@ -165,7 +163,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       directive_callback
 		                       add_ipset
 		                       all_ipsets
                                       transfer_permissions
 				       $product
 				       $Product
@@ -174,7 +171,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
 				       $rawcurrentline
 				       $currentfilename
 				       $debug
 				       $file_format
@@ -389,6 +385,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 HEADER_MATCH    => 'Header Match',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
 		 RAWPOST_TABLE   => 'Rawpost Table',
 		 CONDITION_MATCH => 'Condition Match',
 		 IPTABLES_S      => 'iptables -S',
 		 BASIC_FILTER    => 'Basic Filter',
@@ -411,8 +408,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IFACE_MATCH     => 'Iface Match',
                 TCPMSS_TARGET   => 'TCPMSS Target',
                 WAIT_OPTION     => 'iptables --wait option',
                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',
                 NETMAP_TARGET   => 'NETMAP Target',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
@@ -566,7 +561,6 @@ our $usedcaller;
 our $inline_matches;
 our $currentline;            # Current config file line image
 our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
 our $currentfilename;        # File NAME
 our $currentlinenumber;      # Line number
@@ -580,7 +574,6 @@ our $max_format;             # Max format value
 our $comment;                # Current COMMENT
 our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
 our $checkinline;            # The -i option to check/compile/etc.
 our $directive_callback;     # Function to call in compiler_directive
@@ -643,7 +636,6 @@ our %eliminated = ( LOGRATE          => 1,
 		    WIDE_TC_MARKS    => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -689,8 +681,6 @@ our %ipsets; # All required IPsets
 #
 our %filecache;
 our $compiletime;
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -736,7 +726,6 @@ sub initialize( $;$$) {
    # Contents of last COMMENT line.
    #
    $comment       = '';
    $sr_comment    = '';
    $warningcount  = 0;
    #
    # Misc Globals
@@ -748,8 +737,8 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.0.9-Beta2",
+		    VERSION                 => "5.0.1",
-		    CAPVERSION              => 50100 ,
+		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -758,8 +747,6 @@ sub initialize( $;$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
 		    DBL_IPSET               => '',
 		    DBL_TIMEOUT             => 0,
 		    POSTROUTING             => 'POSTROUTING',
 		  );
    #
@@ -891,6 +878,7 @@ sub initialize( $;$$) {
 	  WARNOLDCAPVERSION => undef,
 	  DEFER_DNS_RESOLUTION => undef,
 	  USE_RT_NAMES => undef,
 	  CHAIN_SCRIPTS => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
@@ -901,9 +889,6 @@ sub initialize( $;$$) {
 	  DOCKER => undef ,
 	  PAGER => undef ,
 	  MINIUPNPD => undef ,
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -980,6 +965,7 @@ sub initialize( $;$$) {
 	       CONNMARK_MATCH => undef,
 	       XCONNMARK_MATCH => undef,
 	       RAW_TABLE => undef,
 	       RAWPOST_TABLE => undef,
 	       IPP2P_MATCH => undef,
 	       OLD_IPP2P_MATCH => undef,
 	       CLASSIFY_TARGET => undef,
@@ -1035,8 +1021,6 @@ sub initialize( $;$$) {
 	       IFACE_MATCH => undef,
 	       TCPMSS_TARGET => undef,
 	       WAIT_OPTION => undef,
 	       CPU_FANOUT => undef,
 	       NETMAP_TARGET => undef,
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1187,12 +1171,6 @@ sub initialize( $;$$) {
    %shorewallrc1 = %shorewallrc unless $shorewallrc1;
    add_variables %shorewallrc1;
    $compiletime = `date`;
    chomp $compiletime;
    $compiletime =~ s/ +/ /g;
 }
 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
@@ -1205,10 +1183,6 @@ sub all_ipsets() {
    sort keys %ipsets;
 }
 sub compiletime() {
    $compiletime;
 }
 #
 # Create 'currentlineinfo'
 #
@@ -2001,21 +1975,6 @@ sub find_writable_file($) {
    "$config_path[0]$filename";
 }
 #
 # Determine if a value has been supplied
 #
 sub supplied( $ ) {
    my $val = shift;
    defined $val && $val ne '';
 }
 sub passed( $ ) {
    my $val = shift;
    defined $val && $val ne '' && $val ne '-';
 }
 #
 # Split a comma-separated list into a Perl array
 #
@@ -2074,7 +2033,7 @@ sub split_list1( $$;$ ) {
 sub split_list2( $$ ) {
    my ($list, $type ) = @_;
-    fatal_error "Invalid $type ($list)" if $list =~ /^:/;
+    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;
    my @list1 = split /:/, $list;
    my @list2;
@@ -2111,7 +2070,6 @@ sub split_list2( $$ ) {
 		fatal_error "Invalid $type ($list)" if $opencount < 0;
 	    }
 	} elsif ( $element eq '' ) {
 	    fatal_error "Invalid $type ($list)" unless supplied $_;
 	    push @list2 , $_;
 	} else {
 	    $element = join ':', $element , $_;
@@ -2182,47 +2140,6 @@ sub split_list3( $$ ) {
    @list2;
 }
 #
 # This version spits a list on white-space with optional leading comma. It prevents double-quoted
 # strings from being split.
 #
 sub split_list4( $ ) {
    my ($list ) = @_;
    my @list1 = split( /,?\s+/, $list );
    my @list2;
    my $element   = '';
    my $opencount = 0;
    return @list1 unless $list =~ /"/;
    @list1 = split( /(,?\s+)/, $list );
    for ( my $i = 0; $i < @list1; $i += 2 ) {
 	my $e = $list1[$i];
 	if ( $e =~ /[^\\]"/ ) {
 	    if ( $e =~ /[^\\]".*[^\\]"/ ) {
 		fatal_error 'Unescaped embedded quote (' . join( $list1[$i - 1], $element, $e ) . ')' if $element ne '';
 		push @list2, $e;
 	    } elsif ( $element ne '' ) {
 		fatal_error 'Quoting Error (' . join( $list1[$i - 1], $element, $e ) . ')' unless $e =~ /"$/;
 		push @list2, join( $list1[$i - 1], $element, $e );
 		$element = '';
 	    } else {
 		$element = $e;
 	    }
 	} elsif ( $element ne '' ) {
 	    $element = join( $list1[$i - 1], $element, $e );
 	} else {
 	    push @list2, $e;
 	}
    }
    fatal_error "Mismatched_quotes ($list)" if $element ne '';
    @list2;
 }
 #
 # Splits the columns of a config file record
 #
@@ -2277,7 +2194,20 @@ sub split_columns( $ ) {
    @list2;
 }
-sub clear_comment();
+#
 # Determine if a value has been supplied
 #
 sub supplied( $ ) {
    my $val = shift;
    defined $val && $val ne '';
 }
 sub passed( $ ) {
    my $val = shift;
    defined $val && $val ne '' && $val ne '-';
 }
 #
 # Pre-process a line from a configuration file.
@@ -2302,8 +2232,6 @@ sub split_line2( $$;$$$ ) {
    }
    $inline_matches = '';
    clear_comment if $sr_comment;
    #
    # First, see if there are double semicolons on the line; what follows will be raw iptables input
    #
@@ -2410,62 +2338,24 @@ sub split_line2( $$;$$$ ) {
 	$pairs =~ s/^\s*//;
 	$pairs =~ s/\s*$//;
-	my @pairs = split_list4( $pairs );
+	my @pairs = split( /,?\s+/, $pairs );
 	for ( @pairs ) {
 	    fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
 	    my ( $column, $value ) = ( lc( $1 ), $2 );
-
+	    fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
-	    if ( $value =~ /"$/ ) {
+	    $column = $columnsref->{$column};
-		fatal_error "Invalid value ( $value )" unless $value =~ /^"(.*)"$/;
+	    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
-		$value = $1;
+	    $value = $1 if $value =~ /^"([^"]+)"$/;
-	    }
+	    fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
-
+	    fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
-	    if ( $column eq 'comment' ) {
+	    $line[$column] = $value;
 		if ( $comments_allowed ) {
 		    if ( have_capability( 'COMMENTS' ) ) {
 			$comment = $value;
 			$sr_comment = 1;
 		    } else {
 			warning_message '"comment" ignored -- requires comment support in iptables/Netfilter' unless $warningcount++;
 		    }
 		} else {
 		    fatal_error '"comment" is not allowed in this file';
 		}
 	    } else {
 		fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
 		$column = $columnsref->{$column};
 		fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
 		$value = $1 if $value =~ /^"([^"]+)"$/;
 		$value =~ s/\\"/"/g;
 		fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
 		$line[$column] = $value;
 	    }
 	}
    }
    @line;
 }
 #
 # Same as above, only it splits the raw current line
 #
 sub split_rawline2( $$;$$$ ) {
    my $savecurrentline = $currentline;
    $currentline = $rawcurrentline;
    #
    # Delete trailing comment
    #
    $currentline =~ s/\s*#.*//;
    my @result = &split_line2( @_ );
    $currentline = $savecurrentline;
    @result;
 }
 sub split_line1( $$;$$ ) {
    &split_line2( @_, undef );
 }
@@ -2489,7 +2379,6 @@ sub no_comment() {
 sub clear_comment() {
    $comment   = '';
    $nocomment = 0;
    $sr_comment = '';
 }
 #
@@ -2585,8 +2474,7 @@ sub push_include() {
 			  $max_format,
 			  $comment,
 			  $nocomment,
-			  $section_function,
+			  $section_function ];
 			  $sr_comment ];
 }
 #
@@ -2610,8 +2498,7 @@ sub pop_include() {
 	  $max_format,
 	  $comment,
 	  $nocomment,
-	  $section_function,
+	  $section_function ) = @$arrayref;
 	  $sr_comment ) = @$arrayref;
    } else {
 	$currentfile       = undef;
 	$currentlinenumber = 'EOF';
@@ -2656,54 +2543,18 @@ sub directive_error( $$$ ) {
    fatal_error $_[0];
 }
-sub directive_warning( $$$$ ) {
+sub directive_warning( $$$ ) {
-    if ( shift ) {
+    my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
-	my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+    ( my $warning, $currentfilename, $currentlinenumber ) = @_;
-	( my $warning, $currentfilename, $currentlinenumber ) = @_;
+    warning_message $warning;
-	warning_message $warning;
+    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
 	( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
    } else {
 	our @localtime;
 	handle_first_entry if $first_entry;
 	$| = 1; #Reset output buffering (flush any partially filled buffers).
 	if ( $log ) {
 	    @localtime = localtime;
 	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   WARNING: $_[0]\n";
 	}
 	print STDERR "   WARNING: $_[0]\n";
 	$| = 0; #Re-allow output buffering
    }
 }
-sub directive_info( $$$$ ) {
+sub directive_info( $$$ ) {
-    if ( shift ) {
+    my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
-	my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+    ( my $info, $currentfilename, $currentlinenumber ) = @_;
-	( my $info, $currentfilename, $currentlinenumber ) = @_;
+    info_message $info;
-	info_message $info;
+    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
 	( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
    } else {
 	our @localtime;
 	handle_first_entry if $first_entry;
 	$| = 1; #Reset output buffering (flush any partially filled buffers).
 	if ( $log ) {
 	    @localtime = localtime;
 	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   INFO: $_[0]\n";
 	}
 	print STDERR "   INFO: $_[0]\n";
 	$| = 0; #Re-allow output buffering
    }
 }
 #
@@ -2852,7 +2703,7 @@ sub process_compiler_directive( $$$$ ) {
    print "CD===> $line\n" if $debug;
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+)(.*)$/i;
    my ($keyword, $expression) = ( uc $1, $2 );
@@ -2960,14 +2811,14 @@ sub process_compiler_directive( $$$$ ) {
 			      delete $actparams{$var}
 			  }
 		      } else {
-			  directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
+			  directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
 		      }
 		  } else {
 		      if ( exists $variables{$2} ) {
 			  delete $variables{$2};
 		      } else {
-			  directive_warning( 'Yes', "Shell variable $2 does not exist", $filename, $linenumber );
+			  directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
 		      }
 		  }
 	      }
@@ -2980,9 +2831,8 @@ sub process_compiler_directive( $$$$ ) {
 			  if ( have_capability( 'COMMENTS' ) ) {
 			      ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
 			      $comment =~ s/\s*$//;
 			      $sr_comment = '';
 			  } else {
-			      directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
+			      directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
 			  }
 		      }
 		  } else {
@@ -3001,8 +2851,7 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 	  WARNING => sub() {
-	      directive_warning( $config{VERBOSE_MESSAGES} ,
+	      directive_warning( evaluate_expression( $expression ,
 		                 evaluate_expression( $expression ,
 						      $filename ,
 						      $linenumber ,
 						      1 ),
@@ -3011,28 +2860,7 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 	  INFO => sub() {
-	      directive_info( $config{VERBOSE_MESSAGES} ,
+	      directive_info( evaluate_expression( $expression ,
 			      evaluate_expression( $expression ,
 						   $filename ,
 						   $linenumber ,
 						   1 ),
 			      $filename ,
 			      $linenumber ) unless $omitting;
 	  } ,
 	  'WARNING!' => sub() {
 	      directive_warning( ! $config{VERBOSE_MESSAGES} ,
 		                 evaluate_expression( $expression ,
 						      $filename ,
 						      $linenumber ,
 						      1 ),
 				 $filename ,
 				 $linenumber ) unless $omitting;
 	  } ,
 	  'INFO!' => sub() {
 	      directive_info( ! $config{VERBOSE_MESSAGES} ,
 			      evaluate_expression( $expression ,
 						   $filename ,
 						   $linenumber ,
 						   1 ),
@@ -3050,9 +2878,9 @@ sub process_compiler_directive( $$$$ ) {
    if ( $directive_callback ) {
        $directive_callback->( $keyword, $line ) 
    } else {
        $omitting;
    }
    $omitting;
 }
 #
@@ -3334,7 +3162,6 @@ sub push_open( $;$$$$ ) {
    push @openstack, \@a;
    @includestack = ();
    $currentfile = undef;
    $sr_comment = '';
    open_file( $file , $max, $comments_allowed || $ca, $nc , $cf );
 }
@@ -3428,7 +3255,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
    my $multiline = shift;
-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
    $directive_callback->( 'PERL', $currentline ) if $directive_callback;
@@ -3760,7 +3587,6 @@ sub read_a_line($) {
 	    if ( $omitting ) {
 		print "OMIT=> $_\n" if $debug;
 		$directive_callback->( 'OMITTED', $_ ) if ( $directive_callback );
 		next;
 	    }
@@ -3815,10 +3641,6 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
 	    # Save Raw Image
 	    #
 	    $rawcurrentline = $currentline;
 	    #
 	    # Expand Shell Variables using %params and %actparams
 	    #
 	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
@@ -3847,7 +3669,7 @@ sub read_a_line($) {
 		fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
 		fatal_error "This file does not allow ?SECTION" unless $section_function;
 		$section_function->($sectionname);
-		$directive_callback->( 'SECTION', $rawcurrentline ) if $directive_callback;
+		$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
 		next LINE;
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
@@ -3886,10 +3708,8 @@ sub process_shorewallrc( $$ ) {
 	    $shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
 	}
    } elsif ( supplied $shorewallrc{VARLIB} ) {
-	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
+	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product" unless supplied $shorewallrc{VARDIR};
    }
    $shorewallrc{DEFAULT_PAGER} = '' unless supplied $shorewallrc{DEFAULT_PAGER};
 }
 #
@@ -4001,10 +3821,9 @@ my %logoptions = ( tcp_sequence         => '--log-tcp-sequence',
 sub validate_level( $;$ ) {
    my ( $rawlevel, $option ) = @_;
-    my $level;
+    my $level    = uc $rawlevel;
-    if ( supplied ( $rawlevel ) ) {
+    if ( supplied ( $level ) ) {
 	$level = uc $rawlevel;
 	$level =~ s/!$//;
 	my $value = $level;
 	my $qualifier;
@@ -4319,22 +4138,6 @@ sub Masquerade_Tgt() {
    $result;
 }
 sub Netmap_Target() {
    have_capability( 'NAT_ENABLED' ) || return '';
    my $result = '';
    my $address = $family == F_IPV4 ? '1.2.3.0/24' : '2001::/64';
    if ( qt1( "$iptables $iptablesw -t nat -N $sillyname" ) ) {
 	$result = qt1( "$iptables $iptablesw -t nat -A $sillyname -j NETMAP --to $address" );
 	qt1( "$iptables $iptablesw -t nat -F $sillyname" );
 	qt1( "$iptables $iptablesw -t nat -X $sillyname" );
    }
    $result;
 }
 sub Udpliteredirect() {
    have_capability( 'NAT_ENABLED' ) || return '';
@@ -4533,6 +4336,10 @@ sub Raw_Table() {
    qt1( "$iptables $iptablesw -t raw -L -n" );
 }
 sub Rawpost_Table() {
    qt1( "$iptables $iptablesw -t rawpost -L -n" );
 }
 sub Old_IPSet_Match() {
    my $ipset  = $config{IPSET} || 'ipset';
    my $result = 0;
@@ -4585,11 +4392,11 @@ sub IPSet_Match() {
 }
 sub IPSet_Match_Nomatch() {
-    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_NOMATCH};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_NOMATCH};
 }
 sub IPSet_Match_Counters() {
-    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_COUNTERS};
+    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
 }
 sub IPSET_V5() {
@@ -4860,10 +4667,6 @@ sub Tcpmss_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
 }
 sub Cpu_Fanout() {
    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
 }
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -4880,7 +4683,6 @@ our %detect_capability =
      CONNMARK => \&Connmark,
      CONNMARK_MATCH => \&Connmark_Match,
      CONNTRACK_MATCH => \&Conntrack_Match,
      CPU_FANOUT => \&Cpu_Fanout,
      CT_TARGET => \&Ct_Target,
      DSCP_MATCH => \&Dscp_Match,
      DSCP_TARGET => \&Dscp_Target,
@@ -4924,7 +4726,6 @@ our %detect_capability =
      MULTIPORT => \&Multiport,
      NAT_ENABLED => \&Nat_Enabled,
      NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
      NETMAP_TARGET => \&Netmap_Target,
      NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
      NFACCT_MATCH => \&NFAcct_Match,
      NFQUEUE_TARGET => \&Nfqueue_Target,
@@ -4940,6 +4741,7 @@ our %detect_capability =
      POLICY_MATCH => \&Policy_Match,
      PPTP_HELPER => \&PPTP_Helper,
      RAW_TABLE => \&Raw_Table,
      RAWPOST_TABLE => \&Rawpost_Table,
      REALM_MATCH => \&Realm_Match,
      REAP_OPTION => \&Reap_Option,
      RECENT_MATCH => \&Recent_Match,
@@ -5067,6 +4869,7 @@ sub determine_capabilities() {
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
 	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
@@ -5107,8 +4910,6 @@ sub determine_capabilities() {
 	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
 	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5214,19 +5015,6 @@ sub update_default($$) {
    $config{$var} = $val unless defined $config{$var};
 }
 #
 # Transfer the permissions from an old .bak file to a newly-created file
 #
 sub transfer_permissions( $$ ) {
    my ( $old, $new ) = @_;
    my @stat = stat $old;
    if ( @stat ) {
 	fatal_error "Can't transfer permissions from $old to $new" unless chmod( $stat[2] & 0777, $new );
    }
 }
 sub update_config_file( $ ) {
    my ( $annotate ) = @_;
@@ -5281,9 +5069,7 @@ sub update_config_file( $ ) {
    update_default( 'USE_DEFAULT_RT', 'No' );
    update_default( 'EXPORTMODULES',  'No' );
    update_default( 'RESTART',        'reload' );
-    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
+    update_default( 'PAGER',          '' );
    update_default( 'LOGFORMAT',      'Shorewall:%s:%s:' );
    update_default( 'LOGLIMIT',       '' );
    my $fn;
@@ -5378,7 +5164,6 @@ EOF
 	if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
 	    progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
 	    transfer_permissions( "$configfile.bak", $configfile );
 	} else {
 	    if ( rename "$configfile.bak", $configfile ) {
 		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
@@ -5893,24 +5678,6 @@ sub get_configuration( $$$$ ) {
 	$ENV{PATH} = $default_path;
    }
    fatal_error "Shorewall-core does not appear to be installed" unless open_file "$globals{SHAREDIRPL}coreversion";
    fatal_error "$globals{SHAREDIRPL}coreversion is empty" unless read_a_line( PLAIN_READ );
    close_file;
    warning_message "Version Mismatch: Shorewall-core is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
    if ( $family == F_IPV6 ) {
 	open_file( "$globals{SHAREDIR}/version" ) || fatal_error "Unable to open $globals{SHAREDIR}/version";
 	fatal_error "$globals{SHAREDIR}/version is empty" unless read_a_line( PLAIN_READ );
 	close_file;
 	warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
    }
    my $have_capabilities;
    if ( $export || $> != 0 ) {
@@ -6232,6 +5999,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'AUTOCOMMENT'                , 'Yes';
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
    default_yes_no 'CHAIN_SCRIPTS'              , 'Yes';
    if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6304,27 +6072,9 @@ sub get_configuration( $$$$ ) {
    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
 	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
-	    ( $key , my @options ) = split_list( $key, 'option' );
+	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;
 	    my $options = '';
 	    for ( @options ) {
 		if ( $simple_options{$_} ) {
 		    $options = join( ',' , $options, $_ );
 		} elsif ( $_ =~ s/^timeout=(\d+)$// ) {
 		    $globals{DBL_TIMEOUT} = $1;
 		} else {
 		    fatal_error "Invalid ipset option ($_)";
 		}
 	    }
 	    $globals{DBL_OPTIONS} = $options;
 	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
 	    if ( supplied( $set ) ) {
 		fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
@@ -6332,7 +6082,7 @@ sub get_configuration( $$$$ ) {
 		$set = 'SW_DBL' . $family;
 	    }
-	    add_ipset( $globals{DBL_IPSET} = $set );
+	    add_ipset( $set );
 	    $level = validate_level( $level );
@@ -6343,10 +6093,8 @@ sub get_configuration( $$$$ ) {
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 	} else {
-	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
+	    default_yes_no( 'DYNAMIC_BLACKLIST'     , 'Yes' );
 	}
    } else {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
    }
    default_yes_no 'REQUIRE_INTERFACE'          , '';
@@ -6361,8 +6109,6 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'WARNOLDCAPVERSION'          , 'Yes';
    default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
    default_yes_no 'MINIUPNPD'                  , '';
    default_yes_no 'VERBOSE_MESSAGES'           , 'Yes';
    default_yes_no 'ZERO_MARKS'                 , '';
    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
@@ -6748,7 +6494,32 @@ sub append_file( $;$$ ) {
    $result;
 }
 #
 # Run a Perl extension script
 #
 sub run_user_exit( $ ) {
    my $chainref = $_[0];
    my $file = find_file $chainref->{name};
    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
 	progress_message2 "Running $file...";
 	my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
 	unless (my $return = eval $command ) {
 	    fatal_error "Couldn't parse $file: $@" if $@;
 	    unless ( defined $return ) {
 		fatal_error "Couldn't do $file: $!" if $!;
 		fatal_error "Couldn't do $file";
 	    }
 	    fatal_error "$file returned a false value";
 	}
    }
 }
 sub run_user_exit1( $ ) {
    my $file = find_file $_[0];
    if ( -f $file ) {
@@ -6780,6 +6551,37 @@ sub run_user_exit( $ ) {
    }
 }
 sub run_user_exit2( $$ ) {
    my ($file, $chainref) = ( find_file $_[0], $_[1] );
    if ( $config{CHAIN_SCRIPTS} && -f $file ) {
 	progress_message2 "Running $file...";
 	#
 	# File may be empty -- in which case eval would fail
 	#
 	push_open $file;
 	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 	    close_file;
 	    pop_open;
 	    unless (my $return = eval `cat $file` ) {
 		fatal_error "Couldn't parse $file: $@" if $@;
 		unless ( defined $return ) {
 		    fatal_error "Couldn't do $file: $!" if $!;
 		    fatal_error "Couldn't do $file";
 		}
 		fatal_error "$file returned a false value";
 	    }
 	}
 	pop_open;
    }
 }
 #
 # Generate the aux config file for Shorewall Lite
 #
@@ -6806,7 +6608,7 @@ sub generate_aux_config() {
    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
 	conditionally_add_option $option;
    }
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -432,18 +432,13 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    my $pair = $portpair;
    #
    # Accept '-' as a port-range separator
    #
    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
-    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
-    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
+    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
-    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
-    my @ports = split /:/, $pair, 2;
+    my @ports = split /:/, $portpair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
@@ -472,7 +467,7 @@ sub validate_portpair1( $$ ) {
    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
-    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
    my @ports = split /-/, $portpair, 2;
@@ -483,10 +478,9 @@ sub validate_portpair1( $$ ) {
    if ( @ports == 2 ) {
 	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
    } else {
 	$what = 'port';
 	fatal_error 'Invalid port number (0)' unless $portpair;
    }
    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
@@ -503,7 +497,7 @@ sub validate_port_list( $$ ) {
    my ( $proto, $list ) = @_;
    my @list   = split_list( $list, 'port' );
-    if ( @list > 1 && $list =~ /[:-]/ ) {
+    if ( @list > 1 && $list =~ /:/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
    }
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -200,7 +200,6 @@ sub remove_blacklist( $ ) {
    if ( $changed ) {
 	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
 	rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
 	transfer_permissions( "$fn.bak", $fn );
 	progress_message2 "\u$file file $fn saved in $fn.bak"
    }
 }
@@ -216,7 +215,6 @@ sub convert_blacklist() {
    my $audit       = $disposition =~ /^A_/;
    my $target      = $disposition;
    my $orig_target = $target;
    my $warnings    = 0;
    my @rules;
    if ( @$zones || @$zones1 ) {
@@ -238,22 +236,12 @@ sub convert_blacklist() {
 	    return 0;
 	}
 	directive_callback(
 	    sub ()
 	    {
 		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
 	    }
 	    );
 	first_entry "Converting $fn...";
 	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) =
-		split_rawline2( 'blacklist file',
+		split_line( 'blacklist file',
-				{ networks => 0, proto => 1, port => 2, options => 3 },
+			    { networks => 0, proto => 1, port => 2, options => 3 } );
 				{},
 				4,
 		);
 	    if ( $options eq '-' ) {
 		$options = 'src';
@@ -311,21 +299,18 @@ sub convert_blacklist() {
 	    }
 	}
 	directive_callback(0);
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
-	    my $date = compiletime;
+	    my $date = localtime;
 	    if ( -f $fn1 ) {
 		open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	    } else {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
-# Shorewall - Blacklist Rules File
+# Shorewall version 5.0 - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -407,9 +392,8 @@ sub convert_routestopped() {
    if ( my $fn = open_file 'routestopped' ) {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
-	my $seq      = 0;
+	my $seq  = 0;
-	my $warnings = 0;
+	my $date = localtime;
 	my $date = compiletime;
 	my ( $stoppedrules, $fn1 );
@@ -417,10 +401,9 @@ sub convert_routestopped() {
 	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	} else {
 	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
-# Shorewall - Stopped Rules File
+# Shorewall version 5 - Stopped Rules File
 #
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
@@ -436,16 +419,9 @@ sub convert_routestopped() {
 EOF
 	}
 	directive_callback(
 	    sub ()
 	    {
 		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
 	    }
 	    );
 	first_entry(
 		    sub {
-			my $date = compiletime;
+			my $date = localtime;
 			progress_message2 "$doing $fn...";
 			print( $stoppedrules
 			       "#\n" ,
@@ -457,16 +433,13 @@ EOF
 	while ( read_a_line ( NORMAL_READ ) ) {
 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
-		split_rawline2( 'routestopped file',
+		split_line( 'routestopped file',
-				{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 },
+			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
 				{},
 				6,
 				0,
 		);
 	    my $interfaceref;
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';
 	    my $routeback = 0;
@@ -480,6 +453,8 @@ EOF
 	    $hosts = ALLIP if $hosts eq '-';
 	    for my $host ( split /,/, $hosts ) {
 		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
 		validate_host $host, 1;
 		push @hosts, "$interface|$host|$seq";
 		push @rule, $rule;
 	    }
@@ -523,8 +498,6 @@ EOF
 	    push @allhosts, @hosts;
 	}
 	directive_callback(0);
 	for my $host ( @allhosts ) {
 	    my ( $interface, $h, $seq ) = split /\|/, $host;
 	    my $rule = shift @rule;
@@ -676,15 +649,9 @@ sub create_docker_rules() {
 	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
 	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
 	my $outputref;
 	add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $outputref );
 	add_ijump( $outputref, j => 'DOCKER' );
 	decr_cmd_level( $outputref );
 	add_commands( $outputref, 'fi' );
    }
    add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
@@ -712,8 +679,7 @@ sub add_common_rules ( $ ) {
    my $dbl_ipset;
    my $dbl_level;
    my $dbl_tag;
-    my $dbl_src_target;
+    my $dbl_target;
    my $dbl_dst_target;
    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -774,42 +740,8 @@ sub add_common_rules ( $ ) {
 	}
 	if ( $dbl_ipset ) {
-	    if ( $val = $globals{DBL_TIMEOUT} ) {
+	    if ( $dbl_level ) {
-		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+		my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
 		log_rule_limit( $dbl_level,
 				$chainref,
 				'dbl_log',
 				'DROP',
 				$globals{LOGLIMIT},
 				$dbl_tag,
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
 		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 		if ( $dbl_src_target eq 'dbl_src' ) {
 		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
 		    log_rule_limit( $dbl_level,
 				    $chainref,
 				    'dbl_log',
 				    'DROP',
 				    $globals{LOGLIMIT},
 				    $dbl_tag,
 				    'add',
 				    '',
 				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
 		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
 		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 		} else {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
 		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -822,7 +754,7 @@ sub add_common_rules ( $ ) {
 				$origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 	    } else {
-		$dbl_src_target = $dbl_dst_target = 'DROP'; 
+		$dbl_target = 'DROP'; 
 	    }
 	}
    }
@@ -928,30 +860,13 @@ sub add_common_rules ( $ ) {
 		}
 	    }
-	    if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
+	    if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
-
+		add_ijump_extended( $filter_table->{input_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		my ( $in, $out ) = split /:/, $setting;
+		add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
 		if ( $in  == 1 ) {
 		    #
 		    # src
 		    #
 		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		} elsif ( $in == 2 ) {
 		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 		if ( $out == 2 ) {
 		    #
 		    # dst
 		    #
 		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
 		}
 	    }
 	    for ( option_chains( $interface ) ) {
-		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' );
 		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
@@ -1028,7 +943,7 @@ sub add_common_rules ( $ ) {
 	    );
    }
-    run_user_exit 'initdone';
+    run_user_exit1 'initdone';
    if ( $upgrade ) {
 	convert_blacklist;
@@ -1454,6 +1369,8 @@ sub setup_mac_lists( $ ) {
 		}
 	    }
 	    run_user_exit2( 'maclog', $chainref );
 	    log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
 	    add_ijump $chainref, j => $target;
 	}
@@ -1679,6 +1596,12 @@ sub add_interface_jumps {
 	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
 	if ( have_capability 'RAWPOST_TABLE' ) {
 	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
 	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
 	    insert_ijump ( $raw_table->{OUTPUT},          j => output_chain( $interface ),      0, imatch_dest_dev( $interface) )   if $raw_table->{output_chain $interface};
 	}
 	add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
    }
    #
@@ -2756,9 +2679,6 @@ EOF
    pop_indent;
    emit '
    rm -f ${VARDIR}/*.address
    rm -f ${VARDIR}/*.gateway
    run_stopped_exit';
    my @ipsets = all_ipsets;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,8 +36,8 @@ use Shorewall::Providers qw( provider_realm );
 use strict;
 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_nat setup_netmap add_addresses );
+our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
 our @EXPORT_OK = ();
 Exporter::export_ok_tags('rules');
@@ -62,7 +62,7 @@ sub initialize($) {
 #
 sub process_one_masq1( $$$$$$$$$$$ )
 {
-    my ( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
    my $pre_nat;
    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
@@ -70,12 +70,10 @@ sub process_one_masq1( $$$$$$$$$$$ )
    my $baserule = '';
    my $inlinematches = '';
    my $prerule       = '';
    my $savelist;
    #
    # Leading '+'
    #
    $pre_nat = 1 if $interfacelist =~ s/^\+//;
    #
    # Check for INLINE
    #
@@ -85,8 +83,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
    } else {
 	$inlinematches = get_inline_matches(0);
    }	
    $savelist = $interfacelist;
    #
    # Handle early matches
    #
@@ -153,12 +149,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
    $baserule .= do_user( $user )                    if $user ne '-';
    $baserule .= do_probability( $probability )      if $probability ne '-';
    my $target;
    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-
+	my $target = 'MASQUERADE ';
 	$target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -200,7 +193,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	# Parse the ADDRESSES column
 	#
 	if ( $addresses ne '-' ) {
 	    my $saveaddresses = $addresses;
 	    if ( $addresses eq 'random' ) {
 		require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
 		$randomize = '--random ';
@@ -232,7 +224,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 		    my $addrlist = '';
 		    my @addrs = split_list $addresses, 'address';
-		    fatal_error "Only one ADDRESS may be specified" if @addrs > 1;
+		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
 		    for my $addr ( @addrs ) {
 			if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -248,7 +240,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			    # Address Variable
 			    #
 			    $target = 'SNAT ';
 			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 				#
 				# User-defined address variable
@@ -278,20 +269,14 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
 				$target = 'SNAT ';
-				my ($ipaddr, $rest) = split ':', $addr, 2;
+				my ($ipaddr, $rest) = split ':', $addr;
 				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $ipaddr, 0;
 				}
-
+				validate_portpair1( $proto, $rest ) if supplied $rest;
-				if ( supplied $rest ) {
+				$addrlist .= "--to-source $addr ";
 				    validate_portpair1( $proto, $rest );
 				    $addrlist .= "--to-source $addr ";
 				} else {
 				    $addrlist .= "--to-source $ipaddr";
 				}
 				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			    } else {
 				my $ports = $addr;
@@ -352,7 +337,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	    $target .= $randomize;
 	    $target .= $persistent;
 	    $addresses = $saveaddresses;
 	} else {
 	    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )  if $family == F_IPV6;
 	    $add_snat_aliases = 0;
@@ -402,250 +386,32 @@ sub process_one_masq1( $$$$$$$$$$$ )
 }
-sub convert_one_masq1( $$$$$$$$$$$$ )
+sub process_one_masq( )
 {
-    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 	split_line2( 'masq file',
 		     { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
 		     {},    #Nopad
 		     undef, #Columns
 		     1 );   #Allow inline matches
-    my $pre_nat;
+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
-    my $destnets = '';
+
-    my $savelist;
+    for my $proto ( split_list $protos, 'Protocol' ) {
-    #
+	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
    # Leading '+'
    #
    $pre_nat = ( $interfacelist =~ s/^\+// );
    #
    # Check for INLINE
    #
    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
 	$interfacelist = $1;
    }
    $savelist = $interfacelist;
    #
    # Parse the remaining part of the INTERFACE column
    #
    if ( $family == F_IPV4 ) {
 	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
 	    $destnets = $2;
 	    $interfacelist = $1;
 	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
 	    $destnets = $2;
 	    $interfacelist = $1;
 	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
 	    $interfacelist = $1;
 	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
 	    my ( $one, $two ) = ( $1, $2 );
 	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
 		$interfacelist = $one;
 		$destnets = $two;
 	    }
 	}
    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
 	$interfacelist = $1;
 	$destnets      = $2;
    }
    #
    # If there is no source or destination then allow all addresses
    #
    $networks = ALLIP if $networks eq '-';
    $destnets = ALLIP if $destnets eq '-';
    my $target;
    #
    # Parse the ADDRESSES column
    #
    if ( $addresses ne '-' ) {
 	my $saveaddresses = $addresses;
 	if ( $addresses ne 'random' ) {
 	    $addresses =~ s/:persistent$//;
 	    $addresses =~ s/:random$//;
 	    if ( $addresses eq 'detect' ) {
 		$target = 'SNAT';
 	    } elsif ( $addresses eq 'NONAT' ) {
 		$target = 'CONTINUE';
 	    } elsif ( $addresses ) {
 		if ( $addresses =~ /^:/ ) {
 		    $target = 'MASQUERADE';
 		} else {
 		    $target = 'SNAT';
 		}
 	    }
 	}
 	$addresses = $saveaddresses;
    } else {
 	$target = 'MASQUERADE';
    }
    if ( $snat ) {
 	$target .= '+' if $pre_nat;
 	if ( $addresses ne '-' && $addresses ne 'NONAT' ) {
 	    $addresses =~ s/^://;
 	    $target .= '(' . $addresses . ')';
 	}
 	my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
 	#
 	# Supress superfluous trailing dashes
 	#
 	$line =~ s/(?:\t-)+$//;
 	my $raw_matches = fetch_inline_matches;
 	$line .= join( '', ' ;;', $raw_matches ) if $raw_matches ne ' ';
 	print $snat "$line\n";
    }
    progress_message "   Masq record \"$rawcurrentline\" Converted";
 }
-sub process_one_masq( $ )
+#
 # Process the masq file
 #
 sub setup_masq()
 {
    my ( $snat ) = @_;
    if ( $snat ) {
 	unless ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
 	    #
 	    # Line was not blank or all comment
 	    #
 	    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 		split_rawline2( 'masq file',
 				{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
 				{},    #Nopad
 				undef, #Columns
 				1 );   #Allow inline matches
 	    if ( $interfacelist ne '-' ) { 
 		for my $proto ( split_list $protos, 'Protocol' ) {
 		    convert_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
 		}
 	    }
 	}
    } else {
 	my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 	    split_line2( 'masq file',
 			 { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
 			 {},    #Nopad
 			 undef, #Columns
 			 1 );   #Allow inline matches
 	fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
 	for my $proto ( split_list $protos, 'Protocol' ) {
 	    process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
 	}
    }
 }
 sub open_snat_for_output( $ ) {
    my ($fn ) = @_;
    my ( $snat, $fn1 );
    if ( -f ( $fn1 = find_writable_file( 'snat' ) ) ) {
 	open( $snat , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
    } else {
 	open( $snat , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
 	#
 	# Transfer permissions from the existing masq file to the new snat file
 	#
 	transfer_permissions( $fn, $fn1 );
 	if ( $family == F_IPV4 ) {
 	    print $snat <<'EOF';
 #
 # Shorewall - SNAT/Masquerade File
 #
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See http://shorewall.net/manpages/shorewall-snat.html for additional information
 EOF
 	} else {
 	    print $snat <<'EOF';
 #
 # Shorewall6 - SNAT/Masquerade File
 #
 # For information about entries in this file, type "man shorewall6-snat"
 #
 # See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
 EOF
 	}
 	print $snat <<'EOF';
 ###################################################################################################################
 #ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
 EOF
    }
    return ( $snat, $fn1 );
 }
 #
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );
-	my $have_masq_rules;
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
-	directive_callback(
+	process_one_masq while read_a_line( NORMAL_READ );
 	    sub ()
 	    {
 		if ( $_[0] eq 'OMITTED' ) {
 		    #
 		    # Convert the raw rule
 		    #
 		    process_one_masq( $snat) if $snat;
 		} else {
 		    print $snat "$_[1]\n"; 0;
 		}
 	    }
 	    );
 	first_entry(
 	    sub {
 		my $date = compiletime;
 		progress_message2 "Converting $fn...";
 		print( $snat
 		       "#\n" ,
 		       "# Rules generated from masq file $fn by Shorewall $globals{VERSION} - $date\n" ,
 		       "#\n" );
 	    }
 	    );
 	while ( read_a_line( NORMAL_READ ) ) {
 	    #
 	    # Process the file normally
 	    #
 	    process_one_masq(0);
 	    #
 	    # Now Convert it
 	    #
 	    process_one_masq($snat);
 	    $have_masq_rules++;
 	}
 	if ( $have_masq_rules ) {
 	    progress_message2 "Converted $fn to $fn1";
 	    if ( rename $fn, "$fn.bak" ) {
 		progress_message2 "$fn renamed $fn.bak";
 	    } else {
 		fatal_error "Cannot Rename $fn to $fn.bak: $!";
 	    }
 	} else {
 	    if ( unlink $fn ) {
 		warning_message "Empty masq file ($fn) removed";
 	    } else {
 		warning_message "Unable to remove empty masq file $fn: $!";
 	    }
 	}
 	close $snat, directive_callback( 0 );
    }
 }
@@ -790,39 +556,88 @@ sub setup_netmap() {
 		my @rule = do_iproto( $proto, $dport, $sport );
-		my @rulein;
+		unless ( $type =~ /:/ ) {
-		my @ruleout;
+		    my @rulein;
 		    my @ruleout;
-		$net1 = validate_net $net1, 0;
+		    $net1 = validate_net $net1, 0;
-		$net2 = validate_net $net2, 0;
+		    $net2 = validate_net $net2, 0;
-		if ( $interfaceref->{root} ) {
+		    if ( $interfaceref->{root} ) {
-		    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-		} else {
+		    } else {
-		    @rulein  = imatch_source_dev( $interface );
+			@rulein  = imatch_source_dev( $interface );
-		    @ruleout = imatch_dest_dev( $interface );
+			@ruleout = imatch_dest_dev( $interface );
-		    $interface = $interfaceref->{name};
+			$interface = $interfaceref->{name};
-		}
+		    }
-		require_capability 'NETMAP_TARGET', 'Stateful Netmap Entries', '';
+		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
-		if ( $type eq 'DNAT' ) {
+		    if ( $type eq 'DNAT' ) {
-		    dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
+			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
-				      j => 'NETMAP' ,
+					  j => 'NETMAP' ,
-				      "--to $net2",
+					  "--to $net2",
-				      $net1 ,
+					  $net1 ,
-				      @rulein  ,
+					  @rulein  ,
-				      imatch_source_net( $net3 ) );
+					  imatch_source_net( $net3 ) );
-		} elsif ( $type eq 'SNAT' ) {
+		    } elsif ( $type eq 'SNAT' ) {
-		    source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
-				       j => 'NETMAP' ,
+					   j => 'NETMAP' ,
-				       "--to $net2" ,
+					   "--to $net2" ,
-				       $net1 ,
+					   $net1 ,
-				       @ruleout ,
+					   @ruleout ,
-				       imatch_dest_net( $net3 ) );
+					   imatch_dest_net( $net3 ) );
 		    } else {
 			fatal_error "Invalid type ($type)";
 		    }
 		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
 		    my ( $target , $chain ) = ( $1, $2 );
 		    my $table = 'raw';
 		    my @match;
 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
 		    $net2 = validate_net $net2, 0;
 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface );
 			$interface = $interfaceref->{name};
 		    }
 		    if ( $chain eq 'P' ) {
 			$chain = prerouting_chain $interface;
 			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
 		    } elsif ( $chain eq 'O' ) {
 			$chain = output_chain $interface;
 		    } else {
 			$chain = postrouting_chain $interface;
 			$table = 'rawpost';
 		    }
 		    my $chainref = ensure_chain( $table, $chain );
 		    if ( $target eq 'DNAT' ) {
 			dest_iexclusion( $chainref ,
 					 j => 'RAWDNAT' ,
 					 "--to-dest $net2" ,
 					 $net1 ,
 					 imatch_source_net( $net3 ) ,
 					 @rule ,
 					 @match
 				       );
 		    } else {
 			source_iexclusion( $chainref ,
 					   j  => 'RAWSNAT' ,
 					   "--to-source $net2" ,
 					   $net1 ,
 					   imatch_dest_net( $net3 ) ,
 					   @rule ,
 					   @match );
 		    }
 		} else {
 		    fatal_error 'TYPE must be specified' if $type eq '-';
-		    fatal_error "Invalid type ($type)";
+		    fatal_error "Invalid TYPE ($type)";
 		}
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -125,13 +125,6 @@ sub setup_route_marking() {
    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
    #
    # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
    #
    if ( $config{ZERO_MARKS} ) {
 	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
    }
    if ( $config{RESTORE_ROUTEMARKS} ) {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
@@ -220,14 +213,7 @@ sub copy_table( $$$ ) {
 	       '            esac',
 	     );
    } else {
-	emit ( '            case $net in',
+	emit ( "            run_ip route add table $number \$net \$route $realm" );
 	       '                fe80:*)',
 	       '                    ;;',
 	       '                *)',
 	       "                    run_ip route add table $number \$net \$route $realm",
 	       '                    ;;',
 	       '            esac',
 	     );
    }
    emit ( '            ;;',
@@ -298,14 +284,7 @@ sub copy_and_edit_table( $$$$$ ) {
 		'                    esac',
 	     );
    } else {
-	emit (  '                    case $net in',
+	emit (  "                    run_ip route add table $id \$net \$route $realm" );
 		'                        fe80:*)',
 		'                            ;;',
 		'                        *)',
 		"                            run_ip route add table $id \$net \$route $realm",
 		'                            ;;',
 		'                    esac',
 	     );
    }
    emit (  '                    ;;',
@@ -323,14 +302,27 @@ sub balance_default_route( $$$$ ) {
    emit '';
    if ( $first_default_route ) {
-	if ( $gateway ) {
+	if ( $family == F_IPV4 ) {
-	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    if ( $gateway ) {
 		emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	    } else {
 		emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	    }
 	} else {
-	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    #
 	    # IPv6 doesn't support multi-hop routes
 	    #
 	    if ( $gateway ) {
 		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
 		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
 	    }
 	}
 	$first_default_route = 0;
    } else {
 	fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
 	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -347,14 +339,27 @@ sub balance_fallback_route( $$$$ ) {
    emit '';
    if ( $first_fallback_route ) {
-	if ( $gateway ) {
+	if ( $family == F_IPV4 ) {
-	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    if ( $gateway ) {
 		emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	    } else {
 		emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	    }
 	} else {
-	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    #
 	    # IPv6 doesn't support multi-hop routes
 	    #
 	    if ( $gateway ) {
 		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
 		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
 	    }
 	}
 	$first_fallback_route = 0;
    } else {
 	fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
 	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -486,14 +491,12 @@ sub process_a_provider( $ ) {
    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, 1 );
+	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gatewaycase = 'none';
 	$gateway = '';
 	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
@@ -507,15 +510,12 @@ sub process_a_provider( $ ) {
 	}
 	$gatewaycase = 'specified';
 	set_interface_option( $interface, 'gateway', $gateway );
    } else {
 	$gatewaycase = 'omitted';
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gateway = '';
 	set_interface_option( $interface, 'gateway', $pseudo ? 'detect' : 'omitted' );
    }
    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
    if ( $pseudo ) {	
@@ -535,6 +535,7 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
@@ -557,6 +558,7 @@ sub process_a_provider( $ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
 		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
@@ -684,7 +686,6 @@ sub process_a_provider( $ ) {
 			   interface         => $interface ,
 			   physical          => $physical ,
 			   optional          => $optional ,
 			   wildcard          => $interfaceref->{wildcard} || 0,
 			   gateway           => $gateway ,
 			   gatewaycase       => $gatewaycase ,
 			   shared            => $shared ,
@@ -744,9 +745,9 @@ sub emit_started_message( $$$$$ ) {
    my ( $spaces, $level, $pseudo, $name, $number ) = @_;
    if ( $pseudo ) {
-	emit qq(${spaces}progress_message${level} "Optional interface $name Started");
+	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
    } else {
-	emit qq(${spaces}progress_message${level} "Provider $name ($number) Started");
+	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
    }
 }
@@ -800,10 +801,6 @@ sub add_a_provider( $$ ) {
 	push_indent;
 	emit( "if interface_is_up $physical; then" );
 	push_indent;
 	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
@@ -813,19 +810,22 @@ sub add_a_provider( $$ ) {
 	}
 	if ( $gateway ) {
-	    $address = get_interface_address( $interface, 1 ) unless $address;
+	    $address = get_interface_address $interface unless $address;
 	    emit( qq([ -z "$address" ] && return\n) );
 	    if ( $hostroute ) {
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		} else {
 		    emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
 		    emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
 		    emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
 		}
 	    }
-	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
 	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 	if ( ! $noautosrc ) {
@@ -854,10 +854,8 @@ sub add_a_provider( $$ ) {
 	    }
 	}
-	pop_indent;
+	emit( qq(\n),
-
+	      qq(rm -f \${VARDIR}/${physical}_enabled) );
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 	pop_indent;
@@ -939,11 +937,17 @@ CEOF
    }
    if ( $gateway ) {
-	$address = get_interface_address( $interface, 1 ) unless $address;
+	$address = get_interface_address $interface unless $address;
 	if ( $hostroute ) {
-	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+	    if ( $family == F_IPV4 ) {
-	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
 		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	    } else {
 		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
 		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
 		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
 	    }
 	}
 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
@@ -957,8 +961,13 @@ CEOF
 	my $id = $providers{default}->{id};
 	emit '';
 	if ( $gateway ) {
-	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
+	    if ( $family == F_IPV4 ) {
-	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+		emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
 		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    } else {
 		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
 		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    }
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
@@ -1034,12 +1043,23 @@ CEOF
 	    $tbl    = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
 	    $weight = $balance ? $balance : $default;
-	    if ( $gateway ) {
+	    if ( $family == F_IPV4 ) {
-		emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
+		if ( $gateway ) {
 		    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
 		} else {
 		    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
 		}
 	    } else {
-		emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+		#
 		# IPv6 doesn't support multi-hop routes
 		#
 		if ( $gateway ) {
 		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
 		} else {
 		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
 		}
 	    }
-	} else {
+	    	} else {
 	    $weight = 1;
 	}
@@ -1049,40 +1069,19 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
-	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
+	emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
 	emit_started_message( '', 2, $pseudo, $table, $number );
 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
 	    emit( '',
 		  'if [ -n "$g_forcereload" ]; then',
 		  "    progress_message2 \"The IP address or gateway of $physical has changed -- forcing reload of the ruleset\"",
 		  '    COMMAND=reload',
 		  '    detect_configuration',
 		  '    define_firewall',
 		  'fi' );
 	}
 	pop_indent;
 	unless ( $pseudo ) {
 	    emit( 'else' );
 	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
-	    emit( qq(    rm -f \${VARDIR}/${physical}_disabled) ) if $persistent;
+	    emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
 	    emit_started_message( '    ', '', $pseudo, $table, $number );
 	}
 	emit "fi\n";
 	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 	    my $variable = interface_address( $interface );
 	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
 	}
 	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
 	    my $variable = interface_gateway( $interface );
 	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
 	}
    } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
    }
@@ -1107,17 +1106,6 @@ CEOF
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
 	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 	    my $variable = interface_address( $interface );
 	    emit( "\necho \$$variable > \${VARDIR}/${physical}.address" );
 	}
 	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
 	    my $variable = interface_gateway( $interface );
 	    emit( qq(\necho "\$$variable" > \${VARDIR}/${physical}.gateway) );
 	}
    } else {
 	if ( $shared ) {
 	    emit( "fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Started\"" );
@@ -1161,7 +1149,7 @@ CEOF
 		$via = "dev $physical";
 	    }
-	    $via .= " weight $weight" unless $weight < 0;
+	    $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
 	    $via .= " $realm"         if $realm;
 	    emit( qq(delete_gateway "$via" $tbl $physical) );
@@ -1183,7 +1171,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
+		   "    rm -f \${VARDIR}/${physical}_enabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1256,7 +1244,7 @@ sub add_an_rtrule1( $$$$$ ) {
    if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
    } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address( '&', $source, undef, 1 );
+	$source = 'from ' . record_runtime_address '&', $source;
    } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -1510,17 +1498,11 @@ sub finish_providers() {
    if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
 	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
-	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
+	    emit  ( "    qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" );
-		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
+	    emit  ( "    run_ip route add default scope global table $table \$DEFAULT_ROUTE" );
 		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
 		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
 		    '    fi',
 		    '' );
 	}
 	if ( $config{USE_DEFAULT_RT} ) {
@@ -1574,11 +1556,10 @@ sub finish_providers() {
    if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}
@@ -1695,7 +1676,7 @@ EOF
 		emit ( "    if [ ! -f \${VARDIR}/undo_${provider}_routing ]; then",
 		       "        start_interface_$provider" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit ( "    if [ -f \${VARDIR}/$providerref->{physical}_disabled ]; then",
+		emit ( "    if [ ! -f \${VARDIR}/$providerref->{physical}_enabled ]; then",
 		       "        start_provider_$provider" );
 	    } else {
 		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
@@ -1746,7 +1727,7 @@ EOF
 	    if ( $providerref->{pseudo} ) {
 		emit( "    if [ -f \${VARDIR}/undo_${provider}_routing ]; then" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit( "    if [ ! -f \${VARDIR}/$providerref->{physical}_disabled ]; then" );
+		emit( "    if [ -f \${VARDIR}/$providerref->{physical}_enabled ]; then" );
 	    } else {
 		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
 	    }
@@ -2132,31 +2113,9 @@ sub provider_realm( $ ) {
 #
 sub handle_optional_interfaces( $ ) {
-    my @interfaces;
+    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
    my $wildcards;
-    #
+    if ( @$interfaces ) {
    # First do the provider interfacess. Those that are real providers will never have wildcard physical
    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
    # wildcard physical names are also included in the providers table.
    #
    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
 	push @interfaces, $providerref->{interface};
 	$wildcards ||= $providerref->{wildcard};
    }
    #
    # Now do the optional wild interfaces
    #
    for my $interface ( grep interface_is_optional($_) && ! $provider_interfaces{$_}, all_real_interfaces ) {
 	push@interfaces, $interface;
 	unless ( $wildcards ) {
 	    my $interfaceref = find_interface($interface);
 	    $wildcards = 1 if $interfaceref->{wildcard};
 	}
    }
    if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
@@ -2167,7 +2126,7 @@ sub handle_optional_interfaces( $ ) {
 	#
 	# Clear the '_IS_USABLE' variables
 	#
-	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @interfaces;
+	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
 	if ( $wildcards ) {
 	    #
@@ -2184,109 +2143,74 @@ sub handle_optional_interfaces( $ ) {
 	    emit '';
 	}
-	for my $interface ( @interfaces ) {
+	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
-	    if ( my $provider = $provider_interfaces{ $interface } ) {
+	    my $provider    = $provider_interfaces{$interface};
-		my $physical     = get_physical $interface;
+	    my $physical    = get_physical $interface;
-		my $base         = uc var_base( $physical );
+	    my $base        = uc var_base( $physical );
-		my $providerref  = $providers{$provider};
+	    my $providerref = $providers{$provider};
 		my $interfaceref = known_interface( $interface );
 		my $wildbase     = uc $interfaceref->{base};
-		emit( "$physical)" ), push_indent if $wildcards;
+	    emit( "$physical)" ), push_indent if $wildcards;
-		if ( $provider eq $physical ) {
+	    if ( $provider eq $physical ) {
-		    #
+		#
-		    # Just an optional interface, or provider and interface are the same
+		# Just an optional interface, or provider and interface are the same
-		    #
+		#
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		} else {
+	    } else {
-		    #
+		#
-		    # Provider
+		# Provider
-		    #
+		#
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		}
+	    }
 	    push_indent;
 	    if ( $providerref->{gatewaycase} eq 'detect' ) {
 		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 	    } else {
 		emit qq(if interface_is_usable $physical; then);
 	    }
 	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'fi' );
 	    pop_indent;
 	    emit( "fi\n" );
 	    emit( ';;' ), pop_indent if $wildcards;
 	}
 	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
 	    my $physical    = get_physical $interface;
 	    my $base        = uc var_base( $physical );
 	    my $case        = $physical;
 	    my $wild        = $case =~ s/\+$/*/;
 	    if ( $wildcards ) {
 		emit( "$case)" );
 		push_indent;
-		if ( $providerref->{gatewaycase} eq 'detect' ) {
+		if ( $wild ) {
-		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
+		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
 		} else {
 		    emit qq(if interface_is_usable $physical; then);
 		}
 		emit( '    HAVE_INTERFACE=Yes' ) if $require;
 		emit( "    SW_${base}_IS_USABLE=Yes" );
 		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
 		emit( 'fi' );
 		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
 		    my $variable = interface_address( $interface );
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.address ]; then",
 			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}
 		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
 		    my $variable = interface_gateway( $interface );
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
 			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}
 		pop_indent;
 		emit( "fi\n" );
 		emit( ';;' ), pop_indent if $wildcards;
 	    } else {
 		my $physical    = get_physical $interface;
 		my $base        = uc var_base( $physical );
 		my $case        = $physical;
 		my $wild        = $case =~ s/\+$/*/;
 		my $variable    = interface_address( $interface );
 		if ( $wildcards ) {
 		    emit( "$case)" );
 		    push_indent;
-
+		    emit ( 'if interface_is_usable $interface; then' );
 		    if ( $wild ) {
 			emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
 			push_indent;
 			emit ( 'if interface_is_usable $interface; then' );
 		    } else {
 			emit ( "if interface_is_usable $physical; then" );
 		    }
 		} else {
 		    emit ( "if interface_is_usable $physical; then" );
 		}
 	    } else {
 		emit ( "if interface_is_usable $physical; then" );
 	    }
-		emit ( '    HAVE_INTERFACE=Yes' ) if $require;
+	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
-		emit ( "    SW_${base}_IS_USABLE=Yes" ,
+	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
-		       'fi' );
+		   'fi' );
-		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
+	    if ( $wildcards ) {
-		    emit( '',
+		pop_indent, emit( 'fi' ) if $wild;
-			  "if [ -f \${VARDIR}/${physical}.address ]; then",
+		emit( ';;' );
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+		pop_indent;
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}
 		if ( $wildcards ) {
 		    pop_indent, emit( 'fi' ) if $wild;
 		    emit( ';;' );
 		    pop_indent;
 		}
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -122,7 +122,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
 	}
-	my ( $tgt, $options ) = split( ' ', $2, 2 );
+	my ( $tgt, $options ) = split( ' ', $2 );
 	my $target_type = $builtin_target{$tgt};
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
@@ -368,19 +368,12 @@ sub setup_conntrack($) {
    if ( $convert ) {
 	my $conntrack;
 	my $empty  = 1;
-	my $date = compiletime;
+	my $date = localtime;
 	my $fn1 = find_writable_file 'conntrack';
-	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
+	if ( $fn ) {
-
+	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
 	if ( -f $fn1 ) {
 	    open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
 	} else {
-	    open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
+	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
 	    #
 	    # Transfer permissions from the existing notrack file
 	    #
 	    transfer_permissions( $fn, $fn1 );
 	    print $conntrack <<'EOF';
 #
@@ -403,6 +396,8 @@ EOF
 	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
 	       "#\n" );
 	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
 	while ( read_a_line( PLAIN_READ ) ) {
 	    #
 	    # Don't copy the header comments from the old notrack file
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -42,7 +42,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( process_tc setup_tc );
-our @EXPORT_OK = qw( initialize );
+our @EXPORT_OK = qw( process_tc_rule initialize );
 our $VERSION = 'MODULEVERSION';
 our %flow_keys = ( 'src'            => 1,
@@ -350,10 +350,9 @@ sub process_simple_device() {
    for ( my $i = 1; $i <= 3; $i++ ) {
 	my $prio = 16 | $i;
 	my $j    = $i + 3;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
 	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle $j flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
    }
@@ -827,7 +826,7 @@ sub validate_tc_class( ) {
 		fatal_error "Invalid 'occurs' ($val)"                               unless defined $occurs && $occurs > 1 && $occurs <= 256;
 		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > $globals{TC_MAX};
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
-               fatal_error q(The 'occurs' option is not valid with 'default')      if defined($devref->{default}) && $devref->{default} == $classnumber;
+		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
 		warning_message "MARK ($mark) is ignored on an occurring class"     if $mark ne '-';
@@ -1308,8 +1307,6 @@ sub handle_ematch( $$ ) {
    $setname =~ s/\+//;
    add_ipset($setname);
    return "ipset\\($setname $options\\)";
 }
@@ -1520,7 +1517,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 	$rule .= ' and' if $have_rule;
 	if ( $source =~ /^\+/ ) {
-	    $rule .= join( '', "\\\n   ", handle_ematch( $source, 'src' ) );
+	    $rule = join( '', "\\\n   ", handle_ematch( $source, 'src' ) );
 	} else {
 	    my @parts = decompose_net_u32( $source );
@@ -1559,9 +1556,9 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 		    $rule .= ' and' if @parts;
 		}
 	    }
 	}
-	$have_rule = 1;
+	    $have_rule = 1;
 	}
    }
    if ( $have_rule ) {
@@ -2150,50 +2147,6 @@ sub process_secmark_rule() {
    }
 }
 sub convert_one_tos( $ ) {
    my ( $mangle ) = @_;
    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
 	split_rawline2( 'tos file entry',
 			{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 },
 			undef,
 			7 );
    my $chain_designator = 'P';
    decode_tos($tos, 1);
    my ( $srczone , $source , $remainder );
    if ( $family == F_IPV4 ) {
 	( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
 	fatal_error 'Invalid SOURCE' if defined $remainder;
    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
 	$srczone = $1;
 	$source  = $2;
    } else {
 	$srczone = $src;
    }
    if ( $srczone eq firewall_zone ) {
 	$chain_designator = 'O';
 	$src         = $source || '-';
    } else {
 	$src =~ s/^all:?//;
    }
    $dst =~ s/^all:?//;
    $src    = '-' unless supplied $src;
    $dst    = '-' unless supplied $dst;
    $proto  = '-' unless supplied $proto;
    $ports  = '-' unless supplied $ports;
    $sports = '-' unless supplied $sports;
    $mark   = '-' unless supplied $mark;
    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
 }
 sub convert_tos($$) {
    my ( $mangle, $fn1 ) = @_;
@@ -2211,28 +2164,9 @@ sub convert_tos($$) {
    }
    if ( my $fn = open_file 'tos' ) {
 	directive_callback(
 	    sub ()
 	    {
 		if ( $_[0] eq 'OMITTED' ) {
 		    #
 		    # Convert the raw rule
 		    #
 		    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
 			print $mangle "$_[1]\n";
 		    } else {
 			convert_one_tos( $mangle );
 			$have_tos = 1;
 		    }
 		} else {
 		    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
 		}
 	    }
 	    );
 	first_entry(
 		    sub {
-			my $date = compiletime;
+			my $date = localtime;
 			progress_message2 "Converting $fn...";
 			print( $mangle
 			       "#\n" ,
@@ -2243,11 +2177,47 @@ sub convert_tos($$) {
 	while ( read_a_line( NORMAL_READ ) ) {
 	    convert_one_tos( $mangle );
 	    $have_tos = 1;
 	}
-	directive_callback(0);
+	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
 		split_line( 'tos file entry',
 			    { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
 	    my $chain_designator = 'P';
 	    decode_tos($tos, 1);
 	    my ( $srczone , $source , $remainder );
 	    if ( $family == F_IPV4 ) {
 		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
 		fatal_error 'Invalid SOURCE' if defined $remainder;
 	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
 		$srczone = $1;
 		$source  = $2;
 	    } else {
 		$srczone = $src;
 	    }
 	    if ( $srczone eq firewall_zone ) {
 		$chain_designator = 'O';
 		$src         = $source || '-';
 	    } else {
 		$src =~ s/^all:?//;
 	    }
 	    $dst =~ s/^all:?//;
 	    $src    = '-' unless supplied $src;
 	    $dst    = '-' unless supplied $dst;
 	    $proto  = '-' unless supplied $proto;
 	    $ports  = '-' unless supplied $ports;
 	    $sports = '-' unless supplied $sports;
 	    $mark   = '-' unless supplied $mark;
 	    print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
 	}
 	if ( $have_tos ) {
 	    progress_message2 "Converted $fn to $fn1";
@@ -2264,23 +2234,16 @@ sub convert_tos($$) {
    }
 }
-sub open_mangle_for_output( $ ) {
+sub open_mangle_for_output() {
    my ($fn ) = @_;
    my ( $mangle, $fn1 );
    if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
 	open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
    } else {
 	open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
-	#
+	print $mangle <<'EOF';
 	# Transfer permissions from the existing tcrules file to the new mangle file
 	#
 	transfer_permissions( $fn, $fn1 );
 	if ( $family == F_IPV4 ) {
 	    print $mangle <<'EOF';
 #
-# Shorewall -- /etc/shorewall/mangle
+# Shorewall version 4 - Mangle File
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
@@ -2290,31 +2253,13 @@ sub open_mangle_for_output( $ ) {
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##############################################################################################################################################################
+####################################################################################################################################################
-#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
+#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
 #                                                       PORT(S) PORT(S)
 EOF
 	} else {
 	    print $mangle <<'EOF';
 #
 # Shorewall6 -- /etc/shorewall6/mangle
 #
 # For information about entries in this file, type "man shorewall6-mangle"
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
 # http://shorewall.net/MultiISP.html
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
 ######################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP	SWITCH
 EOF
 	}
 	return ( $mangle, $fn1 );
    }
    return ( $mangle, $fn1 );
 }
 #
@@ -2324,13 +2269,13 @@ sub setup_tc( $ ) {
    $convert = $_[0];
    if ( $config{MANGLE_ENABLED} ) {
-	ensure_mangle_chain( 'tcpre', PREROUTING, PREROUTE_RESTRICT );
+	ensure_mangle_chain 'tcpre';
-	ensure_mangle_chain( 'tcout', OUTPUT    , OUTPUT_RESTRICT );
+	ensure_mangle_chain 'tcout';
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    ensure_mangle_chain( 'tcfor',  FORWARD    , NO_RESTRICT );
+	    ensure_mangle_chain 'tcfor';
-	    ensure_mangle_chain( 'tcpost', POSTROUTING, POSTROUTE_RESTRICT );
+	    ensure_mangle_chain 'tcpost';
-	    ensure_mangle_chain( 'tcin',   INPUT      , INPUT_RESTRICT );
+	    ensure_mangle_chain 'tcin';
 	}
 	my @mark_part;
@@ -2381,30 +2326,13 @@ sub setup_tc( $ ) {
 		#
 		# We are going to convert this tcrules file to the equivalent mangle file
 		#
-		( $mangle, $fn1 ) = open_mangle_for_output( $fn );
+		( $mangle, $fn1 ) = open_mangle_for_output;
-		directive_callback(
+		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
 		    sub ()
 		    {
 			if ( $_[0] eq 'OMITTED' ) {
 			    #
 			    # Convert the raw rule
 			    #
 			    if ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
 				print $mangle "$_[1]\n";
 			    } else {
 				process_tc_rule;
 				$have_tcrules++;
 			    }
 			} else {
 			    print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT';
 			}
 		    }
 		    );
 		first_entry(
 			    sub {
-				my $date = compiletime;
+				my $date = localtime;
 				progress_message2 "Converting $fn...";
 				print( $mangle
 				       "#\n" ,
@@ -2448,7 +2376,7 @@ sub setup_tc( $ ) {
 		    #
 		    # We are going to convert this tosfile to the equivalent mangle file
 		    #
-		    ( $mangle, $fn1 ) = open_mangle_for_output( $fn );
+		    ( $mangle, $fn1 ) = open_mangle_for_output;
 		    convert_tos( $mangle, $fn1 );
 		    close $mangle;
 		}
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -95,6 +95,7 @@ our @EXPORT = ( qw( NOTHING
                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    set_interface_provider
 		    interface_zone
 		    interface_zones
 		    verify_required_interfaces
@@ -194,6 +195,7 @@ our %reservedName = ( all => 1,
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     wildcard    => undef|1 # Wildcard Name
 #                                     zones       => { zone1 => 1, ... }
 #                                     origin      => <where defined>
@@ -335,7 +337,6 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
 				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -386,7 +387,6 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -396,6 +396,7 @@ sub initialize( $$ ) {
 				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
@@ -1116,8 +1117,6 @@ sub process_interface( $$ ) {
    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
    if ( supplied $port ) {
@@ -1192,7 +1191,6 @@ sub process_interface( $$ ) {
    my %options;
    $options{port} = 1 if $port;
    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
    my $hostoptionsref = {};
@@ -1236,8 +1234,6 @@ sub process_interface( $$ ) {
 		    } else {
 			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
 		    }
 		} elsif ( $option eq 'nodbl' ) {
 		    $options{dbl} = '0:0';
 		} else {
 		    $options{$option} = 1;
 		    $hostoptions{$option} = 1 if $hostopt;
@@ -1260,11 +1256,6 @@ sub process_interface( $$ ) {
 		    } else {
 			$options{arp_ignore} = 1;
 		    }
 		} elsif ( $option eq 'dbl' ) {
 		    my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
 		    fatal_error q(The 'dbl' option requires a value) unless defined $value;
 		    fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
 		} else {
 		    assert( 0 );
 		}
@@ -1315,7 +1306,7 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
+		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
 		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;
 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
@@ -1586,7 +1577,7 @@ sub known_interface($)
 					       name     => $i ,
 					       number   => $interfaceref->{number} ,
 					       physical => $physical ,
-					       base     => $interfaceref->{base} ,
+					       base     => var_base( $physical ) ,
 					       wildcard => $interfaceref->{wildcard} ,
 					       zones    => $interfaceref->{zones} ,
 		                              };
@@ -1915,7 +1906,7 @@ sub verify_required_interfaces( $ ) {
    my $returnvalue = 0;
-    my $interfaces = find_interfaces_by_option( 'wait');
+    my $interfaces = find_interfaces_by_option 'wait';
    if ( @$interfaces ) {
 	my $first = 1;
@@ -1981,7 +1972,7 @@ sub verify_required_interfaces( $ ) {
    }
-    $interfaces = find_interfaces_by_option( 'required' );
+    $interfaces = find_interfaces_by_option 'required';
    if ( @$interfaces ) {
@@ -2169,7 +2160,7 @@ sub process_host( ) {
    #
    $interface = '%vserver%' if $type & VSERVER;
-    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
+    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );
    progress_message "   Host \"$currentline\" validated";
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
@@ -41,7 +41,10 @@
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
-#         --update                    # Update configuration to current release
+#         --update                    # Update configuration to this release
 #         --tcrules                   # Create mangle from tcrules
 #         --routestopped              # Create stoppedrules from routestopped
 #         --notrack                   # Create conntrack from notrack
 #
 use strict;
 use FindBin;
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -38,11 +38,12 @@ fi
 #
 . /usr/share/shorewall/shorewallrc
-g_basedir=${SHAREDIR}/shorewall
+g_program=$PRODUCT
 g_sharedir="$SHAREDIR/shorewall"
 g_confdir="$CONFDIR/$PRODUCT"
 g_readrc=1
-. $g_basedir/lib.cli
+. $g_sharedir/lib.cli
 setup_product_environment
 CONFIG_PATH="$2"
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -49,7 +49,7 @@
 #					generated this program
 #
 ################################################################################
-# Functions imported from /usr/share/shorewall/lib.runtime
+# Functions imported from /usr/share/shorewall/lib.core
 ################################################################################
 #		      Address family-neutral Functions
 ################################################################################
@@ -526,6 +526,13 @@ debug_restore_input() {
 	qt1 $g_tool -t raw -P $chain ACCEPT
    done
    qt1 $g_tool -t rawpost -F
    qt1 $g_tool -t rawpost    -X
    for chain in POSTROUTING; do
 	qt1 $g_tool -t rawpost -P $chain ACCEPT
    done
    qt1 $g_tool -t nat    -F
    qt1 $g_tool -t nat    -X
@@ -575,6 +582,9 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
 	    '*'rawpost)
 		table=rawpost
 		;;
 	    '*'mangle)
 		table=mangle
 		;;
@@ -589,15 +599,7 @@ debug_restore_input() {
 }
 interface_enabled() {
-    status=0
+    return $(cat ${VARDIR}/$1.status)
    if [ -f ${VARDIR}/${1}_disabled ]; then
 	status=1
    elif [ -f ${VARDIR}/${1}.status ]; then
 	status=$(cat ${VARDIR}/${1}.status)
    fi
    return $status
 }
 distribute_load() {
@@ -676,10 +678,8 @@ interface_is_usable() # $1 = interface
    if ! loopback_interface $1; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
-	    if [ "$COMMAND" != enable ]; then
+	    [ "$COMMAND" = enable ] || run_isusable_exit $1
-		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
+	    status=$?
 		status=$?
 	    fi
 	else
 	    status=1
 	fi
@@ -996,16 +996,9 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
    if [ -n "$route" ]; then
 	if echo $route | grep -qF ' nexthop '; then
-	    if interface_is_up $3; then
+	    gateway="nexthop $gateway"
-		gateway="nexthop $gateway"
+	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
-	    else
+	    run_ip route replace table $2 $route
 		gateway="nexthop $gateway dead"
 	    fi
 	    if eval echo $route \| fgrep -q \'$gateway\'; then
 		eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
 		run_ip route replace table $2 $route
 	    fi
 	else
 	    dev=$(find_device $route)
 	    [ "$dev" = "$3" ] && run_ip route delete default table $2
@@ -1102,10 +1095,8 @@ interface_is_usable() # $1 = interface
    if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
-	    if [ "$COMMAND" != enable ]; then
+	    [ "$COMMAND" = enable ] || run_isusable_exit $1
-		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
+	    status=$?
 		status=$?
 	    fi
 	else
 	    status=1
 	fi
@@ -1119,7 +1110,7 @@ interface_is_usable() # $1 = interface
 #
 find_interface_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer [0-9a-f:]*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
 }
 #
@@ -1128,7 +1119,7 @@ find_interface_addresses() # $1 = interface
 find_interface_full_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
 }
 #
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -25,7 +25,6 @@ usage() {
    echo "   savesets <file>"
    echo "   call <function> [ <parameter> ... ]"
    echo "   version"
    echo "   info"
    echo
    echo "Options are:"
    echo
@@ -128,9 +127,6 @@ g_compiled=
 g_file=
 g_docker=
 g_dockernetwork=
 g_forcereload=
 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
 initialize
@@ -473,10 +469,6 @@ case "$COMMAND" in
 	echo $SHOREWALL_VERSION
 	status=0
 	;;
    info)
 	[ $# -ne 1 ] && usage 2
 	info_command
 	;;
    help)
 	[ $# -ne 1 ] && usage 2
 	usage 0
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
+#  Shorewall Version 4.4 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
@@ -23,12 +23,6 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -47,11 +41,11 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=
 MACLIST_LOG_LEVEL=info
@@ -75,7 +69,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -134,16 +128,20 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=Yes
+AUTOMAKE=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=No
 CLEAR_TC=Yes
@@ -174,8 +172,6 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -246,14 +242,10 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
@@ -291,3 +283,5 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -34,12 +34,6 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -58,11 +52,11 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=
 MACLIST_LOG_LEVEL=info
@@ -86,7 +80,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -145,16 +139,20 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=Yes
+AUTOMAKE=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=No
 CLEAR_TC=Yes
@@ -185,8 +183,6 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -257,14 +253,10 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
@@ -302,3 +294,5 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -0,0 +1,19 @@
 #
 # Shorewall - Sample Masq file for three-interface configuration.
 # Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
 ################################################################################################################
 #INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
 #											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
 			192.168.0.0/16
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -31,12 +31,6 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -55,11 +49,11 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=
 MACLIST_LOG_LEVEL=info
@@ -83,7 +77,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -142,16 +136,20 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=Yes
+AUTOMAKE=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=Yes
 CLEAR_TC=Yes
@@ -182,8 +180,6 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -254,14 +250,10 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
@@ -299,3 +291,5 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/three-interfaces/snat
+++ b/Shorewall/Samples/three-interfaces/snat
@@ -1,23 +0,0 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
 # Copyright (C) 2006-2016 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See http://shorewall.net/manpages/shorewall-snat.html for more information
 ###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
 #
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
 			192.168.0.0/16		eth0
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -0,0 +1,19 @@
 #
 # Shorewall - Sample Masq file for two-interface configuration.
 # Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
 ################################################################################################################
 #INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
 #											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
 			192.168.0.0/16
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -34,12 +34,6 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
@@ -58,11 +52,11 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=
 MACLIST_LOG_LEVEL=info
@@ -86,7 +80,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -145,16 +139,20 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=Yes
+AUTOMAKE=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=No
 CLAMPMSS=Yes
 CLEAR_TC=Yes
@@ -185,8 +183,6 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
@@ -257,14 +253,10 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
@@ -302,3 +294,5 @@ PROVIDER_OFFSET=
 MASK_BITS=
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -1,23 +0,0 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
 # Copyright (C) 2006-2016 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See http://shorewall.net/manpages/shorewall-snat.html for more information
 ###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
 #
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
 			92.168.0.0/16		eth0
--- a/Shorewall/Actions/action.A_Drop
+++ b/Shorewall/Actions/action.A_Drop
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ b/Shorewall/Actions/action.A_Reject.deprecated
--- a/Shorewall/Actions/action.AutoBL
+++ b/Shorewall/Actions/action.AutoBL
--- a/Shorewall/Actions/action.AutoBLL
+++ b/Shorewall/Actions/action.AutoBLL
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
--- a/Shorewall/Actions/action.DNSAmp
+++ b/Shorewall/Actions/action.DNSAmp
--- a/Shorewall/Actions/action.Drop
+++ b/Shorewall/Actions/action.Drop
--- a/Shorewall/Actions/action.DropSmurfs
+++ b/Shorewall/Actions/action.DropSmurfs
--- a/Shorewall/Actions/action.Established
+++ b/Shorewall/Actions/action.Established
--- a/Shorewall/Actions/action.GlusterFS
+++ b/Shorewall/Actions/action.GlusterFS
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
--- a/Shorewall/Actions/action.Invalid
+++ b/Shorewall/Actions/action.Invalid
--- a/Shorewall/Actions/action.New
+++ b/Shorewall/Actions/action.New
--- a/Shorewall/Actions/action.NotSyn
+++ b/Shorewall/Actions/action.NotSyn
--- a/Shorewall/Actions/action.RST
+++ b/Shorewall/Actions/action.RST
--- a/Shorewall/Actions/action.Reject
+++ b/Shorewall/Actions/action.Reject
--- a/Shorewall/Actions/action.Related
+++ b/Shorewall/Actions/action.Related
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
--- a/Shorewall/Actions/action.TCPFlags
+++ b/Shorewall/Actions/action.TCPFlags
--- a/Shorewall/Actions/action.Untracked
+++ b/Shorewall/Actions/action.Untracked
--- a/Shorewall/Actions/action.allowInvalid
+++ b/Shorewall/Actions/action.allowInvalid
--- a/Shorewall/Actions/action.dropInvalid
+++ b/Shorewall/Actions/action.dropInvalid
--- a/Shorewall/Actions/action.mangletemplate
+++ b/Shorewall/Actions/action.mangletemplate
--- a/Shorewall/Actions/action.template
+++ b/Shorewall/Actions/action.template
--- a/Shorewall/configfiles/mangle
+++ b/Shorewall/configfiles/mangle
@@ -10,5 +10,5 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
-##############################################################################################################################################################
+####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP	SWITCH
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -23,12 +23,6 @@ VERBOSITY=1
 PAGER=
 ###############################################################################
 #			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
@@ -47,11 +41,11 @@ LOGALLNEW=
 LOGFILE=/var/log/messages
-LOGFORMAT="%s %s "
+LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGLIMIT="s:1/sec:10"
+LOGLIMIT=
 MACLIST_LOG_LEVEL=info
@@ -134,16 +128,20 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 BASIC_FILTERS=No
 IGNOREUNKNOWNVARIABLES=No
 AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=Yes
+AUTOMAKE=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
 CHAIN_SCRIPTS=Yes
 CLAMPMSS=No
 CLEAR_TC=Yes
@@ -174,15 +172,13 @@ FORWARD_CLEAR_MARK=
 HELPERS=
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=No
 IPSET_WARNINGS=Yes
-IP_FORWARDING=Keep
+IP_FORWARDING=On
 KEEP_RT_TABLES=No
@@ -208,7 +204,7 @@ MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
-OPTIMIZE=All
+OPTIMIZE=0
 OPTIMIZE_ACCOUNTING=No
@@ -246,14 +242,10 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
--- a/Shorewall/configfiles/snat
+++ b/Shorewall/configfiles/snat
@@ -1,9 +0,0 @@
 #
 # Shorewall -- /etc/shorewall/snat
 #
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See http://shorewall.net/manpages/shorewall-snat.html for more information
 #
 ###########################################################################################################################################
 #ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -4,7 +4,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 1 6
+# Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall
@@ -89,7 +89,7 @@ wait_for_pppd () {
 # start the firewall
 shorewall_start () {
-  printf "Starting \"Shorewall firewall\": "
+  echo -n "Starting \"Shorewall firewall\": "
  wait_for_pppd
  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
@@ -97,11 +97,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  echo -n "Stopping \"Shorewall firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
      printf "Stopping \"Shorewall firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
      printf "Clearing all \"Shorewall firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -109,21 +108,21 @@ shorewall_stop () {
 # reload the firewall
 shorewall_reload () {
-  printf "Reloading \"Shorewall firewall\": "
+  echo -n "Reloading \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS restart $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
 # restart the firewall
 shorewall_restart () {
-  printf "Restarting \"Shorewall firewall\": "
+  echo -n "Restarting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
 # refresh the firewall
 shorewall_refresh () {
-  printf "Refreshing \"Shorewall firewall\": "
+  echo -n "Refreshing \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
@@ -146,7 +145,7 @@ case "$1" in
  restart)
     shorewall_restart
     ;;
-  force-reload|reload)
+  force0reload|reload)
     shorewall_reload
     ;;
  status)
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi
 start() {
-    printf $"Starting Shorewall: "
+    echo -n $"Starting Shorewall: "
    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }
 stop() {
-    printf $"Stopping Shorewall: "
+    echo -n $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -66,7 +66,7 @@ stop() {
 }
 reload() {
-    printf $"Reloading Shorewall: "
+    echo -n $"Reloading Shorewall: "
    $shorewall $OPTIONS reload $RELOADOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -83,7 +83,7 @@ reload() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    printf $"Restarting Shorewall: "
+    echo -n $"Restarting Shorewall: "
    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -103,7 +103,7 @@ require()
 cd "$(dirname $0)"
-if [ -f shorewall.service ]; then
+if [ -f shorewall ]; then
    PRODUCT=shorewall
    Product=Shorewall
 else
@@ -175,6 +175,7 @@ if [ $# -eq 0 ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
@@ -380,9 +381,9 @@ fi
 echo "Installing $Product Version $VERSION"
 #
-# Check for /usr/share/$PRODUCT/version
+# Check for /sbin/$PRODUCT
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
@@ -393,6 +394,10 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreve
    exit 1
 fi
 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0755
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/${PRODUCT}
 echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 # Install the Firewall Script
 #
@@ -691,15 +696,17 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/maclist ]; then
    echo "mac list file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/maclist"
 fi
-#
+if [ -f masq ]; then
-# Install the SNAT file
+    #
-#
+    # Install the Masq file
-run_install $OWNERSHIP -m 0644 snat           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+    #
-run_install $OWNERSHIP -m 0644 snat.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+    run_install $OWNERSHIP -m 0644 masq           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
    run_install $OWNERSHIP -m 0644 masq.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/snat ]; then
+    if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/masq ]; then
-    run_install $OWNERSHIP -m 0600 snat${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/snat
+	run_install $OWNERSHIP -m 0600 masq${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/masq
-    echo "SNAT file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/snat"
+	echo "Masquerade file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/masq"
    fi
 fi
 if [ -f arprules ]; then
@@ -1042,11 +1049,18 @@ fi
 cd ..
 #
 # Install the  Makefiles
 #
 run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/Makefile
 if [ -z "$SPARSE" ]; then
    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
    echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
 fi
 #
 # Install the Action files
 #
 cd Actions
 for f in action.* ; do
    case $f in
 	*.deprecated)
@@ -1059,10 +1073,8 @@ for f in action.* ; do
 	    ;;
    esac
 done
-#
+
-# Now the Macros
+cd Macros
 #
 cd ../Macros
 for f in macro.* ; do
    case $f in
@@ -1094,10 +1106,7 @@ if [ $PRODUCT = shorewall6 ]; then
    # Symbolically link 'functions' to lib.base
    #
    ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
-    #
+    [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
    # And create a sybolic link for the CLI
    #
    ln -sf shorewall ${DESTDIR}${SBINDIR}/shorewall6
 fi
 if [ -d Perl ]; then
@@ -1172,7 +1181,7 @@ if [ -n "$MANDIR" ]; then
 cd manpages
-[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/
+[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
 for f in *.5; do
    gzip -9c $f > $f.gz
@@ -1180,8 +1189,6 @@ for f in *.5; do
    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
 done
 [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
 for f in *.8; do
    gzip -9c $f > $f.gz
    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
@@ -1208,7 +1215,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi
    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
-    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -48,10 +48,10 @@ get_config() {
    fi
    if [ "$(id -u)" -eq 0 ]; then
-	config=$(find_file ${PRODUCT}.conf)
+	config=$(find_file $g_program.conf)
    else
-	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
+	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
-	config="$g_shorewalldir/$PRODUCT.conf"
+	config="$g_shorewalldir/$g_program.conf"
    fi
    if [ -f $config ]; then
@@ -155,7 +155,7 @@ get_config() {
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
-		    not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${PRODUCT}.conf"
+		    not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"
 		    ;;
 		Yes|yes|YES)
 		    ;;
@@ -316,29 +316,53 @@ get_config() {
    g_loopback=$(find_loopback_interfaces)
-    [ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
+    if [ -n "$PAGER" -a -t 1 ]; then
 	case $PAGER in
 	    /*)
 		g_pager="$PAGER"
 		[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
 		;;
 	    *)
 		g_pager=$(mywhich pager 2> /dev/null)
 		[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
 		;;
 	esac
-    if [ -z "$g_nopager" ]; then
+	[ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 	if [ -n "$PAGER" -a -t 1 ]; then
 	    case $PAGER in
 		/*)
 		    g_pager="$PAGER"
 		    [ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
 		    ;;
 		*)
 		    g_pager=$(mywhich $PAGER 2> /dev/null)
 		    [ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
 		    ;;
 	    esac
-	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
+	g_pager="| $g_pager"
 	    g_pager="| $g_pager"
 	fi
    fi
    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	setup_dbl
+	case $DYNAMIC_BLACKLIST in
 	    [Nn]o)
 		DYNAMIC_BLACKLIST='';
 		;;
 	    [Yy]es)
 	        ;;
 	    ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
 		g_blacklistipset=SW_DBL$g_family
 		;;
 	    ipset:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset,src-dst:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset-only:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    ipset-only,src-dst:[a-zA-Z]*)
 		g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
 		g_blacklistipset=${g_blacklistipset%%:*}
 		;;
 	    *)
 		fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
 		;;
 	esac
    fi
    lib=$(find_file lib.cli-user)
@@ -397,8 +421,8 @@ compiler() {
    pc=${LIBEXECDIR}/shorewall/compiler.pl
    if [ $(id -u) -ne 0 ]; then
-	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
+	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$g_program ]; then
-	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
+	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
 	fi
    fi
    #
@@ -469,13 +493,13 @@ compiler() {
    case "$g_doing" in
 	Compiling|Checking)
-	    progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
+	    progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
 	    ;;
 	Updating)
 	    progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
 	    ;;
 	*)
-	    [ -n "$g_doing" ] && progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
+	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
 	    ;;
    esac
    #
@@ -580,7 +604,7 @@ start_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -596,8 +620,7 @@ start_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" -o -n "$g_fast" ] && usage 2
 	    [ -n "$g_fast" ]         && fatal_error "Directory may not be specified with the -f option"
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -611,7 +634,7 @@ start_command() {
 	    AUTOMAKE=
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac
@@ -640,6 +663,8 @@ compile_command() {
 		shift
 		option=${option#-}
 		[ -z "$option" ] && usage 1
 		while [ -n "$option" ]; do
 		    case $option in
 			e*)
@@ -676,7 +701,7 @@ compile_command() {
 			    option=
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -698,7 +723,7 @@ compile_command() {
 	    [ -d "$g_file" ] && fatal_error "$g_file is a directory"
 	    ;;
 	2)
-	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -712,7 +737,7 @@ compile_command() {
 	    g_file=$2
 	    ;;
 	*)
-	    too_many_arguments $3
+	    usage 1
 	    ;;
    esac
@@ -766,7 +791,7 @@ check_command() {
 			    option=${option#i}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -782,7 +807,7 @@ check_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -795,7 +820,7 @@ check_command() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac
@@ -858,7 +883,7 @@ update_command() {
 			    option=${option#A}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -874,7 +899,7 @@ update_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" ] && usage 2
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -887,7 +912,7 @@ update_command() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac
@@ -952,7 +977,7 @@ restart_command() {
 			    option=${option#C}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -968,7 +993,7 @@ restart_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" ] && usage 2
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -983,7 +1008,7 @@ restart_command() {
 	    AUTOMAKE=
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac
@@ -1061,7 +1086,7 @@ refresh_command() {
 			    fi
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1144,7 +1169,7 @@ safe_commands() {
 			    shift;
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1160,7 +1185,7 @@ safe_commands() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	    [ -n "$g_shorewalldir" ] && usage 2
 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -1173,7 +1198,7 @@ safe_commands() {
 	    g_shorewalldir=$(resolve_file $1)
 	    ;;
 	*)
-	    too_many_arguments $2
+	    usage 1
 	    ;;
    esac
@@ -1229,13 +1254,13 @@ safe_commands() {
    if run_it ${VARDIR}/.$command $g_debugging $command; then
-	printf "Do you want to accept the new firewall configuration? [y/n] "
+	echo -n "Do you want to accept the new firewall configuration? [y/n] "
 	if read_yesno_with_timeout $timeout ; then
 	    echo "New configuration has been accepted"
 	else
 	    if [ "$command" = "restart" -o "$command" = "reload" ]; then
-		run_it ${VARDIR}/.safe -r restore
+		run_it ${VARDIR}/.safe restore
 	    else
 		run_it ${VARDIR}/.$command clear
 	    fi
@@ -1261,7 +1286,7 @@ try_command() {
    timeout=
    handle_directory() {
-	[ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+	[ -n "$g_shorewalldir" ] && usage 2
 	if [ ! -d $1 ]; then
 	    if [ -e $1 ]; then
@@ -1291,7 +1316,7 @@ try_command() {
 			    option=${option#n}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1305,7 +1330,7 @@ try_command() {
    case $# in
 	0)
-	    missing_argument
+	    usage 1
 	    ;;
 	1)
 	    handle_directory $1
@@ -1316,7 +1341,7 @@ try_command() {
 	    timeout=$2
 	    ;;
 	*)
-	    too_many_arguments $3
+	    usage 1
 	    ;;
    esac
@@ -1419,7 +1444,6 @@ remote_reload_command() # $* = original arguments less the command.
    sharedir=${SHAREDIR}
    local litedir
    local exitstatus
    local program
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1447,12 +1471,6 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=
 			    shift
 			    ;;
 			D)
 			    [ $# -gt 1 ] || fatal_error "Missing directory name"
 			    g_shorewalldir=$2
 			    option=
 			    shift
 			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
@@ -1462,7 +1480,7 @@ remote_reload_command() # $* = original arguments less the command.
 			    option=${option#i}
 			    ;;
 			*)
-			    option_error $option
+			    usage 1
 			    ;;
 		    esac
 		done
@@ -1475,9 +1493,6 @@ remote_reload_command() # $* = original arguments less the command.
    done
    case $# in
 	0)
 	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
 	    ;;
 	1)
 	    g_shorewalldir="."
 	    system=$1
@@ -1487,7 +1502,7 @@ remote_reload_command() # $* = original arguments less the command.
 	    system=$2
 	    ;;
 	*)
-	    too_many_arguments $3
+	    usage 1
 	    ;;
    esac
@@ -1496,17 +1511,12 @@ remote_reload_command() # $* = original arguments less the command.
 	sbindir="$SBINDIR"
 	confdir="$CONFDIR"
 	libexec="$LIBEXECDIR"
 	litedir="${VARDIR}-lite"
 	. $sharedir/shorewall/shorewallrc
    else
-	error_message "   WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $g_basedir/shorewalrc" >&2
+	error_message "   WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $SHAREDIR/shorewall" >&2
 	sbindir="$SBINDIR"
 	confdir="$CONFDIR"
 	libexec="$LIBEXECDIR"
 	litedir="${VARDIR}-lite"
    fi
-    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
+    if [ -f $g_shorewalldir/${g_program}.conf ]; then
 	if [ -f $g_shorewalldir/params ]; then
 	    . $g_shorewalldir/params
 	fi
@@ -1516,13 +1526,8 @@ remote_reload_command() # $* = original arguments less the command.
 	get_config No
 	g_haveconfig=Yes
 	if [ -z "$system" ]; then
 	    system=$FIREWALL
 	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
 	fi
    else
-	fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist"
+	fatal_error "$g_shorewalldir/$g_program.conf does not exist"
    fi
    if [ -z "$getcaps" ]; then
@@ -1547,14 +1552,12 @@ remote_reload_command() # $* = original arguments less the command.
    g_export=Yes
-    program=$sbindir/${PRODUCT}-lite
+    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
    #
    # Handle nonstandard remote VARDIR
    #
    temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
    [ -n "$temp" ] && litedir="$temp"
    [ -n "$litedir" ] || litedir=${VARLIB}/${g_program}-lite
    g_file="$g_shorewalldir/firewall"
    exitstatus=0
@@ -1565,29 +1568,30 @@ remote_reload_command() # $* = original arguments less the command.
 	    save=$(find_file save);
 	    if [ -f $save ]; then
-		progress_message3 "Copying $save to ${system}:${confdir}/${PRODUCT}-lite/"
+		progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/"
-		rcp_command $save ${confdir}/$PRODUCT/
+		rcp_command $save ${confdir}/shorewall-lite/
 		exitstatus=$?
 	    fi
 	    if [ $exitstatus -eq 0 ]; then
 		progress_message3 "Copy complete"
 		if [ $COMMAND = remote-reload ]; then
-		    if rsh_command "$program $g_debugging $verbose $timestamp reload"; then
+		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload"; then
 			progress_message3 "System $system reloaded"
 		    else
 			exitstatus=$?
 			savit=
 		    fi
 		elif [ $COMMAND = remote-restart ]; then
-		    if rsh_command "$program $g_debugging $verbose $timestamp restart"; then
+		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart"; then
 			progress_message3 "System $system restarted"
 		    else
 			exitstatus=$?
 			saveit=
 		    fi
-		elif rsh_command "$program $g_debugging $verbose $timestamp start"; then
+		elif rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start"; then
 		    progress_message3 "System $system started"
 		else
 		    exitstatus=$?
@@ -1595,7 +1599,7 @@ remote_reload_command() # $* = original arguments less the command.
 		fi
 		if [ -n "$saveit" ]; then
-		    if rsh_command "$program $g_debugging $verbose $timestamp save"; then
+		    if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save"; then
 			progress_message3 "Configuration on system $system saved"
 		    else
 			exitstatus=$?
@@ -1660,7 +1664,7 @@ export_command() # $* = original arguments less the command.
 	    target=$2
 	    ;;
 	*)
-	    fatal_error "Invalid command syntax (\"man shorewall\" for help)"
+	    fatal_error "Invalid command syntax (\"man $g_program\" for help)"
 	    ;;
    esac
@@ -1738,7 +1742,7 @@ compiler_command() {
 	    safe_commands $@
 	    ;;
 	*)
-	    fatal_error "Invalid command: $COMMAND"
+	    usage 1
 	    ;;
    esac
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -154,20 +154,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>nat</option></term>
              <listitem>
                <para>Added in Shorewall 5.0.13. Specifies that this action is
                to be used in <ulink
                url="shorewall-snat.html">shorewall-snat(5)</ulink> rather
                than <ulink
                url="shorewall-rules.html">shorewall-rules(5)</ulink>. The
                <option>mangle</option> and <option>nat</option> options are
                mutually exclusive.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>noinline</option></term>
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -380,7 +380,7 @@
      </varlistentry>
      <varlistentry>
-        <term>SOURCE (format 3 prior to Shorewall 5.1.0) ‒
+        <term>SOURCE (format 3) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
        <listitem>
@@ -394,91 +394,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">SOURCE (format 3 on Shorewall 5.1.0 and
+        <term>DEST ‒
        later) -
        {-|[<replaceable>source-spec</replaceable>[,...]]}</emphasis></term>
        <listitem>
          <para>where <replaceable>source-spec</replaceable> is one of the
          following:</para>
          <variablelist>
            <varlistentry>
              <term><replaceable>interface</replaceable></term>
              <listitem>
                <para>Where interface is the logical name of an interface
                defined in <ulink
                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>where <replaceable>address</replaceable> may be:</para>
                <itemizedlist>
                  <listitem>
                    <para>A host or network IP address.</para>
                  </listitem>
                  <listitem>
                    <para>A MAC address in Shorewall format (preceded by a
                    tilde ("~") and using dash ("-") as a separator.</para>
                  </listitem>
                  <listitem>
                    <para>The name of an ipset preceded by a plus sign ("+").
                    See <ulink
                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
                  </listitem>
                </itemizedlist>
                <para><replaceable>exclusion</replaceable> is described in
                <ulink
                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>This form combines the preceding two and requires that
                both the incoming interace and source address match.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>exclusion</replaceable></term>
              <listitem>
                <para>See <ulink
                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
                (5)</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Beginning with Shorewall 5.1.0, multiple
          <replaceable>source-spec</replaceable>s separated by commas may be
          specified provided that the following alternative forms are
          used:</para>
          <blockquote>
            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para>(<replaceable>exclusion</replaceable>)</para>
          </blockquote>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>DEST (Prior to Shorewall 5.1.0) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
        <listitem>
@@ -490,89 +406,6 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST (Shorewall 5.1.0 and later) -
        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
        <listitem>
          <para>where <replaceable>dest-spec</replaceable> is one of the
          following:</para>
          <variablelist>
            <varlistentry>
              <term><replaceable>interface</replaceable></term>
              <listitem>
                <para>Where interface is the logical name of an interface
                defined in <ulink
                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>where <replaceable>address</replaceable> may be:</para>
                <itemizedlist>
                  <listitem>
                    <para>A host or network IP address.</para>
                  </listitem>
                  <listitem>
                    <para>A MAC address in Shorewall format (preceded by a
                    tilde ("~") and using dash ("-") as a separator.</para>
                  </listitem>
                  <listitem>
                    <para>The name of an ipset preceded by a plus sign ("+").
                    See <ulink
                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
                  </listitem>
                </itemizedlist>
                <para><replaceable>exclusion</replaceable> is described in
                <ulink
                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
              <listitem>
                <para>This form combines the preceding two and requires that
                both the outgoing interace and destination address
                match.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><replaceable>exclusion</replaceable></term>
              <listitem>
                <para>See <ulink
                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
                (5)</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>Beginning with Shorewall 5.1.0, multiple source-specs
          separated by commas may be specified provided that the following
          alternative forms are used:</para>
          <blockquote>
            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
            <para>(<replaceable>exclusion</replaceable>)</para>
          </blockquote>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PROTO ‒
        <replaceable>protocol-name-or-number</replaceable>[,...]</term>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -306,72 +306,6 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.0.10. This option defined whether
                or not dynamic blacklisting is applied to packets entering the
                firewall through this interface and whether the source address
                and/or destination address is to be compared against the
                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
                <ulink
                url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
                The default is determine by the setting of
                DYNAMIC_BLACKLIST:</para>
                <variablelist>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=No</term>
                    <listitem>
                      <para>Default is <emphasis role="bold">none</emphasis>
                      (e.g., no dynamic blacklist checking).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=Yes</term>
                    <listitem>
                      <para>Default is <emphasis role="bold">src</emphasis>
                      (e.g., the source IP address is checked).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src</emphasis>.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
                    <listitem>
                      <para>Default is <emphasis
                      role="bold">src-dst</emphasis> (e.g., the source IP
                      addresses in checked against the ipset on input and the
                      destination IP address is checked against the ipset on
                      packets originating from the firewall and leaving
                      through this interface).</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
                <para>The normal setting for this option will be <emphasis
                role="bold">dst</emphasis> or <emphasis
                role="bold">none</emphasis> for internal interfaces and
                <emphasis role="bold">src</emphasis> or <emphasis
                role="bold">src-dst</emphasis> for Internet-facing
                interfaces.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">destonly</emphasis></term>
@@ -414,7 +348,7 @@ loc     eth2            -</programlisting>
                      url="../bridge-Shorewall-perl.html">Shorewall-perl for
                      firewall/bridging</ulink>, then you need to include
                      DHCP-specific rules in <ulink
-                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
+                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
                      DHCP uses UDP ports 67 and 68.</para>
                    </note>
                  </listitem>
@@ -446,7 +380,7 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">loopback</emphasis></term>
+              <term>loopback</term>
              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -517,8 +451,8 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold"><emphasis
+              <term><emphasis
-              role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
+              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
@@ -559,10 +493,7 @@ loc     eth2            -</programlisting>
              <listitem>
                <para>Added in Shorewall 5.0.8. When specified, dynamic
-                blacklisting is disabled on the interface. Beginning with
+                blacklisting is disabled on the interface.</para>
                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
                equivalent to <emphasis
                role="bold">dbl=none</emphasis>.</para>
              </listitem>
            </varlistentry>
@@ -774,7 +705,7 @@ loc     eth2            -</programlisting>
                iptables and kernel. It provides a more efficient alternative
                to the <option>sfilter</option> option below. It performs a
                function similar to <option>routefilter</option> (see above)
-                but works with Multi-ISP configurations that do not use
+                but works with Multi-ISP configurations that do now use
                balanced routes.</para>
              </listitem>
            </varlistentry>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	cae7c5d300	Fix link Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-01 10:44:12 -07:00
Tom Eastep	bba851117a	Correct typo in manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-01 10:44:01 -07:00
Matt Darfeuille	91702f094d	patches and request Tom, Some patches for the trunk repo(fixes.patch): Patch1: Fix a typo in the path being printed for the standard actions file. Patch2: Will only install the shorewall's manpages if the variable MANDIR is none-empty(I did it only for the sake of completeness)! Patch3: Will only install the shorewall-lite's manpages if the variable MANDIR is none-empty. Patch4: Correct multiple product name's typos in shorewall-init/install.sh. Patch5: Remove ~/.shorewallrc when shorewall-core is uninstalled. And two other patches for the release repo(changelog-1.patch): Patch1: Changed restart to reload for the line: 'Update DHCP article(refresh -> restart). Patch2: Rephrased the line for the newly added ?WARNING and ?INFO directives. Request: Could the date of the compiled firewall script also be displayed when 'shorewall status' is executed? -Matt -------------- Enclosure number 2 ---------------- >From a5ae24bbe9b25aefdbcc4d7c8e5d013a36b03078 Mon Sep 17 00:00:00 2001 From: Matt Darfeuille <matdarf@gmail.com> Date: Sat, 23 Apr 2016 14:44:19 +0200 Subject: [PATCH 1/5] Fix typo in printed path for standard actions file Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-28 16:42:52 -07:00
Tom Eastep	49c94bc5ec	Fix Shorewall6 init.sh Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-28 16:42:32 -07:00