Clean up column/value pair editing.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Set $parmsmodified on ?reset
2017-03-22 09:47:48 -07:00 · 2017-03-18 12:39:33 -07:00
205 changed files with 19554 additions and 6109 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -2,7 +2,7 @@
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
 #
-#     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
@@ -190,7 +190,7 @@ for p in ${!params[@]}; do
 done
 echo '#'                                                                 > shorewallrc
-echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc
+echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
 echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -173,12 +173,7 @@ my $outfile;
 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
-if ( $ENV{SOURCE_DATE_EPOCH} ) {
+printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date  --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`;
 } else {
    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
 }
 print $outfile "# rc file: $rcfilename\n#\n";
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -335,8 +335,9 @@ for f in lib.* ; do
 done
 if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.cli
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
 fi
 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.base
+# Shorewall 5.0 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.cli.
+# Shorewall 5.0 -- /usr/share/shorewall/lib.cli.
 #
-#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=50106
+SHOREWALL_CAPVERSION=50100
 if [ -z "$g_basedir" ]; then
    #
@@ -47,10 +47,6 @@ startup_error() {
    exit 1
 }
 only_root() {
    [ "$(id -u)" != 0 ] && fatal_error "The '$COMMAND' command may only be run by root"
 }
 #
 # Display a chain if it exists
 #
@@ -1141,31 +1137,16 @@ show_a_macro() {
    cat ${directory}/macro.$1
 }
 #
-# Don't dump empty SPD entries or entries from the other address family
+# Don't dump empty SPD entries
 #
-spd_filter() {
+spd_filter()
-    #
+{
-    # af   = Address Family (4 or 6)
+    awk \
-    # afok = Address Family of entry matches af
+    'BEGIN            { skip=0; }; \
-    # p    = print the contents of A (entry is not empty)
+    /^src/            { skip=0; }; \
-    # i    = Number of lines stored in A
+    /^src 0.0.0.0\/0/ { skip=1; }; \
-    #
+    /^src ::\/0/      { skip=1; }; \
-    awk -v af=$g_family \
+                      { if ( skip == 0 ) print; };'
 	'function prnt(A,i,    j) { while ( j < i ) print A[j++]; };\
 \
 	 /^src / { if (p) prnt( A, i );\
 		   afok = 1;\
 		   p	= 0;\
 		   i	= 0;\
 		   if ( af == 4 )\
 		       { if ( /:/ )  afok = 0; }\
 		   else\
 		       { if ( /\./ ) afok = 0; }\
 		 };\
 		 { if ( afok ) A[i++] = $0; };\
 	 /tmpl/	 { p = afok; };\
 \
 	 END	 { if (p) prnt( A, i ); }'
 }
 #
 # Print a heading with leading and trailing black lines
@@ -1178,8 +1159,7 @@ heading() {
 show_ipsec() {
    heading "PFKEY SPD"
-    $IP -s -$g_family xfrm policy | spd_filter
+    $IP -s xfrm policy | spd_filter
    heading "PFKEY SAD"
    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }
@@ -1207,7 +1187,6 @@ show_command() {
    show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
 	if [ -n "$foo" ]; then
 	    macro=$(basename $macro)
 	    macro=${macro#*.}
 	    foo=${foo%.*}
 	    if [ ${#macro} -gt 5 ]; then
@@ -1302,47 +1281,37 @@ show_command() {
    [ -n "$g_debugging" ] && set -x
    COMMAND="$COMMAND $1"
    case "$1" in
 	connections)
 	    only_root
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	tos|mangle)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && too_many_arguments $2
 	    only_root
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
 	    only_root
 	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
@@ -1366,7 +1335,6 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
@@ -1403,7 +1371,6 @@ show_command() {
 	    fi
 	    ;;
 	chain)
 	    only_root
 	    shift
 	    eval show_chain $@ $g_pager
 	    ;;
@@ -1411,31 +1378,26 @@ show_command() {
 	    echo $VARDIR;
 	    ;;
 	policies)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
 	    only_root
 	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1445,7 +1407,6 @@ show_command() {
 	    ;;
 	event)
 	    [ $# -gt 1 ] || too_many_arguments $2
 	    only_root
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
@@ -1453,18 +1414,14 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    setup_dbl
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 	    if chain_exists dynamic; then
@@ -1475,7 +1432,6 @@ show_command() {
 	    ;;
 	ipsec)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    eval show_ipsec_command $g_pager
 	    ;;
 	*)
@@ -1524,8 +1480,6 @@ show_command() {
 		    ;;
 	    esac
 	    only_root
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
@@ -1843,7 +1797,7 @@ do_dump_command() {
    echo
-    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netstat -tunap; }
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -2575,114 +2529,109 @@ hits_command() {
    fi
 }
 #
 # Issue an error message and terminate if the firewall isn't started
 #
 require_started() {
    if ! product_is_started; then
 	error_message "ERROR: $g_product is not started"
 	exit 2
    fi
 }
 #
 # 'allow' command executor
 #
 allow_command() {
    local allowed
    local which
    which='-s'
    local range
    range='--src-range'
    local dynexists
    [ -n "$g_debugging" ] && set -x
    [ $# -eq 1 ] && missing_argument
-    if [ -n "$g_blacklistipset" ]; then
+    if product_is_started ; then
-	case ${IPSET:=ipset} in
+	local allowed
-	    */*)
+	local which
-		if [ ! -x "$IPSET" ]; then
+	which='-s'
-		    fatal_error "IPSET=$IPSET does not exist or is not executable"
+	local range
-		fi
+	range='--src-range'
-		;;
+	local dynexists
 	    *)
 		IPSET="$(mywhich $IPSET)"
 		[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
 		;;
 	esac
    fi
-    if chain_exists dynamic; then
+	if [ -n "$g_blacklistipset" ]; then
 	dynexists=Yes
    elif [ -z "$g_blacklistipset" ]; then
 	require_started
 	fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
    fi
-    [ -n "$g_nolock" ] || mutex_on
+	    case ${IPSET:=ipset} in
-
+		*/*)
-    while [ $# -gt 1 ]; do
+		    if [ ! -x "$IPSET" ]; then
-	shift
+			fatal_error "IPSET=$IPSET does not exist or is not executable"
 	allowed=''
 	case $1 in
 	    from)
 		which='-s'
 		range='--src-range'
 		continue
 		;;
 	    to)
 		which='-d'
 		range='--dst-range'
 		continue
 		;;
 	    *-*)
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			allowed=Yes
 		    fi
-		fi
+		    ;;
-
+		*)
-		if [ -n "$dynexists" ]; then
+		    IPSET="$(mywhich $IPSET)"
-		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
-			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+		    ;;
-			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+	    esac
 			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
 		    then
 			allowed=Yes
 		    fi
 		fi
 		;;
 	    *)
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			allowed=Yes
 		    fi
 		fi
 		if [ -n "$dynexists" ]; then
 		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
 		        qt $g_tool -D dynamic $which $1 -j DROP      ||\
 			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
 			qt $g_tool -D dynamic $which $1 -j logreject
 		    then
 			allowed=Yes
 		    fi
 		fi
 		;;
 	esac
 	if [ -n "$allowed" ]; then
 	    progress_message2 "$1 Allowed"
 	else
 	    error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
 	fi
    done
-    [ -n "$g_nolock" ] || mutex_off
+	if chain_exists dynamic; then
 	    dynexists=Yes
 	elif [ -z "$g_blacklistipset" ]; then
 	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
 	fi
 	[ -n "$g_nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
 	    allowed=''
 	    case $1 in
 		from)
 		    which='-s'
 		    range='--src-range'
 		    continue
 		    ;;
 		to)
 		    which='-d'
 		    range='--dst-range'
 		    continue
 		    ;;
 		*-*)
 		    if [ -n "$g_blacklistipset" ]; then
 			if qt $IPSET -D $g_blacklistipset $1; then
 			    allowed=Yes
 			fi
 		    fi
 		    if [ -n "$dynexists" ]; then
 			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
 			then
 			    allowed=Yes
 			fi
 		    fi
 		    ;;
 		*)
 		    if [ -n "$g_blacklistipset" ]; then
 			if qt $IPSET -D $g_blacklistipset $1; then
 			    allowed=Yes
 			fi
 		    fi
 		    if [ -n "$dynexists" ]; then
 			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
 			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
 			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
 			    qt $g_tool -D dynamic $which $1 -j logreject
 			then
 			    allowed=Yes
 			fi
 		    fi
 		    ;;
 	    esac
 	    if [ -n "$allowed" ]; then
 		progress_message2 "$1 Allowed"
 	    else
 		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
 	    fi
 	done
 	[ -n "$g_nolock" ] || mutex_off
    else
 	error_message "ERROR: $g_product is not started"
 	exit 2
    fi
 }
 #
@@ -2821,7 +2770,7 @@ determine_capabilities() {
    GOTO_TARGET=
    LOGMARK_TARGET=
    IPMARK_TARGET=
-    LOG_TARGET=
+    LOG_TARGET=Yes
    ULOG_TARGET=
    NFLOG_TARGET=
    PERSISTENT_SNAT=
@@ -2854,8 +2803,6 @@ determine_capabilities() {
    WAIT_OPTION=
    CPU_FANOUT=
    NETMAP_TARGET=
    NFLOG_SIZE=
    RESTORE_WAIT_OPTION=
    AMANDA_HELPER=
    FTP_HELPER=
@@ -2879,11 +2826,9 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
    fi
    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
    if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	g_tool="$g_tool --wait"
+	tool="$tool --wait"
    fi
    chain=fooX$$
@@ -3189,15 +3134,12 @@ determine_capabilities() {
    qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $g_tool -A $chain -j LOG && LOG_TARGET=Yes
+    qt $g_tool -A $chain -j LOG || LOG_TARGET=
    qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
    qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
    if qt $g_tool -A $chain -j NFLOG; then
 	NFLOG_TARGET=Yes
 	qt $g_tool -A $chain -j NFLOG --nflog-size 64 && NFLOG_SIZE=Yes
    fi
    if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -3353,11 +3295,9 @@ report_capabilities_unsorted() {
    if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
 	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
 	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    fi
    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3365,7 +3305,6 @@ report_capabilities_unsorted() {
    report_capability "CT Target (CT_TARGET)" $CT_TARGET
    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3472,8 +3411,6 @@ report_capabilities_unsorted1() {
    report_capability1 WAIT_OPTION
    report_capability1 CPU_FANOUT
    report_capability1 NETMAP_TARGET
    report_capability1 NFLOG_SIZE
    report_capability1 RESTORE_WAIT_OPTION
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3778,7 +3715,7 @@ ipcalc_command() {
    valid_address $address || fatal_error "Invalid IP address: $address"
    [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM"
+    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
    [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
    address=$address/$vlsm
@@ -4620,14 +4557,12 @@ shorewall_cli() {
    case "$COMMAND" in
 	start)
 	    only_root
 	    get_config Yes Yes
 	    shift
 	    start_command $@
 	    ;;
 	stop|clear)
 	    [ $# -ne 1 ] && too_many_arguments $2
 	    only_root
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4635,7 +4570,6 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
 	    only_root
 	    get_config
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4644,13 +4578,11 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
 	    only_root
 	    get_config Yes Yes
 	    shift
 	    restart_command $@
 	    ;;
 	disable|enable|reenable)
 	    only_root
 	    get_config Yes
 	    if product_is_started; then
 		run_it ${VARDIR}/firewall $g_debugging $@
@@ -4659,7 +4591,6 @@ shorewall_cli() {
 	    fi
 	    ;;
 	blacklist)
 	    only_root
 	    get_config Yes
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4668,7 +4599,6 @@ shorewall_cli() {
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
 	    only_root
 	    get_config Yes
 	    run_command $@
 	    ;;
@@ -4678,20 +4608,18 @@ shorewall_cli() {
    	    show_command $@
 	    ;;
 	status)
-	    only_root
+	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
 	    shift
 	    status_command $@
 	    ;;
 	dump)
 	    only_root
 	    get_config Yes No Yes
    	    shift
    	    dump_command $@
 	    ;;
 	hits)
 	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
 	    only_root
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4702,63 +4630,53 @@ shorewall_cli() {
 	    version_command $@
 	    ;;
 	logwatch)
 	    only_root
 	    get_config Yes Yes Yes
 	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
 	    only_root
 	    get_config
 	    shift
 	    open_close_command $@
 	    ;;
 	allow)
 	    only_root
 	    get_config
 	    allow_command $@
 	    ;;
 	add)
 	    only_root
 	    get_config
 	    shift
 	    add_command $@
 	    ;;
 	delete)
 	    only_root
 	    get_config
 	    shift
 	    delete_command $@
 	    ;;
 	save)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    save_command $@
 	    ;;
 	forget)
 	    only_root
 	    get_config
 	    forget_command $@
 	    ;;
@@ -4775,13 +4693,11 @@ shorewall_cli() {
 	    ipdecimal_command $@
 	    ;;
 	restore)
 	    only_root
 	    get_config
 	    shift
 	    restore_command $@
            ;;
 	call)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
@@ -4819,20 +4735,17 @@ shorewall_cli() {
 	    usage
 	    ;;
 	iptrace)
 	    only_root
 	    get_config
 	    shift
 	    iptrace_command $@
 	    ;;
 	noiptrace)
 	    only_root
 	    get_config
 	    shift
 	    noiptrace_command $@
 	    ;;
 	savesets)
 	    [ $# -eq 1 ] || too_many_arguments $2
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
 #
-#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -269,48 +269,53 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
    local modulename
    modulename=$1
    shift
    local moduleoptions
    moduleoptions=$*
    local modulefile
    local suffix
    if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
-		case $moduleloader in
+		shift
-		    insmod)
+
-			for directory in $moduledirectories; do
+		for suffix in $MODULE_SUFFIX ; do
-			    for modulefile in $directory/${modulename}.*; do
+		    for directory in $moduledirectories; do
-				if [ -f $modulefile ]; then
+			modulefile=$directory/${modulename}.${suffix}
-				    insmod $modulefile $moduleoptions
+
 				    return
 				fi
 			    done
 			done
 			;;
 		    *)
 			modprobe -q $modulename $moduleoptions
 			;;
 		esac
 	    fi
 	fi
    elif ! list_search $modulename $DONT_LOAD $MODULES; then
 	case $moduleloader in
 	    insmod)
 		for directory in $moduledirectories; do
 		    for modulefile in $directory/${modulename}.*; do
 			if [ -f $modulefile ]; then
-			    insmod $modulefile $moduleoptions
+			    case $moduleloader in
-			    return
+				insmod)
 				    insmod $modulefile $*
 				    ;;
 				*)
 				    modprobe $modulename $*
 				    ;;
 			    esac
 			    break 2
 			fi
 		    done
 		done
-		;;
+	    fi
-	    *)
+	fi
-		modprobe -q $modulename $moduleoptions
+    elif ! list_search $modulename $DONT_LOAD $MODULES; then
-		;;
+	shift
-	esac
+
 	for suffix in $MODULE_SUFFIX ; do
 	    for directory in $moduledirectories; do
 		modulefile=$directory/${modulename}.${suffix}
 		if [ -f $modulefile ]; then
 		    case $moduleloader in
 			insmod)
 			    insmod $modulefile $*
 			    ;;
 			*)
 			    modprobe $modulename $*
 			    ;;
 		    esac
 		    break 2
 		fi
 	    done
 	done
    fi
 }
@@ -333,6 +338,8 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi
    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -387,6 +394,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi
    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.core
+# Shorewall 5.0 -- /usr/share/shorewall/lib.core
 #
-#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,7 +24,7 @@
 # generated scripts.
 #
-SHOREWALL_LIBVERSION=50108
+SHOREWALL_LIBVERSION=50100
 #
 # Fatal Error
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -1,6 +1,6 @@
 #
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -1,6 +1,6 @@
 #
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -3173,8 +3173,6 @@
    <title>FILES</title>
    <para>/etc/shorewall/</para>
    <para>/etc/shorewall6/</para>
  </refsect1>
  <refsect1>
@@ -3184,18 +3182,13 @@
    url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
    <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-ipsets(5), shorewall-logging(), shorewall-maclist(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
-    shorewall-proxyarp(5), shorewall6-proxyndp(5), shorewall-routes(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
    shorewall-rtrules(5), shorewall-rtrules(5), shorewall-rules(5),
    shorewall-secmarks(5), shorewall-snat(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5),
    shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -1,8 +1,8 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.1
+#     Shorewall Packet Filtering Firewall Control Program - V5.0
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -25,10 +25,6 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
 #
 # Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l
 # options
 #
 PRODUCT=shorewall
 #
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -73,16 +73,12 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall ]; then
-        return 0
+	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-        if [ $PRODUCT = shorewall ]; then
+	return 0
            ${SBINDIR}/shorewall compile
        elif [ $PRODUCT = shorewall6 ]; then
            ${SBINDIR}/shorewall -6 compile
        else
            return 1
        fi
    fi
 }
@@ -112,14 +108,16 @@ shorewall_start () {
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-          #
+	  if [ -x ${STATEDIR}/firewall ]; then
-	  # Run in a sub-shell to avoid name collisions
+              #
-	  #
+	      # Run in a sub-shell to avoid name collisions
-	  (
+	      #
-	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+	      (
-		  ${STATEDIR}/firewall ${OPTIONS} stop
+		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-	      fi
+		      ${STATEDIR}/firewall ${OPTIONS} stop
-	  )
+		  fi
 	      )
 	  fi
      fi
  done
@@ -147,7 +145,9 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
 	      ${STATEDIR}/firewall ${OPTIONS} clear
 	  fi
      fi
  done
@@ -159,9 +159,8 @@ shorewall_stop () {
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      else
 	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
      fi
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,14 +44,12 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	return 0
    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 1
+	return 0
    fi
 }
@@ -68,20 +66,20 @@ start () {
    printf "Initializing \"Shorewall-based firewalls\": "
    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
 	ipset -R < "$SAVE_IPSETS"
    fi
    for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?
 	if [ $retval -eq 0 ]; then
-	    ${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
+	    if [ -x "${STATEDIR}/firewall" ]; then
-	    retval=${PIPESTATUS[0]}
+		${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
-	    [ $retval -ne 0 ] && break
+		retval=${PIPESTATUS[0]}
 		[ $retval -ne 0 ] && break
 	    else
 		retval=6 #Product not configured
 		break
 	    fi
 	else
 	    retval=6 #Product not configured
 	    break
 	fi
    done
@@ -108,25 +106,20 @@ stop () {
 	retval=$?
 	if [ $retval -eq 0 ]; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
+	    if [ -x "${STATEDIR}/firewall" ]; then
-	    retval=${PIPESTATUS[0]}
+		${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
-	    [ $retval -ne 0 ] && break
+		retval=${PIPESTATUS[0]}
 		[ $retval -ne 0 ] && break
 	    else
 		retval=6 #Product not configured
 		break
 	    fi
 	else
 	    retval=6 #Product not configured
 	    break
 	fi
    done
    if [ $retval -eq 0 ]; then
 	if [ -n "$SAVE_IPSETS" ]; then
 	    mkdir -p $(dirname "$SAVE_IPSETS")
 	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
 		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
 	    else
 		rm -f "${SAVE_IPSETS}.tmp"
 	    fi
 	fi
 	rm -f $lockfile
 	success
    else
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -75,14 +75,12 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	return 0
    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 1
+	return 0
    fi
 }
@@ -94,8 +92,10 @@ start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} stop
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 		  ${STATEDIR}/firewall ${OPTIONS} stop
 	      fi
 	  fi
      fi
  done
@@ -103,8 +103,6 @@ start () {
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      ipset -R < "$SAVE_IPSETS"
  fi
  return 0
 }
 boot () {
@@ -119,19 +117,17 @@ stop () {
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
+	    if [ -x ${STATEDIR}/firewall ]; then
 		${STATEDIR}/firewall ${OPTIONS} clear
 	    fi
 	fi
    done
    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
 	else
 	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
    fi
    return 0
 }
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -69,12 +69,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	return 0
    elif [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    else
-	return 1
+	return 0
    fi
 }
@@ -86,8 +84,10 @@ shorewall_start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} stop
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 		  ${STATEDIR}/firewall ${OPTIONS} stop
 	      fi
 	  fi
      fi
  done
@@ -107,16 +107,16 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
 	      ${STATEDIR}/firewall ${OPTIONS} clear
 	  fi
      fi
  done
  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      else
 	  rm -f "${SAVE_IPSETS}.tmp"
      fi
  fi
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -79,14 +79,12 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	return 0
    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 6
+	return 0
    fi
 }
@@ -98,8 +96,10 @@ shorewall_start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	  if [ -x $STATEDIR/firewall ]; then
-	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
 	      fi
 	  fi
      fi
  done
@@ -117,16 +117,16 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
 	      ${STATEDIR}/firewall ${OPTIONS} clear
 	  fi
      fi
  done
  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      else
 	  rm -f "${SAVE_IPSETS}.tmp"
      fi
  fi
 }
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -33,12 +33,12 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall ]; then
        return 0
    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
 }
@@ -67,14 +67,16 @@ shorewall_start () {
    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    #
+	    if [ -x ${STATEDIR}/firewall ]; then
-	    # Run in a sub-shell to avoid name collisions
+		#
-	    #
+		# Run in a sub-shell to avoid name collisions
-	    (
+		#
-		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		(
-		    ${STATEDIR}/firewall ${OPTIONS} stop
+		    if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		fi
+			${STATEDIR}/firewall ${OPTIONS} stop
-	    )
+		    fi
 		)
 	    fi
 	fi
    done
@@ -93,16 +95,16 @@ shorewall_stop () {
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
+	    if [ -x ${STATEDIR}/firewall ]; then
 		${STATEDIR}/firewall ${OPTIONS} clear
 	    fi
 	fi
    done
    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
 	else
 	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
    fi
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,6 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
 #        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall/Actions/action.A_AllowICMPs.deprecated
+++ b/Shorewall/Actions/action.A_AllowICMPs.deprecated
@@ -1,9 +0,0 @@
 #
 # Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
 #
 # This action A_ACCEPTs needed ICMP types
 #
 ###############################################################################
 #ACTION		SOURCE		DEST	PROTO		DPORT
 AllowICMPs(A_ACCEPT)
--- a/Shorewall/Actions/action.A_Drop.deprecated
+++ b/Shorewall/Actions/action.A_Drop.deprecated
@@ -13,7 +13,6 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ?require AUDIT_TARGET
 ?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
@@ -1,11 +1,11 @@
 #
-# Shorewall -- /usr/share/shorewall/action.A_REJECT
+# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
 #
 # A_REJECT Action.
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ b/Shorewall/Actions/action.A_Reject.deprecated
@@ -11,8 +11,6 @@
 #    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ?require AUDIT_TARGET
 ?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO
 #
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -7,38 +7,5 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 DEFAULTS ACCEPT
-
+@1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
-?if __IPV4
+@1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
    @1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
    @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
 ?else
 ?COMMENT Needed ICMP types (RFC4890)
    @1	-		-	ipv6-icmp	destination-unreachable
    @1	-		-	ipv6-icmp	packet-too-big
    @1	-		-	ipv6-icmp	time-exceeded
    @1	-		-	ipv6-icmp	parameter-problem
 # The following should have a ttl of 255 and must be allowed to transit a bridge
    @1	-		-	ipv6-icmp	router-solicitation
    @1	-		-	ipv6-icmp	router-advertisement
    @1	-		-	ipv6-icmp	neighbour-solicitation
    @1	-		-	ipv6-icmp	neighbour-advertisement
    @1	-		-	ipv6-icmp	137	# Redirect
    @1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
    @1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
 # The following should have a link local source address and must be allowed to transit a bridge
    @1	fe80::/10	-	ipv6-icmp	130	# Listener query
    @1	fe80::/10	-	ipv6-icmp	131	# Listener report
    @1	fe80::/10	-	ipv6-icmp	132	# Listener done
    @1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
 # The following should be received with a ttl of 255 and must be allowed to transit a bridge
    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
    @1	-		-	ipv6-icmp	149	# Certificate path advertisement
 # The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
    @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
    @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
    @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
 ?endif
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -20,7 +20,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Broadcast[([<action>|[,{audit|-}])]
+# Broadcast[([<action>|-[,{audit|-}])]
 #
 # Default action is DROP
 #
@@ -29,37 +29,27 @@
 DEFAULTS DROP,-
 ?if __ADDRTYPE
-    @1	-	-	-	;; -m addrtype --dst-type BROADCAST
+@1	-	-	-	;; -m addrtype --dst-type BROADCAST
-    @1	-	-	-	;; -m addrtype --dst-type ANYCAST
+@1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
-    ?begin perl;
+?begin perl;
-    use strict;
+use Shorewall::IPAddrs;
-    use Shorewall::IPAddrs;
+use Shorewall::Config;
-    use Shorewall::Config;
+use Shorewall::Chains;
    use Shorewall::Chains;
-    my ( $action, $audit ) = get_action_params( 2 );
+my ( $action )         = get_action_params( 1 );
-    my $chainref           = get_action_chain;
+my $chainref           = get_action_chain;
-    my ( $level, $tag )    = get_action_logging;
+my ( $level, $tag )    = get_action_logging;
-    fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit';
+add_commands $chainref, 'for address in $ALL_BCASTS; do';
 incr_cmd_level $chainref;
 log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
 add_jump $chainref, $action, 0, "-d \$address ";
 decr_cmd_level $chainref;
 add_commands $chainref, 'done';
-    my $target             = require_audit ( $action , $audit );
+1;
-    if ( $family == F_IPV4 ) {
+?end perl;
        add_commands $chainref, 'for address in $ALL_BCASTS; do';
    } elsif ($family == F_IPV6 ) {
        add_commands $chainref, 'for address in $ALL_ACASTS; do';
    }
    incr_cmd_level $chainref;
    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
    add_jump $chainref, $target, 0, "-d \$address ";
    decr_cmd_level $chainref;
    add_commands $chainref, 'done';
    1;
    ?end perl;
 ?endif
--- a/Shorewall/Actions/action.DNSAmp
+++ b/Shorewall/Actions/action.DNSAmp
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.Established
+++ b/Shorewall/Actions/action.Established
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.FIN
+++ b/Shorewall/Actions/action.FIN
@@ -1,33 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.FIN
 #
 # FIN Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # FIN[([<action>])]
 #
 # Default action is ACCEPT
 #
 ###############################################################################
 DEFAULTS ACCEPT,-
@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN ACK,FIN
--- a/Shorewall/Actions/action.GlusterFS
+++ b/Shorewall/Actions/action.GlusterFS
@@ -13,9 +13,9 @@
 DEFAULTS 2,0
 ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
-    ?error Invalid value (@1) for the GlusterFS Bricks argument
+    ?error Invalid value for Bricks (@1)
 ?elsif @2 !~ /^[01]$/
-    ?error Invalid value (@2) for the GlusterFS IB argument
+    ?error Invalid value for IB (@2)
 ?endif
 #ACTION		SOURCE		DEST		PROTO	DPORT
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -107,11 +107,6 @@ if ( $command & $REAP_OPT ) {
 $duration .= '--rttl ' if $command & $TTL_OPT;
 if ( ( $targets{$action} || 0 ) & NATRULE ) {
    perl_action_helper( "${action}-", "-m recent --rcheck ${duration}--hitcount $hitcount" );
    $action = 'ACCEPT';
 }
 if ( $command & $RESET_CMD ) {
    require_capability 'MARK_ANYWHERE', '"reset"', 's';
--- a/Shorewall/Actions/action.Invalid
+++ b/Shorewall/Actions/action.Invalid
@@ -4,7 +4,7 @@
 # Invalid Action
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -29,28 +29,22 @@
 DEFAULTS DROP,-
 ?if __ADDRTYPE
-    @1	-	-	-	;; -m addrtype --dst-type MULTICAST
+@1	-	-	-	;; -m addrtype --dst-type MULTICAST
 ?else
-    ?begin perl;
+?begin perl;
-    use strict;
+use Shorewall::IPAddrs;
-    use Shorewall::IPAddrs;
+use Shorewall::Config;
-    use Shorewall::Config;
+use Shorewall::Chains;
    use Shorewall::Chains;
-    my ( $action, $audit ) = get_action_params( 2 );
+my ( $action )         = get_action_params( 1 );
-    my $chainref           = get_action_chain;
+my $chainref           = get_action_chain;
-    my ( $level, $tag )    = get_action_logging;
+my ( $level, $tag )    = get_action_logging;
-    fatal_error "Invalid parameter to action Multicast" if supplied $audit && $audit ne 'audit';
+log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
-    my $target = require_audit ( $action , $audit );
+1;
    my $dest   = ( $family == F_IPV4 ) ? join( ' ', '-d', IPv4_MULTICAST . ' ' ) : join( ' ', '-d', IPv6_MULTICAST . ' ' );
-    log_rule_limit( $level, $chainref, 'Multicast' , $action, '', $tag, 'add', $dest ) if $level ne '';
+?end perl;
    add_jump $chainref, $target, 0, $dest;
    1;
    ?end perl;
 ?endif
--- a/Shorewall/Actions/action.New
+++ b/Shorewall/Actions/action.New
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.NotSyn
+++ b/Shorewall/Actions/action.NotSyn
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.RST
+++ b/Shorewall/Actions/action.RST
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.Related
+++ b/Shorewall/Actions/action.Related
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
@@ -41,11 +41,6 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 if ( ( $targets{$action} || 0 ) & NATRULE ) {
    perl_action_helper( "${action}-", "" );
    $action = 'ACCEPT';
 }
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
 } else {
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
@@ -37,11 +37,6 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 if ( ( $targets{$action} || 0 ) & NATRULE ) {
    perl_action_helper( "${action}-", "" );
    $action = 'ACCEPT';
 }
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {
--- a/Shorewall/Actions/action.TCPFlags
+++ b/Shorewall/Actions/action.TCPFlags
@@ -26,4 +26,4 @@ $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
-$tcpflags_action	-	-	;;+ -p 6 --syn --sport 0
+$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
--- a/Shorewall/Actions/action.Untracked
+++ b/Shorewall/Actions/action.Untracked
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.allowInvalid
+++ b/Shorewall/Actions/action.allowInvalid
@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.dropBcasts
+++ b/Shorewall/Actions/action.dropBcasts
@@ -1,39 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.dropBcasts
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # dropBcasts[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
 	?require AUDIT_TARGET
 	Broadcast(A_DROP)
    ?else
 	?error "Invalid argument (@1) to dropBcasts"
    ?endif
 ?else
    Broadcast(DROP)
 ?endif
--- a/Shorewall/Actions/action.dropInvalid
+++ b/Shorewall/Actions/action.dropInvalid
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -15,7 +15,6 @@ PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
 PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
 PARAM	-	-	tcp	3520		# Remote Console (Redfish)
 PARAM	-	-	udp	623		# RMCP
 HTTP
 HTTPS
--- a/Shorewall/Macros/macro.RDP
+++ b/Shorewall/Macros/macro.RDP
@@ -6,5 +6,4 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	udp	3389
 PARAM	-	-	tcp	3389
--- a/Shorewall/Makefile-lite
+++ b/Shorewall/Makefile-lite
@@ -0,0 +1,82 @@
 #     Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2006 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 ################################################################################
 # Place this file in each export directory. Modify each copy to set HOST
 # to the name of the remote firewall corresponding to the directory.
 #
 #	To make the 'firewall' script, type "make".
 #
 #	Once the script is compiling correctly, you can install it by
 #	typing "make install".
 #
 ################################################################################
 #                             V A R I A B L E S
 #
 # Files in the export directory on which the firewall script does not depend
 #
 IGNOREFILES =  firewall% Makefile% trace% %~
 #
 # Remote Firewall system
 #
 HOST = gateway
 #
 # Save some typing
 #
 LITEDIR = /var/lib/shorewall-lite
 #
 # Set this if the remote system has a non-standard modules directory
 #
 MODULESDIR=
 #
 # Default target is the firewall script
 #
 ################################################################################
 #                                T A R G E T S
 #
 all: firewall
 #
 # Only generate the capabilities file if it doesn't already exist
 #
 capabilities:
 	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
 	scp root@$(HOST):$(LITEDIR)/capabilities .
 #
 # Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
 # 'filter-out' will be presented with the list of files in this directory rather than "*"
 #
 firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
 	shorewall compile -e . firewall
 #
 # Only reload on demand.
 #
 install: firewall
 	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
 	ssh root@$(HOST) "/sbin/shorewall-lite restart"
 #
 # Save running configuration
 #
 save:
 	ssh root@$(HOST) "/sbin/shorewall-lite save"
 #
 # Remove generated files
 #
 clean:
 	rm -f capabilities firewall firewall.conf reload
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -195,7 +195,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';
-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT_SECTION;
+    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
    my $prerule = '';
@@ -266,7 +266,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    if ( $source eq 'any' || $source eq 'all' ) {
        $source = ALLIP;
    } else {
-	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT_SECTION || ! $asection );
+	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
    }
    if ( have_bridges && ! $asection ) {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Chains.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Chains.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -32,7 +32,6 @@ require Exporter;
 use Scalar::Util 'reftype';
 use Digest::SHA qw(sha1_hex);
 use File::Basename;
 use Socket;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
@@ -138,12 +137,6 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE
 				       validate_port
 				       validate_portpair
 				       validate_portpair1
 				       validate_port_list
 				       expand_port_range
 				       PREROUTING
 				       INPUT
 				       FORWARD
@@ -412,14 +405,14 @@ our $VERSION = 'MODULEVERSION';
 #   Provider Chains for provider <p>
 #      Load Balance    - ~<p>
 #
-#   Zone-pair chains for rules chain <z1-z2>
+#   Zone-pair chains for rules chain <z12z2>
 #
-#      Syn Flood       - @<z1-z2>
+#      Syn Flood       - @<z12z2>
-#      Blacklist       - <z1-z2>~
+#      Blacklist       - <z12z2>~
-#      Established     - ^<z1-z2>
+#      Established     - ^<z12z2>
-#      Related         - +<z1-z2>
+#      Related         - +<z12z2>
-#      Invalid         - _<z1-z2>
+#      Invalid         - _<z12z2>
-#      Untracked       - &<z1-z2>
+#      Untracked       - &<z12z2>
 #
 our %chain_table;
 our $raw_table;
@@ -441,7 +434,7 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       REDIRECT     =>     0x20,       #'REDIRECT'
 	       ACTION       =>     0x40,       #An action (may be built-in)
 	       MACRO        =>     0x80,       #A Macro
-	       LOGRULE      =>    0x100,       #'LOG','ULOG','NFLOG'
+	       LOGRULE      =>    0x100,       #'LOG','NFLOG'
 	       NFQ          =>    0x200,       #'NFQUEUE'
 	       CHAIN        =>    0x400,       #Manual Chain
 	       SET          =>    0x800,       #SET
@@ -516,7 +509,6 @@ our $idiotcount1;
 our $hashlimitset;
 our $global_variables;
 our %address_variables;
 our %port_variables;
 our $ipset_rules;
 #
@@ -792,7 +784,6 @@ sub initialize( $$$ ) {
    %interfaceacasts    = ();
    %interfacegateways  = ();
    %address_variables  = ();
    %port_variables     = ();
    $global_variables   = 0;
    $idiotcount         = 0;
@@ -828,211 +819,6 @@ sub initialize( $$$ ) {
    #
 }
 sub record_runtime_port( $ ) {
    my ( $variable ) = @_;
    if ( $variable =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Variable %variable is already used as an address variable" if $address_variables{$1};
 	$port_variables{$1} = 1;
    } else {
 	fatal_error( "Invalid port variable (%$variable)" );
    }
    "\$$variable";
 }
 ################################################################################
 # Functions moved from IPAddrs.pm in 5.1.5				       #
 ################################################################################
 sub validate_port( $$ ) {
    my ($proto, $port) = @_;
    my $value;
    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
 	$value = numeric_value $port;
 	if ( defined $value ) {
 	    if ( $value && $value <= 65535 ) {
 		return $value;
 	    } else {
 		$value = undef;
 	    }
 	}
    } elsif ( $port =~ /^%(.*)/ ) {
 	$value = record_runtime_port( $1 );
    } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
    }
    return $value if defined $value;
    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
 }
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    my $pair = $portpair;
    #
    # Accept '-' as a port-range separator
    #
    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
    my @ports = split /:/, $pair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
    $_ = validate_port( $protonum, $_) for grep $_, @ports;
    if ( @ports == 2 ) {
 	$what = 'port range';
 	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
 	    fatal_error "Invalid port range ($_[1])" unless $ports[0] < $ports[1];
 	}
    } else {
 	$what = 'port';
    }
    fatal_error "Using a $what ( $_[1] ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP     ||
 			       $protonum == UDP     ||
 			       $protonum == UDPLITE ||
 			       $protonum == SCTP    ||
 			       $protonum == DCCP );
    join ':', @ports;
 }
 sub validate_portpair1( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
    my @ports = split /-/, $portpair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
    $_ = validate_port( $protonum, $_) for grep $_, @ports;
    if ( @ports == 2 ) {
 	$what = 'port range';
 	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
 	    fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
 	}
    } else {
 	$what = 'port';
 	fatal_error 'Invalid port number (0)' unless $portpair;
    }
    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP  ||
 			       $protonum == UDP  ||
 			       $protonum == SCTP ||
 			       $protonum == DCCP );
    join '-', @ports;
 }
 sub validate_port_list( $$ ) {
    my $result = '';
    my ( $proto, $list ) = @_;
    my @list   = split_list( $list, 'port' );
    if ( @list > 1 && $list =~ /[:-]/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
    }
    $proto = proto_name $proto;
    for ( @list ) {
 	my $value = validate_portpair( $proto , $_ );
 	$result = $result ? join ',', $result, $value : $value;
    }
    $result;
 }
 #
 # Expands a port range into a minimal list of ( port, mask ) pairs.
 # Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
 #
 # Example:
 #
 #       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
 #       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
 #
 sub expand_port_range( $$ ) {
    my ( $proto, $range ) = @_;
    if ( $range =~ /^(.*):(.*)$/ ) {
 	my ( $first, $last ) = ( $1, $2);
 	my @result;
 	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
 	#
 	# Supply missing first/last port number
 	#
 	$first = 0     if $first eq '';
 	$last  = 65535 if $last eq '';
 	#
 	# Validate the ports
 	#
 	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
 	$last++; #Increment last address for limit testing.
 	#
 	# Break the range into groups:
 	#
 	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
 	#      - Otherwise, find the largest power of two P that divides the first address such that
 	#        the remaining range has less than or equal to P ports. The next group is
 	#        ( <first> , ~( P-1 ) ).
 	#
 	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
 	    my $mask = 0xffff;         #Mask for current ports in group.
 	    my $y    = 2;              #Next power of two to test
 	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
 	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
 		$mask <<= 1;
 		$z  = $y;
 		$y <<= 1;
 	    }
 	    #
 	    #
 	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
 	    $first += $z;
 	}
 	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
 	@result;
    } else {
 	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
    }
 }
 ################################################################################
 # End functions moved from IPAddrs.pm in 5.1.5				       #
 ################################################################################
 #
 # Functions to manipulate cmdlevel
 #
@@ -1295,11 +1081,11 @@ sub format_option( $$ ) {
    assert( ! reftype $value );
-    my $rule;
+    my $rule = '';
    $value =~ s/\s*$//;
-    $rule = join( ' ' , ' -m', $option, $value );
+    $rule .= join( ' ' , ' -m', $option, $value );
    $rule;
 }
@@ -1345,6 +1131,8 @@ sub format_rule( $$;$ ) {
 	    } else {
 		$rule .= join( '' , ' --', $_, ' ', $value );
 	    }
 	    next;
 	} elsif ( $type == EXPENSIVE ) {
 	    #
 	    # Only emit expensive matches now if there are '-m nfacct' or '-m recent' matches in the rule
@@ -1403,15 +1191,13 @@ sub compatible( $$ ) {
    }
    #
    # Don't combine chains where each specifies
-    #    -m policy and the policies are different
+    #    -m policy
    # or when one specifies
    #    -m multiport
    # and the other specifies
    #    --dport or --sport or -m multiport
    #
-    my ( $p1, $p2 );
+    return ! ( $ref1->{policy} && $ref2->{policy} ||
    return ! ( ( ( $p1 = $ref1->{policy} ) && ( $p2 = $ref2->{policy} ) && $p1 ne $p2 ) ||
 	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
 		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
@@ -1929,7 +1715,7 @@ sub delete_reference( $$ ) {
    assert( $toref );
-    delete $toref->{references}{$fromref->{name}} if --$toref->{references}{$fromref->{name}} <= 0;
+    delete $toref->{references}{$fromref->{name}} unless --$toref->{references}{$fromref->{name}} > 0;
 }
 #
@@ -2067,7 +1853,7 @@ sub adjust_reference_counts( $$$ ) {
    my ($toref, $name1, $name2) = @_;
    if ( $toref ) {
-	delete $toref->{references}{$name1} if --$toref->{references}{$name1} <= 0;
+	delete $toref->{references}{$name1} unless --$toref->{references}{$name1} > 0;
 	$toref->{references}{$name2}++;
    }
 }
@@ -3275,10 +3061,8 @@ sub initialize_chain_table($) {
 	$chainref = new_nat_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS   ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
    }
@@ -3675,7 +3459,7 @@ sub optimize_level4( $$ ) {
 				#
 				delete_chain_and_references( $chainref );
 				$progress = 1;
-			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
+			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 				#
 				# This case requires a new rule merging algorithm. Ignore this chain from
 				# now on.
@@ -3902,15 +3686,6 @@ sub optimize_level8( $$$ ) {
 		    }
 		    $combined{ $chainref1->{name} } = $chainref->{name};
 		    #
 		    # While rare, it is possible for a policy chain to be combined with a non-policy chain. So we need to preserve
 		    # the policy attributes in the combined chain
 		    #
 		    if ( $chainref->{policychain} ) {
 			@{$chainref1}{qw(policychain policy)} = @{$chainref}{qw(policychain policy)} unless $chainref1->{policychain};
 		    } elsif ( $chainref1->{policychain} ) {
 			@{$chainref}{qw(policychain policy)} = @{$chainref1}{qw(policychain policy)} unless $chainref->{policychain};
 		    }
 		}
 	    }
 	}
@@ -4782,7 +4557,6 @@ sub do_proto( $$$;$ )
    if ( $proto ne '' ) {
 	my $synonly  = ( $proto =~ s/:(!)?syn$//i );
 	my $all      = ( $proto =~ s/:all$//i );
 	my $notsyn   = $1;
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
@@ -4798,7 +4572,6 @@ sub do_proto( $$$;$ )
 	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
 	    #
 	    unless ( $synonly ) {
 		fatal_error '":all" is only allowed with tcp' if $all && $proto != TCP;
 		$output  = "${invert}-p ${proto} ";
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
@@ -4839,7 +4612,7 @@ sub do_proto( $$$;$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
+				$ports   = validate_portpair $pname , $ports;
 				$output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
 			    }
 			}
@@ -4938,8 +4711,6 @@ sub do_proto( $$$;$ )
 	} else {
 	    fatal_error '":syn" is only allowed with tcp' if $synonly;
 	    $proto = $proto . ':all' if $all;
 	    if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
 		my $p = $2 ? lc $3 : 'tcp';
 		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
@@ -4996,7 +4767,6 @@ sub do_iproto( $$$ )
    if ( $proto ne '' ) {
 	my $synonly  = ( $proto =~ s/:syn$//i );
 	my $all      = ( $proto =~ s/:all$//i );
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
@@ -5011,7 +4781,6 @@ sub do_iproto( $$$ )
 	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
 	    #
 	    unless ( $synonly ) {
 		fatal_error '":all" is only allowed with tcp' if $all && $proto != TCP;
 		@output = ( p => "${invert}${proto}" );
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
@@ -5050,7 +4819,7 @@ sub do_iproto( $$$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
+				$ports   = validate_portpair $pname , $ports;
 				if ( $srcndst ) {
 				    push @output, multiport => "${invert}--ports ${ports}";
@@ -5146,8 +4915,6 @@ sub do_iproto( $$$ )
 	} else {
 	    fatal_error '":syn" is only allowed with tcp' if $synonly;
 	    $proto = $proto . ':all' if $all;
 	    if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
 		my $p = $2 ? lc $3 : 'tcp';
 		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
@@ -5991,7 +5758,6 @@ sub record_runtime_address( $$;$$ ) {
    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
 	fatal_error "Variable %variable is already used as a port variable" if $port_variables{$1};
 	$address_variables{$1} = $addrtype;
 	return '$' . "$1 ";
    }
@@ -6337,7 +6103,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
    }
-    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
+    $net = validate_net $net, 1;
    $net eq ALLIP ? '' : "-d $net ";
 }
@@ -6418,7 +6184,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
    }
-    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
+    $net = validate_net $net, 1;
    $net eq ALLIP ? () : ( d =>  $net );
 }
@@ -7077,8 +6843,6 @@ sub interface_gateway( $ ) {
 sub get_interface_gateway ( $;$$ ) {
    my ( $logical, $protect, $provider ) = @_;
    $provider = '' unless defined $provider;
    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );
    my $gateway  = get_interface_option( $interface, 'gateway' );
@@ -7092,9 +6856,9 @@ sub get_interface_gateway ( $;$$ ) {
    }
    if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }
@@ -7281,19 +7045,6 @@ sub verify_address_variables() {
 	      qq(    startup_error "Invalid value ($address) for address variable $variable"),
 	      qq(fi\n) );
    }
    for my $variable( keys %port_variables ) {
 	my $port = "\$$variable";
 	my $type = $port_variables{$variable};
 	emit( qq(if [ -z "$port" ]; then) ,
 	      qq(    $variable=255) ,
 	      qq(elif qt \$g_tool -A INPUT -p 6 --dport $port; then) ,
 	      qq(    qt \$g_tool -D INPUT -p 6 --dport $variable) ,
 	      qq(else) ,
 	      qq(    startup_error "Invalid valid ($port) for port variable $variable") ,
 	      qq(fi\n) );
    }
 }
 #
@@ -7543,11 +7294,6 @@ sub isolate_dest_interface( $$$$ ) {
 	    $rule .= "-d $variable ";
 	}
    } elsif ( $dest =~ /^\$/ ) {
 	#
 	# Runtime address variable
 	#
 	$dnets  = $dest;
    } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
@@ -8471,7 +8217,6 @@ sub save_docker_rules($) {
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
 	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
 	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
 	);
@@ -8487,7 +8232,6 @@ sub save_docker_rules($) {
 	  q(    rm -f ${VARDIR}/.nat_OUTPUT),
 	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
 	  q(    rm -f ${VARDIR}/.filter_FORWARD),
 	  q(fi)
@@ -8930,15 +8674,9 @@ sub create_netfilter_load( $ ) {
    my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
    emit( '',
-	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then' );
+	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
-
+	  '    option="--counters"',
-    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	  '',
 	emit( '    option="--counters --wait "' . $config{MUTEX_TIMEOUT} );
    } else {
 	emit( '    option="--counters"' );
    }
    emit( '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
@@ -8946,11 +8684,7 @@ sub create_netfilter_load( $ ) {
    push_indent;
-    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+    emit 'option=';
 	emit 'option="--wait "' . $config{MUTEX_TIMEOUT};
    } else {
 	emit 'option=';
    }
    save_progress_message "Preparing $utility input...";
@@ -8999,10 +8733,6 @@ sub create_netfilter_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9107,11 +8837,6 @@ sub preview_netfilter_load() {
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
 		    } else {		    
 			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
@@ -9349,10 +9074,6 @@ sub create_stop_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9378,11 +9099,7 @@ sub create_stop_load( $ ) {
    enter_cmd_mode;
-    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
 	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' --wait ' . $config{MUTEX_TIMEOUT} . '"' );
    } else {
 	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
    }
    emit( '',
 	  'progress_message2 "Running $command..."',
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -59,7 +59,7 @@ our $have_arptables;
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
    Shorewall::Chains::initialize ($family, 1, $export );
    Shorewall::Zones::initialize ($family, $_[0]);
    Shorewall::Nat::initialize($family);
@@ -109,7 +109,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF
-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -209,8 +209,6 @@ sub generate_script_2() {
    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
    emit ( qq([ -n "\${CONFDIR:=$shorewallrc1{CONFDIR}}" ]) );
    emit ( qq([ -n "\${SHAREDIR:=$shorewallrc1{SHAREDIR}}" ]) );
    emit 'TEMPFILE=';
@@ -268,8 +266,7 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
 	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
 	emit( '' );
    }
@@ -692,7 +689,6 @@ sub compiler {
    set_timestamp( $timestamp );
    set_debug( $debug , $confess );
    #
    #                                      S H O R E W A L L R C ,
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
    get_configuration( $export , $update , $annotate , $inline );
@@ -797,10 +793,13 @@ sub compiler {
 	emit '}'; # End of setup_common_rules()
    }
    disable_script;
    #
    #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
    enable_script;
    #
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Config.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Config.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -30,97 +30,17 @@
 #   into those files (emitters) and finalizing those files (renaming
 #   them to their final name and setting their mode appropriately).
 #
 #   A significant portion of this module is dedicated to the preprocessor:
 #
 #	process_compiler_directive() - processes compiler directives
 #
 #	embedded_shell() - handles embedded shell scripting
 #
 #	embedded_perl() - handles embedded perl scripting
 #
 #	read_a_line() - Reads the next configuration file record to
 #			be passed to the function processing the file.
 #
 #	    - Detects compiler directives and passes then to
 #	      process_compiler_directive() for handling.
 #
 #	    - Handles line continuation
 #
 #	    - Invokes a callback when the first (concatinated) non-directive
 #	      record is read from a file.
 #
 #	    - Conditionally expands variables.
 #
 #	    - Conditionally detects embedded Shell and Perl and passes them
 #	      off to embedded_shell() and embedded_perl() respectively.
 #
 #	    - Conditionally detects and handles [?}INCLUDE directives.
 #
 #	    - Conditionally detects and handles ?SECTION directives.
 #	      File processing functions can supply a callback to be
 #	      called during this processing.
 #
 #   File processing routines may need to open a second (third, fourth, ...)
 #   file while processing the main file (macro and/or action files). Two
 #   functions are provided to make that possible:
 #
 #      push_open() - open a file while leaving the current file open.
 #
 #      pop_open() - close the current file, and make the previous
 #		    file (if any) the current one.
 #
 #   Because this module expands variables, it must be aware of action
 #   parameters.
 #
 #	push_action_params() - populates the %actparams hash and
 #			       returns a reference to the previous
 #			       contents of that hash. The caller is
 #			       expected to store those contents locally.
 #
 #	pop_action_params()  - Restores the %actparams hash from
 #			       the reference returned by
 #			       push_action_params().
 #
 #   The following routines are provided for INLINE PERL within
 #   action bodies:
 #
 #	default_action_params() - called to fill in omitted
 #				  arguments when a DEFAULTS
 #				  line is encountered.
 #
 #	get_action_params() - returns an array of arguments.
 #
 #	setup_audit_action() - helper for A_* actions.
 #
 #	get_action_logging() - returns log level and tag
 #			       from the action's invocation.
 #
 #	get_action_chain_name() - returns chain name.
 #
 #	set_action_name_to_caller() - replace chain name
 #				      with that of invoking
 #				      chain for logging purposes.
 #
 #	set_action_disposition() - set the current action
 #				   disposition for logging purposes.
 #
 #	get_action_disposition() - get the current action disposition.
 #
 #	set_action_param() - set the value of an argument.
 #
 package Shorewall::Config;
 use strict;
 use warnings;
 use File::Basename;
 use File::Temp qw/ tempfile tempdir /;
 use File::Glob ':globally';
 use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
 use Digest::SHA qw(sha1_hex);
 use Errno qw(:POSIX);
 our @ISA = qw(Exporter);
 #
@@ -166,9 +86,6 @@ our @EXPORT = qw(
 		 kernel_version
                 compiletime
 		 F_IPV4
 		 F_IPV6
                );
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -280,6 +197,9 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       PARMSMODIFIED
                                       USEDCALLER
 		                       F_IPV4
 		                       F_IPV6
 				       TCP
 				       UDP
 				       UDPLITE
@@ -395,7 +315,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -493,9 +413,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                 WAIT_OPTION     => 'iptables --wait option',
                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',
                 NETMAP_TARGET   => 'NETMAP Target',
-                 NFLOG_SIZE      => '--nflog-size support',
+
 		 RESTORE_WAIT_OPTION
 				 => 'iptables-restore --wait option',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -570,55 +488,53 @@ our %helpers_aliases;
 our %helpers_enabled;
 our %config_files = ( #accounting      => 1,
-		      actions	       => 1,
+		      actions          => 1,
-		      blacklist	       => 1,
+		      blacklist        => 1,
-		      clear	       => 1,
+		      clear            => 1,
-		      conntrack	       => 1,
+		      conntrack        => 1,
-		      ecn	       => 1,
+		      ecn              => 1,
-		      findgw	       => 1,
+		      findgw           => 1,
-		      hosts	       => 1,
+		      hosts            => 1,
-		      init	       => 1,
+		      init             => 1,
-		      initdone	       => 1,
+		      initdone         => 1,
 		      interfaces       => 1,
-		      isusable	       => 1,
+		      isusable         => 1,
-		      maclist	       => 1,
+		      maclist          => 1,
-		      mangle	       => 1,
+		      masq             => 1,
-		      masq	       => 1,
+		      nat              => 1,
-		      nat	       => 1,
+		      netmap           => 1,
-		      netmap	       => 1,
+		      params           => 1,
-		      params	       => 1,
+		      policy           => 1,
-		      policy	       => 1,
+		      providers        => 1,
-		      providers	       => 1,
+		      proxyarp         => 1,
-		      proxyarp	       => 1,
+		      refresh          => 1,
-		      refresh	       => 1,
+		      refreshed        => 1,
-		      refreshed	       => 1,
+		      restored         => 1,
-		      restored	       => 1,
+		      rawnat           => 1,
 		      rawnat	       => 1,
 		      route_rules      => 1,
-		      routes	       => 1,
+		      routes           => 1,
 		      routestopped     => 1,
-		      rtrules	       => 1,
+		      rtrules          => 1,
-		      rules	       => 1,
+		      rules            => 1,
-		      scfilter	       => 1,
+		      scfilter         => 1,
-		      secmarks	       => 1,
+		      secmarks         => 1,
-		      snat	       => 1,
+		      start            => 1,
-		      start	       => 1,
+		      started          => 1,
-		      started	       => 1,
+		      stop             => 1,
-		      stop	       => 1,
+		      stopped          => 1,
 		      stopped	       => 1,
 		      stoppedrules     => 1,
-		      tcclasses	       => 1,
+		      tcclasses        => 1,
-		      tcclear	       => 1,
+		      tcclear          => 1,
-		      tcdevices	       => 1,
+		      tcdevices        => 1,
-		      tcfilters	       => 1,
+		      tcfilters        => 1,
 		      tcinterfaces     => 1,
-		      tcpri	       => 1,
+		      tcpri            => 1,
-		      tcrules	       => 1,
+		      tcrules          => 1,
-		      tos	       => 1,
+		      tos              => 1,
-		      tunnels	       => 1,
+		      tunnels          => 1,
-		      zones	       => 1 );
+		      zones            => 1 );
 #
-# Options that involve the AUDIT target
+# Options that involve the the AUDIT target
 #
 our @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
 #
@@ -675,7 +591,6 @@ our $debug;                  # Global debugging flag
 our $confess;                # If true, use Carp to report errors with stack trace.
 our $family;                 # Protocol family (4 or 6)
 our $export;                 # True when compiling for export
 our $toolname;               # Name of the tool to use (iptables or iptables6)
 our $toolNAME;               # Tool name in CAPS
 our $product;                # Name of product that will run the generated script
@@ -729,7 +644,6 @@ our %eliminated = ( LOGRATE          => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
                    MODULE_SUFFIX    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -789,8 +703,8 @@ sub add_variables( \% );
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$$$) {
+sub initialize( $;$$) {
-    ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
+    ( $family, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
    if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -834,8 +748,8 @@ sub initialize( $;$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.8-Beta1",
+		    VERSION                 => "5.1.3",
-		    CAPVERSION              => 50106 ,
+		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -930,6 +844,7 @@ sub initialize( $;$$$) {
 	  BLACKLIST => undef,
 	  BLACKLISTNEWONLY => undef,
 	  DELAYBLACKLISTLOAD => undef,
 	  MODULE_SUFFIX => undef,
 	  DISABLE_IPV6 => undef,
 	  DYNAMIC_ZONES => undef,
 	  PKTTYPE=> undef,
@@ -992,8 +907,6 @@ sub initialize( $;$$$) {
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
 	  BALANCE_PROVIDERS => undef ,
 	  PERL_HASH_SEED => undef ,
 	  USE_NFLOG_SIZE => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1089,7 +1002,7 @@ sub initialize( $;$$$) {
 	       CONNLIMIT_MATCH => undef,
 	       TIME_MATCH => undef,
 	       GOTO_TARGET => undef,
-	       LOG_TARGET => undef,
+	       LOG_TARGET => 1,         # Assume that we have it.
 	       ULOG_TARGET => undef,
 	       NFLOG_TARGET => undef,
 	       LOGMARK_TARGET => undef,
@@ -1127,8 +1040,6 @@ sub initialize( $;$$$) {
 	       WAIT_OPTION => undef,
 	       CPU_FANOUT => undef,
 	       NETMAP_TARGET => undef,
 	       NFLOG_SIZE => undef,
 	       RESTORE_WAIT_OPTION => undef,
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1181,7 +1092,7 @@ sub initialize( $;$$$) {
    %compiler_params = ();
-    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '', callfile => '', callline => ''  );
+    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
    $parmsmodified = 0;
    $usedcaller    = 0;
    %ipsets = ();
@@ -1254,7 +1165,7 @@ sub initialize( $;$$$) {
    #
    # Process the global shorewallrc file
    #
-    #   Note: The build script calls this function passing only the protocol family
+    #   Note: The build file executes this function passing only the protocol family
    #
    process_shorewallrc( $shorewallrc,
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
@@ -1305,9 +1216,10 @@ sub compiletime() {
 # Create 'currentlineinfo'
 #
 sub currentlineinfo() {
-    if ( $currentfilename ) {
+    my $linenumber = $currentlinenumber || 1;
-	my $linenumber = $currentlinenumber || 1;
+
-	my $lineinfo   = " $currentfilename ";
+    if ( $currentfile ) {
 	my $lineinfo = " $currentfilename ";
 	if ( $linenumber eq 'EOF' ) {
 	    $lineinfo .= '(EOF)'
@@ -2073,7 +1985,6 @@ sub find_file($)
    for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
 	$!{ENOENT} || fatal_error "Unable to access $file: " . $!; 
    }
    "$config_path[0]$filename";
@@ -2321,7 +2232,7 @@ sub split_list4( $ ) {
 sub split_columns( $ ) {
    my ($list) = @_;
-    return split ' ', $list unless $list =~ /[()]/;
+    return split ' ', $list unless $list =~ /\(/;
    my @list1 = split ' ', $list;
    my @list2;
@@ -2362,7 +2273,9 @@ sub split_columns( $ ) {
 	}
    }
-    fatal_error "Mismatched parentheses ($list)" unless $opencount == 0;
+    unless ( $opencount == 0 ) {
 	fatal_error "Mismatched parentheses ($list)";
    }
    @list2;
 }
@@ -2375,7 +2288,7 @@ sub clear_comment();
 #    ensure that it has an appropriate number of columns.
 #    supply '-' in omitted trailing columns.
 #    Handles all of the supported forms of column/pair specification
-#    Handles segragating raw iptables input in rules
+#    Handles segragating raw iptables input in INLINE rules
 #
 sub split_line2( $$;$$$ ) {
    my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;
@@ -2428,7 +2341,7 @@ sub split_line2( $$;$$$ ) {
 	    $inline_matches = $pairs;
-	    if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
+	    if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
 		#
 		# Pairs are enclosed in curly brackets.
 		#
@@ -2444,7 +2357,7 @@ sub split_line2( $$;$$$ ) {
 	    if ( $currline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;
-		if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
+		if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
 		    #
 		    # Pairs are enclosed in curly brackets.
 		    #
@@ -2458,7 +2371,7 @@ sub split_line2( $$;$$$ ) {
 	} elsif ( $checkinline ) {
 	    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
 	}
-    } elsif ( $currline =~ /^(\s*|.*[^&@%])\{(.*)\}$/ ) {
+    } elsif ( $currline =~ /^(\s*|.*[^&@%]){(.*)}$/ ) {
 	#
 	# Pairs are enclosed in curly brackets.
 	#
@@ -2656,7 +2569,7 @@ sub open_file( $;$$$$ ) {
 	$max_format       = supplied $mf ? $mf : 1;
 	$comments_allowed = supplied $ca ? $ca : 0;
 	$nocomment        = $nc;
-	do_open_file $fname;
+	do_open_file $fname;;
    } else {
 	$ifstack = @ifstack;
 	'';
@@ -2869,7 +2782,7 @@ sub evaluate_expression( $$$$ ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
-	    $usedcaller = USEDCALLER if $var =~ /^(?:caller|callfile|callline)$/;
+	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $expression = join_parts( $first, $val, $rest , $just_expand );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
@@ -2905,6 +2818,7 @@ sub evaluate_expression( $$$$ ) {
 	#
 	# Not a simple one-term expression -- compile it
 	#
 	declare_passed unless $evals++;
 	$val = eval qq(package Shorewall::User;
@@ -2921,7 +2835,6 @@ sub evaluate_expression( $$$$ ) {
    $val;
 }
 sub pop_open();
 #
 # Set callback
 #
@@ -2929,40 +2842,6 @@ sub directive_callback( $ ) {
    $directive_callback = shift;
 }
 sub directive_message( \&$$$$ ) {
    my ( $functptr, $verbose, $expression, $filename, $linenumber ) = @_;
    unless ( $omitting ) {
 	if ( $actparams{0} ) {
 	    #
 	    # When issuing a message from an action, report the action invocation
 	    # site rather than the action file and line number.
 	    #
 	    # Avoid double-reporting by temporarily removing the invocation site
 	    # from the open stack.
 	    #
 	    my $saveopens = pop @openstack;
 	    $functptr->( $verbose ,
 			 evaluate_expression( $expression ,
 					      $filename ,
 					      $linenumber ,
 					      1 ),
 			 $actparams{callfile} ,
 			 $actparams{callline} );
 	    push @openstack, $saveopens;
 	} else {
 	    $functptr->( $verbose ,
 			 evaluate_expression( $expression ,
 					      $filename ,
 					      $linenumber ,
 					      1 ),
 			 $filename ,
 			 $linenumber );
 	}
    }
 }
 #
 # Each entry in @ifstack consists of a 4-tupple
 #
@@ -2976,8 +2855,7 @@ sub process_compiler_directive( $$$$ ) {
    print "CD===> $line\n" if $debug;
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber )
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
 	unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
    my ($keyword, $expression) = ( uc $1, $2 );
@@ -3079,13 +2957,13 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2 || 'chain';
 		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
 		      if ( exists $actparams{$var} ) {
-			  if ( $var =~ /^(?:loglevel|logtag|chain|disposition|caller|callfile|callline)$/ ) {
+			  if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
 			      $actparams{$var} = '';
 			  } else {
 			      delete $actparams{$var}
 			  }
-			  $parmsmodified = PARMSMODIFIED if @ifstack > $ifstack;
+			  $parmsmodified = PARMSMODIFIED;
 		      } else {
 			  directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
 		      }
@@ -3119,85 +2997,68 @@ sub process_compiler_directive( $$$$ ) {
 	  ERROR => sub() {
 	      unless ( $omitting ) {
-		  if ( $actparams{0} ) {
+		  directive_error( evaluate_expression( $expression ,
-		      close $currentfile;
+							$filename ,
-		      #
+							$linenumber ,
-		      # Avoid 'missing ?ENDIF' error in pop_open'
+							1 ) ,
-		      #
+				   $filename ,
-		      @ifstack = ();
+				   $linenumber ) unless $omitting;
 		      #
 		      # Avoid double-reporting the action invocation site
 		      #
 		      pop_open;
 		      directive_error( evaluate_expression( $expression ,
 							    $filename ,
 							    $linenumber ,
 							    1 ) ,
 				       $actparams{callfile} ,
 				       $actparams{callline} );
 		  } else {
 		      directive_error( evaluate_expression( $expression ,
 							    $filename ,
 							    $linenumber ,
 							    1 ) ,
 				       $filename ,
 				       $linenumber ) unless $omitting;
 		  }
 	      }
 	  } ,
 	  WARNING => sub() {
-	      directive_message( &directive_warning ,
+	      unless ( $omitting ) {
-				 $config{VERBOSE_MESSAGES},
+		  directive_warning( $config{VERBOSE_MESSAGES} ,
-				 $expression ,
+				     evaluate_expression( $expression ,
-				 $filename ,
+							  $filename ,
-				 $linenumber );
+							  $linenumber ,
 							  1 ),
 				     $filename ,
 				     $linenumber ) unless $omitting;
 	      }
 	  } ,
 	  INFO => sub() {
-	      directive_message( &directive_info,
+	      unless ( $omitting ) {
-				 $config{VERBOSE_MESSAGES} ,
+		  directive_info( $config{VERBOSE_MESSAGES} ,
-				 $expression ,
+				  evaluate_expression( $expression ,
-				 $filename ,
+						       $filename ,
-				 $linenumber );
+						       $linenumber ,
 						       1 ),
 				  $filename ,
 				  $linenumber ) unless $omitting;
 	      }
 	  } ,
 	  'WARNING!' => sub() {
-	      directive_message( &directive_warning ,
+	      unless ( $omitting ) {
-				 ! $config{VERBOSE_MESSAGES} ,
+		  directive_warning( ! $config{VERBOSE_MESSAGES} ,
-				 $expression ,
+				     evaluate_expression( $expression ,
-				 $filename ,
+							  $filename ,
-				 $linenumber );
+							  $linenumber ,
 							  1 ),
 				     $filename ,
 				     $linenumber ) unless $omitting;
 	      }
 	  } ,
 	  'INFO!' => sub() {
-	      directive_message( &directive_info ,
+	      unless ( $omitting ) {
-				 ! $config{VERBOSE_MESSAGES} ,
+		  directive_info( ! $config{VERBOSE_MESSAGES} ,
-				 $expression ,
+				  evaluate_expression( $expression ,
-				 $filename ,
+						       $filename ,
-				 $linenumber );
+						       $linenumber ,
 						       1 ),
 				  $filename ,
 				  $linenumber ) unless $omitting;
 	      }
 	  } ,
 	  REQUIRE => sub() {
 	      unless ( $omitting ) {
 		  fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
-		  fatal_error "Unknown capability ($expression)" unless ( my $capdesc = $capdesc{$expression} );
+		  fatal_error "Unknown capability ($expression)" unless $capdesc{$expression};
-		  unless ( have_capability( $expression ) ) {
+		  require_capability( $expression, "The $actparams{action} action", 's' );
 		      close $currentfile;
 		      #
 		      # Avoid 'missing ?ENDIF' error in pop_open'
 		      #
 		      @ifstack = ();
 		      #
 		      # Avoid double-reporting the action call site
 		      #
 		      pop_open;
 		      directive_error( "The $actparams{action} action requires the $capdesc capability",
 				       $actparams{callfile} ,
 				       $actparams{callline} );
 		  }
 	      }
 	  } ,
@@ -3699,8 +3560,6 @@ sub push_action_params( $$$$$$ ) {
    $actparams{loglevel}    = $loglevel;
    $actparams{logtag}      = $logtag;
    $actparams{caller}      = $caller;
    $actparams{callfile}    = $currentfilename;
    $actparams{callline}    = $currentlinenumber;
    $actparams{disposition} = '' if $chainref->{action};
    #
    # The Shorewall variable '@chain' has non-word characters other than hyphen removed
@@ -4133,7 +3992,7 @@ sub make_mask( $ ) {
    0xffffffff >> ( 32 - $_[0] );
 }
-my @suffixes;
+my @suffixes = qw(group range threshold nlgroup cprange qthreshold);
 #
 # Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate"
@@ -4369,7 +4228,7 @@ sub which( $ ) {
 # Load the kernel modules defined in the 'modules' file.
 #
 sub load_kernel_modules( ) {
-    my $moduleloader = which( 'modprobe' ) || which( 'insmod' );
+    my $moduleloader = which( 'modprobe' ) || ( which 'insmod' );
    my $modulesdir = $config{MODULESDIR};
@@ -4402,20 +4261,25 @@ sub load_kernel_modules( ) {
 	close LSMOD;
-      MODULE:
+	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
 	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
-		if ( $moduleloader =~ /modprobe$/ ) {
+		for my $directory ( @moduledirectories ) {
-		    system( "modprobe -q $module $arguments" );
+		    for my $suffix ( @suffixes ) {
-		    $loadedmodules{ $module } = 1;
+			my $modulefile = "$directory/$module.$suffix";
-		} else {
+			if ( -f $modulefile ) {
-		    for my $directory ( @moduledirectories ) {
+			    if ( $moduleloader eq 'insmod' ) {
-			for my $modulefile ( <$directory/$module.*> ) {
+				system ("insmod $modulefile $arguments" );
-			    system ("insmod $modulefile $arguments" );
+			    } else {
 				system( "modprobe $module $arguments" );
 			    }
 			    $loadedmodules{ $module } = 1;
 			    next MODULE;
 			}
 		    }
 		}
@@ -4900,10 +4764,6 @@ sub NFLog_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -j NFLOG" );
 }
 sub NFLog_Size() {
    have_capability( 'NFLOG_TARGET' ) && qt1( "$iptables $iptablesw -A $sillyname -j NFLOG --nflog-size 64" );
 }
 sub Logmark_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -j LOGMARK" );
 }
@@ -5027,10 +4887,6 @@ sub Cpu_Fanout() {
    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
 }
 sub Restore_Wait_Option() {
    length( `${iptables}-restore --wait < /dev/null 2>&1` ) == 0;
 }
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -5083,7 +4939,6 @@ our %detect_capability =
      LOG_TARGET => \&Log_Target,
      ULOG_TARGET => \&Ulog_Target,
      NFLOG_TARGET => \&NFLog_Target,
      NFLOG_SIZE => \&NFLog_Size,
      MANGLE_ENABLED => \&Mangle_Enabled,
      MANGLE_FORWARD => \&Mangle_Forward,
      MARK => \&Mark,
@@ -5111,7 +4966,6 @@ our %detect_capability =
      REALM_MATCH => \&Realm_Match,
      REAP_OPTION => \&Reap_Option,
      RECENT_MATCH => \&Recent_Match,
      RESTORE_WAIT_OPTION => \&Restore_Wait_Option,
      RPFILTER_MATCH => \&RPFilter_Match,
      SANE_HELPER => \&SANE_Helper,
      SANE0_HELPER => \&SANE0_Helper,
@@ -5278,9 +5132,6 @@ sub determine_capabilities() {
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
 	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
 	$capabilities{RESTORE_WAIT_OPTION}
 				       = detect_capability( 'RESTORE_WAIT_OPTION' );
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5329,13 +5180,7 @@ sub ensure_config_path() {
 	fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH};
    }
-    my $path = $config{CONFIG_PATH};
+    @config_path = split /:/, $config{CONFIG_PATH};
    my $chop = ( $path =~ s/^:// );
    @config_path = split /:/, $path;
    shift @config_path if $chop && ( $export || $> != 0 );
    #
    # To accomodate Cygwin-based compilation, we have separate directories for files whose names
@@ -5464,11 +5309,11 @@ sub update_config_file( $ ) {
 	update_default( 'BALANCE_PROVIDERS', 'Yes' );
    }
-    update_default( 'EXPORTMODULES',         'No' );
+    update_default( 'EXPORTMODULES',     'No' );
-    update_default( 'RESTART',               'reload' );
+    update_default( 'RESTART',           'reload' );
-    update_default( 'PAGER',                 $shorewallrc1{DEFAULT_PAGER} );
+    update_default( 'PAGER',             $shorewallrc1{DEFAULT_PAGER} );
-    update_default( 'LOGFORMAT',             'Shorewall:%s:%s:' );
+    update_default( 'LOGFORMAT',         'Shorewall:%s:%s:' );
-    update_default( 'LOGLIMIT',              '' );
+    update_default( 'LOGLIMIT',          '' );
    if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
@@ -6153,6 +5998,7 @@ sub get_configuration( $$$$ ) {
    #
    # get_capabilities requires that the true settings of these options be established
    #
    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
    if ( ! $export && $> == 0 ) {
@@ -6338,7 +6184,7 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_VERBOSITY} = -1;
    }
-    default_yes_no 'ADD_IP_ALIASES'             , $family == F_IPV4 ? 'Yes' : '';
+    default_yes_no 'ADD_IP_ALIASES'             , 'Yes';
    default_yes_no 'ADD_SNAT_ALIASES'           , '';
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
@@ -6491,19 +6337,8 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'USE_DEFAULT_RT'             , '';
    default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
    default_yes_no 'AUTOMAKE'                   , '';
-    default_yes_no 'TRACK_PROVIDERS'            , 'Yes';
+    default_yes_no 'TRACK_PROVIDERS'            , '';
    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
    default_yes_no 'USE_NFLOG_SIZE'             , '';
    if ( $config{USE_NFLOG_SIZE} ) {
 	if ( have_capability( 'NFLOG_SIZE' ) ) {
 	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
 	} else {
 	    fatal_error "USE_NFLOG_SIZE=Yes, but the --nflog-size capabiity is not present";
 	}
    } else {
 	@suffixes = qw(group range threshold nlgroup cprange qthreshold);
    }
    unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6924,12 +6759,6 @@ sub get_configuration( $$$$ ) {
 	}
    }
    if ( supplied( $val = $config{MUTEX_TIMEOUT} ) ) {
 	fatal_error "Invalid value ($val) for MUTEX_TIMEOUT" unless $val && $val =~ /^\d+$/;
    } else {
 	$config{MUTEX_TIMEOUT} = 60;
    }
    add_variables %config;
    while ( my ($var, $val ) = each %renamed ) {
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -63,6 +63,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  validate_host
 		  validate_range
 		  ip_range_explicit
 		  expand_port_range
 		  allipv4
 		  allipv6
 		  allip
@@ -73,6 +74,10 @@ our @EXPORT = ( qw( ALLIPv4
 		  resolve_proto
 		  resolve_dnsname
 		  proto_name
 		  validate_port
 		  validate_portpair
 		  validate_portpair1
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
 		 ) );
@@ -406,6 +411,114 @@ sub proto_name( $ ) {
    $proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto
 }
 sub validate_port( $$ ) {
    my ($proto, $port) = @_;
    my $value;
    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
 	$port = numeric_value $port;
 	return $port if defined $port && $port && $port <= 65535;
    } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
    }
    return $value if defined $value;
    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
 }
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    my $pair = $portpair;
    #
    # Accept '-' as a port-range separator
    #
    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
    my @ports = split /:/, $pair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
    $_ = validate_port( $protonum, $_) for grep $_, @ports;
    if ( @ports == 2 ) {
 	$what = 'port range';
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
    } else {
 	$what = 'port';
    }
    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP     ||
 			       $protonum == UDP     ||
 			       $protonum == UDPLITE ||
 			       $protonum == SCTP    ||
 			       $protonum == DCCP );
    join ':', @ports;
 }
 sub validate_portpair1( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
    my @ports = split /-/, $portpair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
    $_ = validate_port( $protonum, $_) for grep $_, @ports;
    if ( @ports == 2 ) {
 	$what = 'port range';
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
    } else {
 	$what = 'port';
 	fatal_error 'Invalid port number (0)' unless $portpair;
    }
    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP  ||
 			       $protonum == UDP  ||
 			       $protonum == SCTP ||
 			       $protonum == DCCP );
    join '-', @ports;
 }
 sub validate_port_list( $$ ) {
    my $result = '';
    my ( $proto, $list ) = @_;
    my @list   = split_list( $list, 'port' );
    if ( @list > 1 && $list =~ /[:-]/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
    }
    $proto = proto_name $proto;
    for ( @list ) {
 	my $value = validate_portpair( $proto , $_ );
 	$result = $result ? join ',', $result, $value : $value;
    }
    $result;
 }
 my %icmp_types = ( any                          => 'any',
 		   'echo-reply'                 => 0,
 		   'destination-unreachable'    => 3,
@@ -459,6 +572,67 @@ sub validate_icmp( $ ) {
    fatal_error "Invalid ICMP Type ($type)"
 }
 #
 # Expands a port range into a minimal list of ( port, mask ) pairs.
 # Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
 #
 # Example:
 #
 #       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
 #       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
 #
 sub expand_port_range( $$ ) {
    my ( $proto, $range ) = @_;
    if ( $range =~ /^(.*):(.*)$/ ) {
 	my ( $first, $last ) = ( $1, $2);
 	my @result;
 	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
 	#
 	# Supply missing first/last port number
 	#
 	$first = 0     if $first eq '';
 	$last  = 65535 if $last eq '';
 	#
 	# Validate the ports
 	#
 	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
 	$last++; #Increment last address for limit testing.
 	#
 	# Break the range into groups:
 	#
 	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
 	#      - Otherwise, find the largest power of two P that divides the first address such that
 	#        the remaining range has less than or equal to P ports. The next group is
 	#        ( <first> , ~( P-1 ) ).
 	#
 	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
 	    my $mask = 0xffff;         #Mask for current ports in group.
 	    my $y    = 2;              #Next power of two to test
 	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
 	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
 		$mask <<= 1;
 		$z  = $y;
 		$y <<= 1;
 	    }
 	    #
 	    #
 	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
 	    $first += $z;
 	}
 	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
 	@result;
    } else {
 	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
    }
 }
 sub valid_6address( $ ) {
    my $address = $_[0];
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -667,7 +667,6 @@ sub create_docker_rules() {
    my $chainref = $filter_table->{FORWARD};
    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
    if ( my $dockerref = known_interface('docker0') ) {
@@ -1214,53 +1213,55 @@ sub add_common_rules ( $ ) {
 	}
    }
-    my $announced = 0;
+    if ( $family == F_IPV4 ) {
 	my $announced = 0;
-    $list = find_interfaces_by_option 'upnp';
+	$list = find_interfaces_by_option 'upnp';
-    if ( @$list ) {
+	if ( @$list ) {
-	progress_message2 "$doing UPnP";
+	    progress_message2 "$doing UPnP";
-	$chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
+	    $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
-	add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
+	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
-	my $chainref1;
+	    my $chainref1;
-	if ( $config{MINIUPNPD} ) {
+	    if ( $config{MINIUPNPD} ) {
-	    $chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
+		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
-	    add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
+		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
 	    }
 	    $announced = 1;
 	    for $interface ( @$list ) {
 		add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
 		add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
 	    }
 	}
-	$announced = 1;
+	$list = find_interfaces_by_option 'upnpclient';
-	for $interface ( @$list ) {
+	if ( @$list ) {
-	    add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
+	    progress_message2 "$doing UPnP" unless $announced;
 	    add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
 	}
    }
-    $list = find_interfaces_by_option 'upnpclient';
+	    for $interface ( @$list ) {
 		my $chainref = $filter_table->{input_option_chain $interface};
 		my $base     = uc var_base get_physical $interface;
 		my $optional = interface_is_optional( $interface );
 		my $variable = get_interface_gateway( $interface, ! $optional );
 		my $origin   = get_interface_origin( $interface );
-    if ( @$list ) {
+		if ( $optional ) {
-	progress_message2 "$doing UPnP" unless $announced;
+		    add_commands( $chainref,
-
+				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
-	for $interface ( @$list ) {
+		    incr_cmd_level( $chainref );
-	    my $chainref = $filter_table->{input_option_chain $interface};
+		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
-	    my $base     = uc var_base get_physical $interface;
+		    decr_cmd_level( $chainref );
-	    my $optional = interface_is_optional( $interface );
+		    add_commands( $chainref, 'fi' );
-	    my $variable = get_interface_gateway( $interface, ! $optional );
+		} else {
-	    my $origin   = get_interface_origin( $interface );
+		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
-
+		}
 	    if ( $optional ) {
 		add_commands( $chainref,
 			      qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
 		incr_cmd_level( $chainref );
 		add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
 		decr_cmd_level( $chainref );
 		add_commands( $chainref, 'fi' );
 	    } else {
 		add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
 	    }
 	}
    }
@@ -2448,7 +2449,7 @@ sub setup_mss( ) {
    my $clampmss = $config{CLAMPMSS};
    my $option;
    my @match;
-    my $chainref = $mangle_table->{FORWARD};
+    my $chainref = $filter_table->{FORWARD};
    if ( $clampmss ) {
 	if ( "\L$clampmss" eq 'yes' ) {
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -941,17 +941,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-
+	    my @servers = validate_address $server, 1;
 	    my @servers;
 	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
 		$server = record_runtime_address( $1, $2 );
 		$server =~ s/ $//;
 		@servers = ( $server );
 	    } else {
 		@servers = validate_address $server, 1;
 	    }
 	    $server = join ',', @servers;
 	}
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -64,8 +64,6 @@ our @load_interfaces;
 our $balancing;
 our $fallback;
 our $balanced_providers;
 our $fallback_providers;
 our $metrics;
 our $first_default_route;
 our $first_fallback_route;
@@ -101,8 +99,6 @@ sub initialize( $ ) {
    %provider_interfaces    = ();
    @load_interfaces        = ();
    $balancing              = 0;
    $balanced_providers     = 0;
    $fallback_providers     = 0;
    $fallback               = 0;
    $metrics                = 0;
    $first_default_route    = 1;
@@ -125,7 +121,7 @@ sub initialize( $ ) {
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask   = in_hex( $globals{PROVIDER_MASK} );
+    my $mask = in_hex( $globals{PROVIDER_MASK} );
    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
@@ -161,15 +157,6 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref,  $origin, i => $physical,     mark => "--mark 0/$mask";
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark  $mark/$mask";
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
 		if ( have_ipsec ) {
 		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
 			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
 			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    }
 		}
 		$marked_interfaces{$interface} = 1;
 	    }
@@ -336,13 +323,7 @@ sub balance_default_route( $$$$ ) {
    emit '';
    if ( $first_default_route ) {
-	if ( $balanced_providers == 1 ) {
+	if ( $gateway ) {
 	    if ( $gateway ) {
 		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
 		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
 	    }
 	} elsif ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
 	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
@@ -366,13 +347,7 @@ sub balance_fallback_route( $$$$ ) {
    emit '';
    if ( $first_fallback_route ) {
-	if ( $fallback_providers == 1 ) {
+	if ( $gateway ) {
 	    if ( $gateway ) {
 		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
 		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
 	    }
 	} elsif ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
 	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
@@ -511,7 +486,7 @@ sub process_a_provider( $ ) {
    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, $number );
+	$gateway = get_interface_gateway( $interface, undef, 1 );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
@@ -521,9 +496,6 @@ sub process_a_provider( $ ) {
 	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	$gateway = $1 if $family == F_IPV6 && $gateway =~ /^\[(.+)\]$/;
 	validate_address $gateway, 0;
 	if ( defined $mac ) {
@@ -614,7 +586,6 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'nohostroute' ) {
 		$hostroute = 0;
 	    } elsif ( $option eq 'persistent' ) {
 		warning_message "When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option may not work as expected" if $config{RESTORE_DEFAULT_ROUTE};
 		$persistent = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
@@ -622,12 +593,7 @@ sub process_a_provider( $ ) {
 	}
    }
-    if ( $balance ) {
+    fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;
 	fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $default;
 	$balanced_providers++;
    } elsif ( $default ) {
 	$fallback_providers++;
    }
    if ( $load ) {
 	fatal_error q(The 'balance=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $balance > 1;
@@ -701,6 +667,7 @@ sub process_a_provider( $ ) {
 	    $pref = 10000 + $number - 1;
 	}
    }
    unless ( $loose || $pseudo ) {
@@ -859,7 +826,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route replace default dev $physical table $id";
+		emit "run_ip route add default dev $physical table $id";
 	    }
 	}
@@ -875,7 +842,7 @@ sub add_a_provider( $$ ) {
 		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }
-	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
 	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
@@ -885,24 +852,24 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( "find_interface_addresses $physical | while read address; do",
+		emit  ( "find_interface_addresses $physical | while read address; do" );
-			"    qt \$IP -$family rule del from \$address",
+		emit  ( "    qt \$IP -$family rule del from \$address" );
-			"    run_ip rule add from \$address pref 20000 table $id",
+		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
 			'done'
 		      );
 	    }
 	}
-	if ( @{$providerref->{persistent_routes}} ) {
+	    if ( @{$providerref->{persistent_routes}} ) {
-	    emit '';
+		emit '';
-	    emit $_ for @{$providers{$table}->{persistent_routes}};
+		emit $_ for @{$providers{$table}->{persistent_routes}};
-	}
+	    }
-	if ( @{$providerref->{persistent_rules}} ) {
+	    if ( @{$providerref->{persistent_rules}} ) {
-	    emit '';
+		emit '';
-	    emit $_ for @{$providers{$table}->{persistent_rules}};
+		emit $_ for @{$providers{$table}->{persistent_rules}};
 	    }
 	}
 	pop_indent;
@@ -910,6 +877,7 @@ sub add_a_provider( $$ ) {
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 	pop_indent;
 	emit( "}\n" );
@@ -935,7 +903,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route replace default dev $physical table $id";
+		emit "run_ip route add default dev $physical table $id";
 	    }
 	}
    }
@@ -967,7 +935,7 @@ CEOF
 	my $hexmark = in_hex( $mark );
 	my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
-	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $persistent || $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
@@ -996,7 +964,7 @@ CEOF
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}
-	emit "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
    }
    if ( $balance ) {
@@ -1008,16 +976,14 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route replace default via $gateway src $address dev $physical table $id metric $number);
+	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
-	    emit qq(run_ip route replace default table $id dev $physical metric $number);
+	    emit qq(run_ip route add default table $id dev $physical metric $number);
 	    emit qq(echo "\$IP -$family route del default dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	}
 	emit( 'g_fallback=Yes' ) if $persistent;
 	$metrics = 1;
    }
@@ -1039,13 +1005,12 @@ CEOF
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
 		if ( $persistent ) {
-		    emit( qq(if ! egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),
+		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
 			  qq(    qt \$IP -$family rule del from $address pref 20000),
 			  qq(    run_ip rule add from $address pref 20000 table $id),
 			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
 			  qq(fi) );
 		} else {
-		    emit  "qt \$IP -$family rule del from $address" if $persistent || $config{DELETE_THEN_ADD};
+		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 		}
@@ -1102,21 +1067,7 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
-	emit( qq(rm -f \${VARDIR}/${physical}_disabled),
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
 	    );
 	if ( ! $pseudo && $config{USE_DEFAULT_RT} && $config{RESTORE_DEFAULT_ROUTE} ) {
 	    emit  ( '#',
 		    '# We now have a viable default route in the \'default\' table so delete any default routes in the main table',
 		    '#',
 		    'while qt \$IP -$family route del default table ' . MAIN_TABLE . '; do',
 		    '    true',
 		    'done',
 		    ''
 		);
 	}
 	emit_started_message( '', 2, $pseudo, $table, $number );
 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1261,14 +1212,12 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
-	emit( "echo 1 > \${VARDIR}/${physical}.status",
+	emit( "echo 1 > \${VARDIR}/${physical}.status" );
 	      $pseudo ? "run_disabled_exit ${physical} ${interface}" : "run_disabled_exit ${physical} ${interface} ${table}"
 	    );
 	if ( $pseudo ) {
-	    emit( "progress_message2 \"Optional Interface $table stopped\"" );
+	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
 	} else {
-	    emit( "progress_message2 \"Provider $table ($number) stopped\"" );
+	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
 	}
 	pop_indent;
@@ -1369,7 +1318,7 @@ sub add_an_rtrule1( $$$$$ ) {
    $priority = "pref $priority";
-    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $persistent || $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
    if ( $persistent ) {
@@ -1467,22 +1416,22 @@ sub add_a_route( ) {
    if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
-	    push @$routes,            qq(run_ip route replace $dest via $gateway dev $physical table $id);
+	    push @$routes,            qq(run_ip route add $dest via $gateway dev $physical table $id);
-	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway dev $physical table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route add $dest via $gateway dev $physical table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} elsif ( $null ) {
-	    push @$routes,            qq(run_ip route replace $null $dest table $id);
+	    push @$routes,            qq(run_ip route add $null $dest table $id);
-	    push @$persistent_routes, qq(run_ip route replace $null $dest table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route add $null $dest table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $null $dest table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
-	    push @$routes,            qq(run_ip route replace $dest via $gateway table $id);
+	    push @$routes,            qq(run_ip route add $dest via $gateway table $id);
-	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route add $dest via $gateway table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	}
    } else {
 	fatal_error "You must specify a device for this route" unless $physical;
-	push @$routes,            qq(run_ip route replace $dest dev $physical table $id);
+	push @$routes,            qq(run_ip route add $dest dev $physical table $id);
-	push @$persistent_routes, qq(run_ip route replace $dest dev $physical table $id) if $persistent;
+	push @$persistent_routes, qq(run_ip route add $dest dev $physical table $id) if $persistent;
 	push @$routes,             q(echo "$IP ) . qq(-$family route del $dest dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
    }
@@ -1584,10 +1533,10 @@ sub finish_providers() {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        while qt \$IP -6 route delete default table $table; do true; done",
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
-		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
-		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
 		    '    fi',
 		    '' );
 	}
@@ -1605,7 +1554,7 @@ sub finish_providers() {
 		'    error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
 	if ( $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit qq(    [ -z "\${FALLBACK_ROUTE}\${g_fallback}" ] && restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
+	    emit qq(    restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
@@ -1632,7 +1581,7 @@ sub finish_providers() {
 	}
 	emit ( '#',
-	       '# Delete any default routes with metric 0 in the \'balance\' table',
+	       '# Delete any routes in the \'balance\' table',
 	       '#',
 	       "while qt \$IP -$family route del default table $balance; do",
 	       '    true',
@@ -1647,7 +1596,7 @@ sub finish_providers() {
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    while qt \$IP -6 route delete default table $default; do true; done" );
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}
@@ -1660,10 +1609,7 @@ sub finish_providers() {
 	      'fi',
 	      '' );
    } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( '#',
+	emit( "delete_default_routes $default",
 	      '# No balanced fallback routes - delete any routes with metric 0 from the \'default\' table',
 	      '#',
 	      "delete_default_routes $default",
 	      ''
 	    );
    }
@@ -1708,7 +1654,7 @@ sub process_providers( $ ) {
    }
    if ( $providers ) {
-	fatal_error q(Either all 'fallback' providers must specify a weight or none of them can specify a weight) if $fallback && $metrics;
+	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
 	my $fn = open_file( 'route_rules' );
@@ -1947,6 +1893,7 @@ sub setup_providers() {
 	emit "fi\n";
    }
 }
 #
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -91,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
    my $disposition = $action;
    my $exception_rule = '';
-
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
    my $level = '';
    if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
@@ -138,14 +138,6 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
 	if ( $proto ne '-' ) {
 	    if ( $proto =~ s/:all$// ) {
 		fatal_error '":all" may only be used with TCP' unless resolve_proto( $proto ) == TCP;
 	    } else {
 		$proto = TCP . ':syn' if $proto !~ /:syn/ && resolve_proto( $proto ) == TCP;
 	    }
 	}
 	if ( $option eq 'notrack' ) {
 	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
@@ -207,9 +199,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
    expand_rule( $chainref ,
 		 $restriction ,
 		 '',
-		 do_proto( $proto, $ports, $sports ) . 
+		 $rule,
 		 do_user ( $user ) . 
 		 do_condition( $switch , $chainref->{name} ),
 		 $source ,
 		 $dest ,
 		 '' ,
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Rules.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Rules.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -96,7 +96,7 @@ use constant { NULL_SECTION          => 0x00,
 	       INVALID_SECTION       => 0x10,
 	       UNTRACKED_SECTION     => 0x20,
 	       NEW_SECTION           => 0x40,
-	       POLICYACTION_SECTION  => 0x80 };
+	       DEFAULTACTION_SECTION => 0x80 };
 #
 # Number of elements in the action tuple
 #
@@ -216,10 +216,6 @@ our %statetable;
 # Tracks which of the state match actions (action.Invalid, etc.) that is currently being expanded
 #
 our $statematch;
 #
 # Remembers NAT-oriented columns from top-level action invocations
 #
 our %nat_columns;
 #
 # Action/Inline options
@@ -388,8 +384,6 @@ sub initialize( $ ) {
 	                  );
    }
    %nat_columns = ( dest => '-', proto => '-', ports => '-' );
    ############################################################################
    # Initialize variables moved from the Tc module in Shorewall 5.0.7         #
    ############################################################################
@@ -623,7 +617,7 @@ sub handle_nfqueue( $$ ) {
 	    fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
 	    if ( supplied $queue2 ) {
-		$fanout    = $queue2 =~ s/c$// ? ' --queue-cpu-fanout' : '';
+		$fanout    = ' --queue-cpu-fanout' if $queue2 =~ s/c$//;
 		$queuenum2 = numeric_value( $queue2 );
 		fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
@@ -927,28 +921,6 @@ sub process_policies()
 #
 sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
 #
 # Determine the protocol to be used in the jump to the passed action
 #
 sub determine_action_protocol( $$ ) {
    my ( $action, $proto ) = @_;
    if ( my $actionproto = $actions{$action}{proto} ) {
 	if ( $proto eq '-' ) {
 	    $proto = $actionproto;
 	} else {
 	    if ( defined( my $protonum = resolve_proto( $proto ) ) ) {
 		fatal_error( "The $action action is only usable with " . proto_name( $actionproto ) ) unless $actionproto == $protonum;
 		$proto = $protonum;
 	    } else {
 		fatal_error( "Unknown protocol ($proto)" );
 	    }
 	}
    }
    $proto;
 }
 sub add_policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
@@ -964,16 +936,12 @@ sub add_policy_rules( $$$$$ ) {
 	    if ( ( $targets{$action} || 0 ) & ACTION ) {
 		#
-		# Policy action is a regular action -- jump to the action chain
+		# Default action is a regular action -- jump to the action chain
 		#
-		if ( ( my $proto = determine_action_protocol( $action, '-' ) ) ne '-' ) {
+		add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
 		    add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
 		} else {
 		    add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
 		}
 	    } else {
 		#
-		# Policy action is an inline 
+		# Default action is an inline 
 		#
 		( undef, my $level )   = split /:/, $paction, 2;
 		( $action, my $param ) = get_target_param( $action );
@@ -1159,7 +1127,7 @@ sub setup_syn_flood_chains() {
 	    add_rule $synchainref , "${limit}-j RETURN";
 	    log_irule_limit( $level ,
 			     $synchainref ,
-			     $synchainref->{name} ,
+			     $chainref->{name} ,
 			     'DROP',
 			     @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
 			    '' ,
@@ -1288,7 +1256,7 @@ sub finish_chain_section ($$$) {
 	if ( $chain1ref->{is_policy} ) {
 	    if ( $chain1ref->{synparams} ) {
 		my $synchainref = ensure_chain 'filter', syn_flood_chain $chain1ref;
-		if ( $section == POLICYACTION_SECTION ) {
+		if ( $section == DEFAULTACTION_SECTION ) {
 		    if ( $chain1ref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
 			add_ijump $chain1ref, j => $synchainref, p => 'tcp --syn';
 		    }
@@ -1324,7 +1292,7 @@ sub ensure_rules_chain( $ )
    $chainref = new_rules_chain( $chain ) unless $chainref;
    unless ( $chainref->{referenced} ) {
-	if ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ) {
+	if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID,UNTRACKED';
 	} elsif ( $section == UNTRACKED_SECTION ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID';
@@ -1443,13 +1411,13 @@ sub external_name( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$$$$$ ) {
+sub new_action( $$$$$ ) {
-    my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;
+    my ( $action , $type, $options , $actionfile , $state ) = @_;
-    fatal_error "Reserved action name ($action)" if reserved_name( $action );
+    fatal_error "Invalid action name($action)" if reserved_name( $action );
-    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };
+    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state };
    $targets{$action} = $type;
 }
@@ -1457,7 +1425,11 @@ sub new_action( $$$$$$ ) {
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
-# a 1- or 2-digit sequence number.
+# a 1- or 2-digit sequence number. In the functions that follow,
 # the $chain, $level and $tag variables serve as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
 # set $chain to the name of the iptables chain where rules are to be added.
 # Similarly, $level and $tag contain the log level and log tag respectively.
 #
 # The maximum length of a chain name is 30 characters -- since the log
 # action chain name is 2-3 characters longer than the base chain name,
@@ -1663,7 +1635,7 @@ sub merge_inline_source_dest( $$ ) {
 		    return join( ':', $invocation, $body );
 		}
 	    } else {
-		fatal_error 'Interface names cannot appear in the DEST column within an action body' if $body =~ /:\[|:\+/;
+		fatal_error 'Interface names cannot appear in the DEST column within an action body' if $body =~ /:\[|:\+|/;
 		if ( $invocation =~ /:\[|:\+/ ) {
 		    $invocation =~ s/:.*//;
@@ -1680,19 +1652,6 @@ sub merge_inline_source_dest( $$ ) {
    $body || '';
 }
 #
 # This one is used by perl_action_helper()
 #
 sub merge_action_column( $$ ) {
    my ( $body, $invocation ) = @_;
    if ( supplied( $body ) && $body ne '-' ) {
 	$body;
    } else {
 	$invocation;
    }
 }
 sub merge_macro_column( $$ ) {
    my ( $body, $invocation ) = @_;
@@ -1773,14 +1732,6 @@ sub process_action(\$\$$) {
 	fatal_error "Action $action may not be used in the mangle file"  if $chainref->{table} eq 'mangle';
    }
    if ( $type & NAT_TABLE ) {
 	fatal_error "Action $action may only be used in the snat file" unless $chainref->{table} eq 'nat';
    } else {
 	fatal_error "Action $action may not be used in the snat file"  if $chainref->{table} eq 'nat';
    }
    $param = $1 if $param =~ /^.*\|(.*)$/; #Strip interface name off of the parameters
    my $actionfile = $actionref->{file};
    progress_message2 "$doing $actionfile for chain $chainref->{name}...";
@@ -1969,7 +1920,7 @@ sub process_action(\$\$$) {
 	    for my $proto (split_list( $protos, 'Protocol' ) ) {
 		process_snat1( $chainref,
-			       $nolog ? $action : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $action ),
+			       $action,
 			       $source,
 			       $dest,
 			       $proto,
@@ -2071,10 +2022,9 @@ sub process_actions() {
 	    my $opts = $type == INLINE ? NOLOG_OPT : 0;
 	    my $state = '';
 	    my $proto = 0;
 	    if ( $action =~ /:/ ) {
-		warning_message 'Policy Actions are now specified in /etc/shorewall/shorewall.conf';
+		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
 		$action =~ s/:.*$//;
 	    }
@@ -2088,9 +2038,6 @@ sub process_actions() {
 			} else {
 			    fatal_error( q(The 'state' option is reserved for use in the actions.std file) );
 			}
 		    } elsif ( /^proto=(.+)$/ ) {
 			fatal_error "Unknown Protocol ($1)" unless defined( $proto = resolve_proto( $1 ) );
 			fatal_error "A protocol may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
 		    } else {
 			fatal_error "Invalid option ($_)" unless $options{$_};
 			$opts |= $options{$_};
@@ -2100,10 +2047,10 @@ sub process_actions() {
 		unless ( $type & INLINE ) {
 		    $type = INLINE if $opts & INLINE_OPT;
 		}
 		fatal_error "Conflicting OPTIONS ($options)" if ( $opts & NOINLINE_OPT && $type == INLINE ) || ( $opts & INLINE_OPT && $opts & BUILTIN_OPT );
 	    }
 	    fatal_error "Conflicting OPTIONS ($options)" if ( $opts & NOINLINE_OPT && $type == INLINE ) || ( $opts & INLINE_OPT && $opts & BUILTIN_OPT );
 	    if ( my $actiontype = $targets{$action} ) {
 		if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
 		    if ( $actions{$action}{options} & NOINLINE_OPT ) {
@@ -2111,11 +2058,6 @@ sub process_actions() {
 			next;
 		    }
 		    $proto = $actions{$action}{proto} unless $proto;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} elsif ( ( $actiontype & INLINE ) && ( $type == ACTION ) && $opts & NOINLINE_OPT ) {
 		    $proto = $actions{$action}{proto} unless $proto;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} else {
@@ -2125,8 +2067,6 @@ sub process_actions() {
 	    }
 	    if ( $opts & BUILTIN_OPT ) {
 		warning_message( "The 'proto' option has no effect when specified on a builtin action" ) if $proto;
 		my $actiontype = USERBUILTIN | OPTIONS;
 		$actiontype   |= MANGLE_TABLE if $opts & MANGLE_OPT;
 		$actiontype   |= RAW_TABLE    if $opts & RAW_OPT;
@@ -2159,7 +2099,7 @@ sub process_actions() {
 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
-		new_action ( $action, $type, $opts, $actionfile , $state , $proto );
+		new_action ( $action, $type, $opts, $actionfile , $state );
 	    }
 	}
    }
@@ -2197,7 +2137,7 @@ sub process_reject_action() {
    #
    # This gets called very early in the compilation process so we fake the section
    #
-    $section = POLICYACTION_SECTION;
+    $section = DEFAULTACTION_SECTION;
    if ( ( $targets{$action} || 0 ) == ACTION ) {
 	add_ijump $rejectref, j => use_policy_action( $action, $rejectref->{name} );
@@ -2531,7 +2471,7 @@ sub verify_audit($;$$) {
 # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument. A chain
-# reference is also passed when rules are being generated during processing of a macro used as a policy action.
+# reference is also passed when rules are being generated during processing of a macro used as a default action.
 #
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
@@ -2570,8 +2510,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $exceptionrule = '';
    my $usergenerated;
    my $prerule = '';
    my %save_nat_columns = %nat_columns;
    my $generated = 0;
    #
    # Subroutine for handling MARK and CONNMARK.
    #
@@ -2653,30 +2591,32 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$current_param = $param unless $param eq '' || $param eq 'PARAM';
-	$generated = process_macro( $basictarget,
+	my $generated = process_macro( $basictarget,
-				    $chainref,
+				       $chainref,
-				    $rule . $raw_matches,
+				       $rule . $raw_matches,
-				    $matches1,
+				       $matches1,
-				    $target,
+				       $target,
-				    $current_param,
+				       $current_param,
-				    $source,
+				       $source,
-				    $dest,
+				       $dest,
-				    $proto,
+				       $proto,
-				    $ports,
+				       $ports,
-				    $sports,
+				       $sports,
-				    $origdest,
+				       $origdest,
-				    $ratelimit,
+				       $ratelimit,
-				    $user,
+				       $user,
-				    $mark,
+				       $mark,
-				    $connlimit,
+				       $connlimit,
-				    $time,
+				       $time,
-				    $headers,
+				       $headers,
-				    $condition,
+				       $condition,
-				    $helper,
+				       $helper,
-				    $wildcard );
+				       $wildcard );
 	$macro_nest_level--;
-	goto EXIT;
+
 	return $generated;
    } elsif ( $actiontype & NFQ ) {
 	$action = handle_nfqueue( $param,
 				  1 # Allow 'bypass'
@@ -2748,7 +2688,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      REDIRECT => sub () {
 		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
 		  if ( $dest eq '-' ) {
 		      if ( $family == F_IPV4 ) {
 			  $dest = ( $inchain ) ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
@@ -2877,7 +2816,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    }
 	}
    }
    #
    # Isolate and validate source and destination zones
    #
@@ -2971,7 +2909,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#
 	if ( $destref->{type} & BPORT ) {
 	    unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
-		goto EXIT if $wildcard;
+		return 0 if $wildcard;
 		fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
 	    }
 	}
@@ -2986,7 +2924,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	my $policy = $chainref->{policy};
 	if ( $policy eq 'NONE' ) {
-	    goto EXIT if $wildcard;
+	    return 0 if $wildcard;
 	    fatal_error "Rules may not override a NONE policy";
 	}
 	#
@@ -2995,9 +2933,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	if ( $optimize == 1 && $section == NEW_SECTION ) {
 	    my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 	    if ( $loglevel ne '' ) {
-		goto EXIT if $target eq "${policy}:${loglevel}";
+		return 0 if $target eq "${policy}:${loglevel}";
 	    } else {
-		goto EXIT if $basictarget eq $policy;
+		return 0 if $basictarget eq $policy;
 	    }
 	}
 	#
@@ -3042,25 +2980,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $actionchain; # Name of the action chain
    if ( $actiontype & ACTION ) {
 	#
 	# Verify action 'proto', if any
 	#
 	$proto = determine_action_protocol( $basictarget, $proto );
 	#
 	# Save NAT-oriented column contents
 	#
 	@nat_columns{'dest', 'proto', 'ports' } = ( $dest,
 						    $proto eq '-' ? $nat_columns{proto} : $proto,
 						    $ports eq '-' ? $nat_columns{ports} : $ports );
 	#
 	# Push the current column array onto the column stack
 	#
        my @savecolumns = @columns;
 	#
 	# And store the (modified) columns into the columns array for use by perl_action[_tcp]_helper. We
 	# only need the NAT-oriented columns
 	#
 	@columns = ( undef , undef, $dest, $proto, $ports);
 	#
 	# Handle 'section' option
 	#
@@ -3104,8 +3023,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	}
 	$action = $basictarget; # Remove params, if any, from $action.
 	@columns = @savecolumns;
    } elsif ( $actiontype & INLINE ) {
 	#
 	# process_inline() will call process_rule() recursively for each rule in the action body
@@ -3122,34 +3039,34 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$actionresult = 0;
-	$generated = process_inline( $basictarget,
+	my $generated = process_inline( $basictarget,
-				     $chainref,
+					$chainref,
-				     $prerule . $rule,
+					$prerule . $rule,
-				     $matches1 . $raw_matches,
+					$matches1 . $raw_matches,
-				     $loglevel,
+					$loglevel,
-				     $target,
+					$target,
-				     $param,
+					$param,
-				     $source,
+					$source,
-				     $dest,
+					$dest,
-				     $proto,
+					$proto,
-				     $ports,
+					$ports,
-				     $sports,
+					$sports,
-				     $origdest,
+					$origdest,
-				     $ratelimit,
+					$ratelimit,
-				     $user,
+					$user,
-				     $mark,
+					$mark,
-				     $connlimit,
+					$connlimit,
-				     $time,
+					$time,
-				     $headers,
+					$headers,
-				     $condition,
+					$condition,
-				     $helper,
+					$helper,
-				     $wildcard ) || $actionresult;
+					$wildcard ) || $actionresult;
 	( $actionresult, @columns ) = @$savecolumns;;
 	$macro_nest_level--;
-	goto EXIT;
+	return $generated;
    }
    #
    # Generate Fixed part of the rule
@@ -3196,7 +3113,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     );
    }
-    unless ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ||
+    unless ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ||
 	     $inaction ||
 	     $blacklist ||
 	     $basictarget eq 'dropInvalid' ) {
@@ -3332,17 +3249,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     $log_action ,
 		     $exceptionrule ,
 		     $usergenerated && ! $loglevel )
-	    unless unreachable_warning( $wildcard || $section == POLICYACTION_SECTION, $chainref );
+	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
    }
-    $generated = 1;
+    return 1;
  EXIT:
    {
      %nat_columns = %save_nat_columns;
    }
    return $generated;
 }
@@ -3410,7 +3320,7 @@ sub check_state( $ ) {
 	}
    }
-    if ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ) {
+    if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
 	if ( $state eq 'NEW' ) {
 	    #
 	    # If an INVALID or UNTRACKED rule would be emitted then we must include the state match
@@ -3496,60 +3406,27 @@ sub perl_action_helper($$;$$) {
 				 '',                              # CurrentParam
 				 @columns );
    } else {
-	if ( ( $targets{$target} || 0 ) & NATRULE ) {
+	$result = process_rule( $chainref,
-	    $result = process_rule( $chainref,
+				$matches,
-				    $matches,
+				$matches1,
-				    $matches1,
+				merge_target( $actions{$action}, $target ),
-				    merge_target( $actions{$action}, $target ),
+				'',                               # Current Param
-				    '',                               # Current Param
+				'-',                              # Source
-				    '-',                              # Source
+				'-',                              # Dest
-				    merge_action_column(              # Dest
+				'-',                              # Proto
-					$columns[2],			      
+				'-',                              # Port(s)
-					$nat_columns{dest}
+				'-',                              # Source Port(s)
-				    ),
+				'-',                              # Original Dest
-				    merge_action_column(              #Proto
+				'-',                              # Rate Limit
-					$columns[3],
+				'-',                              # User
-					$nat_columns{proto}
+				'-',                              # Mark
-				    ),
+				'-',                              # Connlimit
-				    merge_action_column(              #Ports
+				'-',                              # Time
-					$columns[4],
+				'-',                              # Headers,
-					$nat_columns{ports}),
+				'-',                              # condition,
-				    '-',                              # Source Port(s)
+				'-',                              # helper,
-				    '-',                              # Original Dest
+				0,                                # Wildcard
-				    '-',                              # Rate Limit
+			      );
 				    '-',                              # User
 				    '-',                              # Mark
 				    '-',                              # Connlimit
 				    '-',                              # Time
 				    '-',                              # Headers,
 				    '-',                              # condition,
 				    '-',                              # helper,
 				    0,                                # Wildcard
 		);
 	} else {
 	    $result = process_rule( $chainref,
 				    $matches,
 				    $matches1,
 				    merge_target( $actions{$action}, $target ),
 				    '',                               # Current Param
 				    '-',                              # Source
 				    '-',                              # Dest
 				    '-',                              # Proto
 				    '-',                              # Port(s)
 				    '-',                              # Source Port(s)
 				    '-',                              # Original Dest
 				    '-',                              # Rate Limit
 				    '-',                              # User
 				    '-',                              # Mark
 				    '-',                              # Connlimit
 				    '-',                              # Time
 				    '-',                              # Headers,
 				    '-',                              # condition,
 				    '-',                              # helper,
 				    0,                                # Wildcard
 		);
 	}
 	allow_optimize( $chainref );
    }
    #
@@ -3615,8 +3492,7 @@ sub perl_action_tcp_helper($$) {
 				    '-',                              # condition,
 				    '-',                              # helper,
 				    0,                                # Wildcard
-		                  );
+				  );
 	    allow_optimize( $chainref );
 	}
 	#
@@ -3951,7 +3827,7 @@ sub process_rules() {
    #
    # No need to finish the NEW section since no rules need to be generated
    #
-    $section = $next_section = POLICYACTION_SECTION;
+    $section = $next_section = DEFAULTACTION_SECTION;
 }
 sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
@@ -4187,10 +4063,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		expand_rule( $chainref,
 			     $restriction,
 			     $prerule ,
 			     do_proto( $proto, $ports, $sports ) .
 			     $match .
 			     do_user( $user ) .
-			     do_test( $testval, $mask ) .
+			     do_test( $testval, $globals{TC_MASK} ) .
 			     do_test( $testval, $globals{TC_MASK} ) .
 			     do_length( $length ) .
 			     do_tos( $tos ) .
 			     do_connbytes( $connbytes ) .
@@ -4198,7 +4074,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 			     do_headers( $headers ) .
 			     do_probability( $probability ) .
 			     do_dscp( $dscp ) .
 			     do_time( $time ) .
 			     do_condition( $condition, $chainref->{name} ) .
 			     state_match( $state ) .
 			     $raw_matches ,
@@ -4634,52 +4509,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 	TCPMSS     => {
 	    defaultchain   => FORWARD,
 	    allowedchains  => FORWARD | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 2,
 	    function       => sub () {
 		if ( $proto eq '-' ) {
 		    $proto = TCP;
 		} else {
 		    fatal_error 'TCPMSS only valid with TCP' unless $proto eq '6' || $proto eq 'tcp';
 		}
 		$target   = 'TCPMSS ';
 		$matches .= '--tcp-flags SYN,RST SYN ';
 		if ( supplied $params ) {
 		    my ( $mss, $ipsec ) = split /,/, $params;
 		    if ( supplied $mss ) {
 			if ( $mss eq 'pmtu' ) {
 			    $target .= '--clamp-mss-to-pmtu';
 			} else {
 			    my $num = numeric_value $mss;
 			    fatal_error "Invalid MSS ($mss)" unless defined $num && $num >= 500 && $num < 65534;
 			    $target .= "--set-mss $num";
 			}
 		    } else {
 			$target .= '--clamp-mss-to-pmtu';
 		    }
 		    if ( supplied $ipsec && $ipsec ne 'all' ) {
 			if ( $ipsec eq '-' || $ipsec eq 'none' ) {
 			    $matches .= '-m policy --pol none --dir out ';
 			} elsif ( $ipsec eq 'ipsec' ) {
 			    $matches .= '-m policy --pol ipsec --dir out ';
 			} else {
 			    fatal_error "Invalid ipsec parameter ($ipsec)";
 			}
 			require_capability 'POLICY_MATCH', "The $ipsec ipsec option", 's';
 		    }
 		} else {
 		    $target .= '--clamp-mss-to-pmtu';
 		}
 	    },
 	},
 	TOS        => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
@@ -4703,7 +4532,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		my ( $port, $ip, $bad );
 		if ( $params ) {
-		    ( $port, $ip ) = split /,/, $params, 2;
+		    ( $port, $ip, $bad ) = split_list $params, 'Parameter';
 		    fatal_error "Invalid TPROXY specification( TPROXY($params) )" if defined $bad;
 		}
 		my $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
@@ -4770,10 +4600,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	function          => sub() {
 	    fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE;
 	    #
 	    # Verify action 'proto', if any
 	    #
 	    $proto = determine_action_protocol( $cmd, $proto );
 	    #
 	    # Create the action:level:tag:param tuple.
 	    #
 	    my $normalized_target = normalize_action( $cmd, '', $params );
@@ -5299,23 +5125,18 @@ sub process_mangle_rule( $ ) {
    }
 }
-sub process_snat_inline( $$$$$$$$$$$$$$ ) {
+sub process_snat_inline( $$$$$$$$$$$$$ ) {
-    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
    my ( $level,
 	 $tag )    = split( ':', $loglevel, 2 );
    my $oldparms   = push_action_params( $inline,
 					 $chainref,
 					 $params,
-					 supplied $level ? $level : 'none',
+					  'none',
-					 defined  $tag   ? $tag   : '' ,
+					 '' ,
 					 $chainref->{name} );
-    my $actionref    = $actions{$inline};
+    my $inlinefile = $actions{$inline}{file};
-    my $inlinefile   = $actionref->{file};
+    my $matches    = fetch_inline_matches;
    my $options      = $actionref->{options};
    my $nolog        = $options & NOLOG_OPT;
    my $matches      = fetch_inline_matches;
    progress_message "..Expanding inline action $inlinefile...";
@@ -5349,8 +5170,6 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 	    next;
 	}
 	$maction = merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $maction ) unless $nolog;
 	$msource = $source if $msource eq '-';
 	if ( $mdest eq '-' ) {
@@ -5395,7 +5214,7 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 # Process a record in the snat file
 #
 sub process_snat1( $$$$$$$$$$$$ ) {
-    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $chainref, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
    my $inchain;
    my $inaction;
@@ -5412,9 +5231,6 @@ sub process_snat1( $$$$$$$$$$$$ ) {
    my $actiontype;
    my $interfaces;
    my $normalized_action;
    my ( $action, $loglevel ) = split_action( $origaction );
    my $logaction;
    my $param;
    if ( $action =~ /^MASQUERADE(\+)?(?:\((.+)\))?$/ ) {
 	$target     = 'MASQUERADE';
@@ -5423,7 +5239,6 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$addresses  = ( $2 || '' );
 	$options    = 'random' if $addresses =~ s/:?random$//;
 	$add_snat_aliases = '';
 	$logaction  = 'MASQ';
    } elsif ( $action =~ /^SNAT(\+)?\((.+)\)$/ ) {
 	$pre_nat    = $1;
 	$addresses  = $2;
@@ -5432,16 +5247,13 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$options   .= ':persistent' if $addresses =~ s/:persistent//;
 	$options   .= ':random'     if $addresses =~ s/:random//;
 	$options   =~ s/^://;
 	$logaction = 'SNAT';
    } elsif ( $action =~ /^CONTINUE(\+)?$/ ) {
 	$add_snat_aliases = 0;
 	$actiontype = $builtin_target{$target = 'RETURN'};
 	$pre_nat    = $1;
 	$logaction = 'RETURN';
    } elsif ( $action eq 'MASQUERADE' ) {
 	$actiontype = $builtin_target{$target = 'MASQUERADE'};
 	$add_snat_aliases = '';
 	$logaction  = 'MASQ';
    } else {
 	( $target , $params ) = get_target_param1( $action );
@@ -5449,24 +5261,11 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$actiontype = ( $targets{$target} || 0 );
-	if ( $actiontype & LOGRULE ) {
+	fatal_error "Invalid ACTION ($action)" unless $actiontype & ( ACTION | INLINE );
 	    $logaction = 'LOG';
 	    if ( $target eq 'LOG' ) {
 		fatal_error 'LOG requires a log level' unless supplied $loglevel;
 	    } else {
 		$target   = "$target($params)";
 		validate_level( $action );
 		$loglevel = supplied $loglevel ? join( ':', $target, $loglevel ) : $target;
 		$target   = 'LOG';
 	    }
 	} else {
 	    fatal_error "Invalid ACTION ($action)" unless $actiontype & ( ACTION | INLINE );
 	    $logaction = '';
 	}
    }
    if ( $inchain = defined $chainref ) {
-	( $inaction, undef,undef,undef,$param ) = split( /:/, $normalized_action = $chainref->{action}) if $chainref->{action};
+	( $inaction, undef, $interfaces, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 5 if $chainref->{action};
 	fatal_error q('+' is not allowed within an action body) if $pre_nat;
    }
    #
@@ -5474,8 +5273,6 @@ sub process_snat1( $$$$$$$$$$$$ ) {
    #
    if ( $inaction ) {
 	$destnets = $dest;
 	assert( $param =~ /^(.*)\|/ );
 	$interfaces=$1;
    } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^([^:]+)::([^:]*)$/ ) {
 	    $add_snat_aliases = 0;
@@ -5489,7 +5286,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $interfaces = $1;
 	} elsif ( $dest =~ /^([^:]+):([^:]*)$/ ) {
 	    my ( $one, $two ) = ( $1, $2 );
-	    if ( $2 =~ /\./ || $2 =~ /^[+%!]/ ) {
+	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
 		$interfaces = $one;
 		$destnets = $two;
 	    } else {
@@ -5717,7 +5514,6 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    process_snat_inline( $target,
 				 $chainref,
 				 $params,
 				 $loglevel,
 				 $source,
 				 supplied $destnets && $destnets ne '-' ? $inaction ? $destnets : join( ':', $interface, $destnets ) : $inaction ? '-' : $interface,
 				 $proto,
@@ -5732,14 +5528,10 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( $actiontype & ACTION ) {
 		fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
 		#
 		# Verify action 'proto', if any
 		#
 		$proto = determine_action_protocol( $target, $proto );
 		#
 		# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
 		# the interface name in the log tag
 		#
-		my $normalized_target = normalize_action( $target, "$loglevel", "$interface|$params" );
+		my $normalized_target = normalize_action( $target, "none:$interface", $params );
 		fatal_error( "Action $target invoked Recursively (" .  join( '->', map( external_name( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$target};
 		my $ref = use_action( 'nat', $normalized_target );
@@ -5749,6 +5541,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		    # First reference to this tuple - process_action may modify both $normalized_target and $ref!!!
 		    #
 		    process_action( $normalized_target, $ref, $chainref->{name} );
 		    #
 		    # Capture the name of the action chain
 		    #
 		} else {
 		    #
 		    # We've seen this tuple before
@@ -5757,12 +5552,6 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		}
 		$target = $ref->{name};
 		if ( $actions{$target}{options} & LOGJUMP_OPT ) {
 		    $logaction = $target;
 		} else {
 		    $loglevel = '';
 		}
 	    } else {
 		for my $option ( split_list2( $options , 'option' ) ) {
 		    if ( $option eq 'random' ) {
@@ -5791,8 +5580,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 			 $destnets ,
 			 $origdest ,
 			 $target ,
-			 $loglevel ,
+			 '' ,
-			 $logaction ,
+			 '' ,
 			 $exceptionrule ,
 			 '' )
 		unless unreachable_warning( 0, $chainref );
@@ -5853,23 +5642,15 @@ sub process_snat( )
 sub setup_snat( $ ) # Convert masq->snat if true
 {
    my $fn;
    my $have_masq;
-    if ( $_[0] ) {
+    convert_masq() if $_[0];
-	convert_masq();
+
-    } elsif ( $fn = open_file( 'masq', 1, 1 ) ) {
+    if ( $fn = open_file( 'masq', 1, 1 ) ) {
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
-	process_one_masq(0), $have_masq = 1 while read_a_line( NORMAL_READ );
+	process_one_masq(0) while read_a_line( NORMAL_READ );
-    }
+    } elsif ( $fn = open_file( 'snat', 1, 1 ) ) {
-
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
-    unless ( $have_masq ) {
+	process_snat while read_a_line( NORMAL_READ );
 	#
 	# Masq file empty or didn't exist
 	#
 	if ( $fn = open_file( 'snat', 1, 1 ) ) {
 	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
 	    process_snat while read_a_line( NORMAL_READ );
 	}
    }
 }
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -225,11 +225,11 @@ sub handle_in_bandwidth( $$$ ) {
    if ( have_capability 'BASIC_FILTER' ) {
 	if ( $in_rate ) {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
-		  "    police mpu 64 rate ${in_rate}kbit burst $in_burst drop\n" );
+		  "    police mpu 64 drop rate ${in_rate}kbit burst $in_burst\n" );
 	} else {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
 		  "    estimator $in_interval $in_decay basic \\",
-		  "    police avrate ${in_avrate}kbit drop\n" );
+		  "    police drop avrate ${in_avrate}kbit\n" );
 	}
    } else {
 	emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,
@@ -1434,7 +1434,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 	    while ( @sportlist ) {
 		my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
-		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask 0x$smask eq 0x$sport \\)";
+		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask $smask eq 0x$sport \\)";
 		$rule .= ' or' if @sportlist;
 	    }
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Zones.pm
+# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Zones.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -90,8 +90,9 @@ our @EXPORT = ( qw( NOTHING
 		    interface_is_optional
 		    interface_is_required
 		    find_interfaces_by_option
 		    find_interfaces_by_option1
 		    get_interface_option
-		    get_interface_origin
+                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    interface_zone
@@ -107,37 +108,55 @@ our @EXPORT = ( qw( NOTHING
 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
 #
 # IPSEC Option types
 #
 use constant { NOTHING    => 'NOTHING',
 	       NUMERIC    => '0x[\da-fA-F]+|\d+',
 	       NETWORK    => '\d+.\d+.\d+.\d+(\/\d+)?',
 	       IPSECPROTO => 'ah|esp|ipcomp',
 	       IPSECMODE  => 'tunnel|transport'
 	       };
 #
 # Option columns
 #
 use constant { IN_OUT     => 1,
 	       IN         => 2,
 	       OUT        => 3 };
 #
 # Zone Table.
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
 #     %zones{<zone1> => {name =>       <name>,
-#			 type =>       <zone type>	 FIREWALL, IP, IPSEC, BPORT;
+#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
-#			 complex =>    0|1
+#                        complex =>    0|1
-#			 super	 =>    0|1
+#                        super   =>    0|1
-#			 options =>    { in_out	 => < policy match string >
+#                        options =>    { in_out  => < policy match string >
-#					 in	 => < policy match string >
+#                                        in      => < policy match string >
-#					 out	 => < policy match string >
+#                                        out     => < policy match string >
-#				       }
+#                                      }
-#			 parents =>    [ <parents> ]	  Parents, Children and interfaces are listed by name
+#                        parents =>    [ <parents> ]      Parents, Children and interfaces are listed by name
-#			 children =>   [ <children> ]
+#                        children =>   [ <children> ]
-#			 interfaces => { <interfaces1> => 1, ... }
+#                        interfaces => { <interfaces1> => 1, ... }
-#			 bridge =>     <bridge>
+#                        bridge =>     <bridge>
-#			 hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
+#                        hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
-#								   options => { <option1> => <value1>
+#                                                                  options => { <option1> => <value1>
-#										...
+#                                                                               ...
-#									      }
+#                                                                             }
-#								   hosts   => [ <net1> , <net2> , ... ]
+#                                                                  hosts   => [ <net1> , <net2> , ... ]
-#								   exclusions => [ <net1>, <net2>, ... ]
+#                                                                  exclusions => [ <net1>, <net2>, ... ]
-#								   origin   => <where defined>
+#                                                                  origin   => <where defined>
-#								 }
+#                                                                }
-#						 <interface2> => ...
+#                                                <interface2> => ...
-#					       }
+#                                              }
-#					     ]
+#                                            ]
-#			}
+#                       }
-#	      <zone2> => ...
+#             <zone2> => ...
-#	    }
+#           }
 #
 #     $firewall_zone names the firewall zone.
 #
@@ -159,27 +178,27 @@ our %reservedName = ( all => 1,
 #
 #     @interfaces lists the interface names in the order that they appear in the interfaces file.
 #
-#     %interfaces { <interface1> => { name	  => <name of interface>
+#     %interfaces { <interface1> => { name        => <name of interface>
-#				      root	  => <name without trailing '+'>
+#                                     root        => <name without trailing '+'>
-#				      options	  => { port => undef|1
+#                                     options     => { port => undef|1
-#						     { <option1> } => <val1> ,		#See %validinterfaceoptions
+#                                                    { <option1> } => <val1> ,          #See %validinterfaceoptions
-#						       ...
+#                                                      ...
-#						     }
+#                                                    }
-#				      zone	  => <zone name>
+#                                     zone        => <zone name>
-#				      multizone	  => undef|1   #More than one zone interfaces through this interface
+#                                     multizone   => undef|1   #More than one zone interfaces through this interface
-#				      nets	  => <number of nets in interface/hosts records referring to this interface>
+#                                     nets        => <number of nets in interface/hosts records referring to this interface>
-#				      bridge	  => <bridge name> # Same as ->{name} if not a bridge port.
+#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
-#				      ports	  => <number of port on this bridge>
+#                                     ports       => <number of port on this bridge>
-#				      ipsec	  => undef|1 # Has an ipsec host group
+#                                     ipsec       => undef|1 # Has an ipsec host group
-#				      broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
+#                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
-#				      number	  => <ordinal position in the interfaces file>
+#                                     number      => <ordinal position in the interfaces file>
-#				      physical	  => <physical interface name>
+#                                     physical    => <physical interface name>
-#				      base	  => <shell variable base representing this interface>
+#                                     base        => <shell variable base representing this interface>
-#				      wildcard	  => undef|1 # Wildcard Name
+#                                     wildcard    => undef|1 # Wildcard Name
-#				      zones	  => { zone1 => 1, ... }
+#                                     zones       => { zone1 => 1, ... }
-#				      origin	  => <where defined>
+#                                     origin      => <where defined>
-#				    }
+#                                   }
-#		  }
+#                 }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
@@ -202,26 +221,6 @@ our $zonemarkincr;
 our $zonemarklimit;
 our $loopback_interface;
 #
 # IPSEC Option types
 #
 use constant { NOTHING    => 'NOTHING',
 	       NUMERIC    => '0x[\da-fA-F]+|\d+',
 	       IPSECPROTO => 'ah|esp|ipcomp',
 	       IPSECMODE  => 'tunnel|transport'
 	     };
 sub NETWORK() {
    $family == F_IPV4 ? '\d+.\d+.\d+.\d+(\/\d+)?' : '(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/d+)?';
 }
 #
 # Option columns
 #
 use constant { IN_OUT     => 1,
 	       IN         => 2,
 	       OUT        => 3 };
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
@@ -252,17 +251,6 @@ use constant { NO_UPDOWN   => 1,
 our %validinterfaceoptions;
 our %procinterfaceoptions=( accept_ra   => 1,
 			    arp_filter  => 1,
 			    arp_ignore  => 1,
 			    forward     => 1,
 			    logmartians => 1,
 			    proxyarp    => 1,
 			    proxyndp    => 1,
 			    routefilter => 1,
 			    sourceroute => 1,
 			  );
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -288,7 +276,19 @@ our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore =
 our %validhostoptions;
-our %validzoneoptions;
+our %validzoneoptions = ( mss            => NUMERIC,
 			  nomark         => NOTHING,
 			  blacklist      => NOTHING,
 			  dynamic_shared => NOTHING,
 			  strict         => NOTHING,
 			  next           => NOTHING,
 			  reqid          => NUMERIC,
 			  spi            => NUMERIC,
 			  proto          => IPSECPROTO,
 			  mode           => IPSECMODE,
 			 "tunnel-src"   => NETWORK,
 			 "tunnel-dst"   => NETWORK,
 		       );
 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
@@ -327,29 +327,15 @@ sub initialize( $$ ) {
    %mapbase = ();
    %mapbase1 = ();
    $baseseq = 0;
-    $minroot = undef;
+    $minroot = 0;
    $loopback_interface = '';
    %validzoneoptions = ( mss            => NUMERIC,
 			  nomark         => NOTHING,
 			  blacklist      => NOTHING,
 			  dynamic_shared => NOTHING,
 			  strict         => NOTHING,
 			  next           => NOTHING,
 			  reqid          => NUMERIC,
 			  spi            => NUMERIC,
 			  proto          => IPSECPROTO,
 			  mode           => IPSECMODE,
 			 "tunnel-src"   => NETWORK,
 			 "tunnel-dst"   => NETWORK,
 		       );
    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
-				  dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
+				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -373,9 +359,9 @@ sub initialize( $$ ) {
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
-				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST + IF_OPTION_WILDOK,
+				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST,
 				  unmanaged   => SIMPLE_IF_OPTION,
-				  wait        => NUMERIC_IF_OPTION,
+				  wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -400,7 +386,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
-				    dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
+				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -412,18 +398,16 @@ sub initialize( $$ ) {
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
-				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER + IF_OPTION_WILDOK,
+				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => BINARY_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    forward     => BINARY_IF_OPTION,
-				    physical    => STRING_IF_OPTION + IF_OPTION_HOST + IF_OPTION_WILDOK,
+				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				    unmanaged   => SIMPLE_IF_OPTION,
-				    upnp        => SIMPLE_IF_OPTION,
+				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    upnpclient  => SIMPLE_IF_OPTION,
 				    wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -711,40 +695,6 @@ sub haveipseczones() {
    0;
 }
 #
 # Returns 1 if the two interfaces passed are related
 #
 sub interface_match( $$ ) {
    my ( $piface, $ciface ) = @_;
    return 1 if $piface eq $ciface;
    my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface};
    return 1 if $piface eq $cifaceref->{bridge};
    return 1 if $ciface eq $pifaceref->{bridge};
    if ( defined $minroot ) {
 	if ( $piface =~ /\+$/ ) {
 	    my $root    = $pifaceref->{root};
 	    my $rlength = length( $root );
 	    while ( length( $ciface ) >= $rlength ) {
 		return 1 if $ciface eq $root;
 		chop $ciface;
 	    }
 	} elsif ( $ciface =~ /\+$/ ) {
 	    my $root    = $cifaceref->{root};
 	    my $rlength = length( $root );
 	    while ( length( $piface ) >= $rlength ) {
 		return 1 if $piface eq $root;
 		chop $piface;
 	    }
 	}
    }
    0;
 }
 #
 # Report about zones.
 #
@@ -782,7 +732,7 @@ sub zone_report()
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:[$grouplist]";
+				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
 			    }
 			    $printed = 1;
 			}
@@ -791,17 +741,6 @@ sub zone_report()
 	    }
 	}
      PARENT:
 	for my $p ( @{$zoneref->{parents}} ) {
 	    for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) {
 		for my $ci ( keys( %{$zoneref->{interfaces}} ) ) {
 		    next PARENT if interface_match( $pi, $ci );
 		}
 	    }
 	    warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common";
 	}
 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
@@ -1214,16 +1153,15 @@ sub process_interface( $$ ) {
    }
    my $wildcard = 0;
    my $physwild = 0;
    my $root;
    if ( $interface =~ /\+$/ ) {
-	$wildcard = $physwild = 1; # Default physical name is the logical name
+	$wildcard = 1;
 	$root = substr( $interface, 0, -1 );
 	$roots{$root} = $interface;
 	my $len = length $root;
-	if ( defined $minroot ) {
+	if ( $minroot ) {
 	    $minroot = $len if $minroot > $len;
 	} else {
 	    $minroot = $len;
@@ -1269,6 +1207,8 @@ sub process_interface( $$ ) {
 	my %hostoptions = ( dynamic => 0 );
 	for my $option (split_list1 $options, 'option' ) {
 	    next if $option eq '-';
 	    ( $option, my $value ) = split /=/, $option;
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
@@ -1305,6 +1245,7 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
 		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
@@ -1328,6 +1269,7 @@ sub process_interface( $$ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
 		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
@@ -1371,7 +1313,7 @@ sub process_interface( $$ ) {
 		    assert(0);
 		}
 	    } elsif ( $type == STRING_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless supplied $value;
+		fatal_error "The '$option' option requires a value" unless defined $value;
 		if ( $option eq 'physical' ) {
 		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
@@ -1379,9 +1321,7 @@ sub process_interface( $$ ) {
 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
-		    $physwild = ( $value =~ /\+$/ );
+		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
 		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $physwild;
 		    $physical = $value;
 		} else {
 		    assert(0);
@@ -1409,14 +1349,6 @@ sub process_interface( $$ ) {
 	    $options{ignore} = 0;
 	}
 	for my $option ( keys %options ) {
 	    if ( $root ) {
 		warning_message( "The '$option' option is ignored when used with a wildcard physical name" ) if $physwild && $procinterfaceoptions{$option};
 	    } else {
 		warning_message( "The '$option' option is ignored when used with interface name '+'" ) unless $validinterfaceoptions{$option} & IF_OPTION_WILDOK;
 	    }
 	}
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
@@ -1475,7 +1407,6 @@ sub process_interface( $$ ) {
 						   zones      => {},
 						   origin     => shortlineinfo( '' ),
 						   wildcard   => $wildcard,
 						   physwild   => $physwild, # Currently unused
 					         };
    $interfaces{$physical} = $interfaceref if $physical ne $interface;
@@ -1634,11 +1565,13 @@ sub known_interface($)
    my $iface = $interface;
-    if ( defined $minroot ) {
+    if ( $minroot ) {
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
-	while ( length $iface >= $minroot ) {
+	while ( length $iface > $minroot ) {
 	    chop $iface;
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
@@ -1660,8 +1593,6 @@ sub known_interface($)
 		                              };
 		return $interfaceref;
 	    }
 	    chop $iface;
 	}
    }
@@ -1875,8 +1806,7 @@ sub find_interfaces_by_option( $;$ ) {
    for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};
-	next unless $interfaceref->{root};                                   # Don't return '+' interface
+	next unless $interfaceref->{root};
 	next if $procinterfaceoptions{$option} && $interfaceref->{physwild}; # Ignore /proc options on wildcard interface
 	my $optionsref = $interfaceref->{options};
 	if ( $nonzero ) {
@@ -1891,6 +1821,35 @@ sub find_interfaces_by_option( $;$ ) {
    \@ints;
 }
 #
 # Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
 #
 # - All entries in %interfaces are searched.
 # - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
 #
 sub find_interfaces_by_option1( $ ) {
    my $option = $_[0];
    my @ints = ();
    my $wild = 0;
    for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 	next unless defined $interfaceref->{physical};
 	my $optionsref = $interfaceref->{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
 	    $wild ||= $interfaceref->{wildcard};
 	    push @ints , $interface
 	}
    }
    return unless defined wantarray;
    wantarray ? ( \@ints, $wild ) : \@ints;
 }
 #
 # Return the value of an option for an interface
 #
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -43,8 +43,6 @@
 #         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
 #    If the <filename> is omitted, then a 'check' operation is performed.
 #
 use strict;
 use FindBin;
 use lib "$FindBin::Bin";
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -1,4 +1,4 @@
-#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -32,7 +32,7 @@
 #	    down			Stop an optional interface
 #	    enable			Enable an optional interface
 #	    help			Show command syntax
-#	    reenable			Disable then enable an optional
+#	    reenable			Disable then nable an optional
 #					interface
 #	    refresh			Refresh the firewall
 #	    reload			Reload the firewall
@@ -369,7 +369,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 delete_default_routes() # $1 = table number
 {
    $IP -$g_family route ls table $1 | grep -F default | grep -vF metric | while read route; do
-	qt $IP -$g_family route del $route table $1
+	qt $IP -$g_family route del $route
    done
 } 
@@ -421,7 +421,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 conditionally_flush_conntrack() {
    if [ -n "$g_purge" ]; then
-	if [ -n "$(mywhich conntrack)" ]; then
+	if [ -n $(mywhich conntrack) ]; then
            conntrack -F
 	else
            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
@@ -899,7 +899,7 @@ detect_dynamic_gateway() { # $1 = interface
 #
 # Detect the gateway through an interface
 #
-detect_gateway() # $1 = interface $2 = table number
+detect_gateway() # $1 = interface
 {
    local interface
    interface=$1
@@ -912,8 +912,6 @@ detect_gateway() # $1 = interface $2 = table number
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
@@ -1065,6 +1063,8 @@ clear_firewall() {
    run_iptables -F
    qt $IPTABLES -t raw -F
    echo 1 > /proc/sys/net/ipv4/ip_forward
    if [ -n "$DISABLE_IPV6" ]; then
 	if [ -x $IP6TABLES ]; then
    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
@@ -1373,6 +1373,8 @@ clear_firewall() {
    run_iptables -F
    qt $IP6TABLES -t raw -F
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    run_clear_exit
    set_state "Cleared"
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -1,23 +1,5 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
 #
 #   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #	Free Software Foundation, either version 2 of the license or, at your
 #	option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 ###############################################################################
 #
 # Give Usage Information
@@ -96,13 +78,11 @@ reload_command() {
    detect_configuration
    define_firewall
    status=$?
-
+    if [ -n "$SUBSYSLOCK" ]; then
-    if [ $status -eq 0 ]; then
+ 	[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
 	[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
 	progress_message3 "done."
    else
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
    fi
    [ $status -eq 0 ] && progress_message3 "done."
 }
 ################################################################################
@@ -147,10 +127,8 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
 g_dockeringress=
 g_dockernetwork=
 g_forcereload=
 g_fallback=
 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
@@ -286,10 +264,8 @@ case "$COMMAND" in
 	    error_message "$g_product is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
-	    for table in raw mangle nat filter; do
+	    $g_tool -Z
-		qt $g_tool -t $table -Z
+	    $g_tool -t mangle -Z
 	    done
 	    date > ${VARDIR}/restarted
 	    status=0
 	    progress_message3 "$g_product Counters Reset"
@@ -373,7 +349,6 @@ case "$COMMAND" in
    clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
 	detect_configuration
 	clear_firewall
 	status=0
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -443,12 +418,9 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
 	    COMMAND=disable
 	    detect_configuration $1
-	    disable_provider $1 Yes
+	    COMMAND=enable  disable_provider $1 Yes
-	    COMMAND=enable
+	    COMMAND=disable enable_provider  $1 Yes
 	    detect_configuration $1
 	    enable_provider  $1 Yes
 	fi
 	mutex_off
 	status=0
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -77,7 +77,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -205,6 +205,8 @@ MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
 MUTEX_TIMEOUT=60
@@ -215,8 +217,6 @@ OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
 PERL_HASH_SEED=0
 REJECT_ACTION=
 REQUIRE_INTERFACE=Yes
@@ -247,8 +247,6 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,4 +14,4 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     NET_IF          dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=eth0
+net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -88,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -216,6 +216,8 @@ MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
 MUTEX_TIMEOUT=60
@@ -226,8 +228,6 @@ OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
 PERL_HASH_SEED=0
 REJECT_ACTION=
 REQUIRE_INTERFACE=No
@@ -258,8 +258,6 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,6 +14,6 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     NET_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
-loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
-dmz     DMZ_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth2
+dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -85,7 +85,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -213,6 +213,8 @@ MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
 MUTEX_TIMEOUT=60
@@ -223,8 +225,6 @@ OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
 PERL_HASH_SEED=0
 REJECT_ACTION=
 REQUIRE_INTERFACE=No
@@ -255,8 +255,6 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall/Samples/three-interfaces/snat
+++ b/Shorewall/Samples/three-interfaces/snat
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2016 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		NET_IF
+			192.168.0.0/16		eth0
--- a/Shorewall/Samples/three-interfaces/stoppedrules
+++ b/Shorewall/Samples/three-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012-2017 by the Shorewall Team
+# Copyright (C) 2012-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,8 +13,8 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		LOC_IF		-
+ACCEPT		eth1		-
-ACCEPT		-		LOC_IF
+ACCEPT		-		eth1
-ACCEPT		DMZ_IF		-
+ACCEPT		eth2		-
-ACCEPT		-		DMZ_IF
+ACCEPT		-		eth2
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,5 +14,5 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
-loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -88,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -216,6 +216,8 @@ MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
 MUTEX_TIMEOUT=60
@@ -226,8 +228,6 @@ OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
 PERL_HASH_SEED=0
 REJECT_ACTION=
 REQUIRE_INTERFACE=No
@@ -258,8 +258,6 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2016 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		NET_IF
+			192.168.0.0/16		eth0
--- a/Shorewall/Samples/two-interfaces/stoppedrules
+++ b/Shorewall/Samples/two-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012-2017 by the Shorewall Team
+# Copyright (C) 2012-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,5 +13,5 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		LOC_IF		-
+ACCEPT		eth1		-
-ACCEPT		-		LOC_IF
+ACCEPT		-		eth1
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,7 +8,6 @@
 #
 ###############################################################################
 #ACTION
 A_AllowICMPs inline		# Audited version of AllowICMPs
 A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
@@ -21,46 +20,33 @@ allowMcast   inline		# Silently Allow Multicast
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
 ?if __ADDRTYPE
 Broadcast    inline,audit	# Handles Broadcast/Anycast
 ?else
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
-?endif
+DNSAmp				# Matches one-question recursive DNS queries
 DNSAmp	     proto=17		# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
 dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
-dropNotSyn   noinline,proto=6	# Silently Drop Non-syn TCP packets
+dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
-DropDNSrep   inline,proto=17	# Drops DNS replies
+DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
 FIN	     inline,audit,\	# Handles ACK,FIN packets
 	     proto=6
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
 Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 	     state=INVALID	#
 Limit	     noinline		# Limit the rate of connections from each individual IP address
 ?if __ADDRTYPE
 Multicast    inline,audit	# Handles Multicast
 ?else
 Multicast    noinline,audit	# Handles Multicast
 ?endif
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn	     inline,audit,\	# Handles TCP packets which do not have SYN=1 and ACK=0
+NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
-	     proto=6
+rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
 rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
 Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit,\	# Handle packets with RST set
+RST	     inline,audit	# Handle packets with RST set
 	     proto=6
 SetEvent     inline		# Initialize an event
-TCPFlags     proto=6		# Handle bad flag combinations.
+TCPFlags			# Handle bad flag combinations.
 Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
 	     state=UNTRACKED	#
--- a/Shorewall/configfiles/disabled
+++ b/Shorewall/configfiles/disabled
@@ -1,12 +0,0 @@
 #
 # Shorewall -- /etc/shorewall/disabled
 #
 # Add commands below that you want executed when an optional
 # interface is successfully disabled using the 'disable' command
 #
 # When the commands are invoked:
 #
 #  $1 contains the physical name of the interface
 #  $2 contains the logical name of the interface
 #  $3 contains the name of the provider associated with the interface,
      if any
--- a/Shorewall/configfiles/enabled
+++ b/Shorewall/configfiles/enabled
@@ -1,12 +0,0 @@
 #
 # Shorewall -- /etc/shorewall/enabled
 #
 # Add commands below that you want executed when an optional
 # interface is successfully enabled using the 'enable' command
 #
 # When the commands are invoked:
 #
 #  $1 contains the physical name of the interface
 #  $2 contains the logical name of the interface
 #  $3 contains the name of the provider associated with the interface,
      if any
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -77,7 +77,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -205,6 +205,8 @@ MARK_IN_FORWARD_CHAIN=No
 MINIUPNPD=No
 MODULE_SUFFIX=ko
 MULTICAST=No
 MUTEX_TIMEOUT=60
@@ -215,8 +217,6 @@ OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
 PERL_HASH_SEED=0
 REJECT_ACTION=
 REQUIRE_INTERFACE=No
@@ -241,14 +241,12 @@ TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-TRACK_PROVIDERS=Yes
+TRACK_PROVIDERS=No
 TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall/configpath
+++ b/Shorewall/configpath
@@ -3,4 +3,4 @@
 #
 # /usr/share/shorewall/configpath
 #
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.cli-std.
+# Shorewall 5.0 -- /usr/share/shorewall/lib.cli-std.
 #
-#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -47,10 +47,11 @@ get_config() {
 	fi
    fi
-    if [ -n "$g_shorewalldir" ]; then
+    if [ "$(id -u)" -eq 0 ]; then
 	config="$g_shorewalldir/$PRODUCT.conf"
    else
 	config=$(find_file ${PRODUCT}.conf)
    else
 	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
 	config="$g_shorewalldir/$PRODUCT.conf"
    fi
    if [ -f $config ]; then
@@ -210,35 +211,30 @@ get_config() {
 	LOG_VERBOSITY=-1
    fi
-    if [ -z "${g_export}${g_test}" ]; then
+    if [ -n "$SHOREWALL_SHELL" -a -z "$g_export" ]; then
-	if [ -n "$SHOREWALL_SHELL" ]; then
+	if [ ! -x "$SHOREWALL_SHELL" ]; then
-	    if [ ! -x "$SHOREWALL_SHELL" ]; then
+	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
-		echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
+	    SHOREWALL_SHELL=/bin/sh
 		SHOREWALL_SHELL=/bin/sh
 	    fi
 	fi
    fi
-	if [ -n "$IP" ]; then
+    if [ -n "$IP" ]; then
-	    case "$IP" in
+	case "$IP" in
-		*/*)
+	    */*)
-		    if [ ! -x "$IP" ] ; then
+		if [ ! -x "$IP" ] ; then
-			fatal_error "The program specified in IP ($IP) does not exist or is not executable"
+		    fatal_error "The program specified in IP ($IP) does not exist or is not executable"
-		    fi
+		fi
-		    ;;
+		;;
-		*)
+	    *)
-		    prog="$(mywhich $IP 2> /dev/null)"
+		prog="$(mywhich $IP 2> /dev/null)"
-		    if [ -z "$prog" ] ; then
+		if [ -z "$prog" ] ; then
-			fatal_error "Can't find $IP executable"
+		    fatal_error "Can't find $IP executable"
-		    fi
+		fi
-		    IP=$prog
+		IP=$prog
-		    ;;
+		;;
-	    esac
+	esac
 	else
 	    IP='ip'
 	fi
    else
-	[ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh
+	IP='ip'
 	[ -n "$IP" ]              || IP='ip'
    fi
    case $VERBOSITY in
@@ -341,24 +337,8 @@ get_config() {
 	fi
    fi
-    if [ -n "$DYNAMIC_BLACKLIST" -a "$(id -u)" = 0 ]; then
+    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	case $COMMAND in
+	setup_dbl
 	    blacklist|allow|drop|logdrop|reject)
 		setup_dbl
 		;;
 	esac
    fi
    if [ -z "$PERL_HASH_SEED" ]; then
 	PERL_HASH_SEED=0
    else
 	case $PERL_HASH_SEED in
 	    [0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]|random)
 	        ;;
 	    *)
 		fatal_error "Invalid setting ($PERL_HASH_SEED) for PERL_HASH_SEED"
 		;;
 	esac
    fi
    lib=$(find_file lib.cli-user)
@@ -366,17 +346,6 @@ get_config() {
    [ -f $lib ] && . $lib
 }
 #
 # Ensure that the effective UID is 0 or that we are dealing with a private configuration
 #
 ensure_root() {
    if [ $(id -u) -ne 0 ]; then
 	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
 	    startup_error "Ordinary users may not $COMMAND the default $PRODUCT configuration"
 	fi
    fi
 }
 #
 # Determine if there are config files newer than the passed object
 #
@@ -384,27 +353,20 @@ uptodate() {
    [ -x $1 ] || return 1
    local dir
-    local busybox
+    local ifs
    local find
-    find=$(mywhich find)
+    ifs="$IFS"
    IFS=':'
-    [ -n "${find}" ] || return 1
+    for dir in $g_shorewalldir $CONFIG_PATH; do
-    [ -h "${find}" ] && busybox=Yes
+	if [ -n "$(find ${dir} -newer $1)" ]; then
-
+	    IFS="$ifs"
    for dir in $g_shorewalldir $(split $CONFIG_PATH); do
 	if [ -n "${busybox}" ]; then
 	    #
 	    # Busybox 'find' doesn't support -quit.
 	    #
 	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print)" ]; then
 		return 1;
 	    fi
 	elif [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
 	    return 1;
 	fi
    done
    IFS="$ifs"
    return 0
 }
@@ -434,7 +396,11 @@ compiler() {
    pc=${LIBEXECDIR}/shorewall/compiler.pl
-    ensure_root
+    if [ $(id -u) -ne 0 ]; then
 	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
 	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
 	fi
    fi
    #
    # We've now set g_shorewalldir so recalculate CONFIG_PATH
    #
@@ -518,17 +484,8 @@ compiler() {
    #
    [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
-    case $PERL_HASH_SEED in
+    PERL_HASH_SEED=0
-	random)
+    export PERL_HASH_SEED
 	    unset PERL_HASH_SEED
 	    unset PERL_PERTURB_KEYS
 	    ;;
 	*)
 	    export PERL_HASH_SEED
 	    PERL_PERTURB_KEYS=0
 	    export PERL_PERTURB_KEYS
 	    ;;
    esac
    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	eval $PERL $debugflags $pc $options $@ $g_pager
@@ -556,6 +513,28 @@ start_command() {
    local rc
    rc=0
    do_it() {
 	if [ -n "$AUTOMAKE" ]; then
 	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/firewall $g_debugging start
 	    rc=$?
 	    [ -n "$nolock" ] || mutex_off
 	else
 	    g_file="${VARDIR}/.start"
 	    if compiler $g_debugging $nolock compile "$g_file"; then
 		[ -n "$nolock" ] || mutex_on
 		run_it ${VARDIR}/.start $g_debugging start
 		rc=$?
 		[ -n "$nolock" ] || mutex_off
 	    else
 		rc=$?
 		mylogger kern.err "ERROR:$g_product start failed"
 	    fi
 	fi
 	exit $rc
    }
    if product_is_started; then
 	error_message "Shorewall is already running"
 	exit 0
@@ -647,25 +626,7 @@ start_command() {
 	fi
    fi
-    if [ -n "$AUTOMAKE" ]; then
+    do_it
 	[ -n "$nolock" ] || mutex_on
 	run_it ${VARDIR}/firewall $g_debugging start
 	rc=$?
 	[ -n "$nolock" ] || mutex_off
    else
 	g_file="${VARDIR}/.start"
 	if compiler $g_debugging $nolock compile "$g_file"; then
 	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/.start $g_debugging start
 	    rc=$?
 	    [ -n "$nolock" ] || mutex_off
 	else
 	    rc=$?
 	    mylogger kern.err "ERROR:$g_product start failed"
 	fi
    fi
    exit $rc
 }
 #
@@ -792,10 +753,6 @@ check_command() {
 			    g_profile=Yes
 			    option=${option#p}
 			    ;;
 			t*)
 			    g_test=Yes
 			    option=${option#t}
 			    ;;
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -880,10 +837,6 @@ update_command() {
 			    g_profile=Yes
 			    option=${option#p}
 			    ;;
 			t*)
 			    g_test=Yes
 			    option=${option#t}
 			    ;;
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -1557,8 +1510,6 @@ remote_reload_command() # $* = original arguments less the command.
 	litedir="${VARDIR}-lite"
    fi
    g_export=Yes
    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
 	if [ -f $g_shorewalldir/params ]; then
 	    . $g_shorewalldir/params
@@ -1588,16 +1539,18 @@ remote_reload_command() # $* = original arguments less the command.
 	progress_message "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
-	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
+	    if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
 	    fi
-	elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
+	elif ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
 	    fatal_error "Capturing capabilities on system $system failed"
 	fi
    fi
    file=$(resolve_file $g_shorewalldir/firewall)
    g_export=Yes
    program=$sbindir/${PRODUCT}-lite
    #
    # Handle nonstandard remote VARDIR
@@ -1758,7 +1711,6 @@ compiler_command() {
 	    compile_command $@
 	    ;;
 	refresh)
 	    only_root
 	    get_config Yes Yes
 	    shift
 	    refresh_command $@
@@ -1780,13 +1732,11 @@ compiler_command() {
 	    export_command $@
 	    ;;
 	try)
 	    only_root
 	    get_config Yes
 	    shift
 	    try_command $@
 	    ;;
 	safe-reload|safe-restart|safe-start)
 	    only_root
 	    get_config Yes
 	    shift
 	    safe_commands $@
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/accounting</command>
+      <command>/etc/shorewall/accounting</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -783,19 +783,29 @@
    <title>FILES</title>
    <para>/etc/shorewall/accounting</para>
    <para>/etc/shorewall6/accounting</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
    <para><ulink
-    url="shorewall-logging.htm">shorewall-logging(5)</ulink></para>
+    url="/Accounting.html">http://www.shorewall.net/Accounting.html
    </ulink></para>
    <para><ulink
    url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/actions</command>
+      <command>/etc/shorewall/actions</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -148,9 +148,9 @@
              <listitem>
                <para>Added in Shorewall 5.0.7. Specifies that this action is
                to be used in <ulink
-                url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
+                url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
-                rather than <ulink
+                than <ulink
-                url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
+                url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
              </listitem>
            </varlistentry>
@@ -160,11 +160,11 @@
              <listitem>
                <para>Added in Shorewall 5.0.13. Specifies that this action is
                to be used in <ulink
-                url="/manpages/shorewall-snat.html">shorewall-snat(5)</ulink>
+                url="shorewall-snat.html">shorewall-snat(5)</ulink> rather
-                rather than <ulink
+                than <ulink
-                url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.
+                url="shorewall-rules.html">shorewall-rules(5)</ulink>. The
-                The <option>mangle</option> and <option>nat</option> options
+                <option>mangle</option> and <option>nat</option> options are
-                are mutually exclusive.</para>
+                mutually exclusive.</para>
              </listitem>
            </varlistentry>
@@ -191,27 +191,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>proto</option>=<replaceable>protocol</replaceable></term>
              <listitem>
                <para>Added in Shorewall 5.1.10. Specifies that the action is
                only usable with the specified
                <replaceable>protocol</replaceable> (name or number). When the
                action is invoked with no protocol specified in the PROTO
                column, or if the action is used as a Policy Action, the named
                <replaceable>protocol</replaceable> will be assumed. If a
                protocol is specified in the PROTO column of an invocation,
                then it must match the named
                <replaceable>protocol</replaceable>.</para>
                <para>The <option>proto</option> option has no effect if the
                <option>inline</option> or <option>builtin</option> option is
                specified. A warning is issued if <option>proto</option> is
                specified along with <option>builtin</option>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>section</option></term>
@@ -227,7 +206,7 @@
                <para>Given that neither the <filename>snat</filename> nor the
                <filename>mangle</filename> file is sectioned, this parameter
                has no effect when <option>mangle</option> or
-                <option>nat</option> is specified.</para>
+                <option>nat</option> is specified. </para>
              </listitem>
            </varlistentry>
@@ -260,8 +239,6 @@
    <title>FILES</title>
    <para>/etc/shorewall/actions</para>
    <para>/etc/shorewall6/actions</para>
  </refsect1>
  <refsect1>
@@ -270,6 +247,14 @@
    <para><ulink
    url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-arprules.xml
+++ b/Shorewall/manpages/shorewall-arprules.xml
@@ -25,8 +25,6 @@
  <refsect1>
    <title>Description</title>
    <para>IPv4 only.</para>
    <para>This file was added in Shorewall 4.5.12 and is used to describe
    low-level rules managed by arptables (8). These rules only affect Address
    Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and
@@ -379,10 +377,4 @@ SNAT:10.1.10.11        -                       eth1:10.1.10.0/24   1</programlis
    <para>/etc/shorewall/arprules</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
    <para>shorewall(8)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/blrules</command>
+      <command>/etc/shorewall/blrules</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -27,9 +27,12 @@
    <para>This file is used to perform blacklisting and whitelisting.</para>
-    <para>Rules in this file are applied depending on the setting of BLACKLIST
+    <para>Rules in this file are applied depending on the setting of
-    in <ulink
+    BLACKLISTNEWONLY in <ulink
-    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If
    BLACKLISTNEWONLY=No, then they are applied regardless of the connection
    tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
    connections in the NEW and INVALID states.</para>
    <para>The format of rules in this file is the same as the format of rules
    in <ulink url="/manpages/shorewall-rules.html">shorewall-rules
@@ -115,10 +118,10 @@
            </varlistentry>
            <varlistentry>
-              <term>A_DROP</term>
+              <term>A_DROP and A_DROP!</term>
              <listitem>
-                <para>Audited version of DROP. Requires AUDIT_TARGET support
+                <para>Audited versions of DROP. Requires AUDIT_TARGET support
                in the kernel and ip6tables.</para>
              </listitem>
            </varlistentry>
@@ -167,7 +170,7 @@
              <listitem>
                <para>queues matching packets to a back end logging daemon via
                a netlink socket then continues to the next rule. See <ulink
-                url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>
+                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
              </listitem>
            </varlistentry>
@@ -258,7 +261,7 @@
          <para>You may also specify <emphasis role="bold">NFLOG</emphasis>
          (must be in upper case) as a log level.This will log to the NFLOG
          target for routing to a separate log through use of ulogd (<ulink
-          url="shorewall-logging.html">shorewall-logging.htm</ulink>).</para>
+          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
          <para>Actions specifying logging may be followed by a log tag (a
          string of alphanumeric characters) which is appended to the string
@@ -273,11 +276,11 @@
  </refsect1>
  <refsect1>
-    <title>Examples</title>
+    <title>Example</title>
    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>
        <listitem>
          <para>Drop Teredo packets from the net.</para>
@@ -287,28 +290,7 @@
      </varlistentry>
      <varlistentry>
-        <term>IPv4 Example 2:</term>
+        <term>Example 2:</term>
        <listitem>
          <para>Don't subject packets from 2001:DB8::/64 to the remaining
          rules in the file.</para>
          <programlisting>WHITELIST     net:[2001:DB8::/64]        all</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 1:</term>
        <listitem>
          <para>Drop Teredo packets from the net.</para>
          <programlisting>DROP          net:[2001::/32]            all</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 2:</term>
        <listitem>
          <para>Don't subject packets from 2001:DB8::/64 to the remaining
@@ -324,8 +306,6 @@
    <title>FILES</title>
    <para>/etc/shorewall/blrules</para>
    <para>/etc/shorewall6/blrules</para>
  </refsect1>
  <refsect1>
@@ -337,6 +317,12 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
    shorewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5),
    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/conntrack</command>
+      <command>/etc/shorewall/conntrack</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -35,7 +35,7 @@
    <emphasis role="bold">conntrack</emphasis>.</para>
    <para>The file supports three different column layouts: FORMAT 1, FORMAT
-    2, and FORMAT 3 with FORMAT 1 being the default. The three differ as
+    2, and FORMAT 3, FORMAT 1 being the default. The three differ as
    follows:</para>
    <itemizedlist>
@@ -311,9 +311,9 @@
            <listitem>
              <para><option>ULOG</option></para>
-              <para>IPv4 only. Added in Shoreawll 4.6.0. Queues the packet to
+              <para>Added in Shoreawll 4.6.0. Queues the packet to a backend
-              a backend logging daemon using the ULOG netfilter target with
+              logging daemon using the ULOG netfilter target with the
-              the specified <replaceable>ulog-parameters</replaceable>.</para>
+              specified <replaceable>ulog-parameters</replaceable>.</para>
            </listitem>
          </itemizedlist>
@@ -447,7 +447,7 @@
              <listitem>
                <para>This form combines the preceding two and requires that
-                both the incoming interface and source address match.</para>
+                both the incoming interace and source address match.</para>
              </listitem>
            </varlistentry>
@@ -543,7 +543,7 @@
              <listitem>
                <para>This form combines the preceding two and requires that
-                both the outgoing interface and destination address
+                both the outgoing interace and destination address
                match.</para>
              </listitem>
            </varlistentry>
@@ -579,23 +579,14 @@
        <listitem>
          <para>A protocol name from <filename>/etc/protocols</filename> or a
-          protocol number. tcp and 6 may be optionally followed by <emphasis
+          protocol number.</para>
          role="bold">:syn </emphasis>to match only the SYN packet (first
          packet in the three-way handshake).</para>
-          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          <para>Beginning with Shorewall 4.5.12, this column is labeled
-          comma-separated list of protocols and either <emphasis
+          <emphasis role="bold">PROTOS</emphasis> and can accept a
          comma-separated list of protocols. Either <emphasis
          role="bold">proto</emphasis> or <emphasis
          role="bold">protos</emphasis> is accepted in the alternate input
          format.</para>
          <para>Beginning with Shorewall 5.1.11, when <emphasis
          role="bold">tcp</emphasis> or <emphasis role="bold">6</emphasis> is
          specified and the ACTION is <emphasis role="bold">CT</emphasis>, the
          compiler will default to <emphasis role="bold">:syn</emphasis>. If
          you wish the rule to match packets with any valid combination of TCP
          flags, you may specify <emphasis role="bold">tcp:all</emphasis> or
          <emphasis role="bold">6:all</emphasis>.</para>
        </listitem>
      </varlistentry>
@@ -698,57 +689,31 @@
  <refsect1>
    <title>EXAMPLE</title>
-    <para>IPv4 Example 1:</para>
+    <para>Example 1:</para>
    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
-    <para>IPv4 Example 2 (Shorewall 4.5.10 or later):</para>
+    <para>Example 2 (Shorewall 4.5.10 or later):</para>
    <para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
-    <programlisting>?FORMAT 2
+    <programlisting>FORMAT 2
 #ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
 DROP                          all-:1.2.3.4       -
 DROP                          all                1.2.3.4</programlisting>
-    <para>or<programlisting>?FORMAT 3
+    <para>or<programlisting>FORMAT 3
 #ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
 DROP:P                        1.2.3.4            -
 DROP:PO                       -                  1.2.3.4
 </programlisting></para>
    <para>IPv6 Example 1:</para>
    <para>Use the FTP helper for TCP port 21 connections from the firewall
    itself.</para>
    <programlisting>FORMAT 2
 #ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
    <para>IPv6 Example 2 (Shorewall 4.5.10 or later):</para>
    <para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
    <programlisting>FORMAT 2
 #ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
 DROP                          all-:2001:1.2.3::4 -
 DROP                          all                2001:1.2.3::4
 </programlisting>
    <para>or<programlisting>FORMAT 3
 #ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
 DROP:P                        2001:1.2.3::4      -
 DROP:PO                       -                  2001:1.2.3::4</programlisting></para>
  </refsect1>
  <refsect1>
    <title>FILES</title>
    <para>/etc/shorewall/conntrack</para>
    <para>/etc/shorewall6/conntrack</para>
  </refsect1>
  <refsect1>
@@ -757,6 +722,14 @@ DROP:PO                       -                  2001:1.2.3::4</programlisting><
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-ecn.xml
+++ b/Shorewall/manpages/shorewall-ecn.xml
@@ -25,12 +25,8 @@
  <refsect1>
    <title>Description</title>
    <para>IPv4 only.</para>
    <para>Use this file to list the destinations for which you want to disable
-    ECN (Explicit Congestion Notification). Use of this file is deprecated in
+    ECN (Explicit Congestion Notification).</para>
    favor of ECN rules in <ulink
    url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(8).</para>
    <para>The columns in the file are as follows.</para>
@@ -69,6 +65,14 @@
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-exclusion.xml
+++ b/Shorewall/manpages/shorewall-exclusion.xml
@@ -49,10 +49,9 @@
    <para>Beginning in Shorewall 4.4.13, the second form of exclusion is
    allowed after <emphasis role="bold">all</emphasis> and <emphasis
-    role="bold">any</emphasis> in the SOURCE and DEST columns of <ulink
+    role="bold">any</emphasis> in the SOURCE and DEST columns of
-    url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5). It allows
+    /etc/shorewall/rules. It allows you to omit arbitrary zones from the list
-    you to omit arbitrary zones from the list generated by those key
+    generated by those key words.</para>
    words.</para>
    <warning>
      <para>If you omit a sub-zone and there is an explicit or explicit
@@ -118,7 +117,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1 - All IPv4 addresses except 192.168.3.4</term>
+        <term>Example 1 - All IPv4 addresses except 192.168.3.4</term>
        <listitem>
          <para>!192.168.3.4</para>
@@ -126,8 +125,8 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
      </varlistentry>
      <varlistentry>
-        <term>IPv4 Example 2 - All IPv4 addresses except the network
+        <term>Example 2 - All IPv4 addresses except the network 192.168.1.0/24
-        192.168.1.0/24 and the host 10.2.3.4</term>
+        and the host 10.2.3.4</term>
        <listitem>
          <para>!192.168.1.0/24,10.1.3.4</para>
@@ -135,7 +134,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
      </varlistentry>
      <varlistentry>
-        <term>IPv4 Example 3 - All IPv4 addresses except the range
+        <term>Example 3 - All IPv4 addresses except the range
        192.168.1.3-192.168.1.12 and the network 10.0.0.0/8</term>
        <listitem>
@@ -144,8 +143,8 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
      </varlistentry>
      <varlistentry>
-        <term>IPv4 Example 4 - The network 192.168.1.0/24 except hosts
+        <term>Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3
-        192.168.1.3 and 192.168.1.9</term>
+        and 192.168.1.9</term>
        <listitem>
          <para>192.168.1.0/24!192.168.1.3,192.168.1.9</para>
@@ -177,6 +176,14 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-hosts.xml
+++ b/Shorewall/manpages/shorewall-hosts.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/hosts</command>
+      <command>/etc/shorewall/hosts</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -270,8 +270,6 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
    <title>FILES</title>
    <para>/etc/shorewall/hosts</para>
    <para>/etc/shorewall6/hosts</para>
  </refsect1>
  <refsect1>
@@ -280,6 +278,14 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-init.xml
+++ b/Shorewall/manpages/shorewall-init.xml
@@ -165,6 +165,14 @@
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/interfaces</command>
+      <command>/etc/shorewall/interfaces</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -104,7 +104,9 @@ loc     eth2            -</programlisting>
          <para>You may use wildcards here by specifying a prefix followed by
          the plus sign ("+"). For example, if you want to make an entry that
          applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
-          ppp1, ppp2, …</para>
+          ppp1, ppp2, … Please note that the '+' means '<emphasis
          role="bold">one</emphasis> or more additional characters' so 'ppp'
          does not match 'ppp+'.</para>
          <para>When using Shorewall versions before 4.1.4, care must be
          exercised when using wildcards where there is another zone that uses
@@ -112,10 +114,7 @@ loc     eth2            -</programlisting>
          url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
          for a discussion of this problem.</para>
-          <para>Shorewall allows '+' as an interface name, but that usage is
+          <para>Shorewall allows '+' as an interface name.</para>
          deprecated. A better approach is to specify
          '<option>physical</option>=+' in the OPTIONS column (see
          below).</para>
          <para>There is no need to define the loopback interface (lo) in this
          file.</para>
@@ -196,76 +195,27 @@ loc     eth2            -</programlisting>
          should have no embedded white-space.</para>
          <variablelist>
            <varlistentry>
              <term><emphasis
              role="bold">accept_ra</emphasis>[={0|1|2}]</term>
              <listitem>
                <para>IPv6 only; added in Shorewall 4.5.16. Values are:</para>
                <variablelist>
                  <varlistentry>
                    <term>0</term>
                    <listitem>
                      <para>Do not accept Router Advertisements.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>1</term>
                    <listitem>
                      <para>Accept Route Advertisements if forwarding is
                      disabled.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>2</term>
                    <listitem>
                      <para>Overrule forwarding behavior. Accept Route
                      Advertisements even if forwarding is enabled.</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
                <para>If the option is specified without a value, then the
                value 1 is assumed.</para>
                <note>
                  <para>This option does not work with a wild-card <emphasis
                  role="bold">physical</emphasis> name (e.g., eth0.+).
                  Beginning with Shorewall 5.1.10, If this option is
                  specified, a warning is issued and the option is
                  ignored.</para>
                </note>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
              <listitem>
-                <para>IPv4 only. If specified, this interface will only
+                <para>If specified, this interface will only respond to ARP
-                respond to ARP who-has requests for IP addresses configured on
+                who-has requests for IP addresses configured on the interface.
-                the interface. If not specified, the interface can respond to
+                If not specified, the interface can respond to ARP who-has
-                ARP who-has requests for IP addresses on any of the firewall's
+                requests for IP addresses on any of the firewall's interface.
-                interface. The interface must be up when Shorewall is
+                The interface must be up when Shorewall is started.</para>
                started.</para>
                <para>Only those interfaces with the
                <option>arp_filter</option> option will have their setting
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>
                <para/>
                <note>
-                  <para>This option does not work with a wild-card <emphasis
+                  <para>This option does not work with a wild-card
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  Beginning with Shorewall 5.1.10, If this option is
+                  the INTERFACE column.</para>
                  specified, a warning is issued and the option is
                  ignored.</para>
                </note>
              </listitem>
            </varlistentry>
@@ -275,8 +225,8 @@ loc     eth2            -</programlisting>
              role="bold">arp_ignore</emphasis>[=<emphasis>number</emphasis>]</term>
              <listitem>
-                <para>IPv4 only. If specified, this interface will respond to
+                <para>If specified, this interface will respond to arp
-                arp requests based on the value of <emphasis>number</emphasis>
+                requests based on the value of <emphasis>number</emphasis>
                (defaults to 1).</para>
                <para>1 - reply only if the target IP address is local address
@@ -294,18 +244,20 @@ loc     eth2            -</programlisting>
                <para>8 - do not reply for all local addresses</para>
                <para/>
                <note>
-                  <para>This option does not work with a wild-card <emphasis
+                  <para>This option does not work with a wild-card
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  Beginning with Shorewall 5.1.10, If this option is
+                  the INTERFACE column.</para>
                  specified, a warning is issued and the option is
                  ignored.</para>
                </note>
                <para/>
                <warning>
                  <para>Do not specify <emphasis
                  role="bold">arp_ignore</emphasis> for any interface involved
-                  in <ulink url="/ProxyARP.htm">Proxy ARP</ulink>.</para>
+                  in <ulink url="../ProxyARP.htm">Proxy ARP</ulink>.</para>
                </warning>
              </listitem>
            </varlistentry>
@@ -371,7 +323,7 @@ loc     eth2            -</programlisting>
                and/or destination address is to be compared against the
                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
                <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
+                url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
                The default is determine by the setting of
                DYNAMIC_BLACKLIST:</para>
@@ -459,13 +411,13 @@ loc     eth2            -</programlisting>
                  <listitem>
                    <para>the interface is a <ulink
-                    url="/SimpleBridge.html">simple bridge</ulink> with a DHCP
+                    url="../SimpleBridge.html">simple bridge</ulink> with a
-                    server on one port and DHCP clients on another
+                    DHCP server on one port and DHCP clients on another
                    port.</para>
                    <note>
                      <para>If you use <ulink
-                      url="/bridge-Shorewall-perl.html">Shorewall-perl for
+                      url="../bridge-Shorewall-perl.html">Shorewall-perl for
                      firewall/bridging</ulink>, then you need to include
                      DHCP-specific rules in <ulink
                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
@@ -479,25 +431,6 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">forward</emphasis>[={0|1}]</term>
              <listitem>
                <para>IPv6 only Sets the
                /proc/sys/net/ipv6/conf/interface/forwarding option to the
                specified value. If no value is supplied, then 1 is
                assumed.</para>
                <note>
                  <para>This option does not work with a wild-card <emphasis
                  role="bold">physical</emphasis> name (e.g., eth0.+).
                  Beginning with Shorewall 5.1.10, If this option is
                  specified, a warning is issued and the option is
                  ignored.</para>
                </note>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">ignore[=1]</emphasis></term>
@@ -534,15 +467,15 @@ loc     eth2            -</programlisting>
              role="bold">logmartians[={0|1}]</emphasis></term>
              <listitem>
-                <para>IPv4 only. Turn on kernel martian logging (logging of
+                <para>Turn on kernel martian logging (logging of packets with
-                packets with impossible source addresses. It is strongly
+                impossible source addresses. It is strongly suggested that if
-                suggested that if you set <emphasis
+                you set <emphasis role="bold">routefilter</emphasis> on an
-                role="bold">routefilter</emphasis> on an interface that you
+                interface that you also set <emphasis
-                also set <emphasis role="bold">logmartians</emphasis>. Even if
+                role="bold">logmartians</emphasis>. Even if you do not specify
-                you do not specify the <option>routefilter</option> option, it
+                the <option>routefilter</option> option, it is a good idea to
-                is a good idea to specify <option>logmartians</option> because
+                specify <option>logmartians</option> because your distribution
-                your distribution may have enabled route filtering without you
+                may have enabled route filtering without you knowing
-                knowing it.</para>
+                it.</para>
                <para>Only those interfaces with the
                <option>logmartians</option> option will have their setting
@@ -564,11 +497,9 @@ loc     eth2            -</programlisting>
                <para/>
                <note>
-                  <para>This option does not work with a wild-card <emphasis
+                  <para>This option does not work with a wild-card
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  Beginning with Shorewall 5.1.10, If this option is
+                  the INTERFACE column.</para>
                  specified, a warning is issued and the option is
                  ignored.</para>
                </note>
                <blockquote>
@@ -645,8 +576,8 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">nosmurfs</emphasis></term>
              <listitem>
-                <para>IPv4 only. Filter packets for smurfs (packets with a
+                <para>Filter packets for smurfs (packets with a broadcast
-                broadcast address as the source).</para>
+                address as the source).</para>
                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
@@ -665,9 +596,9 @@ loc     eth2            -</programlisting>
                <itemizedlist>
                  <listitem>
                    <para>a <filename
-                    class="directory">/proc/sys/net/ipv[46]/conf/</filename>
+                    class="directory">/proc/sys/net/ipv4/conf/</filename>
                    entry for the interface cannot be modified (including for
-                    proxy ARP or proxy NDP).</para>
+                    proxy ARP).</para>
                  </listitem>
                  <listitem>
@@ -695,10 +626,7 @@ loc     eth2            -</programlisting>
                <para>If the <emphasis>interface</emphasis> name is a wildcard
                name (ends with '+'), then the physical
-                <emphasis>name</emphasis> must also end in '+'. The physical
+                <emphasis>name</emphasis> must also end in '+'.</para>
                <replaceable>name</replaceable> may end in '+' (or be exactly
                '+') when the <replaceable>interface</replaceable> name is not
                a wildcard name.</para>
                <para>If <option>physical</option> is not specified, then it's
                value defaults to the <emphasis>interface</emphasis>
@@ -710,7 +638,7 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
              <listitem>
-                <para>IPv4 only. Sets
+                <para>Sets
                /proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
                Do NOT use this option if you are employing Proxy ARP through
                entries in <ulink
@@ -720,13 +648,9 @@ loc     eth2            -</programlisting>
                url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
                </ulink></para>
-                <note>
+                <para><emphasis role="bold">Note</emphasis>: This option does
-                  <para>This option does not work with a wild-card <emphasis
+                not work with a wild-card <replaceable>interface</replaceable>
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                name (e.g., eth0.+) in the INTERFACE column.</para>
                  Beginning with Shorewall 5.1.10, If this option is
                  specified, a warning is issued and the option is
                  ignored.</para>
                </note>
                <para>Only those interfaces with the <option>proxyarp</option>
                option will have their setting changed; the value assigned to
@@ -735,28 +659,6 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>
              <listitem>
                <para>IPv6 only. Sets
                /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
                <note>
                  <para>This option does not work with a wild-card <emphasis
                  role="bold">physical</emphasis> name (e.g., eth0.+).
                  Beginning with Shorewall 5.1.10, If this option is
                  specified, a warning is issued and the option is
                  ignored.</para>
                </note>
                <para>Only those interfaces with the <option>proxyndp</option>
                option will have their setting changed; the value assigned to
                the setting will be the value specified (if any) or 1 if no
                value is given.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">required</emphasis></term>
@@ -798,8 +700,8 @@ loc     eth2            -</programlisting>
              role="bold">routefilter[={0|1|2}]</emphasis></term>
              <listitem>
-                <para>IPv4 only. Turn on kernel route filtering for this
+                <para>Turn on kernel route filtering for this interface
-                interface (anti-spoofing measure).</para>
+                (anti-spoofing measure).</para>
                <para>Only those interfaces with the
                <option>routefilter</option> option will have their setting
@@ -812,11 +714,9 @@ loc     eth2            -</programlisting>
                filtering.</para>
                <note>
-                  <para>This option does not work with a wild-card <emphasis
+                  <para>This option does not work with a wild-card
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  Beginning with Shorewall 5.1.10, If this option is
+                  the INTERFACE column.</para>
                  specified, a warning is issued and the option is
                  ignored.</para>
                </note>
                <para>This option can also be enabled globally via the
@@ -925,11 +825,9 @@ loc     eth2            -</programlisting>
                specified (if any) or 1 if no value is given.</para>
                <note>
-                  <para>This option does not work with a wild-card <emphasis
+                  <para>This option does not work with a wild-card
-                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  Beginning with Shorewall 5.1.10, If this option is
+                  the INTERFACE column.</para>
                  specified, a warning is issued and the option is
                  ignored.</para>
                </note>
              </listitem>
            </varlistentry>
@@ -987,14 +885,11 @@ loc     eth2            -</programlisting>
                      <member><emphasis
                      role="bold">routefilter</emphasis></member>
                      <member><emphasis
                      role="bold">proxyarp</emphasis></member>
                      <member><emphasis
                      role="bold">proxyudp</emphasis></member>
                      <member><emphasis
                      role="bold">sourceroute</emphasis></member>
                      <member><emphasis
                      role="bold">proxyndp</emphasis></member>
                    </simplelist>
                  </listitem>
                </itemizedlist>
@@ -1007,9 +902,7 @@ loc     eth2            -</programlisting>
              <listitem>
                <para>Incoming requests from this interface may be remapped
                via UPNP (upnpd). See <ulink
-                url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.
+                url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
                Supported in IPv4 and in IPv6 in Shorewall 5.1.4 and
                later.</para>
              </listitem>
            </varlistentry>
@@ -1023,8 +916,7 @@ loc     eth2            -</programlisting>
                causes Shorewall to detect the default gateway through the
                interface and to accept UDP packets from that gateway. Note
                that, like all aspects of UPnP, this is a security hole so use
-                this option at your own risk. Supported in IPv4 and in IPv6 in
+                this option at your own risk.</para>
                Shorewall 5.1.4 and later.</para>
              </listitem>
            </varlistentry>
@@ -1051,7 +943,7 @@ loc     eth2            -</programlisting>
    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>
        <listitem>
          <para>Suppose you have eth0 connected to a DSL modem and eth1
@@ -1064,7 +956,7 @@ loc     eth2            -</programlisting>
          <para>Your entries for this setup would look like:</para>
-          <programlisting>?FORMAT 1
+          <programlisting>FORMAT 1
 #ZONE   INTERFACE BROADCAST        OPTIONS
 net     eth0      206.191.149.223  dhcp
 loc     eth1      192.168.1.255
@@ -1079,7 +971,7 @@ dmz     eth2      192.168.2.255</programlisting>
          <para>The same configuration without specifying broadcast addresses
          is:</para>
-          <programlisting>?FORMAT 2
+          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
 net     eth0      dhcp
 loc     eth1      
@@ -1094,7 +986,7 @@ dmz     eth2</programlisting>
          <para>You have a simple dial-in system with no Ethernet
          connections.</para>
-          <programlisting>?FORMAT 2
+          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
 net     ppp0      -</programlisting>
        </listitem>
@@ -1107,7 +999,7 @@ net     ppp0      -</programlisting>
          <para>You have a bridge with no IP address and you want to allow
          traffic through the bridge.</para>
-          <programlisting>?FORMAT 2
+          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
 -       br0       bridge</programlisting>
        </listitem>
@@ -1119,8 +1011,6 @@ net     ppp0      -</programlisting>
    <title>FILES</title>
    <para>/etc/shorewall/interfaces</para>
    <para>/etc/shorewall6/interfaces</para>
  </refsect1>
  <refsect1>
@@ -1129,6 +1019,13 @@ net     ppp0      -</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-ipsets.xml
+++ b/Shorewall/manpages/shorewall-ipsets.xml
@@ -103,7 +103,7 @@
    <important>
      <para>These additional match options are not available in <ulink
-      url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>.</para>
+      url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>.</para>
    </important>
    <para>Available options are:</para>
@@ -251,44 +251,34 @@
    <para>/etc/shorewall/accounting</para>
    <para>/etc/shorewall6/accounting</para>
    <para>/etc/shorewall/blrules</para>
    <para>/etc/shorewall6/blrules</para>
    <para>/etc/shorewall/hosts -- <emphasis role="bold">Note:</emphasis>
    Multiple matches enclosed in +[...] may not be used in this file.</para>
    <para>/etc/shorewall6/hosts -- <emphasis role="bold">Note:</emphasis>
    Multiple matches enclosed in +[...] may not be used in this file.</para>
    <para>/etc/shorewall/maclist -- <emphasis role="bold">Note:</emphasis>
    Multiple matches enclosed in +[...] may not be used in this file.</para>
-    <para>/etc/shorewall6/maclist -- <emphasis role="bold">Note:</emphasis>
+    <para>/etc/shorewall/masq</para>
    Multiple matches enclosed in +[...] may not be used in this file.</para>
    <para>/etc/shorewall/rules</para>
    <para>/etc/shorewall6/rules</para>
    <para>/etc/shorewall/secmarks</para>
    <para>/etc/shorewall6/secmarks</para>
    <para>/etc/shorewall/mangle</para>
    <para>/etc/shorewall6/mangle</para>
    <para>/etc/shorewall/snat</para>
    <para>/etc/shorewall6/snat</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-logging.xml
+++ b/Shorewall/manpages/shorewall-logging.xml
@@ -1,385 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-logging</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
    <refname>logging</refname>
    <refpurpose>Shorewall logging</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command><replaceable>action</replaceable>:<replaceable>level</replaceable></command>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>NFLOG(<replaceable>nflog-parameters</replaceable>)</command>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>ULOG(<replaceable>ulog-parameters</replaceable>)</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
    <para>The disposition of packets entering a Shorewall firewall is
    determined by one of a number of Shorewall facilities. Only some of these
    facilities permit logging.</para>
    <orderedlist>
      <listitem>
        <para>The packet is part of an established connection. While the
        packet can be logged using LOG rules in the ESTABLISHED section of
        <ulink
        url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>, that
        is not recommended because of the large amount of information that may
        be logged.</para>
      </listitem>
      <listitem>
        <para>The packet represents a connection request that is related to an
        established connection (such as a <ulink url="FTP.html">data
        connection associated with an FTP control connection</ulink>). These
        packets may be logged using LOG rules in the RELATED section of <ulink
        url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
      </listitem>
      <listitem>
        <para>The packet is rejected because of an option in <ulink
        url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) or <ulink
        url="manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
        These packets can be logged by setting the appropriate logging-related
        option in <ulink
        url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>.</para>
      </listitem>
      <listitem>
        <para>The packet matches a rule in <ulink
        url="manpages/shorewall-rules.html">shorewall-rules</ulink>(5). By
        including a syslog level (see below) in the ACTION column of a rule
        (e.g., <quote>ACCEPT<emphasis role="bold">:info</emphasis> net $FW tcp
        22</quote>), the connection attempt will be logged at that
        level.</para>
      </listitem>
      <listitem>
        <para>The packet doesn't match a rule so it is handled by a policy
        defined in <ulink
        url="manpages/shorewall-policy.html">shorewall-policy(5)</ulink>.
        These may be logged by specifying a syslog level in the LOG LEVEL
        column of the policy's entry (e.g., <quote>loc net ACCEPT <emphasis
        role="bold">info</emphasis></quote>).</para>
      </listitem>
    </orderedlist>
  </refsect1>
  <refsect1>
    <title>Default Logging</title>
    <para>By default, Shorewall directs Netfilter to log using syslog (8).
    Syslog classifies log messages by a <emphasis>facility</emphasis> and a
    <emphasis>priority</emphasis> (using the notation
    <emphasis>facility.priority</emphasis>).</para>
    <para>The facilities defined by syslog are <emphasis>auth, authpriv, cron,
    daemon, kern, lpr, mail, mark, news, syslog, user, uucp</emphasis> and
    <emphasis>local0</emphasis> through <emphasis>local7.</emphasis></para>
    <para>Throughout the Shorewall documentation, the term
    <emphasis>level</emphasis> rather than <emphasis>priority is used,
    </emphasis>since <emphasis>level</emphasis> is the term used by Netfilter.
    The syslog documentation uses the term
    <emphasis>priority</emphasis>.</para>
  </refsect1>
  <refsect1>
    <title>Syslog Levels</title>
    <para>Syslog levels are a method of describing to syslog (8) the
    importance of a message. A number of Shorewall parameters have a syslog
    level as their value.</para>
    <para>Valid levels are:</para>
    <simplelist>
      <member>7 - <emphasis role="bold">debug</emphasis> (Debug-level
      messages)</member>
      <member>6 - <emphasis role="bold">info</emphasis>
      (Informational)</member>
      <member>5 - <emphasis role="bold">notice</emphasis> (Normal but
      significant Condition)</member>
      <member>4 - <emphasis role="bold">warning</emphasis> (Warning
      Condition)</member>
      <member>3 - <emphasis role="bold">err</emphasis> (Error
      Condition)</member>
      <member>2 - <emphasis role="bold">crit</emphasis> (Critical
      Conditions)</member>
      <member>1 - <emphasis role="bold">alert</emphasis> (must be handled
      immediately)</member>
      <member>0 - <emphasis role="bold">emerg</emphasis> (System is
      unusable)</member>
    </simplelist>
    <para>For most Shorewall logging, a level of 6 (info) is appropriate.
    Shorewall log messages are generated by Netfilter and are logged using the
    <emphasis>kern</emphasis> facility and the level that you specify. If you
    are unsure of the level to choose, 6 (info) is a safe bet. You may specify
    levels by name or by number.</para>
    <para>Beginning with Shorewall 4.5.5, the <replaceable>level</replaceable>
    name or number may be optionally followed by a comma-separated list of one
    or more<replaceable> log options</replaceable>. The list is enclosed in
    parentheses. Log options cause additional information to be included in
    each log message.</para>
    <para>Valid log options are:</para>
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">ip_options</emphasis></term>
        <listitem>
          <para>Log messages will include the option settings from the IP
          header.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">macdecode</emphasis></term>
        <listitem>
          <para>Decode the MAC address and protocol.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">tcp_sequence</emphasis></term>
        <listitem>
          <para>Include TCP sequence numbers.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">tcp_options</emphasis></term>
        <listitem>
          <para>Include options from the TCP header.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">uid</emphasis></term>
        <listitem>
          <para>Include the UID of the sending program; only valid for packets
          originating on the firewall itself.</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>Example: <emphasis
    role="bold">info(tcp_options,tcp_sequence)</emphasis></para>
    <para>Syslogd writes log messages to files (typically in <filename
    class="directory">/var/log/</filename>*) based on their facility and
    level. The mapping of these facility/level pairs to log files is done in
    /etc/syslog.conf (5). If you make changes to this file, you must restart
    syslogd before the changes can take effect.</para>
    <para>Syslog may also write to your system console. See <ulink
    url="FAQ.htm#faq16">Shorewall FAQ 16</ulink> for ways to avoid having
    Shorewall messages written to the console.</para>
  </refsect1>
  <refsect1>
    <title>Configuring a Separate Log for Shorewall Messages (ulogd)</title>
    <para>There are a couple of limitations to syslogd-based logging:</para>
    <orderedlist>
      <listitem>
        <para>If you give, for example, kern.info its own log destination then
        that destination will also receive all kernel messages of levels 5
        (notice) through 0 (emerg).</para>
      </listitem>
      <listitem>
        <para>All kernel.info messages will go to that destination and not
        just those from Netfilter.</para>
      </listitem>
      <listitem>
        <para>Netfilter (Shorewall) messages show up in
        <command>dmesg</command>.</para>
      </listitem>
    </orderedlist>
    <para>If your kernel has NFLOG target support (and most vendor-supplied
    kernels do), you may also specify a log level of NFLOG (must be all caps).
    When NFLOG is used, Shorewall will direct Netfilter to log the related
    messages via the NFLOG target which will send them to a process called
    <quote>ulogd</quote>. The ulogd program is included in most
    distributions.</para>
    <note>
      <para>The NFLOG logging mechanism is <emphasis
      role="underline">completely separate</emphasis> from syslog. Once you
      switch to NFLOG, the settings in <filename>/etc/syslog.conf</filename>
      have absolutely no effect on your Shorewall logging (except for
      Shorewall status messages which still go to syslog).</para>
    </note>
    <para>You will need to change all instances of log levels (usually
    <quote>info</quote>) in your Shorewall configuration files to
    <quote>NFLOG</quote> - this includes entries in the policy, rules and
    shorewall.conf files. If you initially installed using Shorewall 5.1.2 or
    later, you can simply change the setting of LOG_LEVEL in
    shorewall.conf.</para>
  </refsect1>
  <refsect1>
    <title>Understanding the Contents of Shorewall Log Messages</title>
    <para>For general information on the contents of Netfilter log messages,
    see <ulink
    url="http://logi.cc/en/2010/07/netfilter-log-format/">http://logi.cc/en/2010/07/netfilter-log-format/</ulink>.</para>
    <para>For Shorewall-specific information, see <ulink
    url="/FAQ.htm#faq17">FAQ #17</ulink>.</para>
  </refsect1>
  <refsect1>
    <title>Customizing the Content of Shorewall Log Messages</title>
    <para>In a Shorewall logging rule, the log level can be followed by a
    <firstterm>log tag</firstterm> as in "DROP:NFLOG:junk". The generated log
    message will include "<emphasis>chain-name</emphasis> junk DROP".</para>
    <para>By setting the LOGTAGONLY option to Yes in <ulink
    url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
    url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
    disposition ('DROP' in the above example) will be omitted. Consider the
    following rule:</para>
    <programlisting>#ACTION                                    SOURCE          DEST           PROTO
 REJECT(icmp-proto-unreachable):notice:IPv6 loc             net            41      # who's using IPv6 tunneling</programlisting>
    <para>This rule generates the following warning at compile time:</para>
    <simplelist>
      <member>WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp-p "
      /etc/shorewall/rules (line 212)</member>
    </simplelist>
    <para>and produces the rather ugly prefix "Shorewall:IPv6:REJECT(icmp-p
    ".</para>
    <para>Now consider this similar rule:</para>
    <programlisting>#ACTION                                              SOURCE          DEST           PROTO
 REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net            41      # who's using IPv6 tunneling</programlisting>
    <para>With LOGTAGONLY=Yes, no warning is generated and the prefix becomes
    "Shorewall:IPv6:tunneling:"</para>
    <para>See the <ulink url="shorewall.conf.html">shorewall[6].conf man
    page</ulink> for further information about how LOGTAGONLY=Yes can be
    used.</para>
  </refsect1>
  <refsect1>
    <title>Log Backends</title>
    <para>Netfilter logging allows configuration of multiple backends. Logging
    backends provide the The low-level forward of log messages. There are
    currently three backends:</para>
    <variablelist>
      <varlistentry>
        <term>LOG (ipt_LOG and ip6t_LOG).</term>
        <listitem>
          <para>Normal kernel-based logging to a syslog daemon.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>ULOG (ipt_ULOG)</term>
        <listitem>
          <para>ULOG logging as described ablve. Only available for
          IPv4.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>netlink (nfnetlink_log)</term>
        <listitem>
          <para>The logging backend behind NFLOG, defined above.</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>The currently-available and currently-selected IPv4 and IPv6
    backends are shown in /proc/sys/net/netfilter/nf_log:</para>
    <programlisting>cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
 10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
 11 NONE (nfnetlink_log)
 12 NONE (nfnetlink_log)</programlisting>
    <para>The magic numbers (0-12) are Linux address family numbers (AF_INET
    is 2 and AF_INET6 is 10).</para>
    <para>The name immediately following the number is the currently-selected
    backend, and the ones in parentheses are the ones that are available. You
    can change the currently selected backend by echoing it's name into
    /proc/net/netfilter/nf_log.<replaceable>number</replaceable>.</para>
    <para>Example - change the IPv4 backend to LOG:</para>
    <programlisting>sysctl net.netfilter.nf_log.2=ipt_LOG</programlisting>
    <para>Beginning with Shorewall 4.6.4, you can configure the backend using
    the LOG_BACKEND option in <ulink
    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
  </refsect1>
  <refsect1>
    <title>SEE ALSO</title>
    <para><ulink
    url="/shorewall_logging.htm">http://www.shorewall.net/shorewall_logging.html</ulink></para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-maclist.xml
+++ b/Shorewall/manpages/shorewall-maclist.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/maclist</command>
+      <command>/etc/shorewall/maclist</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -97,8 +97,6 @@
    <title>FILES</title>
    <para>/etc/shorewall/maclist</para>
    <para>/etc/shorewall6/maclist</para>
  </refsect1>
  <refsect1>
@@ -110,6 +108,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -18,17 +18,31 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/mangle</command>
+      <command>/etc/shorewall/mangle</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
-    <para>This file was introduced in Shorewall 4.6.0 and replaces <ulink
+    <para>This file was introduced in Shorewall 4.6.0 and is intended to
    replace <ulink
    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
    file is only processed by the compiler if:</para>
    <orderedlist numeration="loweralpha">
      <listitem>
        <para>No file named 'tcrules' exists on the current CONFIG_PATH (see
        <ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>);
        or</para>
      </listitem>
      <listitem>
        <para>The first file named 'tcrules' found on the CONFIG_PATH contains
        no non-commentary entries.</para>
      </listitem>
    </orderedlist>
    <para>Entries in this file cause packets to be marked as a means of
    classifying them for traffic control or policy routing.</para>
@@ -103,7 +117,9 @@
          SOURCE is $FW, the generated rule is always placed in the OUTPUT
          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
          Additionally, a <replaceable>chain-designator</replaceable> may not
-          be specified in an action body.</para>
+          be specified in an action body unless the action is declared as
          <option>inline</option> in <ulink
          url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -283,7 +299,7 @@
                configuration described at <ulink
                url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
                place this entry in <ulink
-                url="/manpages/shorewall-providers.html">shorewall-providers(5)</ulink>:</para>
+                url="manpages/shorewall-providers.html">shorewall-providers(5)</ulink>:</para>
                <programlisting>#NAME    NUMBER   MARK    DUPLICATE  INTERFACE GATEWAY         OPTIONS               COPY
 TProxy   1        -       -          lo        -               tproxy</programlisting>
@@ -349,9 +365,8 @@ DIVERTHA        -               -               tcp</programlisting>
              <listitem>
                <para>Added in Shorewall 5.0.6 as an alternative to entries in
-                <ulink
+                <ulink url="shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
-                url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>.
+                PROTO is specified, it must be 'tcp' (6). If no PROTO is
                If a PROTO is specified, it must be 'tcp' (6). If no PROTO is
                supplied, TCP is assumed. This action causes all ECN bits in
                the TCP header to be cleared.</para>
              </listitem>
@@ -674,43 +689,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">TCPMSS</emphasis>([<replaceable>mss</replaceable>[,<replaceable>ipsec</replaceable>]])</term>
              <listitem>
                <para>Added in Shorewall 5.1.9. This target only applies to
                TCP traffic and alters the MSS value in SYN packets. It may be
                used in the FORWARD and POSTROUTING chains; the default is
                FORWARD.</para>
                <para>The <replaceable>mss</replaceable> parameter may be
                either <option>pmtu</option> or an integer in the range
                500:65533. The value <option>pmtu</option> automatically
                clamps the MSS value to (path_MTU - 40 for IPv4; -60 for
                IPv6). This may not function as desired where asymmetric
                routes with differing path MTU exist — the kernel uses the
                path MTU which it would use to send packets from itself to the
                source and destination IP addresses. Prior to Linux 2.6.25,
                only the path MTU to the destination IP address was considered
                by this option; subsequent kernels also consider the path MTU
                to the source IP address. If an integer is given, the MSS
                option is set to the specified value. If the MSS of the packet
                is already lower than <replaceable>mss</replaceable>, it will
                not be increased (from Linux 2.6.25 onwards) to avoid more
                problems with hosts relying on a proper MSS. If
                <replaceable>mss</replaceable> is omitted,
                <option>pmtu</option> is assumed.</para>
                <para>The <replaceable>ipsec</replaceable> parameter
                determines whether the rule applies to IPSEC traffic
                (<option>ipsec</option> is passed), non-IPSEC traffic
                (<option>none</option> is passed) or both
                (<option>all</option> is passed). If omitted,
                <option>all</option> is assumed.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</term>
@@ -747,7 +725,7 @@ Normal-Service       =&gt; 0x00</programlisting>
            <varlistentry>
              <term><emphasis
-              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>[,<replaceable>address</replaceable>]])</term>
+              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])</term>
              <listitem>
                <para>Transparently redirects a packet without altering the IP
@@ -810,7 +788,7 @@ Normal-Service       =&gt; 0x00</programlisting>
              <listitem>
                <para>where <replaceable>interface</replaceable> is the
                logical name of an interface defined in <ulink
-                url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
+                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
                Matches packets entering the firewall from the named
                interface. May not be used in CLASSIFY rules or in rules using
                the :T chain qualifier.</para>
@@ -933,12 +911,11 @@ Normal-Service       =&gt; 0x00</programlisting>
              <listitem>
                <para>where <replaceable>interface</replaceable> is the
                logical name of an interface defined in <ulink
-                url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
+                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
                Matches packets leaving the firewall through the named
                interface. May not be used in the PREROUTING chain (:P in the
                mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
-                in <ulink
+                in <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
                url="/manpages/shorewall.conf">shorewall.conf</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>
@@ -975,7 +952,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                when both the outgoing interface and destination IP address
                match. May not be used in the PREROUTING chain (:P in the mark
                column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
-                <ulink url="/manpages/shorewall.conf">shorewall.conf</ulink>
+                <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>
@@ -990,7 +967,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                <replaceable>exclusion</replaceable>. May not be used in the
                PREROUTING chain (:P in the mark column or no chain qualifier
                and MARK_IN_FORWARD_CHAIN=No in <ulink
-                url="/manpages/shorewall.conf">shorewall.conf</ulink>
+                url="manpages/shorewall.conf">shorewall.conf</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>
@@ -1059,7 +1036,7 @@ Normal-Service       =&gt; 0x00</programlisting>
        <listitem>
          <para>See <ulink
-          url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for
+          url="shorewall-rules.html">shorewall-rules(5)</ulink> for
          details.</para>
          <para>Beginning with Shorewall 4.5.12, this column can accept a
@@ -1566,7 +1543,7 @@ Normal-Service       =&gt; 0x00</programlisting>
    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>
        <listitem>
          <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
@@ -1595,7 +1572,7 @@ Normal-Service       =&gt; 0x00</programlisting>
      </varlistentry>
      <varlistentry>
-        <term>IPv4 Example 2:</term>
+        <term>Example 2:</term>
        <listitem>
          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -1607,41 +1584,12 @@ Normal-Service       =&gt; 0x00</programlisting>
       #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
       CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW
-/etc/shorewall/snat:
+/etc/shorewall/masq:
-       #ACTION          SOURCE              DEST     ...
+       #INTERFACE SOURCE         ADDRESS     ...
-       SNAT(1.1.1.1)    eth0:192.168.1.0/24 - { mark=1:C }
+       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
-       SNAT(1.1.1.3)    eth0:192.168.1.0/24 - { mark=2:C }
+       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
-       SNAT(1.1.1.4)    eth0:192.168.1.0/24 - { mark=3:C }</programlisting>
+       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 1:</term>
        <listitem>
          <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
          to peer traffic with packet mark 4.</para>
          <para>This is a little more complex than otherwise expected. Since
          the ipp2p module is unable to determine all packets in a connection
          are P2P packets, we mark the entire connection as P2P if any of the
          packets are determined to match.</para>
          <para>We assume packet/connection mark 0 means unclassified.</para>
          <programlisting>       #ACTION    SOURCE    DEST         PROTO   DPORT         SPORT   USER    TEST
       MARK(1):T  ::/0      ::/0         icmp    echo-request
       MARK(1):T  ::/0      ::/0         icmp    echo-reply
       RESTORE:T  ::/0      ::/0         all     -             -       -       0
       CONTINUE:T ::/0      ::/0         all     -             -       -       !0
       MARK(4):T  ::/0      ::/0         ipp2p:all
       SAVE:T     ::/0      ::/0         all     -             -       -       !0</programlisting>
          <para>If a packet hasn't been classified (packet mark is 0), copy
          the connection mark to the packet mark. If the packet mark is set,
          we're done. If the packet is P2P, set the packet mark to 4. If the
          packet mark has been set, save it to the connection mark.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -1651,8 +1599,6 @@ Normal-Service       =&gt; 0x00</programlisting>
    <title>FILES</title>
    <para>/etc/shorewall/mangle</para>
    <para>/etc/shorewall6/mangle</para>
  </refsect1>
  <refsect1>
@@ -1670,6 +1616,14 @@ Normal-Service       =&gt; 0x00</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/masq</command>
+      <command>/etc/shorewall/masq</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -579,7 +579,7 @@
    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>
        <listitem>
          <para>You have a simple masquerading setup where eth0 connects to a
@@ -594,7 +594,7 @@
      </varlistentry>
      <varlistentry>
-        <term>IPv4 Example 2:</term>
+        <term>Example 2:</term>
        <listitem>
          <para>You add a router to your local network to connect subnet
@@ -607,7 +607,7 @@
      </varlistentry>
      <varlistentry>
-        <term>IPv4 Example 3:</term>
+        <term>Example 3:</term>
        <listitem>
          <para>You have an IPSEC tunnel through ipsec0 and you want to
@@ -620,7 +620,7 @@
      </varlistentry>
      <varlistentry>
-        <term>IPv4 Example 4:</term>
+        <term>Example 4:</term>
        <listitem>
          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
@@ -634,7 +634,7 @@
      </varlistentry>
      <varlistentry>
-        <term>IPv4 Example 5:</term>
+        <term>Example 5:</term>
        <listitem>
          <para>You want all outgoing SMTP traffic entering the firewall from
@@ -654,7 +654,7 @@
      </varlistentry>
      <varlistentry>
-        <term>IPv4 Example 6:</term>
+        <term>Example 6:</term>
        <listitem>
          <para>Connections leaving on eth0 and destined to any host defined
@@ -667,7 +667,7 @@
      </varlistentry>
      <varlistentry>
-        <term>IPv4 Example 7:</term>
+        <term>Example 7:</term>
        <listitem>
          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -689,7 +689,7 @@
      </varlistentry>
      <varlistentry>
-        <term>IPv4 Example 8:</term>
+        <term>Example 8:</term>
        <listitem>
          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
@@ -716,49 +716,6 @@
 </programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 1:</term>
        <listitem>
          <para>You have a simple 'masquerading' setup where eth0 connects to
          a DSL or cable modem and eth1 connects to your local network with
          subnet 2001:470:b:787::0/64</para>
          <para>Your entry in the file will be:</para>
          <programlisting>        #INTERFACE   SOURCE                  ADDRESS
        eth0         2001:470:b:787::0/64    -</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 2:</term>
        <listitem>
          <para>Your sit1 interface has two public IP addresses:
          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
          iptables statistics match to masquerade outgoing connections evenly
          between these two addresses.</para>
          <programlisting>/etc/shorewall/masq:
       #INTERFACE    SOURCE         ADDRESS 
       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
       sit1          ::/0           2001:470:a:227::2 
 </programlisting>
          <para>If INLINE_MATCHES=Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
          then these rules may be specified as follows:</para>
          <programlisting>/etc/shorewall/masq:
       #INTERFACE    SOURCE         ADDRESS 
       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
       sit1          ::/0           2001:470:a:227::2</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@@ -766,8 +723,6 @@
    <title>FILES</title>
    <para>/etc/shorewall/masq</para>
    <para>/etc/shorewall6/masq</para>
  </refsect1>
  <refsect1>
@@ -776,6 +731,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-modules.xml
+++ b/Shorewall/manpages/shorewall-modules.xml
@@ -18,11 +18,11 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/usr/share/shorewall[6]/modules</command>
+      <command>/usr/share/shorewall/modules</command>
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>/usr/share/shorewall[6]/helpers</command>
+      <command>/usr/share/shorewall/helpers</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -51,7 +51,7 @@
    <para>The <replaceable>modulename</replaceable> names a kernel module
    (without suffix). Shorewall will search for modules based on your
-    MODULESDIR setting in <ulink
+    MODULESDIR and MODULE_SUFFIX settings in <ulink
    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(8). The
    <replaceable>moduleoption</replaceable>s are passed to modprobe (if
    installed) or to insmod.</para>
@@ -82,19 +82,19 @@
    <para>/etc/shorewall/modules</para>
    <para>/etc/shorewall/helpers</para>
    <para>/usr/share/shorewall6/modules</para>
    <para>/usr/share/shorewall6/helpers</para>
    <para>/etc/shorewall6/modules</para>
    <para>/etc/shorewall6/helpers</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-nat.xml
+++ b/Shorewall/manpages/shorewall-nat.xml
@@ -34,8 +34,6 @@
      url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>. Also,
      in many cases, Proxy ARP (<ulink
      url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
      or Proxy-NDP(<ulink
      url="/manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp</ulink>(5))
      is a better solution that one-to-one NAT.</para>
    </warning>
@@ -201,7 +199,7 @@ all		all		REJECT		info
      <listitem>
        <para>Set IMPLICIT_CONTINUE=Yes in <ulink
-        url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+        url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
      </listitem>
    </orderedlist>
  </refsect1>
@@ -210,8 +208,6 @@ all		all		REJECT		info
    <title>FILES</title>
    <para>/etc/shorewall/nat</para>
    <para>/etc/shorewall6/nat</para>
  </refsect1>
  <refsect1>
@@ -223,6 +219,14 @@ all		all		REJECT		info
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-nesting.xml
+++ b/Shorewall/manpages/shorewall-nesting.xml
@@ -200,16 +200,6 @@
    <para>/etc/shorewall/policy</para>
    <para>/etc/shorewall/rules</para>
    <para>/etc/shorewall6/zones</para>
    <para>/etc/shorewall6/interfaces</para>
    <para>/etc/shorewall6/hosts</para>
    <para>/etc/shorewall6/policy</para>
    <para>/etc/shorewall6/rules</para>
  </refsect1>
  <refsect1>
--- a/Shorewall/manpages/shorewall-netmap.xml
+++ b/Shorewall/manpages/shorewall-netmap.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/netmap</command>
+      <command>/etc/shorewall/netmap</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -44,6 +44,8 @@
        role="bold">SNAT}</emphasis></term>
        <listitem>
          <para>Must be DNAT or SNAT</para>
          <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
          its destination address rewritten to the corresponding address in
          NET2.</para>
@@ -167,8 +169,6 @@
    <title>FILES</title>
    <para>/etc/shorewall/netmap</para>
    <para>/etc/shorewall6/netmap</para>
  </refsect1>
  <refsect1>
@@ -180,6 +180,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-params.xml
+++ b/Shorewall/manpages/shorewall-params.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/params</command>
+      <command>/etc/shorewall/params</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -107,7 +107,7 @@
    <programlisting>NET_IF=eth0
 NET_BCAST=130.252.100.255
-NET_OPTIONS=routefilter</programlisting>
+NET_OPTIONS=routefilter,norfc1918</programlisting>
    <para>Example <ulink
    url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
@@ -119,15 +119,13 @@ net     $NET_IF         $NET_BCAST      $NET_OPTIONS</programlisting>
    <para>This is the same as if the interfaces file had contained:</para>
    <programlisting>ZONE    INTERFACE       BROADCAST       OPTIONS
-net     eth0            130.252.100.255 routefilter</programlisting>
+net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
  </refsect1>
  <refsect1>
    <title>FILES</title>
    <para>/etc/shorewall/params</para>
    <para>/etc/shorewall6/params</para>
  </refsect1>
  <refsect1>
@@ -136,6 +134,14 @@ net     eth0            130.252.100.255 routefilter</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Variables">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	e8b90f89a3	Clean up column/value pair editing. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-22 09:47:48 -07:00
Tom Eastep	870f6130ee	Set $parmsmodified on ?reset Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-18 12:39:33 -07:00