Correct handling of dbl=src_dst in interface OPTIONS

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Check for linkdown in interface_is_usable() rather than ..._is_up().
2018-05-18 10:18:09 -07:00 · 2018-05-18 07:56:06 -07:00 · 2018-05-12 08:09:46 -07:00 · 2018-05-10 11:12:23 -07:00 · 2018-05-10 09:30:02 -07:00 · 2018-05-06 13:31:54 -07:00
101 changed files with 1672 additions and 2246 deletions
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall/lib.base
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.cli.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.cli
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=50106
+SHOREWALL_CAPVERSION=50200
 if [ -z "$g_basedir" ]; then
    #
@@ -87,6 +87,8 @@ showchain() # $1 = name of chain
 #
 validate_restorefile() # $* = label
 {
    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
    case $RESTOREFILE in
 	*/*)
 	    error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
@@ -415,9 +417,9 @@ resolve_arptables() {
 savesets() {
    local supported
-    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+    supported=$(run_it $g_firewall help | fgrep savesets )
-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
+    [ -n "$supported" ] && run_it $g_firewall savesets ${g_restorepath}-ipsets 
 }
 #
@@ -426,9 +428,9 @@ savesets() {
 savesets1() {
    local supported
-    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+    supported=$(run_it $g_firewall help | fgrep savesets )
-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
+    [ -n "$supported" ] && run_it $g_firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
 }
 #
@@ -439,9 +441,9 @@ do_save() {
    local arptables
    status=0
-    if [ -f ${VARDIR}/firewall ]; then
+    if [ -f $g_firewall ]; then
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    cp -f ${VARDIR}/firewall $g_restorepath
+	    cp -f $g_firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod 700 $g_restorepath
 	    chmod 600 ${g_restorepath}-iptables
@@ -453,7 +455,7 @@ do_save() {
 	    status=1
 	fi
    else
-	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+	echo "   ERROR: $g_firewall does not exist" >&2
 	status=1
    fi
@@ -638,7 +640,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -$g_family -o route list table $table | grep -vF cache | sort_routes
+		ip -6 -o route list table $table | grep -vF cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -651,7 +653,7 @@ show_routing() {
    else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | grep -vF cache | sort_routes
+	    ip -6 -o route list | grep -vF cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
@@ -1189,6 +1191,32 @@ show_ipsec_command() {
    show_ipsec
 }
 show_saves_command() {
    local f
    local fn
    local mtime
    echo "$g_product $SHOREWALL_VERSION Saves at $g_hostname - $(date)"
    echo "Saved snapshots are:"
    echo
    for f in ${VARDIR}/*-iptables; do
 	case $f in
 	    *\**)
 	        ;;
 	    *)
 		fn=$(basename $f)
 		fn=${fn%-iptables}
 		mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
 		[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
 		echo "   $mtime ${fn%-iptables}"
 		;;
 	esac
    done
    echo
 }
 #
 # Show Command Executor
 #
@@ -1410,6 +1438,17 @@ show_command() {
 	vardir)
 	    echo $VARDIR;
 	    ;;
        rc)
            shift
 	    [ $# -gt 1 ] && too_many_arguments $2
            if [ -n "$1" -a -d "$1" ]; then
                cat $1/shorewallrc
            elif [ -n "$g_basedir" -a -d "$g_basedir" ]; then
                cat $g_basedir/shorewallrc
            else
                fatal_error "Can not determine the location of the shorewallrc file."
            fi
            ;;
 	policies)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
@@ -1478,6 +1517,10 @@ show_command() {
 	    only_root
 	    eval show_ipsec_command $g_pager
 	    ;;
 	saves)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    show_saves_command
 	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
@@ -1957,41 +2000,6 @@ show_proc() # $1 = name of a file
    [ -f $1 ] && echo "   $1 = $(cat $1)"
 }
 read_yesno_with_timeout() {
    local timeout
    timeout=${1:-60}
    case $timeout in
 	*s)
 	    ;;
 	*m)
 	    timeout=$((${timeout%m} * 60))
 	    ;;
 	*h)
 	    timeout=$((${timeout%h} * 3600))
 	    ;;
    esac
    read -t $timeout yn 2> /dev/null
    if [ $? -eq 2 ]
    then
 	# read doesn't support timeout
 	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
 	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
 	return $?
    else
 	# read supports timeout
 	case "$yn" in
 	    y|Y)
 		return 0
 		;;
 	    *)
 		return 1
 		;;
 	esac
    fi
 }
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2802,7 +2810,6 @@ determine_capabilities() {
    LENGTH_MATCH=
    CLASSIFY_TARGET=
    ENHANCED_REJECT=
    USEPKTTYPE=
    KLUDGEFREE=
    MARK=
    XMARK=
@@ -2898,6 +2905,7 @@ determine_capabilities() {
 		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
 	    qt $g_tool -t nat -L INPUT -n && NAT_INPUT_CHAIN=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
 	    qt $g_tool -t nat -F $chain
 	    qt $g_tool -t nat -X $chain
@@ -3148,7 +3156,6 @@ determine_capabilities() {
 	fi
    fi
    qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
    qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
    qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
    qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
@@ -3262,7 +3269,6 @@ report_capabilities_unsorted() {
 	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
 	[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
    fi
    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
    report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
    report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
    report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
@@ -3272,8 +3278,8 @@ report_capabilities_unsorted() {
    [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
    report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
    report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
    if [ -n "$IPSET_MATCH" ]; then
 	report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
 	[ -n "$OLD_IPSET_MATCH" ]     && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)"           $OLD_IPSET_MATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Nomatch (IPSET_MATCH_NOMATCH)"   $IPSET_MATCH_NOMATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Counters (IPSET_MATCH_COUNTERS)" $IPSET_MATCH_COUNTERS
@@ -3366,6 +3372,7 @@ report_capabilities_unsorted() {
    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
    report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3378,8 +3385,6 @@ report_capabilities() {
 	report_capabilities_unsorted | sort
    fi
    [ -n "$PKTTYPE" ] || USEPKTTYPE=
 }
 report_capabilities_unsorted1() {
@@ -3396,7 +3401,6 @@ report_capabilities_unsorted1() {
    report_capability1 CONNTRACK_MATCH
    report_capability1 NEW_CONNTRACK_MATCH
    report_capability1 OLD_CONNTRACK_MATCH
    report_capability1 USEPKTTYPE
    report_capability1 POLICY_MATCH
    report_capability1 PHYSDEV_MATCH
    report_capability1 PHYSDEV_BRIDGE
@@ -3474,6 +3478,7 @@ report_capabilities_unsorted1() {
    report_capability1 NETMAP_TARGET
    report_capability1 NFLOG_SIZE
    report_capability1 RESTORE_WAIT_OPTION
    report_capability1 NAT_INPUT_CHAIN
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3816,7 +3821,7 @@ iprange_command() {
 }
 ipdecimal_command() {
-    if [ $# eq 1 ]; then
+    if [ $# -eq 1 ]; then
 	missing_argument
    else
 	[ $# -eq 2 ] || too_many_arguments $3
@@ -3959,7 +3964,7 @@ get_config() {
    ensure_config_path
-    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -4113,15 +4118,15 @@ start_command() {
 	rc=0
 	[ -n "$g_nolock" ] || mutex_on
-	if [ -x ${VARDIR}/firewall ]; then
+	if [ -x $g_firewall ]; then
-	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
 		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
 	    else
-		run_it ${VARDIR}/firewall $g_debugging start
+		run_it $g_firewall $g_debugging start
 	    fi
 	    rc=$?
 	else
-	    error_message "${VARDIR}/firewall is missing or is not executable"
+	    error_message "$g_firewall is missing or is not executable"
 	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
@@ -4250,11 +4255,11 @@ restart_command() {
    [ -n "$g_nolock" ] || mutex_on
-    if [ -x ${VARDIR}/firewall ]; then
+    if [ -x $g_firewall ]; then
-	run_it ${VARDIR}/firewall $g_debugging $COMMAND
+	run_it $g_firewall $g_debugging $COMMAND
 	rc=$?
    else
-	error_message "${VARDIR}/firewall is missing or is not executable"
+	error_message "$g_firewall is missing or is not executable"
 	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
    fi
@@ -4264,10 +4269,10 @@ restart_command() {
 }
 run_command() {
-    if [ -x ${VARDIR}/firewall ] ; then
+    if [ -x $g_firewall ] ; then
-	run_it ${VARDIR}/firewall $g_debugging $@
+	run_it $g_firewall $g_debugging $@
    else
-	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+	fatal_error "$g_firewall does not exist or is not executable"
    fi
 }
@@ -4325,7 +4330,6 @@ usage() # $1 = exit status
    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   reenable <interface>"
    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."
    if [ -n "$g_lite" ]; then
@@ -4335,9 +4339,11 @@ usage() # $1 = exit status
    fi
    if [ -z "$g_lite" ]; then
-	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-getrc [ -T ] [ -c ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
-	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-getcaps [ -T ] [ -R ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
-	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
 	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
 	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
    fi
    echo "   reset [ <chain> ... ]"
@@ -4380,7 +4386,9 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] nfacct"
    echo "   [ show | list | ls ] opens"
    echo "   [ show | list | ls ] policies"
    echo "   [ show | list | ls ] rc"
    echo "   [ show | list | ls ] routing"
    echo "   [ show | list | ls ] saves"
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
@@ -4429,7 +4437,6 @@ shorewall_cli() {
    g_use_verbosity=
    g_debug=
    g_export=
    g_refreshchains=:none:
    g_confess=
    g_update=
    g_annotate=
@@ -4448,6 +4455,7 @@ shorewall_cli() {
    g_nopager=
    g_blacklistipset=
    g_disconnect=
    g_havemutex=
    VERBOSE=
    VERBOSITY=1
@@ -4653,7 +4661,7 @@ shorewall_cli() {
 	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it ${VARDIR}/firewall $g_debugging $@
+		run_it $g_firewall $g_debugging $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.common
 #
 #     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
 #
@@ -754,7 +754,7 @@ mutex_on()
    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
-    if [ $MUTEX_TIMEOUT -gt 0 ]; then
+    if [ -z "$g_havemutex" -a $MUTEX_TIMEOUT -gt 0 ]; then
 	lockd=$(dirname $LOCKFILE)
@@ -762,7 +762,7 @@ mutex_on()
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
@@ -775,12 +775,14 @@ mutex_on()
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
 	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock ${lockf}
+	    lock ${lockf}
-            chmod u=r ${lockf}
+	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
 	    chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -790,10 +792,15 @@ mutex_on()
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
 		g_havemutex="rm -f ${lockf}"
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
 	if [ -n "$g_havemutex" ]; then
 	    trap mutex_off EXIT
 	fi
    fi
 }
@@ -802,7 +809,10 @@ mutex_on()
 #
 mutex_off()
 {
-    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
+    if [ -n "$g_havemutex" ]; then
-    rm -f ${LOCKFILE:=${VARDIR}/lock}
+	eval $g_havemutex
 	g_havemutex=
 	trap '' exit
    fi
 }
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.core
+# Shorewall 5.2 -- /usr/share/shorewall/lib.core
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -1,6 +1,5 @@
 #
-#
+# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
 # Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -1,6 +1,5 @@
 #
-#
+# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
 # Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -405,20 +405,6 @@
      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>options</arg>
      <arg
      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg><option>-i</option></arg><arg>-<option>D</option>
      <replaceable>directory</replaceable> </arg><arg
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>
@@ -459,6 +445,54 @@
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>options</arg>
      <arg choice="plain"><option>remote-getcaps</option></arg>
      <arg><option>-s</option></arg>
      <arg><option>-R</option></arg>
      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
      <arg><option>-T</option></arg>
      <arg><option>-i</option></arg>
      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>options</arg>
      <arg choice="plain"><option>remote-getrc</option></arg>
      <arg><option>-s</option></arg>
      <arg><option>-c</option></arg>
      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
      <arg><option>-T</option></arg>
      <arg><option>-i</option></arg>
      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
@@ -813,7 +847,7 @@
      <arg choice="req"><option>show | list | ls </option></arg>
-      <arg choice="plain"><option>tc</option></arg>
+      <arg choice="plain"><option>saves</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -1316,7 +1350,7 @@
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
-          role="bold">refresh</emphasis> command if that script exists.</para>
+          role="bold">reload</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>
@@ -1773,63 +1807,6 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
        [-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
        </option><replaceable>directory</replaceable> ] [
        <replaceable>chain</replaceable>... ]</term>
        <listitem>
          <para>Not available with Shorewall[6]-lite.</para>
          <para>All steps performed by <command>restart</command> are
          performed by <command>refresh</command> with the exception that
          <command>refresh</command> only recreates the chains specified in
          the command while <command>restart</command> recreates the entire
          Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
          the static blacklisting chain <emphasis
          role="bold">blacklst</emphasis> is assumed.</para>
          <para>The listed chains are assumed to be in the filter table. You
          can refresh chains in other tables by prefixing the chain name with
          the table name followed by ":" (e.g., nat:net_dnat). Chain names
          which follow are assumed to be in that table until the end of the
          list or until an entry in the list names another table. Built-in
          chains such as FORWARD may not be refreshed.</para>
          <para>The <option>-n</option> option was added in Shorewall 4.5.3
          causes Shorewall to avoid updating the routing table(s).</para>
          <para>The <option>-d</option> option was added in Shorewall 4.5.3
          causes the compiler to run under the Perl debugger.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-D</option> option was added in Shorewall 4.5.3
          and causes Shorewall to look in the given
          <emphasis>directory</emphasis> first for configuration files.</para>
          <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
          <para>The <emphasis role="bold">refresh</emphasis> command has
          slightly different behavior. When no chain name is given to the
          <emphasis role="bold">refresh</emphasis> command, the mangle table
          is refreshed along with the blacklist chain (if any). This allows
          you to modify <filename>/etc/shorewall/tcrules </filename>and
          install the changes using <emphasis
          role="bold">refresh</emphasis>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">reject</emphasis><replaceable>
        address</replaceable></term>
@@ -1941,6 +1918,57 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">remote-getcaps</emphasis>
        [-<option>R</option>] [-<option>r</option>
        <replaceable>root-user-name</replaceable>] [ [ -D ]
        <replaceable>directory</replaceable> ] [
        <replaceable>system</replaceable> ]</term>
        <listitem>
          <para>Added in Shoreall 5.2.0, this command executes <emphasis
          role="bold">shorewall[6]-lite show capabilities -f &gt;
          /var/lib/shorewall[6]-lite/capabilities</emphasis> on the remote
          <replaceable>system</replaceable> via ssh then the generated file is
          copied to <replaceable>directory</replaceable> on the local system.
          If no <replaceable>directory</replaceable> is given, the current
          working directory is assumed.</para>
          <para>if <emphasis role="bold">-R</emphasis> is included, the remote
          shorewallrc file is also copied to
          <replaceable>directory</replaceable>.</para>
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">remote-getrc</emphasis>
        [-<option>c</option>] [-<option>r</option>
        <replaceable>root-user-name</replaceable>] [ [ -D ]
        <replaceable>directory</replaceable> ] [
        <replaceable>system</replaceable> ]</term>
        <listitem>
          <para>Added in Shoreall 5.2.0, this command copies the shorewallrc
          file from the remote <replaceable>system</replaceable> to
          <replaceable>directory</replaceable> on the local system. If no
          <replaceable>directory</replaceable> is given, the current working
          directory is assumed.</para>
          <para>if <emphasis role="bold">-c</emphasis> is included, the remote
          capabilities are also copied to
          <replaceable>directory</replaceable>, as is done by the
          <command>remote-getcaps</command> command.</para>
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">remote-start</emphasis>
        [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
@@ -1992,9 +2020,9 @@
          role="bold">shorewall-lite save</emphasis> via ssh.</para>
          <para>if <emphasis role="bold">-c</emphasis> is included, the
-          command <emphasis role="bold">shorewall-lite show capabilities -f
+          command <emphasis role="bold">shorewall[6]-lite show capabilities -f
-          &gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
+          &gt; /var/lib/shorewall[6]-lite/capabilities</emphasis> is executed
-          ssh then the generated file is copied to
+          via ssh then the generated file is copied to
          <replaceable>directory</replaceable> using scp. This step is
          performed before the configuration is compiled.</para>
@@ -2005,13 +2033,6 @@
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -2430,11 +2451,11 @@
        <replaceable>filename</replaceable> ]</term>
        <listitem>
-          <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
+          <para>Creates a snapshot of the currently running firewall. The
-          The state of the firewall is stored in
+          dynamic blacklist is stored in /var/lib/shorewall/save. The state of
          the firewall is stored in
          /var/lib/shorewall/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall restore</emphasis> and <emphasis
+          <emphasis role="bold">shorewall restore</emphasis> command. If
          role="bold">shorewall -f start</emphasis> commands. If
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
@@ -2737,6 +2758,15 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">rc</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.2.0. Displays the contents of
                $SHAREDIR/shorewall/shorewallrc.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>[-<option>c</option>]<emphasis role="bold">
              routing</emphasis></term>
@@ -2762,6 +2792,20 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>saves</term>
              <listitem>
                <para>Added in Shorewall 5.2.0. Lists snapshots created by the
                <command>save</command> command. Each snapshot is listed with
                the date and time when it was taken. If there is a snapshot
                with the name specified in the RESTOREFILE option in <ulink
                url="shorewall.conf.html">shorewall.conf(5</ulink>), that
                snapshot is listed as the <emphasis>default</emphasis>
                snapshot for the <command>restore</command> command.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>
@@ -2921,7 +2965,7 @@
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
-          role="bold">refresh</emphasis> command if that script exists.</para>
+          role="bold">reload</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.0 rc file
+# Apple OS X Shorewall 5.2 rc file
 #
 BUILD=apple
 HOST=apple
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.0 rc file
+# Arch Linux Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.0 rc file
+# Cygwin Shorewall 5.2 rc file
 #
 BUILD=cygwin
 HOST=cygwin
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -13,9 +13,9 @@ MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
 INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-zero, annotated configuration files are installed
+ANNOTATED=				#If non-empty, annotated configuration files are installed
-SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian.systemd	#Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,5 +1,5 @@
 #
-# Default Shorewall 5.0 rc file
+# Default Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -1,5 +1,5 @@
 #
-# OpenWRT Shorewall 5.0 rc file
+# OpenWRT/LEDE Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.0 rc file
+# RedHat/FedoraShorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat
--- a/Shorewall-core/shorewallrc.sandbox
+++ b/Shorewall-core/shorewallrc.sandbox
@@ -0,0 +1,28 @@
 #
 # Shorewall 5.2 rc file for installing into a Sandbox
 #
 BUILD=                                       # Default is to detect the build system
 HOST=linux
 INSTALLDIR=				     # Set this to the directory where you want Shorewall installed
 PREFIX=${INSTALLDIR}/usr		     # Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share		     # Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share		     # Directory for executable scripts.	
 PERLLIBDIR=${PREFIX}/share/shorewall	     # Directory to install Shorewall Perl module directory	
 CONFDIR=${INSTALLDIR}/etc		     # Directory where subsystem configurations are installed				
 SBINDIR=${INSTALLDIR}/sbin		     # Directory where system administration programs are installed			
 MANDIR=		     			     # Leave empty
 INITDIR=				     # Leave empty				     				
 INITSOURCE=				     # Leave empty
 INITFILE=				     # Leave empty
 AUXINITSOURCE=				     # Leave empty
 AUXINITFILE=				     # Leave empty
 SERVICEDIR=				     # Leave empty
 SERVICEFILE=    			     # Leave empty
 SYSCONFFILE=				     # Leave empty
 SYSCONFDIR=				     # Leave empty			
 SPARSE=					     # Leave empty			
 ANNOTATED=				     # If non-empty, annotated configuration files are installed				
 VARLIB=${INSTALLDIR}/var/lib		     # Directory where product variable data is stored.				
 VARDIR=${VARLIB}/$PRODUCT		     # Directory where product variable data is stored.		
 DEFAULT_PAGER=/usr/bin/less		     # Pager to use if none specified in shorewall[6].conf
 SANDBOX=Yes				     # Indicates SANDBOX installation
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.0 rc file
+# Slackware Shorewall 5.2 rc file
 #
 BUILD=slackware
 HOST=slackware
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.0 rc file
+# SuSE Shorewall 5.2 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -1,5 +1,5 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall-lite/lib.base
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall/Actions/action.A_AllowICMPs.deprecated
+++ b/Shorewall/Actions/action.A_AllowICMPs.deprecated
@@ -1,9 +0,0 @@
 #
 # Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
 #
 # This action A_ACCEPTs needed ICMP types
 #
 ###############################################################################
 #ACTION		SOURCE		DEST	PROTO		DPORT
 AllowICMPs(A_ACCEPT)
--- a/Shorewall/Actions/action.A_Drop.deprecated
+++ b/Shorewall/Actions/action.A_Drop.deprecated
@@ -1,57 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.A_Drop
 #
 # The audited default DROP common rules
 #
 # This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ?require AUDIT_TARGET
 ?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
 COUNT
 #
 # Special Handling for Auth
 #
 Auth(A_DROP)
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before broadcast Drop.
 #
 A_AllowICMPs	-	-	icmp
 #
 # Don't log broadcasts and multicasts
 #
 dropBcast(audit)
 dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
 dropInvalid(audit)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(A_DROP)
 A_DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 dropNotSyn(audit)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 A_DropDNSrep
--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ b/Shorewall/Actions/action.A_Reject.deprecated
@@ -1,54 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.A_Reject
 #
 # The audited default REJECT action common rules
 #
 # This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ?require AUDIT_TARGET
 ?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
 COUNT
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before broadcast Drop.
 #
 A_AllowICMPs	-	-	icmp
 #
 # Drop Broadcasts and multicasts so they don't clutter up the log
 # (these must *not* be rejected).
 #
 dropBcast(audit)
 dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
 dropInvalid(audit)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(A_REJECT)
 A_DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 dropNotSyn(audit)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 A_DropDNSrep
--- a/Shorewall/Actions/action.Drop.deprecated
+++ b/Shorewall/Actions/action.Drop.deprecated
@@ -1,84 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Drop
 #
 # The former default DROP common rules. Use of this action is now deprecated
 #
 # This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # The action accepts six optional parameters:
 #
 # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #     actions.
 # 2 - Action to take with Auth requests. Default is to do nothing special
 #     with them.
 # 3 - Action to take with SMB requests. Default is DROP or A_DROP,
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
 # 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
 ?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
 ?if passed(@1)
    ?if @1 eq 'audit'
 DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
    ?else
        ?error The first parameter to Drop must be 'audit' or '-'
    ?endif
 ?else
 DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
 ?endif
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
 COUNT
 #
 # Special Handling for Auth
 #
 ?if passed(@2)
 Auth(@2)
 ?endif
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before silent broadcast Drop.
 #
 AllowICMPs(@4)	-	-	icmp
 #
 # Don't log broadcasts or multicasts
 #
 Broadcast(DROP,@1)
 Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
 Invalid(DROP,@1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
 DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 DropDNSrep(@5)
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -135,7 +135,7 @@ if ( $command & $RESET_CMD ) {
    #
    # if the event is armed, remove it and perform the action
    #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdst" );
 } elsif ( $command & $UPDATE_CMD ) {
    perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {
--- a/Shorewall/Actions/action.Reject.deprecated
+++ b/Shorewall/Actions/action.Reject.deprecated
@@ -1,85 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Reject
 #
 # The former default REJECT action common rules. Use of this action is deprecated.
 #
 # This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # The action accepts six optional parameters:
 #
 # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #     actions.
 # 2 - Action to take with Auth requests. Default is to do nothing
 #     special with them.
 # 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
 # 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
 ?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
 ?if passed(@1)
    ?if @1 eq 'audit'
 DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
    ?else
 	?error The first parameter to Reject must be 'audit' or '-'
    ?endif
 ?else
 DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
 ?endif
 #ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
 COUNT
 #
 # Special handling for Auth
 #
 ?if passed(@2)
 Auth(@2)
 ?endif
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before silent broadcast Drop.
 #
 AllowICMPs(@4)	-	-	icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
 Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
 Invalid(DROP,@1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
 DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 DropDNSrep(@5)
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ b/Shorewall/Macros/macro.SNMPTrap.deprecated
@@ -1,9 +1,9 @@
 #
-# Shorewall - /usr/share/shorewall/macro.SNMPtrap
+# Shorewall -- /usr/share/shorewall/macro.Apcupsd
 #
-# This macro deprecated by SNMPtrap.
+# This macro handles apcupsd traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-SNMPtrap
+PARAM	-	-	tcp	3551
--- a/Shorewall/Macros/macro.FreeIPA
+++ b/Shorewall/Macros/macro.FreeIPA
@@ -0,0 +1,16 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.FreeIPA
 #
 # This macro handles FreeIPA server traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 DNS
 HTTP
 HTTPS
 Kerberos
 Kpasswd
 LDAP
 LDAPS
 NTP
--- a/Shorewall/Macros/macro.IPFS-API
+++ b/Shorewall/Macros/macro.IPFS-API
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.IPFS-API
 #
 # This macro handles IPFS API port (commands for the IPFS daemon).
 #
 ###############################################################################
 #ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
 PARAM   -       -       tcp     5001
--- a/Shorewall/Macros/macro.IPFS-gateway
+++ b/Shorewall/Macros/macro.IPFS-gateway
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.IPFS-gateway
 #
 # This macro handles the IPFS gateway to HTTP.
 #
 ###############################################################################
 #ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
 PARAM   -       -       tcp     8080
--- a/Shorewall/Macros/macro.IPFS-swarm
+++ b/Shorewall/Macros/macro.IPFS-swarm
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
 #
 # This macro handles IPFS data traffic (the connection to IPFS swarm).
 #
 ###############################################################################
 #ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
 PARAM   -       -       tcp     4001
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -11,14 +11,20 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	623		# RMCP
 PARAM	-	-	udp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
-PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
+PARAM	-	-	tcp	5120,5122,5123	# CD,FD,HD (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
-PARAM	-	-	tcp	3520		# Remote Console (Redfish)
+PARAM	-	-	tcp	8889		# WS-MAN
 PARAM	-	-	udp	623		# RMCP
 HTTP
 HTTPS
 SNMP
 SSH						# Serial over Lan
 Telnet
 SNMP
 # TLS/secure ports
 PARAM	-	-	tcp	3520		# Remote Console (Redfish)
 PARAM	-	-	tcp	3669		# Virtual Media (Dell)
 PARAM	-	-	tcp	5124,5126,5127	# CD,FD,HD (AMI)
 PARAM	-	-	tcp	7582		# Remote Console (AMI)
 HTTPS
 SSH						# Serial over Lan
--- a/Shorewall/Macros/macro.Kpasswd
+++ b/Shorewall/Macros/macro.Kpasswd
@@ -0,0 +1,10 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.Kpasswd
 #
 # This macro handles Kerberos "passwd" traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	464
 PARAM	-	-	udp	464
--- a/Shorewall/Macros/macro.RedisSecure
+++ b/Shorewall/Macros/macro.RedisSecure
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.RedisSecure
 #
 # This macro handles Redis Secure (SSL/TLS) traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	6380
--- a/Shorewall/Macros/macro.Rwhois
+++ b/Shorewall/Macros/macro.Rwhois
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.Rwhois
 #
 # This macro handles Remote Who Is (rwhois) traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	4321
--- a/Shorewall/Macros/macro.SSDP
+++ b/Shorewall/Macros/macro.SSDP
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.SSDP
 #
 # This macro handles SSDP (used by DLNA/UPnP) client traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	udp	1900
--- a/Shorewall/Macros/macro.SSDPserver
+++ b/Shorewall/Macros/macro.SSDPserver
@@ -0,0 +1,10 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.SSDPserver
 #
 # This macro handles SSDP (used by DLNA/UPnP) server bidirectional traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	udp	1900
 PARAM	DEST	SOURCE	udp	-	1900
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/ARP.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -282,7 +282,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_rules_chain ( 'accountout' ) ,
+			    ensure_chain ( $config{ACCOUNTING_TABLE}, 'accountout' ) ,
 			    OUTPUT_RESTRICT ,
 			    $prerule ,
 			    $rule ,
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Chains.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Chains.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -172,6 +172,12 @@ our %EXPORT_TAGS = (
 				       related_chain
 				       invalid_chain
 				       untracked_chain
 				       rules_log
 				       blacklist_log
 				       established_log
 				       related_log
 				       invalid_log
 				       untracked_log
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@@ -335,7 +341,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               logchains    => { <key1> = <chainref1>, ... }
 #                                               references   => { <ref1> => <refs>, <ref2> => <refs>, ... }
 #                                               blacklistsection
-#                                                            => Chain was created by entries in the BLACKLIST section of the rules file
+#                                                            => Chain was created by entries in the blrules file
 #                                               action       => <action tuple that generated this chain>
 #                                               restricted   => Logical OR of restrictions of rules in this chain.
 #                                               restriction  => Restrictions on further rules in this chain.
@@ -361,13 +367,13 @@ our $VERSION = 'MODULEVERSION';
 #
 #       Only 'referenced' chains get written to the iptables-restore input.
 #
-#       'loglevel', 'synparams', 'synchain', 'audit', 'default' abd 'origin' only apply to policy chains.
+#       'loglevel', 'synparams', 'synchain', 'audit', 'default' and 'origin' only apply to policy chains.
 ###########################################################################################################################################
 #
 # For each ordered pair of zones, there may exist a 'canonical rules chain' in the filter table; the name of this chain is formed by
 # joining the names of the zones using the ZONE_SEPARATOR ('2' or '-'). This chain contains the rules that specifically deal with
 # connections from the first zone to the second. These chains will end with the policy rules when EXPAND_POLICIES=Yes and when there is an
-# explicit policy for the order pair. Otherwise, unless the applicable policy is CONTINUE, the chain will terminate with a jump to a
+# explicit policy for the ordered pair. Otherwise, unless the applicable policy is CONTINUE, the chain will terminate with a jump to a
 # wildcard policy chain (all[2-]zone, zone[2-]all, or all[2-]all).
 #
 # Except in the most trivial one-interface configurations, each zone has a "forward chain" which is branched to from the filter table
@@ -397,7 +403,7 @@ our $VERSION = 'MODULEVERSION';
 #      MAC Recent      - <dev>_rec
 #      SNAT            - <dev>_snat
 #      ECN             - <dev>_ecn
-#      FORWARD Options - <dev>_fop
+#      INPUT Options   - <dev>_iop
 #      OUTPUT Options  - <dev>_oop
 #      FORWARD Options - <dev>_fop
 #
@@ -874,6 +880,9 @@ sub validate_port( $$ ) {
    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
 }
 #
 # Port or port-pair separated by ':'. Either port may be omitted in the pair
 #
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
@@ -914,15 +923,15 @@ sub validate_portpair( $$ ) {
 }
 #
 # Port or port-pair separated by '-'. Neither port may be omitted in the pair
 #
 sub validate_portpair1( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
    my @ports = split /-/, $portpair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
@@ -1316,14 +1325,14 @@ sub pop_match( $$ ) {
 sub clone_irule( $ );
-sub format_rule( $$;$ ) {
+sub format_rule( $$ ) {
-    my ( $chainref, $rulerefp, $suppresshdr ) = @_;
+    my ( $chainref, $rulerefp ) = @_;
    return $rulerefp->{cmd} if exists $rulerefp->{cmd};
-    my $rule = $suppresshdr ? '' : "-A $chainref->{name}";
+    my $rule = "-A $chainref->{name}";
    #
-    # The code the follows can be destructive of the rule so we clone it
+    # The code that follows can be destructive of the rule so we clone it
    #
    my $ruleref = $rulerefp->{complex} ? clone_irule( $rulerefp ) : $rulerefp;
    my $nfacct  = $rulerefp->{nfacct};
@@ -2263,6 +2272,56 @@ sub untracked_chain($$) {
    '&' . &rules_chain(@_);
 }
 #
 # Logname for chains between an ordered pair of zones
 #
 sub rules_log( $$ ) {
    my $logchain = $config{LOG_ZONE};
    if ( $logchain eq 'both' ) {
 	join "$config{ZONE2ZONE}", @_;
    } elsif ( $logchain eq 'src' ) {
 	$_[0];
    } else {
 	$_[1];
    }
 }
 #
 # Log name of the blacklist chain between an ordered pair of zones
 #
 sub blacklist_log($$) {
    &rules_log(@_) . '~';
 }
 #
 # Log name of the established chain between an ordered pair of zones
 #
 sub established_log($$) {
    '^' . &rules_log(@_)
 }
 #
 # Log name of the related chain between an ordered pair of zones
 #
 sub related_log($$) {
    '+' . &rules_log(@_);
 }
 #
 # Log name of the invalid chain between an ordered pair of zones
 #
 sub invalid_log($$) {
    '_' . &rules_log(@_);
 }
 #
 # Name of the untracked chain between an ordered pair of zones
 #
 sub untracked_log($$) {
    '&' . &rules_log(@_);
 }
 #
 # Create the base for a chain involving the passed interface -- we make this a function so it will be
 # easy to change the mapping should the need ever arrive.
@@ -2298,8 +2357,6 @@ sub use_forward_chain($$) {
    my $interfaceref = find_interface($interface);
    my $nets = $interfaceref->{nets};
    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
    #
    # Use it if we already have jumps to it
    #
@@ -2374,8 +2431,6 @@ sub use_input_chain($$) {
    my ( $interface, $chainref ) = @_;
    my $interfaceref = find_interface($interface);
    my $nets = $interfaceref->{nets};
    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
    #
    # We must use the interfaces's chain if the interface is associated with multiple Zones
    #
@@ -2455,8 +2510,6 @@ sub use_output_chain($$) {
    my ( $interface, $chainref)  = @_;
    my $interfaceref = find_interface($interface);
    my $nets = $interfaceref->{nets};
    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
    #
    # We must use the interfaces's chain if the interface is associated with multiple Zones
    #
@@ -2588,13 +2641,14 @@ sub reserved_name( $ ) {
 #
 # Create a new chain and return a reference to it.
 #
-sub new_chain($$)
+sub new_chain($$;$)
 {
-    my ($table, $chain) = @_;
+    my ($table, $chain, $logchain) = @_;
    assert( $chain_table{$table} && ! ( $chain_table{$table}{$chain} || $builtin_target{ $chain } ) );
    my $chainref = { name           => $chain,
 		     logname        => $logchain || $chain,
 		     rules          => [],
 		     table          => $table,
 		     loglevel       => '',
@@ -2615,7 +2669,7 @@ sub new_chain($$)
 #
 # Find a chain
 #
-sub find_chain($$) {
+sub find_chain($$;$) {
    my ($table, $chain) = @_;
    assert( $table && $chain && $chain_table{$table} );
@@ -2626,7 +2680,7 @@ sub find_chain($$) {
 #
 # Create a chain if it doesn't exist already
 #
-sub ensure_chain($$)
+sub ensure_chain($$;$)
 {
    &find_chain( @_ ) || &new_chain( @_ );
 }
@@ -3179,6 +3233,8 @@ sub initialize_chain_table($) {
 	    new_builtin_chain 'nat', $chain, 'ACCEPT';
 	}
 	new_builtin_chain 'nat', 'INPUT', 'ACCEPT' if have_capability('NAT_INPUT_CHAIN');
 	for my $chain ( qw(PREROUTING INPUT OUTPUT ) ) {
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
@@ -3241,6 +3297,8 @@ sub initialize_chain_table($) {
 	    new_builtin_chain 'nat', $chain, 'ACCEPT';
 	}
 	new_builtin_chain 'nat', 'INPUT', 'ACCEPT' if have_capability('NAT_INPUT_CHAIN');
 	for my $chain ( qw(PREROUTING INPUT OUTPUT FORWARD POSTROUTING ) ) {
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
@@ -3266,7 +3324,7 @@ sub initialize_chain_table($) {
 	$mangle_table->{POSTROUTING}{chainnumber}   = POSTROUTING;
    }
-    if ( my $docker = $config{DOCKER} ) {
+    if ( $config{DOCKER} ) {
 	add_commands( $nat_table->{OUTPUT}, '[ -f ${VARDIR}/.nat_OUTPUT ] && cat ${VARDIR}/.nat_OUTPUT >&3' );
 	add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
 	$chainref = new_standard_chain( 'DOCKER' );
@@ -3376,15 +3434,43 @@ sub delete_references( $ ) {
 #
 # Calculate a digest for the passed chain and store it in the {digest} member.
 #
 # First, a lightweight version of format_rule()
 #
 sub irule_to_string( $ ) {
    my ( $ruleref ) = @_;
    return $ruleref->{cmd} if exists $ruleref->{cmd};
    my $string = '';
    for ( grep ! ( get_opttype( $_, 0 ) & ( CONTROL | TARGET ) ), @{$ruleref->{matches}} ) {
 	my $value = $ruleref->{$_};
 	if ( reftype $value ) {
 	    $string .= "$_=" . join( ',', @$value ) . ' ';
 	} else {
 	    $string .= "$_=$value ";
 	}
    }
    if ( $ruleref->{target} ) {
 	$string .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
 	$string .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
    }
    $string .= join( '', ' -m comment --comment "', $ruleref->{comment}, '"' ) if $ruleref->{comment};
    $string;
 }
 sub calculate_digest( $ ) {
    my $chainref = shift;
    my $rules = '';
    for ( @{$chainref->{rules}} ) {
 	if ( $rules ) {
-	    $rules .= ' |' . format_rule( $chainref, $_, 1 );
+	    $rules .= ' |' . irule_to_string( $_ );
 	} else {
-	    $rules = format_rule( $chainref, $_, 1 );
+	    $rules = irule_to_string( $_ );
 	}
    }
@@ -3746,7 +3832,7 @@ sub optimize_level4( $$ ) {
    #
    # In this loop, we look for chains that end in an unconditional jump. The jump is replaced by
    # the target's rules, provided that the target chain is short (< 4 rules) or has only one
-    # reference. This prevents multiple copies of long chains being created.
+    # reference. This prevents multiple copies of long chains from being created.
    #
    $progress = 1;
@@ -3856,7 +3942,10 @@ sub optimize_level8( $$$ ) {
    %renamed = ();
    while ( $progress ) {
-	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} &&
 							   @{$_->{rules}}        &&
 							   ! $_->{builtin},
 							   values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -3876,12 +3965,11 @@ sub optimize_level8( $$$ ) {
 	    # Shift the current $chainref off of @chains1
 	    #
 	    shift @chains1;
-	    #
+
-	    # Skip empty chains
+	    for my $chainref1 (grep ! ( $_->{optflags} & DONT_DELETE ), @chains1 ) {
-	    #
+		#
-	    for my $chainref1 ( @chains1 ) {
+		# Chains identical?
-		next unless @{$chainref1->{rules}};
+		#
 		next if $chainref1->{optflags} & DONT_DELETE;
 		if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		    progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		    $progress = 1;
@@ -3892,7 +3980,7 @@ sub optimize_level8( $$$ ) {
 					'',      # Origin
 					1 );     # Recalculate digests of modified chains
-		    unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
+		    if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
 			#
 			# For simple use of the BLACKLIST section, we can end up with many identical
 			# chains. To distinguish them from other renamed chains, we keep track of
@@ -4311,7 +4399,7 @@ sub get_conntrack( $ ) {
 }
 #
-# Return an array of keys for the passed rule. 'conntrack',  'comment' & origin are omitted;
+# Return an array of keys for the passed rule. 'conntrack',  'comment' & 'origin' are omitted;
 #
 sub get_keys1( $ ) {
    my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
@@ -4475,16 +4563,22 @@ sub valid_tables() {
 sub optimize_ruleset() {
    my $optimize = $config{OPTIMIZE};
    for my $table ( valid_tables ) {
 	my $tableref = $chain_table{$table};
 	my $passes   = 0;
 	my $optimize = $config{OPTIMIZE};
 	$passes = optimize_level4(  $table, $tableref )           if $optimize & 4;
 	$passes = optimize_level8(  $table, $tableref , $passes ) if $optimize & 8;
 	$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16;
 	my $savepasses = $passes;
 	$passes = optimize_level8(  $table, $tableref , $passes ) if $optimize & 8;
 	$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16 && $passes > $savepasses + 1;
 	progress_message "  Table $table Optimized -- Passes = $passes";
 	progress_message '';
    }
@@ -4597,7 +4691,7 @@ sub logchain( $$$$$$ ) {
 	log_irule_limit(
 		       $loglevel ,
 		       $logchainref ,
-		       $chainref->{name} ,
+		       $chainref->{logname} ,
 		       $disposition ,
 		       [] ,
 		       $logtag,
@@ -6776,13 +6870,13 @@ sub log_irule_limit( $$$$$$$$@ ) {
 sub log_rule( $$$$ ) {
    my ( $level, $chainref, $disposition, $matches ) = @_;
-    log_rule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGLIMIT}, '', 'add', $matches;
+    log_rule_limit $level, $chainref, $chainref->{logname} , $disposition, $globals{LOGLIMIT}, '', 'add', $matches;
 }
 sub log_irule( $$$;@ ) {
    my ( $level, $chainref, $disposition, @matches ) = @_;
-    log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
+    log_irule_limit $level, $chainref, $chainref->{logname} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
 }
 #
@@ -7003,14 +7097,17 @@ sub interface_address( $ ) {
 #
 sub get_interface_address ( $;$ ) {
    my ( $logical, $provider ) = @_;
    my $interface = get_physical( $logical );
    my $variable = interface_address( $interface );
    my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
    $global_variables |= ALL_COMMANDS;
-    $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
+    if ( $interface eq loopback_interface ) {
 	$interfaceaddr{$interface} = "$variable=" . loopback_address;
    } else {
 	my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
 	$interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
    }
    set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;
@@ -8198,19 +8295,8 @@ sub add_interface_options( $ ) {
 	# Generate a digest for each chain
 	#
 	for my $chainref ( values %input_chains, values %forward_chains ) {
 	    my $digest = '';
 	    assert( $chainref );
-
+	    calculate_digest( $chainref );
 	    for ( @{$chainref->{rules}} ) {
 		if ( $digest ) {
 		    $digest .= ' |' . format_rule( $chainref, $_, 1 );
 		} else {
 		    $digest = format_rule( $chainref, $_, 1 );
 		}
 	    }
 	    $chainref->{digest} = sha1_hex $digest;
 	}
 	#
 	# Insert jumps to the interface chains into the rules chains
@@ -8499,7 +8585,7 @@ sub save_dynamic_chains() {
    my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
-    emit ( 'if [ "$COMMAND" = reload -o "$COMMAND" = refresh ]; then' );
+    emit ( 'if [ "$COMMAND" = reload ]; then' );
    push_indent;
    emit( 'if [ -n "$g_counters" ]; then' ,
@@ -8508,7 +8594,7 @@ sub save_dynamic_chains() {
 	);
    if ( have_capability 'IPTABLES_S' ) {
-	emit <<"EOF";
+	emithd <<"EOF";
 if chain_exists 'UPnP -t nat'; then
    $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
 else
@@ -8529,6 +8615,7 @@ fi
 EOF
 	if ( $config{MINIUPNPD} ) {
 	    emit << "EOF";
 if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
    $tool -t nat -S MINIUPNPD-POSTROUTING | tail -n +2 > \${VARDIR}/.MINIUPNPD-POSTROUTING
 else
@@ -8537,7 +8624,7 @@ fi
 EOF
 	}
    } else {
-	emit <<"EOF";
+	emithd <<"EOF";
 if chain_exists 'UPnP -t nat'; then
    $utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
 else
@@ -8557,7 +8644,8 @@ else
 fi
 EOF
 	if ( $config{MINIUPNPD} ) {
-	    emit << "EOF";
+	    emithd << "EOF";
 if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
    $utility -t nat | grep '^-A MINIUPNPD-POSTROUTING' > \${VARDIR}/.MINIUPNPD-POSTROUTING
 else
@@ -8571,7 +8659,7 @@ EOF
    emit ( 'else' );
    push_indent;
-emit <<"EOF";
+emithd <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
 EOF
@@ -8608,7 +8696,7 @@ sub ensure_ipsets( @ ) {
 	pop_indent;
-	emit( qq(    fi\n) );
+	emit( q(    fi) );
    }
@@ -8784,7 +8872,6 @@ sub create_load_ipsets() {
 		  '        $IPSET flush $set' ,
 		  '        $IPSET destroy $set' ,
 		  "    done" ,
 		  '',
 		);
 	} else {
 	    #
@@ -8796,7 +8883,7 @@ sub create_load_ipsets() {
 		   '    fi' );
 	};
-	emit( '}' );
+	emit( "}\n" );
    }
    #
    # Now generate load_ipsets()
@@ -8863,22 +8950,16 @@ sub create_load_ipsets() {
 	    emit ( 'elif [ "$COMMAND" = reload ]; then' );   ################### Reload Command ####################
 	    ensure_ipsets( @ipsets );
 	    emit( 'elif [ "$COMMAND" = refresh ]; then' );   ################### Refresh Command ###################
 	    emit ( '' );
 	    ensure_ipsets( @ipsets );
 	    emit ( '' );
 	};
-	emit ( 'fi' ,
+	emit ( 'fi' );
 	       '' );
    } else {
 	emit 'true';
    }
    pop_indent;
-    emit '}';	    
+    emit "}\n";	    
 }
 #
@@ -9051,7 +9132,7 @@ sub create_netfilter_load( $ ) {
 	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
 	  'if [ $? != 0 ]; then',
 	  qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
-	  "fi\n"
+	  'fi'
 	);
    pop_indent;
@@ -9143,156 +9224,6 @@ sub preview_netfilter_load() {
    print "\n";
 }
 #
 # Generate the netfilter input for refreshing a list of chains
 #
 sub create_chainlist_reload($) {
    my $chains = $_[0];
    my @chains;
    unless ( $chains eq ':none:' ) {
 	if ( $chains eq ':refresh:' ) {
 	    $chains = '';
 	} else {
 	    @chains =  split_list $chains, 'chain';
 	}
 	unless ( @chains ) {
 	    @chains = qw( blacklst ) if $filter_table->{blacklst};
 	    push @chains, 'blackout' if $filter_table->{blackout};
 	    for ( grep $_->{blacklistsection} && $_->{referenced}, values %{$filter_table} ) {
 		push @chains, $_->{name} if $_->{blacklistsection};
 	    }
 	    push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
 	    $chains = join( ',', @chains ) if @chains;
 	}
    }
    $mode = NULL_MODE;
    emit(  'chainlist_reload()',
 	   '{'
 	   );
    push_indent;
    if ( @chains ) {
 	my $word = @chains == 1 ? 'chain' : 'chains';
 	progress_message2 "Compiling iptables-restore input for $word @chains...";
 	save_progress_message "Preparing iptables-restore input for $word @chains...";
 	emit '';
 	my $table = 'filter';
 	my %chains;
 	my %tables;
 	for my $chain ( @chains ) {
 	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
 	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
 	    $chains{$table} = {} unless $chains{$table};
 	    if ( $chain ) {
 		my $chainref;
 		fatal_error "No $table chain found with name $chain" unless $chainref = $chain_table{$table}{$chain};
 		fatal_error "Built-in chains may not be refreshed" if $chainref->{builtin};
 		if ( $chainseq{$table} && @{$chainref->{rules}} ) {
 		    $tables{$table} = 1;
 		} else {
 		    $chains{$table}{$chain} = $chainref;
 		}
 	    } else {
 		$tables{$table} = 1;
 	    }
 	}
 	for $table ( keys %tables ) {
 	    while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) {
 		$chains{$table}{$chain} = $chainref if $chainref->{referenced} && ! $chainref->{builtin};
 	    }
 	}
 	emit 'exec 3>${VARDIR}/.iptables-restore-input';
 	enter_cat_mode;
 	for $table ( qw(raw nat mangle filter) ) {
 	    my $tableref=$chains{$table};
 	    next unless $tableref;
 	    @chains = sort keys %$tableref;
 	    emit_unindented "*$table";
 	    for my $chain ( @chains ) {
 		my $chainref = $tableref->{$chain};
 		emit_unindented ":$chainref->{name} - [0:0]";
 	    }
 	    for my $chain ( @chains ) {
 		my $chainref = $tableref->{$chain};
 		my @rules = @{$chainref->{rules}};
 		my $name = $chainref->{name};
 		@rules = () unless @rules;
 		#
 		# Emit the chain rules
 		#
 		emitr($chainref, $_) for @rules;
 	    }
 	    #
 	    # Commit the changes to the table
 	    #
 	    enter_cat_mode unless $mode == CAT_MODE;
 	    emit_unindented 'COMMIT';
 	}
 	enter_cmd_mode;
 	#
 	# Now generate the actual ip[6]tables-restore command
 	#
 	emit(  'exec 3>&-',
 	       '' );
 	if ( $family == F_IPV4 ) {
 	    emit ( 'progress_message2 "Running iptables-restore..."',
 		   '',
 		   'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
 		   'if [ $? != 0 ]; then',
 		   '    fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
 		   "fi\n"
 		 );
 	} else {
 	    emit ( 'progress_message2 "Running ip6tables-restore..."',
 		   '',
 		   'cat ${VARDIR}/.iptables-restore-input | $IP6TABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
 		   'if [ $? != 0 ]; then',
 		   '    fatal_error "ip6tables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
 		   "fi\n"
 		 );
 	}
    } else {
 	emit('true');
    }
    pop_indent;
    emit "}\n";
 }
 #
 # Generate the netfilter input to stop the firewall
 #
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -103,13 +103,13 @@ sub generate_script_1( $ ) {
    copy2( $lib, $debug ) if -f $lib;
-    emit <<'EOF';
+    emithd<<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear restored enabled disabled/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -125,7 +125,7 @@ EOF
 	emit '}';
    }
-    emit <<'EOF';
+    emithd <<'EOF';
 ################################################################################
 # End user exit functions
 ################################################################################
@@ -270,12 +270,11 @@ sub generate_script_2() {
 	    );
 	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
 	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
 	emit( '' );
    }
    pop_indent;
-    emit "\n}\n"; # End of initialize()
+    emit "}\n"; # End of initialize()
    emit( '' ,
 	  '#' ,
@@ -312,10 +311,9 @@ sub generate_script_2() {
 	    push_indent;
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-
+		verify_required_interfaces(0);
 		set_global_variables(0, 0);
-
+		handle_optional_interfaces;
 		handle_optional_interfaces(0);
 	    }
 	    emit ';;';
@@ -327,19 +325,19 @@ sub generate_script_2() {
 	    push_indent;
 	}
 	verify_required_interfaces(1);
 	set_global_variables(1,1);
 	handle_optional_interfaces;
 	if ( $global_variables & NOT_RESTORE ) {
 	    handle_optional_interfaces(1);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
 	} else {
 	    handle_optional_interfaces(1);
 	}
    } else {
-	emit( 'true' ) unless handle_optional_interfaces(1);
+	verify_required_interfaces(1);
 	emit( 'true' ) unless handle_optional_interfaces;
    }
    pop_indent;
@@ -358,7 +356,7 @@ sub generate_script_2() {
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
 #          than those related to writing to the output script file.
 #
-sub generate_script_3($) {
+sub generate_script_3() {
    if ( $family == F_IPV4 ) {
 	progress_message2 "Creating iptables-restore input...";
@@ -368,7 +366,6 @@ sub generate_script_3($) {
    create_netfilter_load( $test );
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
    create_save_ipsets;
    create_load_ipsets;
@@ -400,16 +397,10 @@ sub generate_script_3($) {
 	emit 'load_kernel_modules Yes';
    }
-    emit '';
+    emit( '' ,
-
+	  'run_init_exit',
-    emit ( 'if [ "$COMMAND" = refresh ]; then' ,
+	  '' ,
-	   '   run_refresh_exit' ,
+	  'load_ipsets' ,
 	   'else' ,
 	   '    run_init_exit',
 	   'fi',
 	   '' );
    emit( 'load_ipsets' ,
 	  '' );
    create_nfobjects;
@@ -467,11 +458,6 @@ sub generate_script_3($) {
    dump_proxy_arp;
    emit_unindented '__EOF__';
    emit( '',
 	  'if [ "$COMMAND" != refresh ]; then' );
    push_indent;
    emit 'cat > ${VARDIR}/zones << __EOF__';
    dump_zone_contents;
    emit_unindented '__EOF__';
@@ -484,10 +470,6 @@ sub generate_script_3($) {
    dump_mark_layout;
    emit_unindented '__EOF__';
    pop_indent;
    emit "fi\n";
    emit '> ${VARDIR}/nat';
    add_addresses;
@@ -526,29 +508,12 @@ sub generate_script_3($) {
    my $config_dir = $globals{CONFIGDIR};
-    emit<<"EOF";
+    emithd <<"EOF";
    set_state Started $config_dir
    run_restored_exit
-elif [ \$COMMAND = refresh ]; then
+else
-    chainlist_reload
+    setup_netfilter
 EOF
    push_indent;
    setup_load_distribution;
    setup_forwarding( $family , 0 );
    pop_indent;
    #
    # Use a parameter list rather than 'here documents' to avoid an extra blank line
    #
    emit( '    run_refreshed_exit',
 	  '    do_iptables -N shorewall' );
    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
    emit( "    set_state Started $config_dir",
 	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
 	  'else',
 	  '    setup_netfilter'	);
    push_indent;
    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
@@ -573,7 +538,7 @@ EOF
 	  '    run_started_exit',
 	  "fi\n" );
-    emit<<'EOF';
+    emithd<<'EOF';
 date > ${VARDIR}/restarted
 case $COMMAND in
@@ -583,9 +548,6 @@ case $COMMAND in
    reload)
        mylogger kern.info "$g_product reloaded"
        ;;
    refresh)
        mylogger kern.info "$g_product refreshed"
        ;;
    restore)
        mylogger kern.info "$g_product restored"
        ;;
@@ -620,8 +582,8 @@ sub compile_info_command() {
 #
 sub compiler {
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 , $inline ) =
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
+       ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
    $export         = 0;
    $test           = 0;
@@ -650,7 +612,6 @@ sub compiler {
 		  timestamp     => { store => \$timestamp,     validate => \&validate_boolean   } ,
 		  debug         => { store => \$debug,         validate => \&validate_boolean   } ,
 		  export        => { store => \$export ,       validate => \&validate_boolean   } ,
 		  chains        => { store => \$chains },
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
@@ -658,7 +619,6 @@ sub compiler {
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
 		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -695,7 +655,7 @@ sub compiler {
    #                                      S H O R E W A L L R C ,
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
-    get_configuration( $export , $update , $annotate , $inline );
+    get_configuration( $export , $update , $annotate );
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # now when shorewall.conf has been processed and the capabilities have been determined.
@@ -818,7 +778,7 @@ sub compiler {
    #
    # Setup Masquerade/SNAT
    #
-    setup_snat( $update );
+    setup_snat;
    #
    # Setup Nat
    #
@@ -899,7 +859,7 @@ sub compiler {
 	optimize_level0;
-	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
+	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -921,7 +881,7 @@ sub compiler {
 	#                          N E T F I L T E R   L O A D
 	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
-	generate_script_3( $chains );
+	generate_script_3();
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Config.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Config.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -189,6 +189,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 		                       in_hex8
 		                       in_hexp
 				       emit
 				       emithd
 				       emitstd
 				       emit_unindented
 				       save_progress_message
@@ -302,10 +303,10 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       DO_SECTION
 				       NORMAL_READ
 				       OPTIMIZE_MASK
 				       OPTIMIZE_POLICY_MASK
 				       OPTIMIZE_POLICY_MASK2n4
 				       OPTIMIZE_RULESET_MASK
 				       OPTIMIZE_USE_FIRST
 				       OPTIMIZE_ALL
 				     ) , ] ,
 		   protocols => [ qw (
@@ -413,7 +414,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		                    'Old conntrack match syntax',
 		 NEW_CONNTRACK_MATCH =>
 		                    'Extended Connection Tracking Match',
 		 USEPKTTYPE      => 'Packet Type Match',
 		 POLICY_MATCH    => 'Policy Match',
 		 PHYSDEV_MATCH   => 'Physdev Match',
 		 PHYSDEV_BRIDGE  => 'Physdev-is-bridged support',
@@ -496,6 +496,10 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                 NFLOG_SIZE      => '--nflog-size support',
 		 RESTORE_WAIT_OPTION
 				 => 'iptables-restore --wait option',
                 NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
 		 #
 		 # Helpers
 		 #
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -543,9 +547,8 @@ use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
 	       OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
 	       OPTIMIZE_RULESET_MASK   => 0x1C , # Call optimize_ruleset()
               OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
 	       OPTIMIZE_USE_FIRST      => 0x1000 # Always use interface 'first' chains -- undocumented
 	     };
 our %helpers = ( amanda          => UDP,
@@ -559,7 +562,9 @@ our %helpers = ( amanda          => UDP,
 		 sip             => UDP,
 		 snmp            => UDP,
 		 tftp            => UDP,
-	       );
+    );
 use constant { INCLUDE_LIMIT     => 20 };
 our %helpers_map;
@@ -590,8 +595,6 @@ our %config_files = ( #accounting      => 1,
 		      policy	       => 1,
 		      providers	       => 1,
 		      proxyarp	       => 1,
 		      refresh	       => 1,
 		      refreshed	       => 1,
 		      restored	       => 1,
 		      rawnat	       => 1,
 		      route_rules      => 1,
@@ -666,7 +669,6 @@ our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
 our $checkinline;            # The -i option to check/compile/etc.
 our $directive_callback;     # Function to call in compiler_directive
 our $shorewall_dir;          # Shorewall Directory; if non-empty, search here first for files.
@@ -709,13 +711,13 @@ our %validlevels;            # Valid log levels.
 # Deprecated options with their default values
 #
 our %deprecated = (
-		   LEGACY_RESTART => 'no'
+		   LEGACY_RESTART => 'no' ,
 		  );
 #
 # Deprecated options that are eliminated via update
 #
 our %converted = (
-		  LEGACY_RESTART => 1
+		    LEGACY_RESTART => 1 ,
 		 );
 #
 # Eliminated options
@@ -730,6 +732,8 @@ our %eliminated = ( LOGRATE          => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
                    MODULE_SUFFIX    => 1,
                    MAPOLDACTIONS    => 1,
 		    INLINE_MATCHES   => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -834,8 +838,8 @@ sub initialize( $;$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.8-Beta1",
+		    VERSION                 => '5.2.0-Beta1',
-		    CAPVERSION              => 50106 ,
+		    CAPVERSION              => 50200 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -879,6 +883,7 @@ sub initialize( $;$$$) {
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  LOG_LEVEL => undef,
 	  LOG_ZONE => undef,
 	  #
 	  # Location of Files
 	  #
@@ -937,7 +942,6 @@ sub initialize( $;$$$) {
 	  MACLIST_TTL => undef,
 	  SAVE_IPSETS => undef,
 	  SAVE_ARPTABLES => undef,
 	  MAPOLDACTIONS => undef,
 	  FASTACCEPT => undef,
 	  IMPLICIT_CONTINUE => undef,
 	  IPSET_WARNINGS => undef,
@@ -980,7 +984,6 @@ sub initialize( $;$$$) {
 	  USE_RT_NAMES => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
 	  BASIC_FILTERS => undef,
 	  WORKAROUNDS => undef ,
 	  LEGACY_RESTART => undef ,
@@ -994,6 +997,7 @@ sub initialize( $;$$$) {
 	  BALANCE_PROVIDERS => undef ,
 	  PERL_HASH_SEED => undef ,
 	  USE_NFLOG_SIZE => undef ,
 	  RENAME_COMBINED => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1051,7 +1055,6 @@ sub initialize( $;$$$) {
 	       CONNTRACK_MATCH => undef,
 	       NEW_CONNTRACK_MATCH => undef,
 	       OLD_CONNTRACK_MATCH => undef,
 	       USEPKTTYPE => undef,
 	       POLICY_MATCH => undef,
 	       PHYSDEV_MATCH => undef,
 	       PHYSDEV_BRIDGE => undef,
@@ -1129,6 +1132,7 @@ sub initialize( $;$$$) {
 	       NETMAP_TARGET => undef,
 	       NFLOG_SIZE => undef,
 	       RESTORE_WAIT_OPTION => undef,
 	       NAT_INPUT_CHAIN => undef,
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1688,6 +1692,7 @@ sub emit {
 		$line =~ s/^\n// if $lastlineblank;
 		$line =~ s/^/$indent/gm if $indent;
 		$line =~ s/        /\t/gm;
 		$line =~ s/[ \t]+\n/\n/gm;
 		print $script "$line\n" if $script;
 		$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
@@ -1708,6 +1713,15 @@ sub emit {
    }
 }
 #
 # Used to emit a 'here documents' string without introducing an unwanted blank line at the end
 #
 sub emithd( $ ) {
    my ( $line ) = @_; #make writable
    chomp $line;
    emit $line;
 }
 #
 # Version of emit() that writes to standard out unconditionally
 #
@@ -1718,6 +1732,7 @@ sub emitstd {
 	    $line =~ s/^\n// if $lastlineblank;
 	    $line =~ s/^/$indent/gm if $indent;
 	    $line =~ s/        /\t/gm;
 	    $line =~ s/[ \t]+\n/\n/gm;
 	    print "$line\n";
 	    $lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
 	} else {
@@ -2380,8 +2395,6 @@ sub clear_comment();
 sub split_line2( $$;$$$ ) {
    my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;
    my $inlinematches = $config{INLINE_MATCHES};
    my ( $columns, $pairs, $rest );
    my $currline = $currentline;
@@ -2404,16 +2417,20 @@ sub split_line2( $$;$$$ ) {
 	    fatal_error "Only one set of double semicolons (';;') allowed on a line" if defined $rest;
 	    $currline = $columns;
 	    #
 	    # Remove trailing white space
 	    #
 	    $currline =~ s/\s*$//;
 	    $inline_matches = $pairs;
 	    #
 	    # Don't look for matches below
 	    #
-	    $inline = $inlinematches = '';
+	    $inline = '';
 	}
    }
    #
-    # Next, see if there is a semicolon on the line; what follows will be column/value pairs or raw iptables input
+    # Next, see if there is a single semicolon on the line; what follows will be column/value pairs
    #
    ( $columns, $pairs, $rest ) = split( ';', $currline );
@@ -2422,42 +2439,6 @@ sub split_line2( $$;$$$ ) {
 	# Found it -- be sure there wasn't more than one.
 	#
 	fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
 	if ( $inlinematches ) {
 	    fatal_error "The $description does not support inline matches (INLINE_MATCHES=Yes)" unless $inline;
 	    $inline_matches = $pairs;
 	    if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
 		#
 		# Pairs are enclosed in curly brackets.
 		#
 		$columns = $1;
 		$pairs   = $2;
 	    } else {
 		$pairs = '';
 	    }
 	} elsif ( $inline ) {
 	    #
 	    # This file supports INLINE or IPTABLES
 	    #
 	    if ( $currline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;
 		if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
 		    #
 		    # Pairs are enclosed in curly brackets.
 		    #
 		    $columns = $1;
 		    $pairs   = $2;
 		} else {
 		    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes" if $checkinline;
 		    $pairs = '';
 		}
 	    } 
 	} elsif ( $checkinline ) {
 	    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
 	}
    } elsif ( $currline =~ /^(\s*|.*[^&@%])\{(.*)\}$/ ) {
 	#
 	# Pairs are enclosed in curly brackets.
@@ -2548,6 +2529,10 @@ sub split_rawline2( $$;$$$ ) {
    # Delete trailing comment
    #
    $currentline =~ s/\s*#.*//;
    #
    # Convert ${...} to $...
    #
    $currentline =~ s/\$\{(.*?)\}/\$$1/g;
    my @result = &split_line2( @_ );
@@ -3045,9 +3030,9 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2 || 'chain';
 		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0};
 		      my $val = $actparams{$var} = evaluate_expression ( $expression,
-									$filename,
+									 $filename,
-									$linenumber,
+									 $linenumber,
-									0  );
+									 0  );
 		      $parmsmodified = PARMSMODIFIED;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
@@ -3341,7 +3326,7 @@ sub copy1( $ ) {
 			my @line = split / /;
 			fatal_error "Invalid INCLUDE command"    if @line != 2;
-			fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+			fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
 			my $filename = find_file $line[1];
@@ -3551,7 +3536,7 @@ sub read_a_line($);
 sub embedded_shell( $ ) {
    my $multiline = shift;
-    fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+    fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
    my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber );
    $directive_callback->( 'SHELL', $currentline ) if $directive_callback;
@@ -3638,7 +3623,7 @@ sub embedded_perl( $ ) {
    $embedded--;
    if ( $perlscript ) {
-	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+	fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
 	assert( close $perlscript );
@@ -3992,7 +3977,7 @@ sub read_a_line($) {
 		my @line = split ' ', $currentline;
 		fatal_error "Invalid INCLUDE command"    if @line != 2;
-		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
+		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= INCLUDE_LIMIT;
 		my $filename = find_file $line[1];
@@ -4446,6 +4431,12 @@ sub Nat_Enabled() {
    qt1( "$iptables $iptablesw -t nat -L -n" );
 }
 sub Nat_Input_Chain {
    have_capability( 'NAT_ENABLED' ) || return '';
    qt1( "$iptables $iptablesw -t nat -L INPUT -n" );
 }
 sub Persistent_Snat() {
    have_capability( 'NAT_ENABLED' ) || return '';
@@ -4769,10 +4760,6 @@ sub IPSET_V5() {
    $result;
 }
 sub Usepkttype() {
    qt1( "$iptables $iptablesw -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
 }
 sub Addrtype() {
    qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
 }
@@ -5091,6 +5078,7 @@ our %detect_capability =
      MASQUERADE_TGT => \&Masquerade_Tgt,
      MULTIPORT => \&Multiport,
      NAT_ENABLED => \&Nat_Enabled,
      NAT_INPUT_CHAIN => \&Nat_Input_Chain,
      NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
      NETMAP_TARGET => \&Netmap_Target,
      NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
@@ -5127,7 +5115,6 @@ our %detect_capability =
      TIME_MATCH => \&Time_Match,
      TPROXY_TARGET => \&Tproxy_Target,
      UDPLITEREDIRECT => \&Udpliteredirect,
      USEPKTTYPE => \&Usepkttype,
      XCONNMARK_MATCH => \&Xconnmark_Match,
      XCONNMARK => \&Xconnmark,
      XMARK => \&Xmark,
@@ -5190,6 +5177,7 @@ sub determine_capabilities() {
 	#
 	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
 	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
 	$capabilities{NAT_INPUT_CHAIN} = detect_capability( 'NAT_INPUT_CHAIN' );
 	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
 	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
@@ -5237,7 +5225,6 @@ sub determine_capabilities() {
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
 	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
 	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
 	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
@@ -5476,6 +5463,32 @@ sub update_config_file( $ ) {
 	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
    }
    for ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT/ ) {
 	my $policy = $config{ $_ };
 	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
 	    if ( $family == F_IPV4 ) {
 		$policy =~ s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
 	    } else {
 		$policy =~ s/A_(?:Drop|Reject)/AllowICMPS(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
 	    }
 	} elsif ( $policy =~ /\b(?:Drop|Reject)\(\s*audit.*\)/ ) {
 	    if ( $family == F_IPV4 ) {
 		$policy =~ s/(?:Drop|Reject)\(\s*audit.*\)/Broadcast(A_DROP),Multicast(A_DROP)/;
 	    } else {
 		$policy =~ s/(?:Drop|Reject)\(\s*audit.*\)/AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
 	    }
 	} elsif ( $policy =~ /\b(?:Drop|Reject)\b/ ) {
 	    if ( $family == F_IPV4 ) {
 		$policy =~ s/(?:Drop|Reject)/Broadcast(DROP),Multicast(DROP)/;
 	    } else {
 		$policy =~ s/(?:Drop|Reject)/AllowICMPs,Broadcast(DROP),Multicast(DROP)/;
 	    }
 	}
 	$config{$_} = $policy;
    }
    my $fn;
    unless ( -d "$globals{SHAREDIR}/configfiles/" ) {
@@ -5515,7 +5528,13 @@ sub update_config_file( $ ) {
 			#
 			# OPTION='' - use default if 'Yes' or 'No'
 			#
-			$config{$var} = $val = $default if $default eq 'Yes' || $default eq 'No';
+			if ( $default eq 'Yes' || $default eq 'No' ) {
 			    $config{$var} = $val = $default;
 			} elsif ( $var eq 'CONFIG_PATH' ) {
 			    $val =~ s|^/etc/|\${CONFDIR}|;
 			    $val =~ s|:/etc/|:\${CONFDIR}/g|;
 			    $val =~ s|:/usr/share/|:\${SHAREDIR}|g;
 			}
 		    } else {
 			#
 			# Wasn't mentioned in old file - use default value
@@ -5523,7 +5542,6 @@ sub update_config_file( $ ) {
 			$config{$var} = $val = $default;
 		    }
 		}
 		if ( supplied $val ) {
 		    #
@@ -6004,9 +6022,12 @@ sub export_params() {
 }
 #
-# Walk the CONFIG_PATH converting FORMAT and COMMENT lines to compiler directives
+# Walk the CONFIG_PATH converting
 # - FORMAT and COMMENT lines to compiler directives
 # - single semicolons to double semicolons in lines beginning with 'INLINE', IPTABLES or IP6TABLES
 # - Rename macros/actions to their 5.2 counterparts
 #
-sub convert_to_directives() {
+sub convert_to_version_5_2() {
    my $sharedir = $shorewallrc{SHAREDIR};
    #
    # Make a copy of @config_path so that the for-loop below doesn't clobber that list
@@ -6017,7 +6038,7 @@ sub convert_to_directives() {
    my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|;
-    progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives...";
+    progress_message3 "Performing Shorewall 5.2 conversions...";
    for my $dir ( @path ) {
 	unless ( $dir =~ /$dirtest/ ) {
@@ -6028,40 +6049,129 @@ sub convert_to_directives() {
 		opendir( my $dirhandle, $dir ) || fatal_error "Cannot open directory $dir for reading:$!";
-		while ( my $file = readdir( $dirhandle ) ) {
+		while ( my $fname = readdir( $dirhandle ) ) {
-		    unless ( $file eq 'capabilities'       ||
+		    unless ( $fname eq 'capabilities'       ||
-			     $file eq 'params'             ||
+			     $fname eq 'params'             ||
-			     $file =~ /^shorewall6?.conf$/ ||
+			     $fname =~ /^shorewall6?.conf$/ ||
-			     $file =~ /\.bak$/ ) {
+			     $fname =~ /\.bak$/ ) {
-			$file = "$dir/$file";
+			#
 			# File we are interested in
 			#
 			my $fullname = "$dir/$fname";
-			if ( -f $file && -w _ ) {
+			if ( -f $fullname && -w _ ) {
 			    #
 			    # writeable regular file
 			    #
-			    my $result = system << "EOF";
+			    my $v5_2_update = ( $fname eq 'rules'          ||
-			    perl -pi.bak -e '/^\\s*FORMAT\\s+/ && s/FORMAT/?FORMAT/;
+						$fname =~ /^action\./      ||
-                                             /^\\s*SECTION\\s+/ && s/SECTION/?SECTION/;
+						$fname =~ /^macro\./       ||
-                                             if ( /^\\s*COMMENT\\s+/ ) {
+						$fname eq 'snat'           ||
-                                                 s/COMMENT/?COMMENT/;
+						$fname eq 'mangle'         ||
-                                             } elsif ( /^\\s*COMMENT\\s*\$/ ) {
+						$fname eq 'conntrack'      ||
-                                                 s/COMMENT/?COMMENT/;
+						$fname eq 'accounting'     ||
-                                             }' $file
+						$fname eq 'masq'           ||
-EOF
+						$fname eq 'policy' );
-			    if ( $result == 0 ) {
+			    my $is_policy   = ( $fname eq 'policy' );
-				if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) {
+			    my @file;
-				    progress_message3 "   File $file updated - old file renamed ${file}.bak";
+			    my ( $ifile, $ofile );
-				} elsif ( rename "${file}.bak" , $file ) {
+			    my $omitting = 0;
-				    progress_message "   File $file not updated -- no bare 'COMMENT', 'SECTION' or 'FORMAT' lines found";
+			    my $changed;
-				    progress_message "   File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found";
+
 			    open $ifile, '<', "$fullname" or fatal_error "Unable to open $fullname: $!";
 			    while ( <$ifile> ) {
 				if ( $omitting ) {
 				    $omitting = 0, next if /\s*\??end\s+(?:perl|shell)/i;
 				} else {
-				    warning message "Unable to rename ${file}.bak to $file:$!";
+				    $omitting = 1, next if /\s*\??begin\s+(?:perl|shell)/i;
 				}
 				unless ( $omitting || /^\s*[#?]/ ) {
 				    if ( /^\s*FORMAT\s+/ ) {
 					s/FORMAT/?FORMAT/;
 					$changed = 1;
 				    }
 				    if ( /^\s*SECTION\s+/ ) {
 					s/SECTION/?SECTION/;
 					$changed = 1;
 				    }
 				    if ( /^\s*COMMENT\s+/ ) {
 					s/COMMENT/?COMMENT/;
 					$changed = 1;
 				    } elsif ( /^\\s*COMMENT\\s*\$/ ) {
 					s/COMMENT/?COMMENT/;
 				    }
 				    if ( $v5_2_update ) {
 					if ( /\bA_AllowICMPs\b/ ) {
 					    s/A_AllowICMPs/AllowICMPs(A_ACCEPT)/;
 					    $changed = 1;
 					}
 					if ( $is_policy ) {
 					    if ( /\bA_(?:Drop|Reject)\b/ ) {
 						if ( $family == F_IPV4 ) {
 						    s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
 						} else {
 						    s/A_(?:Drop|Reject)/AllowICMPS(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
 						}
 						$changed = 1;
 					    } elsif ( /\b(?:Drop|Reject)\(\s*audit.*\)/ ) {
 						if ( $family == F_IPV4 ) {
 						    s/(?:Drop|Reject)\(\s*audit.*\)/Broadcast(A_DROP),Multicast(A_DROP)/;
 						} else {
 						    s/(?:Drop|Reject)\(\s*audit.*\)/AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
 						}
 						$changed = 1;
 					    } elsif ( /\b(?:Drop|Reject)\b/ ) {
 						if ( $family == F_IPV4 ) {
 						    s/(?:Drop|Reject)/Broadcast(DROP),Multicast(DROP)/;
 						} else {
 						    s/(?:Drop|Reject)/AllowICMPs,Broadcast(DROP),Multicast(DROP)/;
 						}
 						$changed = 1;
 					    }
 					} else {
 					    unless ( /;;/ ) {
 						if ( /^\s*(?:INLINE|IP6?TABLES)/ ) {
 						    s/;/;;/;
 						    $changed = 1;
 						} elsif ( /^[^#]*;\s*-[mgj]/ ) {
 						    s/;/;;/;
 						    $changed = 1;
 						}
 					    }
 					    if ( /\bSMTPTrap\b/ ) {
 						s/SMTPTrap/SMTPtrap/;
 						$changed = 1;
 					    }
 					}
 				    }
 				}
 				push @file, $_;
 			    }
 			    close $ifile;
 			    if ( $changed ) {
 				fatal_error "Can't rename $fullname to $fullname.bak" unless rename $fullname, "$fullname.bak";
 				open $ofile, '>', "$fullname" or fatal_error "Unable to open $fullname: $!";
 				print $ofile $_ for @file;
 				close $ofile;
 				progress_message3 "   File $fullname updated - old file renamed ${fullname}.bak";
 			    } else {
-				warning_message ("Unable to update file $file" );
+				progress_message "   File $file not updated -- no update required";
 			    }
 			} else {
-			    warning_message( "$file skipped (not writeable)" ) unless -d _;
+			    warning_message( "$fullname skipped (not writeable)" ) unless -d _;
 			}
 		    }
 		}
@@ -6078,9 +6188,9 @@ EOF
 # - Read the capabilities file, if any
 # - establish global hashes %params, %config , %globals and %capabilities
 #
-sub get_configuration( $$$$ ) {
+sub get_configuration( $$$ ) {
-    ( my ( $export, $update, $annotate ) , $checkinline ) = @_;
+    my ( $export, $update, $annotate ) = @_;
    $globals{EXPORT} = $export;
@@ -6382,7 +6492,6 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
    default_yes_no 'MAPOLDACTIONS'              , 'Yes';
    warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD};
@@ -6438,6 +6547,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'AUTOCOMMENT'                , 'Yes';
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
    default_yes_no 'RENAME_COMBINED'            , 'Yes';
    if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6457,7 +6567,6 @@ sub get_configuration( $$$$ ) {
 	$origin{$_} ||= '';
    }
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
    default_yes_no 'WORKAROUNDS'                , 'Yes';
    default_yes_no 'DOCKER'                     , '';
@@ -6490,11 +6599,14 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'MANGLE_ENABLED'             , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
    default_yes_no 'USE_DEFAULT_RT'             , '';
    default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
    default_yes_no 'AUTOMAKE'                   , '';
    default_yes_no 'TRACK_PROVIDERS'            , 'Yes';
    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
    default_yes_no 'USE_NFLOG_SIZE'             , '';
    if ( ( $val = ( $config{AUTOMAKE} || '' ) ) !~ /^[Rr]ecursive$/ ) {
 	default_yes_no( 'AUTOMAKE' , '' ) unless $val && $val =~ /^\d{1,2}$/;
    }
    if ( $config{USE_NFLOG_SIZE} ) {
 	if ( have_capability( 'NFLOG_SIZE' ) ) {
 	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
@@ -6691,6 +6803,13 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_BACKEND} = $val;
    }
    if ( supplied( $val = $config{LOG_ZONE} ) ) {
 	fatal_error "Invalid LOG_ZONE setting ($val)" unless $val =~ /^(src|dst|both)$/i;
 	$config{LOG_ZONE} = lc( $val );
    } else {
 	$config{LOG_ZONE} = 'both';
    }
    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
    default_log_level 'SMURF_LOG_LEVEL',     '';
@@ -6867,7 +6986,7 @@ sub get_configuration( $$$$ ) {
    } else {
 	$val = numeric_value $config{OPTIMIZE};
-	fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ~OPTIMIZE_USE_FIRST ) <= OPTIMIZE_ALL;
+	fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && $val <= OPTIMIZE_ALL;
    }
    require_capability 'XMULTIPORT', 'OPTIMIZE level 16', 's' if $val & 16;
@@ -6936,7 +7055,7 @@ sub get_configuration( $$$$ ) {
 	$variables{$var} = $config{$val};
    }
-    convert_to_directives if $update;
+    convert_to_version_5_2 if $update;
    cleanup_iptables if $sillyname && ! $config{LOAD_HELPERS_ONLY};
 }
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -60,6 +60,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  decompose_net
 		  decompose_net_u32
 		  compare_nets
 		  loopback_address
 		  validate_host
 		  validate_range
 		  ip_range_explicit
@@ -98,12 +99,14 @@ our $resolve_dnsname;
 our $validate_range;
 our $validate_host;
 our $family;
 our $loopback_address;
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       NILIPv4             => '0.0.0.0' ,
 	       NILIPv6             => '::' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
 	       IPv4_LOOPBACK       => '127.0.0.1' ,
 	       IPv6_MULTICAST      => 'ff00::/8' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
 	       IPv6_SITELOCAL      => 'feC0::/10' ,
@@ -370,6 +373,10 @@ sub rfc1918_networks() {
    @rfc1918_networks
 }
 sub loopback_address() {
    $loopback_address;
 }
 #
 # Protocol/port validation
 #
@@ -755,6 +762,7 @@ sub initialize( $ ) {
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
 	$vlsm_width       = VLSMv4;
 	$loopback_address = IPv4_LOOPBACK;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -767,6 +775,7 @@ sub initialize( $ ) {
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
 	$vlsm_width       = VLSMv6;
 	$loopback_address = IPv6_LOOPBACK;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -718,7 +718,7 @@ sub add_common_rules ( $ ) {
    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
-	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
+	fatal_error( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
    } else {
 	if ( have_capability( 'ADDRTYPE' ) ) {
 	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
@@ -810,7 +810,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -2554,9 +2554,6 @@ EOF
 	        reload)
 	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
 	        refresh)
 	            mylogger kern.err "ERROR:$g_product refresh failed"
 	            ;;
                enable)
                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
@@ -2646,7 +2643,6 @@ EOF
        rm -f ${VARDIR}/proxyarp
    fi
 EOF
    } else {
 	emit <<'EOF';
@@ -2660,7 +2656,6 @@ EOF
        rm -f ${VARDIR}/proxyndp
    fi
 EOF
    }
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -37,7 +37,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();
 Exporter::export_ok_tags('rules');
@@ -587,11 +587,11 @@ EOF
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
    my $have_masq_rules;
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );
 	my $have_masq_rules;
 	directive_callback(
 	    sub ()
 	    {
@@ -647,6 +647,8 @@ sub convert_masq() {
 	close $snat, directive_callback( 0 );
    }
    $have_masq_rules;
 }
 #
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -338,22 +338,22 @@ sub balance_default_route( $$$$ ) {
    if ( $first_default_route ) {
 	if ( $balanced_providers == 1 ) {
 	    if ( $gateway ) {
-		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
+		emit qq(DEFAULT_ROUTE="via $gateway dev $interface $realm");
 	    } else {
-		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
+		emit qq(DEFAULT_ROUTE="dev $interface $realm");
 	    }
 	} elsif ( $gateway ) {
-	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="nexthop dev $interface weight $weight $realm");
 	}
 	$first_default_route = 0;
    } else {
 	if ( $gateway ) {
-	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm");
 	}
    }
 }
@@ -368,22 +368,22 @@ sub balance_fallback_route( $$$$ ) {
    if ( $first_fallback_route ) {
 	if ( $fallback_providers == 1 ) {
 	    if ( $gateway ) {
-		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
+		emit qq(FALLBACK_ROUTE="via $gateway dev $interface $realm");
 	    } else {
-		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
+		emit qq(FALLBACK_ROUTE="dev $interface $realm");
 	    }
 	} elsif ( $gateway ) {
-	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="nexthop dev $interface weight $weight $realm");
 	}
 	$first_fallback_route = 0;
    } else {
 	if ( $gateway ) {
-	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm");
 	}
    }
 }
@@ -876,7 +876,7 @@ sub add_a_provider( $$ ) {
 	    }
 	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
-	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
+	    emit( qq(echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 	if ( ! $noautosrc ) {
@@ -885,7 +885,8 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( "find_interface_addresses $physical | while read address; do",
+		emit  ( '',
 			"find_interface_addresses $physical | while read address; do",
 			"    qt \$IP -$family rule del from \$address",
 			"    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
@@ -1250,7 +1251,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled",
 		   "fi\n",
 		 );
 	}
@@ -1593,7 +1594,8 @@ sub finish_providers() {
 	}
 	if ( $config{USE_DEFAULT_RT} ) {
-	    emit  ( "    while qt \$IP -$family route del default table $main; do",
+	    emit  ( '',
 		    "    while qt \$IP -$family route del default table $main; do",
 		    '        true',
 		    '    done',
 		    ''
@@ -1739,7 +1741,7 @@ sub process_providers( $ ) {
    add_a_provider( $providers{$_}, $tcdevices ) for @providers;
-    emit << 'EOF';;
+    emithd << 'EOF';;
 #
 # Enable an optional provider
@@ -1785,12 +1787,11 @@ EOF
    pop_indent;
    pop_indent;
-    emit << 'EOF';;
+    emithd << 'EOF';;
        *)
            startup_error "$g_interface is not an optional provider or interface"
            ;;
    esac
 }
 #
@@ -1894,20 +1895,19 @@ sub setup_providers() {
 	start_providers;
-	setup_null_routing if $config{NULL_ROUTE_RFC1918};
+	setup_null_routing, emit '' if $config{NULL_ROUTE_RFC1918};
-	emit '';
+	if ( @providers ) {
-
+	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	emit "start_$providers{$_}->{what}_$_" for @providers;
+	    emit '';
-
+	}
 	emit '';
 	finish_providers;
 	emit "\nrun_ip route flush cache";
 	pop_indent;
-	emit "fi\n";
+	emit 'fi';
 	setup_route_marking if @routemarked_interfaces || @load_interfaces;
    } else {
@@ -1918,9 +1918,10 @@ sub setup_providers() {
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
 	    emit '';
 	}
-	emit "\nundo_routing";
+	emit "undo_routing";
 	emit "restore_default_route $config{USE_DEFAULT_RT}";
 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
@@ -1945,7 +1946,7 @@ sub setup_providers() {
 	pop_indent;
-	emit "fi\n";
+	emit 'fi';
    }
 }
@@ -2195,17 +2196,13 @@ sub provider_realm( $ ) {
 }
 #
-# This function is called by the compiler when it is generating the detect_configuration() function.
+# Perform processing related to optional interfaces. Returns true if there are optional interfaces.
-# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
+
 # ..._IS_USABLE interface variables appropriately for the  optional interfaces
 #
-# Returns true if there were required or optional interfaces
+sub handle_optional_interfaces() {
 #
 sub handle_optional_interfaces( $ ) {
    my @interfaces;
    my $wildcards;
    #
    # First do the provider interfacess. Those that are real providers will never have wildcard physical
    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
@@ -2229,10 +2226,6 @@ sub handle_optional_interfaces( $ ) {
    if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
 	verify_required_interfaces( $gencase );
 	emit '' if $gencase;
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
@@ -2375,7 +2368,7 @@ sub handle_optional_interfaces( $ ) {
 	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
-		  '        start|reload|restore|refresh)'
+		  '        start|reload|restore)'
 		);
 	    if ( $family == F_IPV4 ) {
@@ -2396,8 +2389,6 @@ sub handle_optional_interfaces( $ ) {
 	return 1;
    }
    verify_required_interfaces( shift );
 }
 #
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -96,6 +96,7 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
    }
    emit ( "run_ip neigh add proxy $address nud permanent dev $extphy" ,
 	   '' ,
 	   qq(progress_message "   Host $address connected to $interface added to $proto on $extphy"\n) );
    push @proxyarp, "$address $interface $external $haveroute";
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Rules.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Rules.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -112,6 +112,13 @@ our %section_functions = ( ALL_SECTION ,        \&rules_chain,
 			   UNTRACKED_SECTION,   \&untracked_chain,
 			   NEW_SECTION,         \&rules_chain );
 our %log_functions = ( ALL_SECTION ,         \&rules_log ,
 		       BLACKLIST_SECTION ,   \&blacklist_log ,
 		       ESTABLISHED_SECTION , \&established_log ,
 		       RELATED_SECTION ,     \&related_log ,
 		       INVALID_SECTION ,     \&invalid_log ,
 		       UNTRACKED_SECTION ,   \&untracked_log ,
 		       NEW_SECTION ,         \&rules_log );
 #
 # Section => STATE map - initialized in process_rules().
 #
@@ -403,8 +410,8 @@ sub initialize( $ ) {
 #
 # Create a rules chain
 #
-sub new_rules_chain( $ ) {
+sub new_rules_chain( $$ ) {
-    my $chainref = new_chain( 'filter', $_[0] );
+    my $chainref = new_chain( 'filter', &rules_chain( @_ ), &rules_log( @_ ) );
    if ( $config{FASTACCEPT} ) {
 	if ( $globals{RELATED_TARGET} eq 'ACCEPT' && ! $config{RELATED_LOG_LEVEL} ) {
@@ -445,7 +452,7 @@ sub new_policy_chain($$$$$)
 {
    my ($source, $dest, $policy, $provisional, $audit) = @_;
-    my $chainref = new_rules_chain( rules_chain( ${source}, ${dest} ) );
+    my $chainref = new_rules_chain( ${source}, ${dest} );
    convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional, $audit );
@@ -455,9 +462,11 @@ sub new_policy_chain($$$$$)
 #
 # Set the passed chain's policychain and policy to the passed values.
 #
-sub set_policy_chain($$$$$$)
+sub set_policy_chain($$$$$)
 {
-    my ( $chain, $source, $dest, $polchainref, $policy, $intrazone ) = @_;
+    my ( $source, $dest, $polchainref, $policy, $intrazone ) = @_;
    my $chain = rules_chain( $source, $dest );
    my $chainref = $filter_table->{$chain};
@@ -467,7 +476,7 @@ sub set_policy_chain($$$$$$)
 	    $chainref->{provisional} = '';
 	}
    } else {
-	$chainref = new_rules_chain $chain;
+	$chainref = new_rules_chain( $source, $dest );
    }
    unless ( $chainref->{policychain} ) {
@@ -483,6 +492,7 @@ sub set_policy_chain($$$$$$)
 	    if ( defined $polchainref->{synparams} ) {
 		$chainref->{synparams}   = $polchainref->{synparams};
 		$chainref->{synchain}    = $polchainref->{synchain};
 		$chainref->{synlog}      = $polchainref->{synlog};
 	    }
 	    $chainref->{pactions}    = $polchainref->{pactions} || [];
@@ -580,7 +590,7 @@ sub process_policy_actions( $$$ ) {
 	    for my $paction ( split_list3( $pactions, 'Policy Action' ) ) {
 		my ( $action, $level, $remainder ) = split( /:/, $paction, 3 );
-		fatal_error "Invalid policy action ($paction:$level:$remainder)" if defined $remainder;
+		fatal_error "Invalid policy action ($paction)" if defined $remainder;
 		push @pactions, process_policy_action( $originalpolicy, $policy, $action, $level );
 	    }
@@ -743,7 +753,8 @@ sub process_a_policy1($$$$$$$) {
 	$value  = do_ratelimit $synparams, 'ACCEPT'  if $synparams ne '';
 	$value .= do_connlimit $connlimit            if $connlimit ne '';
 	$chainref->{synparams} = $value;
-	$chainref->{synchain}  = $chain
+	$chainref->{synchain}  = $chain;
 	$chainref->{synlog}    = '@' . $chainref->{logname};
    }
    $chainref->{pactions} = $pactionref;
@@ -753,19 +764,19 @@ sub process_a_policy1($$$$$$$) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $zone, $zone1, $chainref, $policy, $intrazone;
+		    set_policy_chain $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain rules_chain( ${zone}, ${server} ), $zone, $server, $chainref, $policy, $intrazone;
+		set_policy_chain $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $zone, $chainref, $policy, $intrazone;
+	    set_policy_chain $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
    } else {
@@ -832,6 +843,8 @@ sub save_policies() {
    }
 }
 sub ensure_rules_chain( $$ );
 #
 # Process the policy file
 #
@@ -881,19 +894,15 @@ sub process_policies()
 	if ( $type == LOCAL ) {
 	    for my $zone1 ( off_firewall_zones ) {
 		unless ( $zone eq $zone1 ) {
-		    my $name  = rules_chain( $zone,  $zone1 );
+		    set_policy_chain( $zone,  $zone1, ensure_rules_chain( $zone, $zone1  ), 'NONE', 0 );
-		    my $name1 = rules_chain( $zone1, $zone  );
+		    set_policy_chain( $zone1, $zone,  ensure_rules_chain( $zone1, $zone ), 'NONE', 0 );
 		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
 		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	} elsif ( $type == LOOPBACK ) {
 	    for my $zone1 ( off_firewall_zones ) {
 		unless ( $zone eq $zone1 || zone_type( $zone1 ) == LOOPBACK ) {
-		    my $name  = rules_chain( $zone,  $zone1 );
+		    set_policy_chain( $zone,  $zone1, ensure_rules_chain( $zone, $zone1  ), 'NONE', 0 );
-		    my $name1 = rules_chain( $zone1, $zone  );
+		    set_policy_chain( $zone1, $zone,  ensure_rules_chain( $zone1, $zone ), 'NONE', 0 );
 		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
 		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	}
@@ -953,13 +962,9 @@ sub add_policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
    unless ( $target eq 'NONE' ) {
 	my @pactions;
 	@pactions = @$pactions;
 	add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
-	for my $paction ( @pactions ) {
+	for my $paction ( @$pactions ) {
 	    my ( $action ) = split ':', $paction;
 	    if ( ( $targets{$action} || 0 ) & ACTION ) {
@@ -1005,7 +1010,7 @@ sub add_policy_rules( $$$$$ ) {
 	}
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
-	fatal_error "Null target in policy_rules()" unless $target;
+	assert( $target );
 	if ( $target eq 'BLACKLIST' ) {
 	    my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
@@ -1066,7 +1071,7 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
    progress_message_nocompress "   Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
 }
-sub ensure_rules_chain( $ );
+sub finish_chain_sections( $ );
 #
 # Finish all policy Chains
@@ -1080,7 +1085,7 @@ sub complete_policy_chains() {
 	    my $provisional = $chainref->{provisional};
 	    my $defaults    = $chainref->{pactions};
 	    my $name        = $chainref->{name};
-	    my $synparms    = $chainref->{synparms};
+	    my $synparams   = $chainref->{synparams};
 	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
 		if ( $config{OPTIMIZE} & 2 ) {
@@ -1090,13 +1095,13 @@ sub complete_policy_chains() {
 		    # is a single jump. Generate_matrix() will just use the policy target when
 		    # needed.
 		    #
-		    ensure_rules_chain $name if ( @$defaults         ||
+		    finish_chain_sections( $chainref ) if ( @$defaults         ||
-						  $loglevel          ||
+							    $loglevel          ||
-						  $synparms          ||
+							    $synparams         ||
-						  $config{MULTICAST} ||
+							    $config{MULTICAST} ||
-						  ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ) );
+							    ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ) );
 		} else {
-		    ensure_rules_chain $name;
+		    finish_chain_sections( $chainref );
 		}
 	    }
@@ -1153,13 +1158,14 @@ sub setup_syn_flood_chains() {
 	my $limit = $chainref->{synparams};
 	if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
 	    my $level = $chainref->{loglevel};
-	    my $synchainref = @zones > 1 ?
+	    my $synchainref =
-		    new_chain 'filter' , syn_flood_chain $chainref :
+		@zones > 1 ?
-		    new_chain( 'filter' , '@' . $chainref->{name} );
+		new_chain( 'filter' , syn_flood_chain $chainref , $chainref->{synlog} ) :
 		new_chain( 'filter' , '@' . $chainref->{name}   , '@' . $chainref->{logname} );
 	    add_rule $synchainref , "${limit}-j RETURN";
 	    log_irule_limit( $level ,
 			     $synchainref ,
-			     $synchainref->{name} ,
+			     $synchainref->{logname} ,
 			     'DROP',
 			     @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
 			    '' ,
@@ -1226,12 +1232,12 @@ sub finish_chain_section ($$$) {
 		    if ( $twochains ) {
 			$chain2ref = $chainref;
 		    } else {
-			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" );
+			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
 		    }
 		    log_rule_limit( $level,
 				    $chain2ref,
-				    $chain2ref->{name},
+				    $chain2ref->{logname},
 				    uc $target,
 				    $globals{LOGLIMIT},
 				    $tag ,
@@ -1310,20 +1316,9 @@ sub finish_chain_section ($$$) {
    pop_comment( $save_comment );
 }
-#
+sub finish_chain_sections( $ ) {
-# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
+    my ( $chainref ) = @_;
 #
 # Return a reference to the chain's table entry.
 #
 sub ensure_rules_chain( $ )
 {
    my ($chain) = @_;
    my $chainref = $filter_table->{$chain};
    $chainref = new_rules_chain( $chain ) unless $chainref;
    unless ( $chainref->{referenced} ) {
 	if ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID,UNTRACKED';
 	} elsif ( $section == UNTRACKED_SECTION ) {
@@ -1335,7 +1330,24 @@ sub ensure_rules_chain( $ )
 	}
 	$chainref->{referenced} = 1;
-    }
+}
 #
 # Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
 #
 # Return a reference to the chain's table entry.
 #
 sub ensure_rules_chain( $$ )
 {
    my ($source, $dest) = @_;
    my $chain = rules_chain( $source, $dest );
    my $chainref = $filter_table->{$chain};
    $chainref = new_rules_chain( $source, $dest ) unless $chainref;
    finish_chain_sections( $chainref ) unless $chainref->{referenced};
    $chainref;
 }
@@ -1718,34 +1730,6 @@ sub isolate_basic_target( $ ) {
    $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
 }
 #
 # Map pre-3.0 actions to the corresponding Macro invocation
 #
 sub find_old_action ( $$$ ) {
    my ( $target, $macro, $param ) = @_;
    if ( my $actiontype = find_macro( $macro ) ) {
 	( $macro, $actiontype , $param );
    } else {
 	( $target, 0, '' );
    }
 }
 sub map_old_actions( $ ) {
    my $target = shift;
    if ( $target =~ /^Allow(.*)$/ ) {
 	find_old_action( $target, $1, 'ACCEPT' );
    } elsif ( $target =~ /^Drop(.*)$/ ) {
 	find_old_action( $target, $1, 'DROP' );
    } elsif ( $target = /^Reject(.*)$/ ) {
 	find_old_action( $target, $1, 'REJECT' );
    } else {
 	( $target, 0, '' );
    }
 }
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
 sub process_snat1( $$$$$$$$$$$$ );
@@ -2634,10 +2618,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    #
    $actiontype = $targets{$basictarget} || find_macro( $basictarget );
    if ( $config{ MAPOLDACTIONS } ) {
 	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
    }
    fatal_error "Unknown ACTION ($action)" unless $actiontype;
    $usergenerated = $actiontype & IPTABLES;
@@ -3003,7 +2983,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#
 	# Mark the chain as referenced and add appropriate rules from earlier sections.
 	#
-	$chainref = ensure_rules_chain $chain;
+	$chainref = ensure_rules_chain ${sourcezone}, ${destzone};
 	#
 	# Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
 	#
@@ -3013,7 +2993,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    unless ( $auxref ) {
 		my $save_comment = push_comment;
-		$auxref = new_chain 'filter', $auxchain;
+		$auxref = new_chain 'filter', $auxchain, $log_functions{$section}->( $sourcezone, $destzone );
 		$auxref->{blacklistsection} = 1 if $blacklist;
 		add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
@@ -5505,22 +5485,6 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$interfaces    = $dest;
    }
    #
    # Handle IPSEC options, if any
    #
    if ( $ipsec ne '-' ) {
 	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
 	if ( $ipsec =~ /^yes$/i ) {
 	    $baserule .= do_ipsec_options 'out', 'ipsec', '';
 	} elsif ( $ipsec =~ /^no$/i ) {
 	    $baserule .= do_ipsec_options 'out', 'none', '';
 	} else {
 	    $baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
 	}
    } elsif ( have_ipsec ) {
 	$baserule .= '-m policy --pol none --dir out ';
    }
    #
    # Handle Protocol, Ports and Condition
    #
    $baserule .= do_proto( $proto, $ports, '' );
@@ -5531,7 +5495,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
    $baserule .= do_user( $user )                    if $user ne '-';
    $baserule .= do_probability( $probability )      if $probability ne '-';
-    for my $fullinterface ( split_list( $interfaces, 'interface' ) ) {
+    my @interfaces = split_list( $interfaces, 'interface' );
    for my $fullinterface ( @interfaces ) {
 	my $rule = '';
 	my $saveaddresses = $addresses;
@@ -5539,36 +5505,71 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	my $savebaserule  = $baserule;
 	my $interface = $fullinterface;
-	$interface =~ s/:.*//;   #interface name may include 'alias'
+	if ( $inaction ) {
-
+	    $interface =~ s/:.*// if $family == F_IPV4;   #interface name may include 'alias'
-	unless ( $inaction ) {
+	} else {
-	    if ( $interface =~ /(.*)[(](\w*)[)]$/ ) {
+	    if ( $interface eq firewall_zone ) {
-		$interface    = $1;
+		if ( @interfaces == 1 ) {
-		my $provider  = $2;
+		    fatal_error q('+' not valid when the DEST is $FW) if $pre_nat;
-
+		    fatal_error q('MASQUERADE' not allowed when DEST is $FW) if $action eq 'MASQUERADE';
-		fatal_error "Missing Provider ($dest)" unless supplied $provider;
+		    require_capability 'NAT_INPUT_CHAIN', '$FW in the DEST column', 's';
-
+		    $interface = '';
-		$dest =~ s/[(]\w*[)]//;
+		} else {
-		my $realm = provider_realm( $provider );
+		    fatal_error q($FW may not appear in a list of interfaces);
-
+		}
 		fatal_error "$provider is not a shared-interface provider" unless $realm;
 		$rule .= "-m realm --realm $realm ";
 	    }
 	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 	    if ( $interfaceref->{root} ) {
 		$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
 	    } else {
-		$rule .= match_dest_dev( $interface );
+		$interface =~ s/:.*// if $family == F_IPV4;   #interface name may include 'alias'
-		$interface = $interfaceref->{name};
+
 		if ( $interface =~ /(.*)[(](\w*)[)]$/ ) {
 		    $interface    = $1;
 		    my $provider  = $2;
 		    fatal_error "Missing Provider ($dest)" unless supplied $provider;
 		    $dest =~ s/[(]\w*[)]//;
 		    my $realm = provider_realm( $provider );
 		    fatal_error "$provider is not a shared-interface provider" unless $realm;
 		    $rule .= "-m realm --realm $realm ";
 		}
 		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 		if ( $interfaceref->{root} ) {
 		    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
 		} else {
 		    $rule .= match_dest_dev( $interface );
 		    $interface = $interfaceref->{name};
 		}
 	    }
-	    $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
+	    $chainref = $interface ? ensure_chain('nat',  $pre_nat ? snat_chain $interface : masq_chain $interface) : $nat_table->{INPUT};
 	}
 	$baserule .= do_condition( $condition , $chainref->{name} );
 	#
 	# Handle IPSEC options, if any
 	#
 	if ( $ipsec ne '-' ) {
 	    fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
 	    my $dir = $interface ? 'out' : 'in';
 	    if ( $ipsec =~ /^yes$/i ) {
 		$baserule .= do_ipsec_options $dir, 'ipsec', '';
 	    } elsif ( $ipsec =~ /^no$/i ) {
 		$baserule .= do_ipsec_options $dir, 'none', '';
 	    } else {
 		$baserule .= do_ipsec_options $dir, 'ipsec', $ipsec;
 	    }
 	} elsif ( have_ipsec ) {
 	    if ( $interface ) {
 		$baserule .= '-m policy --pol none --dir out ';
 	    } else {
 		$baserule .= '-m policy --pol none --dir in ';
 	    }
 	}
 	my $detectaddress = 0;
 	my $exceptionrule = '';
@@ -5576,6 +5577,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	if ( $action eq 'SNAT' ) {
 	    if ( $addresses eq 'detect' ) {
 		fatal_error q('detect' not allowed when the destination is $FW) unless $interface;
 		my $variable = get_interface_address $interface;
 		$target .= " --to-source $variable";
@@ -5702,6 +5704,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		$target .= $addrlist;
 	    }
 	} elsif ( $action eq 'MASQUERADE' ) {
 	    fatal_error q('MASQUERADE' not allowed when the destination is $FW') unless $interface;
 	    if ( supplied $addresses ) {
 		validate_portpair1($proto, $addresses );
 		$target .= " --to-ports $addresses";
@@ -5719,7 +5722,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 				 $params,
 				 $loglevel,
 				 $source,
-				 supplied $destnets && $destnets ne '-' ? $inaction ? $destnets : join( ':', $interface, $destnets ) : $inaction ? '-' : $interface,
+				 supplied( $destnets ) && $destnets ne '-' ? $inaction || $interface ? join( ':', $interface, $destnets ) : $destnets : $inaction ? '-' : $interface,
 				 $proto,
 				 $ports,
 				 $ipsec,
@@ -5784,7 +5787,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $destnets = ALLIP unless supplied $destnets && $destnets ne '-';
 	    expand_rule( $chainref ,
-			 POSTROUTE_RESTRICT ,
+			 $interface ? POSTROUTE_RESTRICT : INPUT_RESTRICT ,
 			 $prerule ,
 			 $baserule . $inlinematches . $rule ,
 			 $source ,
@@ -5799,7 +5802,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    conditional_rule_end( $chainref ) if $detectaddress || $conditional;
-	    if ( $add_snat_aliases && $addresses ) {
+	    if ( $interface && $add_snat_aliases && $addresses ) {
 		my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
 		fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
 		for my $address ( split_list $addresses, 'address' ) {
@@ -5848,23 +5851,15 @@ sub process_snat( )
 }
 #
-# Process the masq or snat file
+# Process the snat file. Convert the masq file if found and non-empty
 #
-sub setup_snat( $ ) # Convert masq->snat if true
+sub setup_snat()
 {
    my $fn;
    my $have_masq;
-    if ( $_[0] ) {
+    unless ( convert_masq ) {
 	convert_masq();
    } elsif ( $fn = open_file( 'masq', 1, 1 ) ) {
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
 	process_one_masq(0), $have_masq = 1 while read_a_line( NORMAL_READ );
    }
    unless ( $have_masq ) {
 	#
-	# Masq file empty or didn't exist
+	# Masq file was empty or didn't exist
 	#
 	if ( $fn = open_file( 'snat', 1, 1 ) ) {
 	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
@@ -85,8 +85,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
+		$inchainref  = ensure_rules_chain( ${zone}, ${fw} );
-		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+		$outchainref = ensure_rules_chain( ${fw}, ${zone} );
 		unless ( have_ipsec ) {
 		    add_tunnel_rule $inchainref,  p => 50, @$source;
@@ -250,8 +250,8 @@ sub setup_tunnels() {
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );
-	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
+	my $inchainref  = ensure_rules_chain( ${zone}, ${fw}   );
-	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+	my $outchainref = ensure_rules_chain( ${fw},   ${zone} );
 	$gateways = ALLIP if $gateways eq '-';
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Zones.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Zones.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -2021,6 +2021,7 @@ sub verify_required_interfaces( $ ) {
 	emit( "esac\n" );
 	$returnvalue = 1;
    }
    $interfaces = find_interfaces_by_option( 'required' );
@@ -2030,7 +2031,7 @@ sub verify_required_interfaces( $ ) {
 	if ( $generate_case ) {
 	    emit( 'case "$COMMAND" in' );
 	    push_indent;
-	    emit( 'start|reload|restore|refresh)' );
+	    emit( 'start|reload|restore)' );
 	    push_indent;
 	}
@@ -2066,7 +2067,7 @@ sub verify_required_interfaces( $ ) {
 	    emit( ';;' );
 	    pop_indent;
 	    pop_indent;
-	    emit( 'esac' );
+	    emit( "esac\n" );
 	}
 	$returnvalue = 1;
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -32,7 +32,6 @@
 #         --directory=<directory>     # Directory where configuration resides (default is /etc/shorewall)
 #         --timestamp                 # Timestamp all progress messages
 #         --debug                     # Print stack trace on warnings and fatal error.
 #         --refresh=<chainlist>       # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
@@ -40,7 +39,6 @@
 #         --shorewallrc=<path>        # Path to global shorewallrc file.
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
 #    If the <filename> is omitted, then a 'check' operation is performed.
@@ -64,7 +62,6 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --timestamp ]
    [ --debug ]
    [ --confess ]
    [ --refresh=<chainlist> ]
    [ --log=<filename> ]
    [ --log-verbose={-1|0-2} ]
    [ --test ]
@@ -75,7 +72,6 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --shorewallrc=<pathname> ]
    [ --shorewallrc1=<pathname> ]
    [ --config_path=<path-list> ]
    [ --inline ]
 _EOF_
 exit shift @_;
@@ -90,7 +86,6 @@ my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
 my $confess       = 0;
 my $chains        = ':none:';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;
@@ -102,7 +97,6 @@ my $update        = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
 my $shorewallrc1  = '';
 my $inline        = 0;
 Getopt::Long::Configure ('bundling');
@@ -117,8 +111,6 @@ my $result = GetOptions('h'               => \$help,
 			'timestamp'       => \$timestamp,
 			't'               => \$timestamp,
 		        'debug'           => \$debug,
 			'r=s'             => \$chains,
 			'refresh=s'       => \$chains,
 			'log=s'           => \$log,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
@@ -132,7 +124,6 @@ my $result = GetOptions('h'               => \$help,
 			'annotate'        => \$annotate,
 			'u'               => \$update,
 			'update'          => \$update,
 			'inline'          => \$inline,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -147,7 +138,6 @@ compiler( script          => $ARGV[0] || '',
 	  timestamp       => $timestamp,
 	  debug           => $debug,
 	  export          => $export,
 	  chains          => $chains,
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
@@ -159,5 +149,4 @@ compiler( script          => $ARGV[0] || '',
 	  config_path     => $config_path,
 	  shorewallrc     => $shorewallrc,
 	  shorewallrc1    => $shorewallrc1,
 	  inline          => $inline,
 	);
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -675,7 +675,7 @@ interface_is_usable() # $1 = interface
    status=0
    if ! loopback_interface $1; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -1101,7 +1101,7 @@ interface_is_usable() # $1 = interface
    status=0
    if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -45,6 +45,8 @@ LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
@@ -183,8 +185,6 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
@@ -199,8 +199,6 @@ MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
@@ -219,6 +217,8 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=Yes
 REQUIRE_INTERFACE=Yes
 RESTART=restart
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -56,6 +56,8 @@ LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
@@ -194,8 +196,6 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Off
@@ -210,8 +210,6 @@ MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
@@ -230,6 +228,8 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=Yes
 REQUIRE_INTERFACE=No
 RESTART=restart
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -53,6 +53,8 @@ LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
@@ -191,8 +193,6 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
@@ -207,8 +207,6 @@ MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
@@ -227,6 +225,8 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=Yes
 REQUIRE_INTERFACE=No
 RESTART=restart
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -56,6 +56,8 @@ LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
@@ -194,8 +196,6 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
@@ -210,8 +210,6 @@ MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
@@ -230,6 +228,8 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=Yes
 REQUIRE_INTERFACE=No
 RESTART=restart
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,11 +8,8 @@
 #
 ###############################################################################
 #ACTION
 A_AllowICMPs inline		# Audited version of AllowICMPs
 A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
 A_Reject			# Audited Default action for REJECT policy
 AllowICMPs   inline		# Allow Required ICMP packets
 allowBcast   inline		# Silently Allow Broadcast
 allowinUPnP  inline		# Allow UPnP inbound (to firewall) traffic
@@ -27,7 +24,6 @@ Broadcast    inline,audit	# Handles Broadcast/Anycast
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
 ?endif
 DNSAmp	     proto=17		# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
 dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
@@ -54,7 +50,6 @@ New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline,audit,\	# Handles TCP packets which do not have SYN=1 and ACK=0
 	     proto=6
 rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
 Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -1,10 +0,0 @@
 #
 # Shorewall -- /etc/shorewall/masq
 #
 # For information about entries in this file, type "man shorewall-masq"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###################################################################################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -45,6 +45,8 @@ LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
@@ -183,8 +185,6 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Keep
@@ -199,8 +199,6 @@ MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MINIUPNPD=No
@@ -219,6 +217,8 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=Yes
 REQUIRE_INTERFACE=No
 RESTART=restart
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -1231,6 +1231,19 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 #
 # Remove deleted actions and macros
 #
 if [ $PRODUCT = shorewall ]; then
    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.A_AllowICMPs
    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.A_Drop
    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.A_Reject
    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.Drop
    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.Reject
    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/macro.SMTPTraps
 fi
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
    if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.cli-std.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.cli-std
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
@@ -281,10 +281,18 @@ get_config() {
    case $AUTOMAKE in
 	Yes|yes)
 	    AUTOMAKE=1
 	    ;;
 	No|no)
 	    AUTOMAKE=
 	    ;;
 	[1-9])
 	    ;;
 	[1-9][0-9])
 	    ;;
 	[Rr]ecursive)
 	    AUTOMAKE=recursive
 	    ;;
 	*)
 	    if [ -n "$AUTOMAKE" ]; then
 		fatal_error "Invalid AUTOMAKE setting ($AUTOMAKE)"
@@ -397,10 +405,22 @@ uptodate() {
 	    #
 	    # Busybox 'find' doesn't support -quit.
 	    #
-	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print)" ]; then
+	    if [ $AUTOMAKE = recursive ]; then
 		if [ -n "$(${find} ${dir} -newer $1 -print)" ]; then
 		    return 1;
 		fi
 	    elif  [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print)" ]; then
 		return 1;
 	    fi
-	elif [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
+	elif [ "$AUTOMAKE" = recursive ]; then
 	    if [ -n "$(${find} ${dir} -newer $1 -print -quit)" ]; then
 		return 1;
 	    fi
 	elif [ -z "$AUTOMAKE" ]; then
 	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
 		return 1;
 	    fi
 	elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print -quit)" ]; then
 	    return 1;
 	fi
    done
@@ -445,7 +465,7 @@ compiler() {
    get_config Yes
    case $COMMAND in
-	*start|try|refresh|reload|restart|safe-*)
+	*start|try|reload|restart|safe-*)
 	    ;;
 	*)
 	    STARTUP_LOG=
@@ -487,11 +507,9 @@ compiler() {
    [ -n "$g_test" ]           && options="$options --test"
    [ -n "$g_preview" ]        && options="$options --preview"
    [ "$g_debugging" = trace ] && options="$options --debug"
    [ -n "$g_refreshchains" ]  && options="$options --refresh=$g_refreshchains"
    [ -n "$g_confess" ]        && options="$options --confess"
    [ -n "$g_update" ]         && options="$options --update"
    [ -n "$g_annotate" ]       && options="$options --annotate"
    [ -n "$g_inline" ]         && options="$options --inline"
    if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -596,10 +614,6 @@ start_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			i*)
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
@@ -641,24 +655,24 @@ start_command() {
    esac
    if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if ! uptodate ${VARDIR}/firewall; then
+	if ! uptodate $g_firewall; then
 	    g_fast=
 	    AUTOMAKE=
 	fi
    fi
    if [ -n "$AUTOMAKE" ]; then
-	[ -n "$nolock" ] || mutex_on
+	[ -n "$g_nolock" ] || mutex_on
-	run_it ${VARDIR}/firewall $g_debugging start
+	run_it $g_firewall $g_debugging start
 	rc=$?
-	[ -n "$nolock" ] || mutex_off
+	[ -n "$g_nolock" ] || mutex_off
    else
 	g_file="${VARDIR}/.start"
-	if compiler $g_debugging $nolock compile "$g_file"; then
+	if compiler $g_debugging $g_nolock compile "$g_file"; then
-	    [ -n "$nolock" ] || mutex_on
+	    [ -n "$g_nolock" ] || mutex_on
 	    run_it ${VARDIR}/.start $g_debugging start
 	    rc=$?
-	    [ -n "$nolock" ] || mutex_off
+	    [ -n "$g_nolock" ] || mutex_off
 	else
 	    rc=$?
 	    mylogger kern.err "ERROR:$g_product start failed"
@@ -710,10 +724,6 @@ compile_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			i*)
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			-)
 			    finished=1
 			    option=
@@ -734,7 +744,7 @@ compile_command() {
    case $# in
 	0)
-	    [ -n "$g_export" ] && g_file=firewall || g_file=${VARDIR}/firewall
+	    [ -n "$g_export" ] && g_file=firewall || g_file=$g_firewall
 	    ;;
 	1)
 	    g_file=$1
@@ -808,10 +818,6 @@ check_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			i*)
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -848,7 +854,7 @@ check_command() {
    g_doing="Checking"
-    compiler $g_debugging $nolock check
+    compiler $g_debugging $g_nolock check
 }
 #
@@ -896,16 +902,11 @@ update_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			i*)
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			a*)
 			    g_annotate=Yes
 			    option=${option#a}
 			    ;;
 			A*)
 			    g_inline=Yes
 			    option=${option#A}
 			    ;;
 			*)
@@ -944,7 +945,7 @@ update_command() {
    g_doing="Updating"
-    compiler $g_debugging $nolock check
+    compiler $g_debugging $g_nolock check
 }
 #
@@ -995,7 +996,6 @@ restart_command() {
 			    option=${option#T}
 			    ;;
 			i*)
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
@@ -1041,117 +1041,65 @@ restart_command() {
    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
    if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then
-	uptodate ${VARDIR}/firewall && g_fast=Yes
+	uptodate $g_firewall && g_fast=Yes
    fi
    g_file="${VARDIR}/.${COMMAND}"
    if [ -z "$g_fast" ]; then
-	if compiler $g_debugging $nolock compile "$g_file"; then
+	if compiler $g_debugging $g_nolock compile "$g_file"; then
-	    [ -n "$nolock" ] || mutex_on
+	    [ -n "$g_nolock" ] || mutex_on
 	    run_it ${VARDIR}/.${COMMAND} $g_debugging ${COMMAND}
 	    rc=$?
-	    [ -n "$nolock" ] || mutex_off
+	    [ -n "$g_nolock" ] || mutex_off
 	else
 	    rc=$?
 	    mylogger kern.err "ERROR:$g_product ${COMMAND} failed"
 	fi
    else
-	[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
+	[ -x $g_firewall ] || fatal_error "No $g_firewall file found"
-	[ -n "$nolock" ] || mutex_on
+	[ -n "$g_nolock" ] || mutex_on
-	run_it ${VARDIR}/firewall $g_debugging $COMMAND
+	run_it $g_firewall $g_debugging $COMMAND
 	rc=$?
-	[ -n "$nolock" ] || mutex_off
+	[ -n "$g_nolock" ] || mutex_off
    fi
    return $rc
 }
-#
+read_yesno_with_timeout() {
-# Refresh Command Executor
+    local timeout
-#
+    timeout=${1:-60}
 refresh_command() {
    local finished
    finished=0
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
+    case $timeout in
-	option=$1
+	*s)
-	case $option in
+	    ;;
-	    -*)
+	*m)
-		option=${option#-}
+	    timeout=$((${timeout%m} * 60))
 	    ;;
 	*h)
 	    timeout=$((${timeout%h} * 3600))
 	    ;;
    esac
-		while [ -n "$option" ]; do
+    read -t $timeout yn 2> /dev/null
-		    case $option in
+    if [ $? -eq 2 ]
-			-)
+    then
-			    finished=1
+	# read doesn't support timeout
-			    option=
+	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
-			    ;;
+	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
-			d*)
+	return $?
-			    g_debug=Yes
+    else
-			    option=${option#d}
+	# read supports timeout
-			    ;;
+	case "$yn" in
-			n*)
+	    y|Y)
-			    g_noroutes=Yes
+		return 0
 			    option=${option#n}
 			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			i*)
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			D)
 			    if [ $# -gt 1 ]; then
 				g_shorewalldir="$2"
 				option=
 				shift
 			    else
 				fatal_error "The -D option requires a directory name"
 			    fi
 			    ;;
 			*)
 			    option_error $option
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
-		finished=1
+		return 1
 		;;
 	esac
    done
    if [ $# -gt 0 ]; then
 	g_refreshchains=$1
 	shift
 	while [ $# -gt 0 ]; do
 	    g_refreshchains="$g_refreshchains,$1"
 	    shift
 	done
    else
 	g_refreshchains=:refresh:
    fi
    product_is_started || fatal_error "$g_product is not running"
    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
    g_file="${VARDIR}/.refresh"
    if compiler $g_debugging $nolock compile "$g_file"; then
 	[ -n "$nolock" ] || mutex_on
 	run_it ${VARDIR}/.refresh $g_debugging refresh
 	rc=$?
 	[ -n "$nolock" ] || mutex_off
    else
 	rc=$?
    fi
    return $rc
 }
 #
@@ -1276,7 +1224,7 @@ safe_commands() {
 	    ;;
    esac
-    [ -n "$nolock" ] || mutex_on
+    [ -n "$g_nolock" ] || mutex_on
    if run_it ${VARDIR}/.$command $g_debugging $command; then
@@ -1291,7 +1239,7 @@ safe_commands() {
 		run_it ${VARDIR}/.$command clear
 	    fi
-	    [ -n "$nolock" ] || mutex_off
+	    [ -n "$g_nolock" ] || mutex_off
 	    echo "New configuration has been rejected and the old one restored"
 	    exit 2
@@ -1299,7 +1247,7 @@ safe_commands() {
    fi
-    [ -n "$nolock" ] || mutex_off
+    [ -n "$g_nolock" ] || mutex_off
 }
 #
@@ -1389,7 +1337,7 @@ try_command() {
    g_file="${VARDIR}/.$command"
-    if ! compiler $g_debugging $nolock compile "$g_file"; then
+    if ! compiler $g_debugging $g_nolock compile "$g_file"; then
 	status=$?
 	exit $status
    fi
@@ -1409,7 +1357,7 @@ try_command() {
 	    ;;
    esac
-    [ -n "$nolock" ] || mutex_on
+    [ -n "$g_nolock" ] || mutex_on
    if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
 	sleep $timeout
@@ -1421,7 +1369,7 @@ try_command() {
 	fi
    fi
-    [ -n "$nolock" ] || mutex_off
+    [ -n "$g_nolock" ] || mutex_off
    return 0
 }
@@ -1439,10 +1387,163 @@ rcp_command() {
    eval $RCP_COMMAND
 }
 #
 # Remote-{getcaps|getrc} command executer
 #
 remote_capture() # $* = original arguments less the command.
 {
    local verbose
    verbose=$(make_verbose)
    local finished
    finished=0
    local system
    local getrc
    getrc=
    local getcaps
    getcaps=
    local remote_sw_dir_path
    remote_sw_dir_path=
    local root
    root=root
    local libexec
    libexec=${LIBEXECDIR}
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			R*)
 			    getrc=Yes
 			    option=${option#R}
 			    ;;
 			c*)
 			    getcaps=Yes
 			    option=${option#c}
 			    ;;
 			r)
 			    [ $# -gt 1 ] || fatal_error "Missing Root User name"
 			    root=$2
 			    option=
 			    shift
 			    ;;
 			D)
 			    [ $# -gt 1 ] || fatal_error "Missing directory name"
 			    g_shorewalldir=$2
 			    option=
 			    shift
 			    ;;
 			p)
 			    [ $# -gt 1 ] || fatal_error "Missing directory name"
 			    remote_sw_dir_path=$2
 			    option=
 			    shift
 			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			*)
 			    option_error $option
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    case $# in
 	0)
 	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
 	    ;;
 	1)
 	    g_shorewalldir="."
 	    system=$1
 	    ;;
 	2)
 	    g_shorewalldir=$1
 	    system=$2
 	    ;;
 	*)
 	    too_many_arguments $3
 	    ;;
    esac
    g_export=Yes
    ensure_config_path
    get_config Yes
    g_haveconfig=Yes
    if [ -z "$system" ]; then
        system=$FIREWALL
        [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
    fi
    case $COMMAND in
        remote-getrc)
            getrc=Yes
            ;;
        remote-getcaps)
            getcaps=Yes
            ;;
    esac
    [ -n "$getcaps" ] && getrc=Yes
    if [ -n "$getrc" -o ! -s $g_shorewalldir/shorewallrc ]; then
        progress_message2 "Getting shorewallrc file on system $system..."
        if [ -n "$remote_sw_dir_path" ]; then
            if ! rsh_command "/sbin/shorewall-lite show rc $remote_sw_dir_path" > $g_shorewalldir/shorewallrc; then
                fatal_error "Capturing RC file on system $system failed"
            fi
        elif ! rsh_command "/sbin/shorewall-lite show rc" > $g_shorewalldir/shorewallrc; then
            fatal_error "Capturing RC file on system $system failed"
        fi
    fi
    remote_sw_dir_path=
    if [ -n "$getcaps" -o ! -s $g_shorewalldir/capabilities ]; then
        if [ -f $g_shorewalldir/shorewallrc -a -s $g_shorewalldir/shorewallrc ]; then
            . $g_shorewalldir/shorewallrc
            libexec="$LIBEXECDIR"
            [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
            progress_message2 "Getting Capabilities on system $system..."
            if [ $g_family -eq 4 ]; then
                if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
                    fatal_error "Capturing capabilities on system $system failed"
                fi
            elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
                fatal_error "Capturing capabilities on system $system failed"
            fi
        else
            fatal_error "$g_shorewalldir/shorewallrc is not present."
        fi
    fi
 }
 #
 # Remote-{start|reload|restart} command executor
 #
-remote_reload_command() # $* = original arguments less the command.
+remote_commands() # $* = original arguments less the command.
 {
    local verbose
    verbose=$(make_verbose)
@@ -1508,10 +1609,6 @@ remote_reload_command() # $* = original arguments less the command.
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			i*)
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -1559,34 +1656,26 @@ remote_reload_command() # $* = original arguments less the command.
    g_export=Yes
-    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
+    ensure_config_path
 	if [ -f $g_shorewalldir/params ]; then
 	    . $g_shorewalldir/params
 	fi
-	ensure_config_path
+    get_config Yes
-	get_config No
+    g_haveconfig=Yes
-	g_haveconfig=Yes
+    if [ -z "$system" ]; then
-
+        system=$FIREWALL
-	if [ -z "$system" ]; then
+        [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
 	    system=$FIREWALL
 	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
 	fi
    else
 	fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist"
    fi
    if [ -z "$getcaps" ]; then
 	capabilities=$(find_file capabilities)
-	[ -f $capabilities ] || getcaps=Yes
+	[ ! -f $capabilities -o ! -s $capabilities ] && getcaps=Yes
    fi
    if [ -n "$getcaps" ]; then
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
-	progress_message "Getting Capabilities on system $system..."
+	progress_message2 "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
 	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
@@ -1602,6 +1691,7 @@ remote_reload_command() # $* = original arguments less the command.
    #
    # Handle nonstandard remote VARDIR
    #
    progress_message2 "Getting VARDIR on system $system..."
    temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
    [ -n "$temp" ] && litedir="$temp"
@@ -1742,11 +1832,11 @@ export_command() # $* = original arguments less the command.
 }
 run_command() {
-    if [ -x ${VARDIR}/firewall ] ; then
+    if [ -x $g_firewall ] ; then
-	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
+	uptodate $g_firewall || echo "   WARNING: $g_firewall is not up to date" >&2
-	run_it ${VARDIR}/firewall $g_debugging $@
+	run_it $g_firewall $g_debugging $@
    else
-	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+	fatal_error "$g_firewall does not exist or is not executable"
    fi
 }
@@ -1757,12 +1847,6 @@ compiler_command() {
 	    shift
 	    compile_command $@
 	    ;;
 	refresh)
 	    only_root
 	    get_config Yes Yes
 	    shift
 	    refresh_command $@
 	    ;;
 	check|ck)
 	    shift
 	    check_command $@
@@ -1773,7 +1857,7 @@ compiler_command() {
 	    ;;
 	remote-start|remote-reload|remote-restart)
 	    shift
-	    remote_reload_command $@
+	    remote_commands $@
 	    ;;
 	export)
 	    shift
@@ -1791,6 +1875,10 @@ compiler_command() {
 	    shift
 	    safe_commands $@
 	    ;;
        remote-getrc|remote-getcaps)
            shift
            remote_capture $@
            ;;
 	*)
 	    fatal_error "Invalid command: $COMMAND"
 	    ;;
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -84,7 +84,7 @@
        role="bold">CT</emphasis>:<emphasis
        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
        role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new</emphasis><emphasis
-        role="bold">|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
+        role="bold">|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IP[6]TABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
        <listitem>
          <para>This column is only present when FORMAT &gt;= 2. Values other
@@ -272,9 +272,32 @@
              will also be logged at that level.</para>
            </listitem>
            <listitem>
              <para><option>IP6TABLES</option>(<replaceable>target</replaceable>)</para>
              <para>IPv6 only.</para>
              <para>Added in Shorewall 4.6.0. Allows you to specify any
              iptables <replaceable>target</replaceable> with target options
              (e.g., "IP6TABLES(AUDIT --type drop)"). If the target is not one
              recognized by Shorewall, the following error message will be
              issued:</para>
              <simplelist>
                <member>ERROR: Unknown target
                (<replaceable>target</replaceable>)</member>
              </simplelist>
              <para>This error message may be eliminated by adding
              <replaceable>target</replaceable> as a builtin action in <ulink
              url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
            </listitem>
            <listitem>
              <para><option>IPTABLES</option>(<replaceable>target</replaceable>)</para>
              <para>IPv4 only.</para>
              <para>Added in Shorewall 4.6.0. Allows you to specify any
              iptables <replaceable>target</replaceable> with target options
              (e.g., "IPTABLES(AUDIT --type drop)"). If the target is not one
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -374,7 +374,8 @@ DIVERTHA        -               -               tcp</programlisting>
              <listitem>
                <para>Allows you to place your own ip[6]tables matches at the
-                end of the line following a semicolon (";"). If an
+                end of the line following a semicolon (";") (deprecated) or
                two semicolons (";;") (preferred since Shoreall 5.0.0). If an
                <replaceable>action</replaceable> is specified, the compiler
                proceeds as if that <replaceable>action</replaceable> had been
                specified in this column. If no action is specified, then you
@@ -391,22 +392,10 @@ DIVERTHA        -               -               tcp</programlisting>
                <programlisting>2:P                   eth0              -         tcp 22
 INLINE(MARK(2)):P     eth0              -         tcp 22
-INLINE(MARK(2)):P     eth0              -                 ; -p tcp
+INLINE(MARK(2)):P     eth0              -                 ;; -p tcp
-INLINE                eth0              -         tcp 22  ; -j MARK --set-mark 2
+INLINE                eth0              -         tcp 22  ;; -j MARK --set-mark 2
-INLINE                eth0              -                 ; -p tcp -j MARK --set-mark 2
+INLINE                eth0              -                 ;; -p tcp -j MARK --set-mark 2
 </programlisting>
                <para>If INLINE_MATCHES=Yes in <ulink
                url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
                then the third rule above can be specified as follows:</para>
                <programlisting>MARK(2):P             eth0              -                 ; -p tcp</programlisting>
                <para>Beginning with Shorewall 5.0.0, the rule may also be
                written this way, irrespective of the setting of
                INLINE_MATCHES:</para>
                <programlisting>MARK(2):P             eth0              -                 ;; -p tcp</programlisting>
              </listitem>
            </varlistentry>
@@ -518,12 +507,39 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">IP6TABLES({<replaceable>target</replaceable>
              [<replaceable>option</replaceable> ...])</emphasis></term>
              <listitem>
                <para>IPv6 only.</para>
                <para>This action allows you to specify an iptables target
                with options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'.
                If the target is not one recognized by Shorewall, the
                following error message will be issued:</para>
                <simplelist>
                  <member>ERROR: Unknown target
                  (<replaceable>target</replaceable>)</member>
                </simplelist>
                <para>This error message may be eliminated by adding the
                <replaceable>target</replaceable> as a builtin action in
                <ulink
                url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">IPTABLES({<replaceable>target</replaceable>
              [<replaceable>option</replaceable> ...])</emphasis></term>
              <listitem>
                <para>IPv4 only.</para>
                <para>This action allows you to specify an iptables target
                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
                the target is not one recognized by Shorewall, the following
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -1,781 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-masq</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
    <refname>masq</refname>
    <refpurpose>Shorewall Masquerade/SNAT definition file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall[6]/masq</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
    <para>This file is used to define dynamic NAT (Masquerading) and to define
    Source NAT (SNAT). While still supported, its use is deprecated in favor
    of <ulink url="shorewall-snat.html">shorewall-snat</ulink>(5) which was
    introduced in Shorewall 5.0.14.</para>
    <warning>
      <para>The entries in this file are order-sensitive. The first entry that
      matches a particular connection will be the one that is used.</para>
    </warning>
    <warning>
      <para>If you have more than one ISP link, adding entries to this file
      will <emphasis role="bold">not</emphasis> force connections to go out
      through a particular link. You must use entries in <ulink
      url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
      PREROUTING entries in <ulink
      url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
      that.</para>
    </warning>
    <para>The columns in the file are as follows.</para>
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">INTERFACE:DEST</emphasis> - {[<emphasis
        role="bold">+</emphasis>]<emphasis>interfacelist</emphasis>[<emphasis
        role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|?COMMENT}</term>
        <listitem>
          <para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
          comma-separated list of interface names. This is usually your
          internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
          may add ":" and a <emphasis>digit</emphasis> to indicate that you
          want the alias added with that name (e.g., eth0:0). This will allow
          the alias to be displayed with ifconfig. <emphasis role="bold">That
          is the only use for the alias name; it may not appear in any other
          place in your Shorewall configuration.</emphasis></para>
          <para>Each interface must match an entry in <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
          Shorewall allows loose matches to wildcard entries in <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
          For example, <filename class="devicefile">ppp0</filename> in this
          file will match a <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          entry that defines <filename
          class="devicefile">ppp+</filename>.</para>
          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
          internet provider share a single interface</ulink>, the provider is
          specified by including the provider name or number in
          parentheses:</para>
          <programlisting>        eth0(Avvanta)</programlisting>
          <para>In that case, you will want to specify the interface's address
          for that provider in the ADDRESS column.</para>
          <para>The interface may be qualified by adding the character ":"
          followed by a comma-separated list of destination host or subnet
          addresses to indicate that you only want to change the source IP
          address for packets being sent to those particular destinations.
          Exclusion is allowed (see <ulink
          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
          as are ipset names preceded by a plus sign '+';</para>
          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
          entry then include the ":" but omit the digit:</para>
          <programlisting>        eth0(Avvanta):
        eth2::192.0.2.32/27</programlisting>
          <para>Normally Masq/SNAT rules are evaluated after those for
          one-to-one NAT (defined in <ulink
          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you
          want the rule to be applied before one-to-one NAT rules, prefix the
          interface name with "+":</para>
          <programlisting>        +eth0
        +eth0:192.0.2.32/27
        +eth0:2</programlisting>
          <para>This feature should only be required if you need to insert
          rules in this file that preempt entries in <ulink
          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5).</para>
          <para>Comments may be attached to Netfilter rules generated from
          entries in this file through the use of ?COMMENT lines. These lines
          begin with ?COMMENT; the remainder of the line is treated as a
          comment which is attached to subsequent rules until another ?COMMENT
          line is found or until the end of the file is reached. To stop
          adding comments to rules, use a line containing only
          ?COMMENT.</para>
          <para>Beginning with Shorewall 4.6.0, a new syntax is also accepted.
          With the exception of the leading '+', the interfacelist and
          qualifiers may appear within the parentheses of <emphasis
          role="bold">INLINE</emphasis>(...).</para>
          <para>Example:</para>
          <programlisting>        +INLINE(eth0)</programlisting>
          <para>When this is done, you may augment the rule generated by
          Shorewall with iptables matches of your own. These matches appear
          after a semicolon (';') at the end of the line.</para>
          <para>See example 8 below.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET
        - Optional) -
        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
        <listitem>
          <para>Set of hosts that you wish to masquerade. You can specify this
          as an <emphasis>address</emphasis> (net or host) or as an
          <emphasis>interface</emphasis> (use of an
          <emphasis>interface</emphasis> is deprecated). If you give the name
          of an interface, the interface must be up before you start the
          firewall and the Shorewall rules compiler will warn you of that
          fact. (Shorewall will use your main routing table to determine the
          appropriate addresses to masquerade).</para>
          <para>The preferred way to specify the SOURCE is to supply one or
          more host or network addresses separated by comma. You may use ipset
          names preceded by a plus sign (+) to specify a set of hosts.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
        role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
        role="bold">:random</emphasis>][:persistent]|<emphasis
        role="bold">detect</emphasis>|<emphasis
        role="bold">random</emphasis>]</term>
        <listitem>
          <para>If you specify an address here, SNAT will be used and this
          will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
          in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then
          Shorewall will automatically add this address to the INTERFACE named
          in the first column.</para>
          <para>You may also specify a range of up to 256 IP addresses if you
          want the SNAT address to be assigned from that range in a
          round-robin fashion by connection. The range is specified by
          <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
          You may follow the port range with<emphasis role="bold">
          :random</emphasis> in which case assignment of ports from the list
          will be random. <emphasis role="bold">random</emphasis> may also be
          specified by itself in this column in which case random local port
          assignments are made for the outgoing connections.</para>
          <para>Example: 206.124.146.177-206.124.146.180</para>
          <para>You may follow the port range (or <emphasis
          role="bold">:random</emphasis>) with <emphasis
          role="bold">:persistent</emphasis>. This is only useful when an
          address range is specified and causes a client to be given the same
          source/destination IP pair. This feature replaces the SAME modifier
          which was removed from Shorewall in version 4.4.0. Unlike <emphasis
          role="bold">random</emphasis>, <emphasis
          role="bold">persistent</emphasis> may not be used by itself.</para>
          <para>You may also use the special value "detect" which causes
          Shorewall to determine the IP addresses configured on the interface
          named in the INTERFACES column and substitute them in this
          column.</para>
          <para>Finally, you may also specify a comma-separated list of ranges
          and/or addresses in this column.</para>
          <para>This column may not contain DNS Names.</para>
          <para>Normally, Netfilter will attempt to retain the source port
          number. You may cause netfilter to remap the source port by
          following an address or range (if any) by ":" and a port range with
          the format
          <emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If this
          is done, you must specify "tcp" or "udp" in the PROTO column.</para>
          <para>Examples:</para>
          <programlisting>        192.0.2.4:5000-6000
        :4000-5000</programlisting>
          <para>If you simply place <emphasis role="bold">NONAT</emphasis> in
          this column, no rewriting of the source IP address or port number
          will be performed. This is useful if you want particular traffic to
          be exempt from the entries that follow in the file.</para>
          <para>If you want to leave this column empty but you need to specify
          the next column then place a hyphen ("-") here.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
        <listitem>
          <para>If you wish to restrict this entry to a particular protocol
          then enter the protocol name (from protocols(5)) or number
          here.</para>
          <para>Beginning with Shorewall 4.5.12, this column can accept a
          comma-separated list of protocols.</para>
          <para>Beginning with Shorewall 4.6.0, an
          <replaceable>ipset</replaceable> name can be specified in this
          column. This is intended to be used with
          <firstterm>bitmap:port</firstterm> ipsets.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">PORT</emphasis> (Optional) -
        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
        <listitem>
          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
          SCTP (132) or UDPLITE (136) then you may list one or more port
          numbers (or names from services(5)) or port ranges separated by
          commas.</para>
          <para>Port ranges are of the form
          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
          <para>Beginning with Shorewall 4.6.0, an
          <replaceable>ipset</replaceable> name can be specified in this
          column. This is intended to be used with
          <firstterm>bitmap:port</firstterm> ipsets.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
        [<emphasis>option</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
        <listitem>
          <para>If you specify a value other than "-" in this column, you must
          be running kernel 2.6 and your kernel and iptables must include
          policy match support.</para>
          <para>Comma-separated list of options from the following. Only
          packets that will be encrypted via an SA that matches these options
          will have their source address changed.</para>
          <variablelist>
            <varlistentry>
              <term><emphasis
              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
              <listitem>
                <para>where <emphasis>number</emphasis> is specified using
                setkey(8) using the 'unique:<emphasis>number</emphasis> option
                for the SPD level.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
              <listitem>
                <para>where <emphasis>number</emphasis> is the SPI of the SA
                used to encrypt/decrypt packets.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">proto=</emphasis><emphasis
              role="bold">ah</emphasis>|<emphasis
              role="bold">esp</emphasis>|<emphasis
              role="bold">ipcomp</emphasis></term>
              <listitem>
                <para>IPSEC Encapsulation Protocol</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
              <listitem>
                <para>sets the MSS field in TCP packets</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">mode=</emphasis><emphasis
              role="bold">transport</emphasis>|<emphasis
              role="bold">tunnel</emphasis></term>
              <listitem>
                <para>IPSEC mode</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
              <listitem>
                <para>only available with mode=tunnel</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
              <listitem>
                <para>only available with mode=tunnel</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">strict</emphasis></term>
              <listitem>
                <para>Means that packets must match all rules.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">next</emphasis></term>
              <listitem>
                <para>Separates rules; can only be used with strict</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">yes</emphasis></term>
              <listitem>
                <para>When used by itself, causes all traffic that will be
                encrypted/encapsulated to match the rule.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
        role="bold">:C</emphasis>]</term>
        <listitem>
          <para>Defines a test on the existing packet or connection mark. The
          rule will match only if the test returns true.</para>
          <para>If you don't want to define a test but need to specify
          anything in the following columns, place a "-" in this field.</para>
          <variablelist>
            <varlistentry>
              <term>!</term>
              <listitem>
                <para>Inverts the test (not equal)</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>value</emphasis></term>
              <listitem>
                <para>Value of the packet or connection mark.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>mask</emphasis></term>
              <listitem>
                <para>A mask to be applied to the mark before testing.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">:C</emphasis></term>
              <listitem>
                <para>Designates a connection mark. If omitted, the packet
                mark's value is tested.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
        <listitem>
          <para>This column was formerly labelled USER/GROUP.</para>
          <para>Only locally-generated connections will match if this column
          is non-empty.</para>
          <para>When this column is non-empty, the rule matches only if the
          program generating the output is running under the effective
          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
          specified (or is NOT running under that id if "!" is given).</para>
          <para>Examples:</para>
          <variablelist>
            <varlistentry>
              <term>joe</term>
              <listitem>
                <para>program must be run by joe</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>:kids</term>
              <listitem>
                <para>program must be run by a member of the 'kids'
                group</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>!:kids</term>
              <listitem>
                <para>program must not be run by a member of the 'kids'
                group</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>+upnpd</term>
              <listitem>
                <para>#program named upnpd</para>
                <important>
                  <para>The ability to specify a program name was removed from
                  Netfilter in kernel version 2.6.14.</para>
                </important>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SWITCH -
        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
          rule without requiring <command>shorewall restart</command>.</para>
          <para>The rule is enabled if the value stored in
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. The rule is disabled if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
          if the file contains 0.</para>
          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
          '@{0}' are replaced by the name of the chain to which the rule is a
          added. The <replaceable>switch-name</replaceable> (after '@...'
          expansion) must begin with a letter and be composed of letters,
          decimal digits, underscores or hyphens. Switch names must be 30
          characters or less in length.</para>
          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>
          <simplelist>
            <member><command>echo 1 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
          <simplelist>
            <member><command>echo 0 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
          <para>Beginning with Shorewall 4.5.10, when the
          <replaceable>switch-name</replaceable> is followed by
          <option>=0</option> or <option>=1</option>, then the switch is
          initialized to off or on respectively by the
          <command>start</command> command. Other commands do not affect the
          switch setting.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
        <listitem>
          <para>(Optional) Added in Shorewall 4.5.6. This column may be
          included and may contain one or more addresses (host or network)
          separated by commas. Address ranges are not allowed. When this
          column is supplied, rules are generated that require that the
          original destination address matches one of the listed addresses. It
          is useful for specifying that SNAT should occur only for connections
          that were acted on by a DNAT when they entered the firewall.</para>
          <para>This column was formerly labelled ORIGINAL DEST.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">PROBABILITY</emphasis> -
        [<replaceable>probability</replaceable>]</term>
        <listitem>
          <para>Added in Shorewall 5.0.0. When non-empty, requires the
          <firstterm>Statistics Match</firstterm> capability in your kernel
          and ip6tables and causes the rule to match randomly but with the
          given <replaceable>probability</replaceable>. The
          <replaceable>probability</replaceable> is a number 0 &lt;
          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
          at up to 8 decimal points of precision.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>Examples</title>
    <variablelist>
      <varlistentry>
        <term>IPv4 Example 1:</term>
        <listitem>
          <para>You have a simple masquerading setup where eth0 connects to a
          DSL or cable modem and eth1 connects to your local network with
          subnet 192.168.0.0/24.</para>
          <para>Your entry in the file will be:</para>
          <programlisting>        #INTERFACE   SOURCE
        eth0    192.168.0.0/24</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv4 Example 2:</term>
        <listitem>
          <para>You add a router to your local network to connect subnet
          192.168.1.0/24 which you also want to masquerade. You then add a
          second entry for eth0 to this file:</para>
          <programlisting>        #INTERFACE   SOURCE
        eth0         192.168.1.0/24</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv4 Example 3:</term>
        <listitem>
          <para>You have an IPSEC tunnel through ipsec0 and you want to
          masquerade packets coming from 192.168.1.0/24 but only if these
          packets are destined for hosts in 10.1.1.0/24:</para>
          <programlisting>        #INTERFACE              SOURCE
        ipsec0:10.1.1.0/24      196.168.1.0/24</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv4 Example 4:</term>
        <listitem>
          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
          to use source address 206.124.146.176 which is NOT the primary
          address of eth0. You want 206.124.146.176 to be added to eth0 with
          name eth0:0.</para>
          <programlisting>        #INTERFACE              SOURCE          ADDRESS
        eth0:0                  192.168.1.0/24  206.124.146.176</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv4 Example 5:</term>
        <listitem>
          <para>You want all outgoing SMTP traffic entering the firewall from
          172.20.1.0/29 to be sent from eth0 with source IP address
          206.124.146.177. You want all other outgoing traffic from
          172.20.1.0/29 to be sent from eth0 with source IP address
          206.124.146.176.</para>
          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
        eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
        eth0         172.20.1.0/29    206.124.146.176</programlisting>
          <warning>
            <para>The order of the above two rules is significant!</para>
          </warning>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv4 Example 6:</term>
        <listitem>
          <para>Connections leaving on eth0 and destined to any host defined
          in the ipset <emphasis>myset</emphasis> should have the source IP
          address changed to 206.124.146.177.</para>
          <programlisting>        #INTERFACE              SOURCE          ADDRESS
        eth0:+myset[dst]        -               206.124.146.177</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv4 Example 7:</term>
        <listitem>
          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
          (Shorewall 4.5.9 and later).</para>
          <programlisting>/etc/shorewall/tcrules:
       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
 /etc/shorewall/masq:
       #INTERFACE SOURCE         ADDRESS     ...
       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
       eth0       192.168.1.0/24 1.1.1.9 ; mark=3:C</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv4 Example 8:</term>
        <listitem>
          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
          70.90.191.123. You want to use the iptables statistics match to
          masquerade outgoing connections evenly between these two
          addresses.</para>
          <programlisting>/etc/shorewall/masq:
       #INTERFACE    SOURCE         ADDRESS 
       INLINE(eth1)  0.0.0.0/0      70.90.191.121 ;  -m statistic --mode random --probability 0.50
       eth1          0.0.0.0/0      70.90.191.123 
 </programlisting>
          <para>If INLINE_MATCHES=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
          these rules may be specified as follows:</para>
          <programlisting>/etc/shorewall/masq:
       #INTERFACE    SOURCE         ADDRESS 
       eth1          0.0.0.0/0      70.90.191.121 ;  -m statistic --mode random --probability 0.50
       eth1          0.0.0.0/0      70.90.191.123 
 </programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 1:</term>
        <listitem>
          <para>You have a simple 'masquerading' setup where eth0 connects to
          a DSL or cable modem and eth1 connects to your local network with
          subnet 2001:470:b:787::0/64</para>
          <para>Your entry in the file will be:</para>
          <programlisting>        #INTERFACE   SOURCE                  ADDRESS
        eth0         2001:470:b:787::0/64    -</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 2:</term>
        <listitem>
          <para>Your sit1 interface has two public IP addresses:
          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
          iptables statistics match to masquerade outgoing connections evenly
          between these two addresses.</para>
          <programlisting>/etc/shorewall/masq:
       #INTERFACE    SOURCE         ADDRESS 
       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
       sit1          ::/0           2001:470:a:227::2 
 </programlisting>
          <para>If INLINE_MATCHES=Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
          then these rules may be specified as follows:</para>
          <programlisting>/etc/shorewall/masq:
       #INTERFACE    SOURCE         ADDRESS 
       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
       sit1          ::/0           2001:470:a:227::2</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>FILES</title>
    <para>/etc/shorewall/masq</para>
    <para>/etc/shorewall6/masq</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
    <para>shorewall(8)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-params.xml
+++ b/Shorewall/manpages/shorewall-params.xml
@@ -26,10 +26,8 @@
    <title>Description</title>
    <para>Assign any shell variables that you need in this file. The file is
-    always processed by <filename>/bin/sh</filename> or by the shell specified
+    always processed by <filename>/bin/sh</filename> so the full range of
-    through SHOREWALL_SHELL in <ulink
+    shell capabilities may be used.</para>
    url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5) so the full
    range of shell capabilities may be used.</para>
    <para>It is suggested that variable names begin with an upper case letter
    to distinguish them from variables used internally within the Shorewall
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -84,8 +84,8 @@
          <para>If PROVIDER_OFFSET is non-zero in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases, the
+          the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases,
-          number of significant bits may not exceed PROVIDER_OFFSET +
+          the number of significant bits may not exceed PROVIDER_OFFSET +
          PROVIDER_BITS.</para>
        </listitem>
      </varlistentry>
@@ -117,6 +117,12 @@
          specified unless <option>loose</option> is given in the OPTIONS
          column of this entry.</para>
          <important>
            <para>For IPv6, if the interface is an Ethernet device and an IP
            address is supplied, it should be the upstream router's link-level
            address, not its global address.</para>
          </important>
          <para>Where more than one provider is serviced through a single
          interface, the <emphasis>interface</emphasis> must be followed by a
          colon and the IP <emphasis>address</emphasis> of the interface that
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -461,12 +461,13 @@
              <listitem>
                <para>Added in Shorewall 4.5.16. This action allows you to
                construct most of the rule yourself using iptables syntax. The
-                part that you specify must follow a semicolon (';') and is
+                part that you specify must follow two semicolons (';;')
 		and is
                completely free-form. If the target of the rule (the part
                following 'j') is something that Shorewall supports in the
                ACTION column, then you may enclose it in parentheses (e.g.,
                INLINE(ACCEPT)). Otherwise, you can include it after the
-                semicolon. In this case, you must declare the target as a
+                semicolon(s). In this case, you must declare the target as a
                builtin action in <ulink
                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
@@ -489,7 +490,7 @@
                    necessarily be at the end of the generated rule. For
                    example, if addresses are specified in the SOURCE and/or
                    DEST columns, their generated matches will appear after
-                    those specified using ';'.</para>
+                    those specified using ';;' or ';'.</para>
                  </listitem>
                </itemizedlist>
              </listitem>
--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -253,10 +253,10 @@
        <listitem>
          <para>Set of hosts that you wish to masquerade. You can specify this
          as an <emphasis>address</emphasis> (net or host) or as an
-          <emphasis>interface</emphasis> (use of an
+          <emphasis>interface</emphasis>. Unless you want to perform SNAT in
-          <emphasis>interface</emphasis> is deprecated). If you give the name
+          the INPUT chain (see DEST below), if you give the name of an
-          of an interface, the interface must be up before you start the
+          interface (deprecated), the interface must be up before you start
-          firewall and the Shorewall rules compiler will warn you of that
+          the firewall and the Shorewall rules compiler will warn you of that
          fact. (Shorewall will use your main routing table to determine the
          appropriate addresses to masquerade).</para>
@@ -267,15 +267,18 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">DEST</emphasis> - {[<emphasis
+        <term><emphasis role="bold">DEST</emphasis> -
-        role="bold">+</emphasis>]<emphasis>interface</emphasis>[<emphasis
+        {<emphasis>interface</emphasis>[<emphasis
-        role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
+        role="bold">:</emphasis><emphasis>digit][,</emphasis><emphasis>interface</emphasis>[<emphasis
        role="bold">:</emphasis><emphasis>digit</emphasis>]]...|$FW}[<emphasis
        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]}</term>
+        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]</term>
        <listitem>
-          <para>Outgoing <emphasis>interface</emphasis>. This is usually your
+          <para>Outgoing <emphasis>interface</emphasis>s and destination
-          internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
+          networks. Multiple interfaces may be listed when the ACTION is
          MASQUERADE, but this is usually just your internet interface. If
          ADD_SNAT_ALIASES=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
          may add ":" and a <emphasis>digit</emphasis> to indicate that you
          want the alias added with that name (e.g., eth0:0). This will allow
@@ -283,6 +286,10 @@
          is the only use for the alias name; it may not appear in any other
          place in your Shorewall configuration.</emphasis></para>
          <para>Beginning with Shorewall 5.1.12, SNAT may be performed in the
          nat table's INPUT chain by specifying $FW rather than one or more
          interfaces. </para>
          <para>Each interface must match an entry in <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
          Shorewall allows loose matches to wildcard entries in <ulink
--- a/Shorewall/manpages/shorewall-tcdevices.xml
+++ b/Shorewall/manpages/shorewall-tcdevices.xml
@@ -112,7 +112,7 @@
          ppp interfaces, you need to put them all in here!</para>
          <para>If the device doesn't exist, a warning message will be issued
-          during "shorewall [re]start" and "shorewall refresh" and traffic
+          during "shorewall [re]start" and "shorewall reload" and traffic
          shaping configuration will be skipped for that device.</para>
          <para>Shorewall assigns a sequential <firstterm>interface
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -463,7 +463,8 @@
      <varlistentry>
        <term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+        role="bold">Yes</emphasis>|<emphasis
        role="bold">No</emphasis>|<option>recursive</option>|<replaceable>depth</replaceable>]</term>
        <listitem>
          <para>If set, the behavior of the <command>start</command>,
@@ -481,6 +482,27 @@
          <command>restart</command> command includes a directory name
          (e.g.,<command> shorewall restart
          /etc/shorewall.new</command>).</para>
          <para>When AUTOMAKE=Yes, each directory in the CONFIG_PATH was
          originally searched recursively for files newer than the compiled
          script. That was changed in Shorewall 5.1.10.2 such that only the
          listed directories themselves were searched. That broke some
          configurations that played tricks with embedded SHELL such as
          "<command>SHELL cat /etc/shorewall/rules.d/loc/*.rules".</command>
          Prior to 5.1.10.2, a change to a file in or adding a file to
          /etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning
          with 5.1.10.2, such changes would not trigger recompilation.
          Beginning with Shorewall 5.2.0, the pre-5.1.10.2 behavior can be
          obtained by setting AUTOMAKE=recursive.</para>
          <para>Also beginning with Shorewall 5.2.0, AUTOMAKE may be set to a
          numeric <replaceable>depth</replaceable> which specifies how deeply
          each listed directory is to be searched. AUTOMAKE=1 only searches
          each directory itself and is equivalent to AUTOMAKE=Yes. AUTOMAKE=2
          will search each directory and its immediate sub-directories;
          AUTOMAKE=3 will search each diretory, each of its immediate
          sub-directories, and each of their immediate sub-directories,
          etc.</para>
        </listitem>
      </varlistentry>
@@ -565,13 +587,12 @@
          respectively and were added in Shorewall 4.4.20. They require
          AUDIT_TARGET in the kernel and iptables.</para>
-          <para>The BLACKLIST_DISPOSITION setting has no effect on entries in
+          <para>The BLACKLIST_DISPOSITION setting determines the disposition
-          the BLACKLIST section of <ulink
+          of packets sent to the <emphasis role="bold">blacklog</emphasis>
-          url="/manpages/shorewall-rules.html">shorewall-rules</ulink> (5). It
+          target of <ulink
          determines the disposition of packets sent to the <emphasis
          role="bold">blacklog</emphasis> target of <ulink
          url="/manpages/shorewall-blrules.html">shorewall-blrules
-          </ulink>(5).</para>
+          </ulink>(5), but otherwise does not affect entries in that
          file.</para>
        </listitem>
      </varlistentry>
@@ -1142,36 +1163,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">INLINE_MATCHES=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
          <para>Added in Shorewall 4.6.0. Traditionally in <ulink
          url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5), a
          semicolon separates column-oriented specifications on the left from
          <ulink url="/configuration_file_basics.htm#Pairs">alternative
          specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
          specified, the specifications on the right are interpreted as if
          INLINE had been specified in the ACTION column. This also applies to
          <ulink url="/manpages/shorewall-masq.html">shorewall-masq(5)</ulink>
          and <ulink
          url="/manpages/shorewall-mangle.html">shorewall-mangle(5</ulink>)
          which also support INLINE. If not specified or if specified as the
          empty value, the value 'No' is assumed for backward
          compatibility.</para>
          <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
          set INLINE_MATCHES=Yes in order to be able to specify your own
          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
          Beginning with 5.0.0, you may simply preface your text with a pair
          of semicolons (";;"). If alternate input is also specified in the
          rule, it should appear before the semicolons and may be separated
          from normal column input by a single semicolon or enclosed in curly
          braces ("{....}").</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
@@ -1349,10 +1340,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
            running, you should remove the file
            <filename>/var/lib/shorewall/rt_tables</filename>
            (<filename>/var/lib/shorewall-lite/rt_tables</filename>) before
-            your next <command>stop</command>, <command>refresh</command>,
+            your next <command>stop</command>, <command>restore</command>,
-            <command>restore</command>, <emphasis
+            <emphasis role="bold">reload</emphasis> or
-            role="bold">reload</emphasis> or <command>restart</command>
+            <command>restart</command> command.</para>
            command.</para>
          </blockquote>
          <para>IPv6:</para>
@@ -1366,10 +1356,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
            is running, you should remove the file
            <filename>/var/lib/shorewall6/rt_tables</filename>
            (<filename>/var/lib/shorewall6-lite/rt_tables</filename>) before
-            your next <command>stop</command>, <command>refresh</command>,
+            your next <command>stop</command>, <command>restore</command>,
-            <command>restore</command>, <emphasis
+            <emphasis role="bold">reload</emphasis> or
-            role="bold">reload</emphasis> or <command>restart</command>
+            <command>restart</command> command.</para>
            command.</para>
          </blockquote>
          <important>
@@ -1451,6 +1440,24 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">LOG_ZONE=</emphasis>[<emphasis
        role="bold"><option>src</option>|<option>dst</option>|<option>both</option></emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.2.0. When a log message is issued from a
          chain that relates to a pair of zones (e.g, 'fw-net'), the chain
          name normally appears in the log message (unless LOGTAGONLY=Yes and
          a log tag is specified). This can prevent OPTIMIZE category 8 from
          combining chains which are identical except for the names of the
          zones involved. LOG_ZONE allows for only the source or destination
          zone to appear in the messages by setting LOG_ZONE to
          <option>src</option> or <option>dest</option> respectively. If
          LOG_ZONE=<option>both</option> (the default), then the full chain
          name is included in log messages.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[:<replaceable>log-tag</replaceable>]</term>
@@ -1810,19 +1817,6 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">MAPOLDACTIONS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>IPv4 only.</para>
          <para>This option is included for compatibility with old Shorewall
          configuration. New installs should always have
          MAPOLDACTIONS=No.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2148,6 +2142,14 @@ LOG:info:,bar                        net                    fw</programlisting>
              <para>Optimization category 8 - Added in Shorewall 4.4.9. When
              set, causes chains with identical rules to be collapsed into a
              single chain.</para>
              <warning>
                <para>While Optimization category 8 can significantly reduce
                the size of the generated iptables ruleset, it can also take
                significant system resources during compilation. If you find
                that compilation takes an unreasonably long time, try
                disabling this category by setting OPTIMIZE=23.</para>
              </warning>
            </listitem>
            <listitem>
@@ -2220,7 +2222,8 @@ LOG:info:,bar                        net                    fw</programlisting>
          <para>In versions prior to 5.1.0, the default value is zero which
          disables all optimizations. Beginning with Shorewall 5.1.0, the
-          default value is All which enables all optimizations.</para>
+          default value is <emphasis role="bold">All</emphasis> which enables
          all optimizations.</para>
        </listitem>
      </varlistentry>
@@ -2466,6 +2469,20 @@ INLINE          -       -       -       ;; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">RENAME_COMBINED=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.2.0. Traditionally, when OPTIMIZE
          category 8 is enabled, identical chains are combined under a name
          beginning with '~comb' or '~blacklist'. This behavior is maintained
          under the default setting RENAME_COMBINED=Yes. If
          RENAMED_COMBINED=No, the chains are combined under the original name
          of one of the chains.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">REQUIRE_INTERFACE=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2765,7 +2782,6 @@ INLINE          -       -       -       ;; -j REJECT
          of each <emphasis role="bold">start</emphasis>, <emphasis
          role="bold">reload</emphasis>, <emphasis
          role="bold">restart</emphasis>, <emphasis
          role="bold">refresh</emphasis>, <emphasis
          role="bold">try</emphasis>, and <emphasis
          role="bold">safe-</emphasis>* command. Logging verbosity is
          determined by the setting of LOG_VERBOSITY above.</para>
--- a/Shorewall6-lite/lib.base
+++ b/Shorewall6-lite/lib.base
@@ -1,5 +1,5 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall6-lite/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall6-lite/lib.base
 #
 #     (c) 2011, 2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -44,6 +44,8 @@ LOG_BACKEND=
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=
@@ -170,8 +172,6 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Keep
@@ -200,6 +200,8 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=Yes
 REQUIRE_INTERFACE=Yes
 RESTART=restart
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -45,6 +45,8 @@ LOG_BACKEND=
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=
@@ -171,8 +173,6 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Keep
@@ -201,6 +201,8 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=Yes
 REQUIRE_INTERFACE=No
 RESTART=restart
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -44,6 +44,8 @@ LOG_BACKEND=
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
@@ -170,8 +172,6 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Keep
@@ -200,6 +200,8 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=Yes
 REQUIRE_INTERFACE=No
 RESTART=restart
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -44,6 +44,8 @@ LOG_BACKEND=
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
@@ -170,8 +172,6 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Keep
@@ -200,6 +200,8 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=Yes
 REQUIRE_INTERFACE=No
 RESTART=restart
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -8,9 +8,6 @@
 #
 ###############################################################################
 #ACTION
 A_Drop				# Audited Default Action for DROP policy
 A_Reject			# Audited Default Action for REJECT policy
 A_AllowICMPs proto=58		# Audited Accept needed ICMP6 types
 AllowICMPs   proto=58		# Accept needed ICMP6 types
 allowBcast   inline		# Silently Allow Broadcast
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
@@ -19,7 +16,6 @@ AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
 Broadcast    noinline		# Handles Broadcast/Anycast
 Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
 dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
@@ -38,7 +34,6 @@ Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 Multicast    noinline		# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline,proto=6	# Handles TCP packets that do not have SYN=1 and ACK=0
 Reject				# Default Action for REJECT policy (deprecated)
 rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -44,6 +44,8 @@ LOG_BACKEND=
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
@@ -170,8 +172,6 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Keep
@@ -200,6 +200,8 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=Yes
 REQUIRE_INTERFACE=No
 RESTART=restart
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -81,8 +81,9 @@
    <orderedlist>
      <listitem>
        <para>Built-in Actions. These actions are known by the Shorewall code
-        itself. They are listed in the comments at the top of the file
+        itself. They were formerly listed in the comments at the top of the
-        <filename>/usr/share/shorewall/actions.std</filename>.</para>
+        file <filename>/usr/share/shorewall/actions.std</filename>. They have
        now been replaced by Standard Actions.</para>
      </listitem>
      <listitem>
@@ -115,8 +116,11 @@ ACCEPT   -              -               tcp     135,139,445</programlisting>
        file to <filename class="directory">/etc/shorewall</filename> (or
        somewhere else on your CONFIG_PATH) and modify the copy.</para>
-        <para>Standard Actions have been largely replaced by <ulink
+        <para>You can see a list of the standard actions with a short
-        url="Macros.html">macros</ulink> .</para>
+        description of each action using the <command>shorewall show
        actions</command> command. You can display the contents of
        action.<replaceable>name </replaceable>by typing s<command>horewall
        show action <replaceable>name</replaceable></command>.</para>
      </listitem>
      <listitem>
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@@ -762,7 +762,6 @@ MANGLE_ENABLED=Yes
 MULTIPORT=Yes
 XMULTIPORT=Yes
 CONNTRACK_MATCH=Yes
 USEPKTTYPE=Yes
 POLICY_MATCH=Yes
 PHYSDEV_MATCH=Yes
 PHYSDEV_BRIDGE=Yes
--- a/docs/Events.xml
+++ b/docs/Events.xml
@@ -680,7 +680,7 @@ Knock                                          #Port Knocking</programlisting>
      <para><filename>/etc/shorewall/action.Knock</filename>:</para>
      <programlisting>#
-# Shorewall version 4 - SSH_BLACKLIST Action
+# Shorewall version 4 - Port-Knocking Action
 #
 ?format 2
 ###############################################################################
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -2225,7 +2225,8 @@ Creating input Chains...
        <listitem>
          <para>Don't start Shorewall at boot time (Debian and Ubuntu users
          may simply set startup=0 in
-          <filename>/etc/default/shorewall</filename>).</para>
+          <filename>/etc/default/shorewall</filename>) or disable in systemd
          using <command>systemctl disable shorewall.service</command>.</para>
        </listitem>
        <listitem>
@@ -2349,6 +2350,22 @@ gateway:~# </programlisting>
          <command>reload</command> avoids the <command>stop</command>
          part.</para>
        </listitem>
        <listitem>
          <para>Use a capabilities file:</para>
          <itemizedlist>
            <listitem>
              <para>Run <command>shorewall show -f capabilties &gt;
              /etc/shorewall/capabilities </command></para>
            </listitem>
            <listitem>
              <para>Rerun that command each time you install a new kernel or a
              new version of shorewall.</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </orderedlist>
    </section>
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -107,7 +107,7 @@
    requires an appropriate SA to exist. SAs may be created manually using
    <command>setkey</command>(8) but most often, they are created by a
    cooperative process involving the ISAKMP protocol and a daemon included in
-    your IPSEC package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.) .
+    your IPsec package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.) .
    Incoming traffic is verified against the SPD to ensure that no unencrypted
    traffic is accepted in violation of the administrator's policies.</para>
@@ -227,7 +227,7 @@
    <important>
      <para>This article provides guidance regarding configuring Shorewall to
-      use with IPSEC. For configuring IPSEC itself, consult your IPSEC
+      use with IPsec. For configuring IPsec itself, consult your IPsec
      product's documentation.</para>
    </important>
  </section>
@@ -681,4 +681,75 @@ ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</prog
      the INPUT chain.</para>
    </important>
  </section>
  <section>
    <title>Using SNAT to Force Traffic over an IPsec Tunnel</title>
    <para>Cases can arise where you need to use an IPsec tunnel to access a
    remote network, but you have no control over the associated security
    polices. In such cases, the resulting tunnel is accessible from your
    firewall but not from your local networks.</para>
    <para>Let's take an example:</para>
    <itemizedlist>
      <listitem>
        <para>Remote gateway 192.0.2.26</para>
      </listitem>
      <listitem>
        <para>Remote subnet 172.22.4.0/24</para>
      </listitem>
      <listitem>
        <para>Your public IP address is 192.0.2.199</para>
      </listitem>
      <listitem>
        <para>Your Internet-facing interface is eth0</para>
      </listitem>
      <listitem>
        <para>Your local network is 192.168.219.0/24</para>
      </listitem>
      <listitem>
        <para>You want to access 172.22.4.0/24 from 192.168.219.0/24</para>
      </listitem>
      <listitem>
        <para>The IPsec tunnel is configured between 172.22.4.0/24 and
        192.0.2.199</para>
      </listitem>
    </itemizedlist>
    <para>You need to configure as follows.</para>
    <para>/etc/shorewall/zones:</para>
    <programlisting>#ZONE        TYPE       OPTIONS
 ...
 vpn          ip         # Note that the zone <emphasis role="bold">cannot</emphasis> be declared as type ipsec
 ...</programlisting>
    <para>/etc/shorewall/interfaces:</para>
    <programlisting>#ZONE         INTERFACE                 OPTIONS
 net           eth0                      nets=(!172.22.4.0/24),...   # You must exclude the remote network from the net zone</programlisting>
    <para>/etc/shorewall/hosts:</para>
    <programlisting>#ZONE         HOSTS                     OPTIONS
 vpn           eth0:172.22.4.0/24        mss=1380,destonly
 vpn           eth0:0.0.0.0/0            mss=1380,ipsec</programlisting>
    <para>/etc/shorewall/snat:</para>
    <programlisting>SNAT(192.0.2.199)    192.168.219.0/24      eth0:172.22.4.0/24</programlisting>
    <para>/etc/shorewall/tunnels:</para>
    <programlisting>#TYPE            ZONE      GATEWAY            GATEWAY_ZONE
 ipsec            net       192.0.2.26         vpn</programlisting>
  </section>
 </article>
--- a/docs/Macros.xml
+++ b/docs/Macros.xml
@@ -102,6 +102,14 @@ PARAM    -       -       tcp     135,139,445</programlisting>
        somewhere else on your CONFIG_PATH) and modify the copy.</para>
      </listitem>
      <listitem>
        <para>You can see a list of the Standard Macros in your version of
        Shorewall using the <command>shorewall show macros</command> command.
        You can see the contents of the file
        macro.<replaceable>name</replaceable> by typing <command>shorewall
        show macro <replaceable>name</replaceable></command>.</para>
      </listitem>
      <listitem>
        <para>User-defined Macros. These macros are created by end-users. They
        are defined in macro.* files in /etc/shorewall or in another directory
@@ -796,19 +804,20 @@ bar:debug</programlisting>
    <orderedlist>
      <listitem>
-        <para>You can not associate an Extension Script with a macro <ulink
+        <para>Embedded Perl is <ulink url="???">much more useful in an
-        url="Actions.html#Extension">the way that you can with an
+        action</ulink> than it is in a macro. So if you need access to
-        Action</ulink>. So if you need access to iptables features not
+        iptables features not directly supported by Shorewall then you should
-        directly supported by Shorewall then you must use an action.</para>
+        use an action.</para>
      </listitem>
      <listitem>
-        <para>Macros are expanded in-line while each action is its own chain.
+        <para>Macros are expanded in-line while each action (that doesn't
-        So if there are a lot of rules involved in your new action/macro then
+        specify the inline option) is its own chain. So if there are a lot of
-        it is generally better to use an action than a macro. Only the packets
+        rules involved in your new action/macro then it is generally better to
-        selected when you invoke the action are directed to the corresponding
+        use an action than a macro. Only the packets selected when you invoke
-        chain. On the other hand, if there are only one or two rules involved
+        the action are directed to the corresponding chain. On the other hand,
-        in what you want to do then a macro is more efficient.</para>
+        if there are only one or two rules involved in what you want to do
        then a macro is more efficient.</para>
      </listitem>
    </orderedlist>
--- a/docs/Manpages.xml
+++ b/docs/Manpages.xml
@@ -93,7 +93,7 @@
        Supersedes tcrules and describes packet/connection marking.</member>
        <member><ulink url="manpages/shorewall-masq.html">masq</ulink> -
-        Define Masquerade/SNAT</member>
+        Define Masquerade/SNAT (deprecated)</member>
        <member><ulink url="manpages/shorewall-modules.html">modules</ulink> -
        Specify which kernel modules to load.</member>
@@ -137,6 +137,9 @@
        <member><ulink url="manpages/shorewall-secmarks.html">secmarks</ulink>
        - Attach an SELinux context to a packet.</member>
        <member><ulink url="manpages/shorewall-snat.html">snat</ulink> -
        Define Masquerade/SNAT</member>
        <member><ulink
        url="manpages/shorewall-tcclasses.html">tcclasses</ulink> - Define htb
        classes for traffic shaping.</member>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -1233,7 +1233,7 @@ gateway:~ #</programlisting>
        those clients. See<link linkend="Openvpn"> Example 2</link>
        below.</para>
-        <para>If you have an IPSEC gateway on your firewall, be sure to
+        <para>If you have an IPsec gateway on your firewall, be sure to
        arrange for ESP packets to be routed out of the same interface that
        you have configured your keying daemon to use.</para>
      </section>
--- a/docs/PortKnocking.xml
+++ b/docs/PortKnocking.xml
@@ -42,7 +42,8 @@
  <note>
    <para>The techniques described in this article were superseded in
-    Shorewall 4.5.19 with the introduction of Shorewall Events.</para>
+    Shorewall 4.5.19 with the introduction of <ulink
    url="Events.html">Shorewall Events</ulink>.</para>
  </note>
  <note>
--- a/docs/SharedConfig.xml
+++ b/docs/SharedConfig.xml
@@ -1021,7 +1021,7 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
    <section>
      <title>tunnels</title>
-      <para>Both address families define IPSEC tunnels:</para>
+      <para>Both address families define IPsec tunnels:</para>
      <programlisting>#TYPE			ZONE		GATEWAY			GATEWAY_ZONE
 ipsecnat {ZONE=net,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }
--- a/docs/Shorewall-5.xml
+++ b/docs/Shorewall-5.xml
@@ -24,6 +24,8 @@
      <year>2017</year>
      <year>2018</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -135,6 +137,21 @@
        <listitem>
          <para>CHAIN_SCRIPTS (Removed in Shorewall 5.1).</para>
        </listitem>
        <listitem>
          <para>MODULE_SUFFIX (Removed in Shorewall 5.1.7). Shorewall can now
          locate modules independent of their suffix (extension).</para>
        </listitem>
        <listitem>
          <para>INLINE_MATCHES (Removed in Shorewall 5.2). Inline matches are
          now separated from column-oriented input by two adjacent semicolons
          (";;").</para>
        </listitem>
        <listitem>
          <para>MAPOLDACTIONS (Removed in Shorewall 5.2). </para>
        </listitem>
      </itemizedlist>
      <para>A compilation warning is issued when any of these options are
@@ -173,17 +190,18 @@
      <title>Obsolete Configuration Files</title>
      <para>Support has been removed for the 'blacklist', 'tcrules',
-      'routestopped', 'notrack' and 'tos' files.</para>
+      'routestopped', 'notrack', 'tos' and 'masq' files.</para>
-      <para>The <option>-t</option> and <option>-b</option> options of the
+      <para>The <command>update</command> command is available to convert the
-      <command>update</command> command are still available to convert the
+      'tcrules' and 'tos' files to the equivalent 'mangle' file, to convert
-      'tcrules' and 'tos' files to the equivalent 'mangle' file and to convert
+      the 'blacklist' file into an equivalent 'blrules' file, and to convert
-      the 'blacklist' file into an equivalent 'blrules' file.</para>
+      the 'masq' file to the equivalent 'snat' file.</para>
-      <para>As in Shorewall 4.6.12, the <option>-s</option> option is
+      <para>As in Shorewall 4.6.12, the <command>update</command> command
-      available to convert the 'routestopped' file into the equivalent
+      converts the 'routestopped' file into the equivalent 'stoppedrules' file
-      'stoppedrules' file and the <option>-n</option> option is available to
+      and converts a 'notrack' file to the equivalent 'conntrack' file.</para>
-      convert a 'notrack' file to the equivalent 'conntrack' file.</para>
+
      <para>Note that in Shorewall 5.2, the update command </para>
    </section>
    <section>
@@ -367,6 +385,33 @@
        equivalent RESTART setting.</para>
      </note>
    </section>
    <section>
      <title>refresh</title>
      <para>Given the availability of ipset-based blacklisting, the
      <command>refresh</command> command was eliminated in Shorewall
      5.2.</para>
      <para>Some users may have been using <command>refresh</command> as a
      lightweight form of <command>reload</command>. The most common of these
      uses seem to be for reloading traffic shaping after an interface has
      gone down and come back up. The best way to handle this situation under
      5.2 is to make the interface 'optional' in your
      /etc/shorewall[6]/interfaces file, then either:</para>
      <itemizedlist>
        <listitem>
          <para>Install Shorewall-init and enable IFUPDOWN; or</para>
        </listitem>
        <listitem>
          <para>Use the <command>reenable</command> command when the interface
          comes back up in place of the <command>refresh</command>
          command.</para>
        </listitem>
      </itemizedlist>
    </section>
  </section>
  <section>
@@ -423,9 +468,14 @@
  <section>
    <title>Upgrading to Shorewall 5</title>
-    <para>It is strongly recommended that you first upgrade your installation
+    <para><important>
-    to a 4.6 release that supports the <option>-A</option> option to the
+        <para>For detailed upgrade information, please consult the 'Migration
-    <command>update</command> command; 4.6.13.2 or later is preferred.</para>
+        Issues' section of the release notes for the version that you are
        upgrading to.</para>
      </important>It is strongly recommended that you first upgrade your
    installation to a 4.6 release that supports the <option>-A</option> option
    to the <command>update</command> command; 4.6.13.2 or later is
    preferred.</para>
    <para>Once you are on that release, execute the <command>shorewall update
    -A</command> command (and <command>shorewall6 update -A</command> if you
@@ -445,7 +495,9 @@
    have been removed -- the updates triggered by those options are now
    performed unconditionally. The <option>-i </option>and <option>-A
    </option>options have been retained - both enable checking for issues that
-    could result if INLINE_MATCHES were to be set to Yes.</para>
+    could result if INLINE_MATCHES were to be set to Yes. The -i option was
    removed in Shorewall 5.2, given that the INLINE_MATCHES option was also
    removed.</para>
    <section>
      <title id="CHAIN_SCRIPTS">CHAIN_SCRIPTS Removal</title>
--- a/docs/Shorewall-Lite.xml
+++ b/docs/Shorewall-Lite.xml
@@ -709,7 +709,6 @@ MANGLE_ENABLED=Yes
 MULTIPORT=Yes
 XMULTIPORT=Yes
 CONNTRACK_MATCH=Yes
 USEPKTTYPE=Yes
 POLICY_MATCH=Yes
 PHYSDEV_MATCH=Yes
 PHYSDEV_BRIDGE=Yes
--- a/docs/VPN.xml
+++ b/docs/VPN.xml
@@ -43,7 +43,7 @@
    <para>It is often the case that a system behind the firewall needs to be
    able to access a remote network through Virtual Private Networking (VPN).
-    The two most common means for doing this are IPSEC and PPTP. The basic
+    The two most common means for doing this are IPsec and PPTP. The basic
    setup is shown in the following diagram:</para>
    <graphic fileref="images/VPN.png"/>
@@ -60,8 +60,8 @@
    modules file, Shorewall (Lite) will attempt to load these modules when
    Shorewall (Lite) is started.</para>
-    <para>If IPSEC is being used, you should configure IPSEC to use
+    <para>If IPsec is being used, you should configure IPsec to use
-    <firstterm>NAT Traversal</firstterm> -- Under NAT traversal the IPSEC
+    <firstterm>NAT Traversal</firstterm> -- Under NAT traversal the IPsec
    packets (protocol 50 or 51) are encapsulated in UDP packets (normally with
    destination port 4500). Additionally, <firstterm>keep-alive
    messages</firstterm> are sent frequently so that NATing gateways between
@@ -69,10 +69,10 @@
    way that I connect to the HP Intranet and it works flawlessly without
    anything in Shorewall other than my ACCEPT loc-&gt;net policy. NAT
    traversal is available as a patch for Windows 2K and is a standard feature
-    of Windows XP -- simply select "L2TP IPSec VPN" from the "Type of VPN"
+    of Windows XP -- simply select "L2TP IPsec VPN" from the "Type of VPN"
    pulldown.</para>
-    <para>Alternatively, if you have an IPSEC gateway behind your firewall
+    <para>Alternatively, if you have an IPsec gateway behind your firewall
    then you can try the following: only one system may connect to the remote
    gateway and there are firewall configuration requirements as
    follows:</para>
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@@ -508,7 +508,7 @@ rc-update add bridge boot
    packet arrived on and/or the bridge port that a packet will be sent over.
    The latter has proved to be problematic because it requires that the
    evaluation of rules be deferred until the destination bridge port is
-    known. This deferral has the unfortunate side effect that it makes IPSEC
+    known. This deferral has the unfortunate side effect that it makes IPsec
    Netfilter filtration incompatible with bridges. To work around this
    problem, in kernel version 2.6.20 the Netfilter developers decided to
    remove the deferred processing in two cases:</para>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -854,6 +854,12 @@ INLINE               net              $FW ; -m recent --rcheck 10 --hitcount 5 -
          semicolons (";;"). If alternate input is present, the adjacent
          semicolons should follow that input.</para>
          <caution>
            <para>INLINE_MATCHES=Yes is deprecated and will no longer be
            supported in Shorewall 5.2 and beyond. Use two adjacent semicolons
            to introduce inline matches.</para>
          </caution>
          <para>Example from the masq file that spits outgoing SNAT between
          two public IP addresses</para>
--- a/docs/images/Netfilter.dia
+++ b/docs/images/Netfilter.dia
--- a/docs/images/Netfilter.png
+++ b/docs/images/Netfilter.png
--- a/docs/ports.xml
+++ b/docs/ports.xml
@@ -242,7 +242,7 @@ IMAPS(ACCEPT)   &lt;source&gt;  &lt;destination&gt; # IMAP over SSL.</programlis
  </section>
  <section id="IPSEC">
-    <title>IPSEC</title>
+    <title>IPsec</title>
    <programlisting>#ACTION    SOURCE         DESTINATION      PROTO      DPORT
 ACCEPT     <emphasis>&lt;source&gt;</emphasis>  <emphasis>     &lt;destination&gt;</emphasis>    50     
@@ -252,8 +252,8 @@ ACCEPT     <emphasis>&lt;destination&gt;</emphasis>  <emphasis>&lt;source&gt;</e
 ACCEPT     <emphasis>&lt;destination&gt;</emphasis>  <emphasis>&lt;source&gt;</emphasis>         51
 ACCEPT     <emphasis>&lt;destination&gt;</emphasis>  <emphasis>&lt;source&gt;</emphasis>         udp        500</programlisting>
-    <para>Lots more information <ulink url="IPSEC.htm">here</ulink> and <ulink
+    <para>Lots more information <ulink url="IPSEC-2.6.html">here</ulink> and
-    url="VPN.htm">here</ulink>.</para>
+    <ulink url="VPN.htm">here</ulink>.</para>
  </section>
  <section id="LDAP">
--- a/docs/shorewall_features.xml
+++ b/docs/shorewall_features.xml
@@ -176,7 +176,7 @@
        <itemizedlist>
          <listitem>
-            <para><ulink url="manpages/shorewall-tunnels.html">IPSEC, GRE,
+            <para><ulink url="manpages/shorewall-tunnels.html">IPsec, GRE,
            IPIP and OpenVPN Tunnels</ulink>.</para>
          </listitem>
--- a/docs/simple_traffic_shaping.xml
+++ b/docs/simple_traffic_shaping.xml
@@ -268,7 +268,7 @@ eth0                   External</programlisting>
    <para>Simple Traffic Shaping is only appropriate on interfaces where
    output queuing occurs. As a consequence, you usually only use it on
-    extermal interfaces. There are cases where you may need to use it on an
+    external interfaces. There are cases where you may need to use it on an
    internal interface (a VPN interface, for example). If so, just add an
    entry to <ulink
    url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5):</para>
--- a/docs/support.xml
+++ b/docs/support.xml
@@ -42,7 +42,7 @@
    <itemizedlist>
      <listitem>
        <para>The currently-supported Shorewall <ulink
-        url="ReleaseModel.html">major release</ulink>s are 5.0 and 5.1.</para>
+        url="ReleaseModel.html">major release</ulink>s are 5.0 , 5.1 and 5.2.</para>
        <note>
          <para>Shorewall versions earlier than 5.0.0 are no longer supported;
@@ -277,7 +277,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
          </listitem>
          <listitem>
-            <para>If your problem has anything to do with IPSEC, be sure that
+            <para>If your problem has anything to do with IPsec, be sure that
            the ipsec-tools package is installed.</para>
          </listitem>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	ec21b03c5b	Correct handling of dbl=src_dst in interface OPTIONS Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-18 10:18:09 -07:00
Tom Eastep	25dcf8c5d6	Check for linkdown in interface_is_usable() rather than ..._is_up(). Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-18 07:56:06 -07:00
Tom Eastep	c02b71b530	Correct interface_is_up() to look for the 'state' as well as 'UP' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-12 08:09:46 -07:00
Tom Eastep	78269d57bc	Handle missing AUTOMAKE Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-10 11:12:23 -07:00
Tom Eastep	fc91648315	Avoid split_line2 confusion when processing a raw line Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-10 09:30:02 -07:00
Tom Eastep	067f435ac5	Update BLACKLIST_DEFAULT if Drop or Reject Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-06 13:31:54 -07:00
Tom Eastep	2039f38faf	Fix 'show saves' when there are no saves Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-05 13:27:37 -07:00
Tom Eastep	07654d8f8d	Fix 'compile -c' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-05 13:26:58 -07:00
Tom Eastep	b5e8f9bd50	Restore the read_yesno_with_timeout() function Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-04 08:52:40 -07:00
Tom Eastep	9c950082f6	Add new IPFS macros Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-04 08:45:39 -07:00
Matt Darfeuille	fc44eb7516	Update version to 5.2 in RC files - Mention LEDE distro in OpenWRT RC file Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-27 14:08:36 -07:00
Matt Darfeuille	bb89d509ea	Ipdecimal: Correct error when missing arguments Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-27 14:08:00 -07:00
Tom Eastep	6822803802	Correct Netfilter Diagram Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-18 15:53:01 -07:00
Tom Eastep	66edd76b10	Correct typo in patch merged from 5.1.12 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-15 08:46:05 -07:00
Matt Darfeuille	99be0ce970	Use a function to load configuration files Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-14 13:06:54 -07:00
Tom Eastep	98d5bf8f55	Correct 'reset' handling in 'IfEvent' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-13 09:22:29 -07:00
Tom Eastep	370901e873	Add link to Events.html from PortKnocking.html Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-13 08:50:19 -07:00
Tom Eastep	c59ff50de4	Process params file in remote_capture() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-13 08:49:35 -07:00
Matt Darfeuille	3df5c032da	Be more verbose when executing remote commands - Reword progress messages Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-12 11:12:39 -07:00
Tom Eastep	b997bfcd97	Update copyright of Shorewall 5 Document Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-10 10:44:38 -07:00
Tom Eastep	7630d3cdb1	Update Shorewall 5 Article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-10 10:00:52 -07:00
Tom Eastep	90df607d79	Finish removal of 'refresh command' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-30 15:30:34 -07:00
Matt Darfeuille	f012244acd	Add 5.2 as a supported Shorewall version Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-28 13:03:49 -07:00
Tom Eastep	5e2f1f573d	Unconditionally convert masq->snat Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-27 11:38:47 -07:00
Tom Eastep	011322992e	Revert "Delete masq file processing" This reverts commit `609ee8dea2`.	2018-03-27 11:08:33 -07:00
Tom Eastep	16bb41db15	Document 'getcaps', 'getrc' and 'show rc' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-27 09:54:32 -07:00
Tom Eastep	47a96e9ff9	Delete masq file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-26 15:57:49 -07:00
Tom Eastep	4a1d8ba0f9	delete shorewall-masq.xml Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-26 15:56:11 -07:00
Tom Eastep	7c99059a66	Supersede the masq file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-26 15:53:07 -07:00
Tom Eastep	609ee8dea2	Delete masq file processing - Automatically convert the masq file if it exists Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-26 11:40:22 -07:00
Matt Darfeuille	299ea2b41f	Update version to 5.2 - Remove unneeded punctuation marks Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-24 09:53:02 -07:00
Tom Eastep	224400833a	Correct port knocking action in the Events article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-24 09:47:56 -07:00
Tom Eastep	32f1ae1992	Make &lo work correctly Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-19 18:23:19 -07:00
Matt Darfeuille	9b5468cd4a	Add and document the show rc command Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-18 17:36:44 -07:00
Matt Darfeuille	47a59cdd7c	Add and document the remote-getcaps command Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-18 17:36:38 -07:00
Matt Darfeuille	676ca872d6	Add and document the remote-getrc command Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-18 17:36:33 -07:00
Matt Darfeuille	ef28208c0e	Use a more consistent name for function definition Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-18 17:36:20 -07:00
Matt Darfeuille	cdeb82bdab	Improve when to capture capabilities Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-18 17:35:42 -07:00
Tom Eastep	3be071ca3d	Up the INCLUDE depth limit to 20 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-12 14:39:53 -07:00
Tom Eastep	6f6abfc8cd	Clarify the processing of the params file in shorewall-params(5) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-08 08:51:36 -08:00
Tom Eastep	f99f3539d1	Recommend using the link-level IP of upstream IPv6 routers. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-05 16:42:15 -08:00
Tom Eastep	e08e239c00	Implement AUTOMAKE=recursive Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-03 15:50:56 -08:00
Tom Eastep	02ed6f26a9	Allow AUTOMAKE=<depth> to specify search depth Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-03-03 13:04:48 -08:00
Tom Eastep	9e002a7689	Be sure that mutex is released when exiting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-28 13:38:30 -08:00
Tom Eastep	34c5441768	Apply optimize category 16 again after 8 if 8 did anything Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-27 14:17:21 -08:00
Tom Eastep	c3d8cba042	Reverse the order of optimize 8 and optimize 16 application Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-23 15:01:47 -08:00
Tom Eastep	8bc97bcd35	Replace ${VARDIR}/firewall with $g_firewall in CLI Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-23 12:40:14 -08:00
Tom Eastep	c1a74b54fc	Implement RENAME_COMBINED Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-22 12:49:55 -08:00
Tom Eastep	88547f5140	Handle two-chain case when LOG_ZONE != 'Both' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-22 11:25:19 -08:00
Tom Eastep	4a714b3ab9	More INLINE_MATCHES changes Signed-off-by: Tom Eastep <teastep@shorewall.net> # Conflicts: # Shorewall/manpages/shorewall-mangle.xml # Shorewall/manpages/shorewall-rules.xml	2018-02-21 15:15:23 -08:00
Tom Eastep	7ad7598d5b	Implement LOG_ZONE Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-20 15:31:31 -08:00
Tom Eastep	4dfc6d90b9	Add 'logname' member to chain table entries. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-20 11:04:50 -08:00
Tom Eastep	0cb4a5c202	Correct "Invalid Policy Action" error message Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-19 10:04:18 -08:00
Tom Eastep	9a83365986	Remove the USEPKTTYPE capability Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-16 11:20:00 -08:00
Tom Eastep	bc65d29650	Add shorewallrc.sandbox Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-15 13:10:53 -08:00
Tom Eastep	9d3e8d6f6c	Tabify shorewalrc.debian.systemd Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-15 13:08:43 -08:00
Tom Eastep	8056b6fd85	Create the 'show saves' command. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-15 12:42:55 -08:00
Tom Eastep	db4a26cfa9	'update' changes for V5.2 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-13 09:21:15 -08:00
Tom Eastep	95e956c913	Complete removal of INLINE_MATCHES Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-13 09:20:31 -08:00
Tom Eastep	5e3795b5a4	Delete support for single semicolon in INLINE and IP[6]TABLES rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-12 19:12:03 -08:00
Tom Eastep	3402b1efb6	Correct documentation WRT ';' vs. ';;' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-12 19:11:01 -08:00
Tom Eastep	24e21e730e	Correct typo in add_common_rules() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-12 19:10:35 -08:00
Tom Eastep	421edccd3f	Delete INLINE_MATCHES from .conf files Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-12 19:09:42 -08:00
Tom Eastep	cf8a48f110	Delete deprecated actions and macros Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-12 19:08:18 -08:00
Tom Eastep	12bbbbfa2a	Merge branch '5.1.12' # Conflicts: # Shorewall/Perl/Shorewall/Config.pm	2018-02-09 17:16:12 -08:00
Tom Eastep	422911f06b	Update config file basics doc to discourage INLINE_MATCHES=Yes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-09 17:09:11 -08:00
Tom Eastep	2a12e0950a	Allow pairs in braces to appear with ';;' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-09 12:58:18 -08:00
Tom Eastep	9869dd25d7	Correct capitalization of IPsec Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-09 11:20:22 -08:00
Tom Eastep	e47b57fd4a	Replace macro.SSDPServer with corrected macro.SSDPserver Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-09 08:45:03 -08:00
Tom Eastep	3cbe0e7a1c	Describe IPSEC via SNAT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-08 14:33:54 -08:00
Tom Eastep	221753c3c0	INLINE_MATCHES=No in sample configs Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-08 12:53:20 -08:00
Tom Eastep	b14924bd64	New macros - Tuomo Soini Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-08 12:29:56 -08:00
Tom Eastep	c0a608ef84	Updated IPMI Macro (Tuomo Soini) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-08 11:59:55 -08:00
Tom Eastep	c518e85215	Clarify warning message regarding INLINE_MATCHES Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-08 11:21:38 -08:00
Roberto C. Sánchez	34fd10df41	Fix typo	2018-02-08 10:49:14 -08:00
Roberto C. Sánchez	e7004da47c	Fix typo	2018-02-08 10:49:06 -08:00
Tom Eastep	1fc97c50f1	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2018-02-08 10:47:57 -08:00
Roberto C. Sánchez	440d404780	Fix typo	2018-02-08 13:45:58 -05:00
Tom Eastep	91c76f7559	Add INLINE_MATCHES=Yes to deprecated option list - Issue a warning for each line requiring change. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-07 19:08:28 -08:00
Roberto C. Sánchez	eb224e653f	Fix typo	2018-02-07 21:53:40 -05:00
Tom Eastep	73b39abd62	Remove INLINE_MATCHES Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-07 14:41:49 -08:00
Tom Eastep	3903fe5fd9	Remove the 'refresh' command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-07 12:38:24 -08:00
Tom Eastep	a3e10157de	Merge branch '5.1.12'	2018-02-06 17:35:31 -08:00
Tom Eastep	2e4af68b98	Always report IPSET_MATCH in 'show capabilities' output. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-06 13:41:28 -08:00
Tom Eastep	de9f29d7d4	Update Actions article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-05 17:11:30 -08:00
Tom Eastep	99ddb17c9e	Update the Macros article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-05 17:11:05 -08:00
Tom Eastep	8ea9d0bbef	Mention capabilities file to speed up 'start' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-02 10:45:21 -08:00
Tom Eastep	ebe09a95b8	Lightweight format_rule() for use in digest creation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-02 09:27:19 -08:00
Tom Eastep	f32b304eb6	Describe disabling shorewall under systemd in the FAQs Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-31 14:59:15 -08:00
Tom Eastep	7bdd69d151	Optimization category 8 tweaks - Document cost of the category in shorewall.conf(5) - Omit DONT_DELETE chains from consideration right off the bat Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-31 14:58:01 -08:00
Tom Eastep	a08f0cfe10	Avoid awkward blank lines Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-30 19:15:10 -08:00
Tom Eastep	09a81ae574	Omit trailing black space from the generated script Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-30 14:31:54 -08:00
Tom Eastep	7042d586b2	Clarify BLACKLIST_DISPOSITION in shorewall.conf(5) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-30 13:54:03 -08:00
Tom Eastep	e17c4ac8af	Reorganize code around wait/Interface-variable fix Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-30 11:25:37 -08:00
Tom Eastep	a6000ee963	Reorganize code around wait/Interface-variable fix Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-30 11:25:04 -08:00
Tom Eastep	0ab1464f51	Merge branch '5.1.12'	2018-01-28 14:54:23 -08:00
Tom Eastep	789854adce	Revert "Correct order of optional interface and address variable handling" This reverts commit `fbee4a91fd`.	2018-01-28 14:54:06 -08:00
Tom Eastep	37101a2031	Merge branch '5.1.11' into 5.1.12	2018-01-28 13:15:42 -08:00
Tom Eastep	40bcfd15e5	Revert "Correct order of optional interface and address variable handling" This reverts commit `f4cae55c1e`.	2018-01-28 13:15:13 -08:00
Tom Eastep	230ab06e5d	Reverse order of required-interface and address variable processing Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-28 13:10:44 -08:00
Tom Eastep	09cda21dd4	Revert "Correct order of optional interface and address variable handling" This reverts commit `9253f90ac5`.	2018-01-28 12:29:38 -08:00
Tom Eastep	9253f90ac5	Correct order of optional interface and address variable handling Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-28 11:39:06 -08:00
Tom Eastep	f4cae55c1e	Correct order of optional interface and address variable handling Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-28 10:54:03 -08:00
Tom Eastep	fbee4a91fd	Correct order of optional interface and address variable handling Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-28 10:53:20 -08:00
Tom Eastep	cb7071a213	Clarify BLACKLIST_DISPOSITION in shorewall.conf(5) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-28 10:52:35 -08:00
Tom Eastep	cdf5ad45d5	Eliminate the MAPOLDACTIONS option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-24 12:59:26 -08:00
Tom Eastep	070a67d665	Deimplement OPTIMIZE_USE_FIRST Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-24 11:56:20 -08:00
Tom Eastep	9796c58eb2	Add OPTIMIZE_MASK constant Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-23 13:15:44 -08:00
Tom Eastep	cabc20957f	Delete an unnecessary variable Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-23 09:45:50 -08:00
Tom Eastep	a9a379c5a5	Implement INPUT SNAT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-22 16:37:38 -08:00
Tom Eastep	3bf5066f82	Document multiple DEST interfaces in the snat file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-22 11:12:28 -08:00
Tom Eastep	b2c33a0f9a	Add snat to the list of manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-22 10:48:58 -08:00
Tom Eastep	64f704a964	Improve quoting in the route-balancing logic Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-21 14:46:51 -08:00
Tom Eastep	416224ee05	Correct typos and anachronisms in Chains.pm comments Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-21 11:53:58 -08:00
Tom Eastep	92ce1beddc	Move read_yesno_with_timeout() to lib.cli-std Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-20 14:26:13 -08:00
Tom Eastep	4d6bf8564e	Avoid unnecessary variable expansion Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-20 14:25:42 -08:00
Tom Eastep	fb4b362724	Eliminate unnecessary local array Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-20 13:26:10 -08:00
Tom Eastep	97de2be778	Change a fatal_error() call with an assertion in add_policy_rules() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-19 13:39:51 -08:00
Tom Eastep	85cae3c7f8	Add parens to improve readability Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-19 12:47:17 -08:00
Tom Eastep	acd425a3c2	Remove superfluous logic from validate_portpari1() - Add comments Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-01-19 12:46:52 -08:00