Don't run the 'up' command twice when an dual-stack interface comes up

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Allow IFUPDOWN=1 to work on Debian
2020-04-18 12:44:19 -07:00 · 2020-04-18 11:27:15 -07:00 · 2020-04-17 17:56:06 -07:00 · 2020-04-16 15:20:24 -07:00 · 2020-04-16 14:05:07 -07:00 · 2020-04-16 14:02:15 -07:00
486 changed files with 14006 additions and 25853 deletions
--- a/Shorewall-core/INSTALL
+++ b/Shorewall-core/INSTALL
@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5

 ---------------------------------------------------------------------------

-Please see http://www.shorewall.net/Install.htm for installation
+Please see https://shorewall.org/Install.htm for installation
 instructions.


--- a/Shorewall-core/Shorewall-core-targetname
+++ b/Shorewall-core/Shorewall-core-targetname
@@ -0,0 +1 @@
+5.2.4.1
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -1,10 +1,10 @@
 #!/bin/bash
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
+#     Shorewall Packet Filtering Firewall configuration program - V5.2
 #
-#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -109,6 +109,9 @@ if [ -z "$vendor" ]; then
 	    opensuse)
 		vendor=suse
 		;;
+	    alt|basealt|altlinux)
+		vendor=alt
+		;;
 	    *)
 		vendor="$ID"
 		;;
@@ -132,6 +135,8 @@ if [ -z "$vendor" ]; then
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
 		ls -l /sbin/init | fgrep -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
+	    elif [ -f /etc/altlinux-release ] ; then
+		params[HOST]=alt
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
@@ -190,7 +195,7 @@ for p in ${!params[@]}; do
 done

 echo '#'                                                                 > shorewallrc
-echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
+echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc
 echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc

--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
+#     Shorewall Packet Filtering Firewall configuration program - V5.2
 #
 #     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -74,6 +74,8 @@ unless ( defined $vendor ) {
 	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
 	    my $init = `ls -l /sbin/init`;
 	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
+	} elsif ( $id eq 'alt' || $id eq 'basealt' || $id eq 'altlinux' ) {
+	    $vendor = 'alt';
 	} else {
 	    $vendor = $id;
 	}
@@ -117,6 +119,9 @@ if ( defined $vendor ) {
 	} else {
 	    $rcfilename = 'shorewallrc.debian.sysvinit';
 	}
+    } elsif ( -f '/etc/altlinux-release' ){
+	$vendor = 'alt';
+	$rcfilename = 'shorewallrc.alt';
    } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
@@ -173,7 +178,12 @@ my $outfile;

 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";

-printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+if ( $ENV{SOURCE_DATE_EPOCH} ) {
+    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date  --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`;
+} else {
+    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+}
+
 print $outfile "# rc file: $rcfilename\n#\n";

 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,9 +2,9 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -22,64 +22,20 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #

-VERSION=xxx #The Build script inserts the actual version
-
+VERSION=xxx # The Build script inserts the actual version
 PRODUCT=shorewall-core
 Product="Shorewall Core"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ] "
-    echo "       $ME -v"
-    echo "       $ME -h"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -98,16 +54,16 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

-require()
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

+#
+# Source common functions
+#
+. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
 #
 # Parse the run line
 #
@@ -126,7 +82,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "Shorewall Firewall Installer Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    *)
@@ -148,14 +104,14 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
 	file=./shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
 	file=/usr/share/shorewall/shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -169,7 +125,7 @@ elif [ $# -eq 1 ]; then
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -216,6 +172,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -224,6 +183,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/slackware-version ] ; then
@@ -282,16 +243,15 @@ case "$HOST" in
    apple)
 	echo "Installing Mac-specific configuration...";
 	;;
-    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
+    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt|alt)
 	;;
    *)
-	echo "ERROR: Unknown HOST \"$HOST\"" >&2
-	exit 1;
+	fatal_error "Unknown HOST \"$HOST\""
 	;;
 esac

 if [ -z "$file" ]; then
-    if $HOST = linux; then
+    if [ $HOST = linux ]; then
 	file=shorewallrc.default
    else
 	file=shorewallrc.${HOST}
@@ -304,7 +264,8 @@ if [ -z "$file" ]; then
    echo "" >&2
    echo "Example:" >&2
    echo "" >&2
-    echo "   ./install.sh $file" &>2
+    echo "   ./install.sh $file" >&2
+    exit 1
 fi

 if [ -n "$DESTDIR" ]; then
@@ -315,45 +276,31 @@ if [ -n "$DESTDIR" ]; then
    fi
 fi

-echo "Installing Shorewall Core Version $VERSION"
+echo "Installing $Product Version $VERSION"

 #
 # Create directories
 #
-mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
-chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall
+make_parent_directory ${DESTDIR}${LIBEXECDIR}/shorewall 0755

-mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
-chmod 755 ${DESTDIR}${SHAREDIR}/shorewall
+make_parent_directory ${DESTDIR}${SHAREDIR}/shorewall 0755

-mkdir -p ${DESTDIR}${CONFDIR}
-chmod 755 ${DESTDIR}${CONFDIR}
+make_parent_directory ${DESTDIR}${CONFDIR} 0755

-if [ -n "${SYSCONFDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSCONFDIR}
-    chmod 755 ${DESTDIR}${SYSCONFDIR}
-fi
+[ -n "${SYSCONFDIR}" ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755

 if [ -z "${SERVICEDIR}" ]; then
    SERVICEDIR="$SYSTEMD"
 fi

-if [ -n "${SERVICEDIR}" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
-    chmod 755 ${DESTDIR}${SERVICEDIR}
-fi
+[ -n "${SERVICEDIR}" ] && make_parent_directory ${DESTDIR}${SERVICEDIR} 0755

-mkdir -p ${DESTDIR}${SBINDIR}
-chmod 755 ${DESTDIR}${SBINDIR}
+make_parent_directory ${DESTDIR}${SBINDIR} 0755

-if [ -n "${MANDIR}" ]; then
-    mkdir -p ${DESTDIR}${MANDIR}
-    chmod 755 ${DESTDIR}${MANDIR}
-fi
+[ -n "${MANDIR}" ] && make_parent_directory ${DESTDIR}${MANDIR} 0755

 if [ -n "${INITFILE}" ]; then
-    mkdir -p ${DESTDIR}${INITDIR}
-    chmod 755 ${DESTDIR}${INITDIR}
+    make_parent_directory ${DESTDIR}${INITDIR} 0755

    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
 	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
@@ -382,14 +329,19 @@ echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
 # Install the libraries
 #
 for f in lib.* ; do
+    case $f in
+        *installer)
+            ;;
+        *)
            install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
            echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
+            ;;
+    esac
 done

 if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.cli
 fi

 #
@@ -398,11 +350,11 @@ fi
 if [ -n "$MANDIR" ]; then
    cd manpages

-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
+    [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755

    for f in *.8; do
 	gzip -9c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done

@@ -419,7 +371,7 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
-chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion

 if [ -z "${DESTDIR}" ]; then
    if [ $update -ne 0 ]; then
@@ -444,14 +396,20 @@ fi

 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
+        case $f in
+            *installer)
+                ;;
+            *)
                if [ $BUILD != apple ]; then
                    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
                else
                    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
                fi
+                ;;
+        esac
    done
 fi
 #
 # Report Success
 #
-echo "Shorewall Core Version $VERSION Installed"
+echo "$Product Version $VERSION Installed"
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.cli.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.cli
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=50100
+SHOREWALL_CAPVERSION=50200

 if [ -z "$g_basedir" ]; then
    #
@@ -47,6 +47,10 @@ startup_error() {
    exit 1
 }

+only_root() {
+    [ "$(id -u)" != 0 ] && fatal_error "The '$COMMAND' command may only be run by root"
+}
+
 #
 # Display a chain if it exists
 #
@@ -83,6 +87,8 @@ showchain() # $1 = name of chain
 #
 validate_restorefile() # $* = label
 {
+    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
+
    case $RESTOREFILE in
 	*/*)
 	    error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
@@ -411,9 +417,9 @@ resolve_arptables() {
 savesets() {
    local supported

-    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+    supported=$(run_it $g_firewall help | fgrep savesets )

-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
+    [ -n "$supported" ] && run_it $g_firewall savesets ${g_restorepath}-ipsets 
 }

 #
@@ -422,9 +428,9 @@ savesets() {
 savesets1() {
    local supported

-    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+    supported=$(run_it $g_firewall help | fgrep savesets )

-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
+    [ -n "$supported" ] && run_it $g_firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
 }

 #
@@ -435,9 +441,9 @@ do_save() {
    local arptables
    status=0

-    if [ -f ${VARDIR}/firewall ]; then
+    if [ -f $g_firewall ]; then
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    cp -f ${VARDIR}/firewall $g_restorepath
+	    cp -f $g_firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod 700 $g_restorepath
 	    chmod 600 ${g_restorepath}-iptables
@@ -449,7 +455,7 @@ do_save() {
 	    status=1
 	fi
    else
-	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+	echo "   ERROR: $g_firewall does not exist" >&2
 	status=1
    fi

@@ -634,7 +640,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -$g_family -o route list table $table | grep -vF cache | sort_routes
+		ip -6 -o route list table $table | grep -vF cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -647,7 +653,7 @@ show_routing() {
    else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | grep -vF cache | sort_routes
+	    ip -6 -o route list | grep -vF cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
@@ -1137,16 +1143,31 @@ show_a_macro() {
    cat ${directory}/macro.$1
 }
 #
-# Don't dump empty SPD entries
+# Don't dump empty SPD entries or entries from the other address family
 #
-spd_filter()
-{
-    awk \
-    'BEGIN            { skip=0; }; \
-    /^src/            { skip=0; }; \
-    /^src 0.0.0.0\/0/ { skip=1; }; \
-    /^src ::\/0/      { skip=1; }; \
-                      { if ( skip == 0 ) print; };'
+spd_filter() {
+    #
+    # af   = Address Family (4 or 6)
+    # afok = Address Family of entry matches af
+    # p    = print the contents of A (entry is not empty)
+    # i    = Number of lines stored in A
+    #
+    awk -v af=$g_family \
+	'function prnt(A,i,    j) { while ( j < i ) print A[j++]; };\
+\
+	 /^src / { if (p) prnt( A, i );\
+		   afok = 1;\
+		   p	= 0;\
+		   i	= 0;\
+		   if ( af == 4 )\
+		       { if ( /:/ )  afok = 0; }\
+		   else\
+		       { if ( /\./ ) afok = 0; }\
+		 };\
+		 { if ( afok ) A[i++] = $0; };\
+	 /tmpl/	 { p = afok; };\
+\
+	 END	 { if (p) prnt( A, i ); }'
 }
 #
 # Print a heading with leading and trailing black lines
@@ -1159,7 +1180,8 @@ heading() {

 show_ipsec() {
    heading "PFKEY SPD"
-    $IP -s xfrm policy | spd_filter
+    $IP -s -$g_family xfrm policy | spd_filter
+
    heading "PFKEY SAD"
    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }
@@ -1169,6 +1191,32 @@ show_ipsec_command() {
    show_ipsec
 }

+show_saves_command() {
+    local f
+    local fn
+    local mtime
+
+    echo "$g_product $SHOREWALL_VERSION Saves at $g_hostname - $(date)"
+    echo "Saved snapshots are:"
+    echo
+
+    for f in ${VARDIR}/*-iptables; do
+	case $f in
+	    *\**)
+	        ;;
+	    *)
+		fn=$(basename $f)
+		fn=${fn%-iptables}
+		mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
+		[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
+		echo "   $mtime ${fn%-iptables}"
+		;;
+	esac
+    done
+
+    echo
+}
+
 #
 # Show Command Executor
 #
@@ -1187,6 +1235,7 @@ show_command() {
    show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
 	if [ -n "$foo" ]; then
+	    macro=$(basename $macro)
 	    macro=${macro#*.}
 	    foo=${foo%.*}
 	    if [ ${#macro} -gt 5 ]; then
@@ -1281,37 +1330,47 @@ show_command() {

    [ -n "$g_debugging" ] && set -x

+    COMMAND="$COMMAND $1"
+
    case "$1" in
 	connections)
+	    only_root
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	tos|mangle)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && too_many_arguments $2

+	    only_root
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
+	    only_root
 	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
@@ -1335,6 +1394,7 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
@@ -1371,33 +1431,50 @@ show_command() {
 	    fi
 	    ;;
 	chain)
+	    only_root
 	    shift
 	    eval show_chain $@ $g_pager
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
+        rc)
+            shift
+	    [ $# -gt 1 ] && too_many_arguments $2
+            if [ -n "$1" -a -d "$1" ]; then
+                cat $1/shorewallrc
+            elif [ -n "$g_basedir" -a -d "$g_basedir" ]; then
+                cat $g_basedir/shorewallrc
+            else
+                fatal_error "Can not determine the location of the shorewallrc file."
+            fi
+            ;;
 	policies)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
+	    only_root
 	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1407,6 +1484,7 @@ show_command() {
 	    ;;
 	event)
 	    [ $# -gt 1 ] || too_many_arguments $2
+	    only_root
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
@@ -1414,14 +1492,18 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
+	    setup_dbl
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"

 	    if chain_exists dynamic; then
@@ -1432,8 +1514,13 @@ show_command() {
 	    ;;
 	ipsec)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    eval show_ipsec_command $g_pager
 	    ;;
+	saves)
+	    [ $# -gt 1 ] && too_many_arguments $2
+	    show_saves_command
+	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
@@ -1480,6 +1567,8 @@ show_command() {
 		    ;;
 	    esac

+	    only_root
+
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
@@ -1797,7 +1886,7 @@ do_dump_command() {

    echo

-    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netstat -tunap; }

    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -1911,41 +2000,6 @@ show_proc() # $1 = name of a file
    [ -f $1 ] && echo "   $1 = $(cat $1)"
 }

-read_yesno_with_timeout() {
-    local timeout
-    timeout=${1:-60}
-
-    case $timeout in
-	*s)
-	    ;;
-	*m)
-	    timeout=$((${timeout%m} * 60))
-	    ;;
-	*h)
-	    timeout=$((${timeout%h} * 3600))
-	    ;;
-    esac
-
-    read -t $timeout yn 2> /dev/null
-    if [ $? -eq 2 ]
-    then
-	# read doesn't support timeout
-	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
-	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
-	return $?
-    else
-	# read supports timeout
-	case "$yn" in
-	    y|Y)
-		return 0
-		;;
-	    *)
-		return 1
-		;;
-	esac
-    fi
-}
-
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2529,15 +2583,21 @@ hits_command() {
    fi
 }

+#
+# Issue an error message and terminate if the firewall isn't started
+#
+require_started() {
+    if ! product_is_started; then
+	error_message "ERROR: $g_product is not started"
+	exit 2
+    fi
+}
+
 #
 # 'allow' command executor
 #
 allow_command() {

-    [ -n "$g_debugging" ] && set -x
-    [ $# -eq 1 ] && missing_argument
-
-    if product_is_started ; then
    local allowed
    local which
    which='-s'
@@ -2545,8 +2605,10 @@ allow_command() {
    range='--src-range'
    local dynexists

-	if [ -n "$g_blacklistipset" ]; then
+    [ -n "$g_debugging" ] && set -x
+    [ $# -eq 1 ] && missing_argument

+    if [ -n "$g_blacklistipset" ]; then
 	case ${IPSET:=ipset} in
 	    */*)
 		if [ ! -x "$IPSET" ]; then
@@ -2563,6 +2625,7 @@ allow_command() {
    if chain_exists dynamic; then
 	dynexists=Yes
    elif [ -z "$g_blacklistipset" ]; then
+	require_started
 	fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
    fi

@@ -2628,10 +2691,6 @@ allow_command() {
    done

    [ -n "$g_nolock" ] || mutex_off
-    else
-	error_message "ERROR: $g_product is not started"
-	exit 2
-    fi
 }

 #
@@ -2707,7 +2766,7 @@ determine_capabilities() {
 	g_tool=$(mywhich $tool)

 	if [ -z "$g_tool" ]; then
-	    fatal-error "No executable $tool binary can be found on your PATH"
+	    fatal_error "No executable $tool binary can be found on your PATH"
 	fi
    fi

@@ -2751,7 +2810,6 @@ determine_capabilities() {
    LENGTH_MATCH=
    CLASSIFY_TARGET=
    ENHANCED_REJECT=
-    USEPKTTYPE=
    KLUDGEFREE=
    MARK=
    XMARK=
@@ -2770,7 +2828,7 @@ determine_capabilities() {
    GOTO_TARGET=
    LOGMARK_TARGET=
    IPMARK_TARGET=
-    LOG_TARGET=Yes
+    LOG_TARGET=
    ULOG_TARGET=
    NFLOG_TARGET=
    PERSISTENT_SNAT=
@@ -2803,6 +2861,8 @@ determine_capabilities() {
    WAIT_OPTION=
    CPU_FANOUT=
    NETMAP_TARGET=
+    NFLOG_SIZE=
+    RESTORE_WAIT_OPTION=

    AMANDA_HELPER=
    FTP_HELPER=
@@ -2826,9 +2886,11 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
    fi

+    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
+
    if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	tool="$tool --wait"
+	g_tool="$g_tool --wait"
    fi

    chain=fooX$$
@@ -2843,6 +2905,7 @@ determine_capabilities() {
 		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
+	    qt $g_tool -t nat -L INPUT -n && NAT_INPUT_CHAIN=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
 	    qt $g_tool -t nat -F $chain
 	    qt $g_tool -t nat -X $chain
@@ -3093,7 +3156,6 @@ determine_capabilities() {
 	fi
    fi

-    qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
    qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
    qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
    qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
@@ -3134,12 +3196,15 @@ determine_capabilities() {
    qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $g_tool -A $chain -j LOG || LOG_TARGET=
+    qt $g_tool -A $chain -j LOG && LOG_TARGET=Yes
    qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
-    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
    qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
+    if qt $g_tool -A $chain -j NFLOG; then
+	NFLOG_TARGET=Yes
+	qt $g_tool -A $chain -j NFLOG --nflog-size 64 && NFLOG_SIZE=Yes
+    fi

    if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -3204,7 +3269,6 @@ report_capabilities_unsorted() {
 	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
 	[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
    fi
-    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
    report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
    report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
    report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
@@ -3214,8 +3278,8 @@ report_capabilities_unsorted() {
    [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
    report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
    report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
-    if [ -n "$IPSET_MATCH" ]; then
    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
+    if [ -n "$IPSET_MATCH" ]; then
 	[ -n "$OLD_IPSET_MATCH" ]     && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)"           $OLD_IPSET_MATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Nomatch (IPSET_MATCH_NOMATCH)"   $IPSET_MATCH_NOMATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Counters (IPSET_MATCH_COUNTERS)" $IPSET_MATCH_COUNTERS
@@ -3295,9 +3359,11 @@ report_capabilities_unsorted() {
    if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
+	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
+	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    fi

    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3305,6 +3371,8 @@ report_capabilities_unsorted() {
    report_capability "CT Target (CT_TARGET)" $CT_TARGET
    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
+    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
+    report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN

    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3317,8 +3385,6 @@ report_capabilities() {
 	report_capabilities_unsorted | sort
    fi

-    [ -n "$PKTTYPE" ] || USEPKTTYPE=
-
 }

 report_capabilities_unsorted1() {
@@ -3335,7 +3401,6 @@ report_capabilities_unsorted1() {
    report_capability1 CONNTRACK_MATCH
    report_capability1 NEW_CONNTRACK_MATCH
    report_capability1 OLD_CONNTRACK_MATCH
-    report_capability1 USEPKTTYPE
    report_capability1 POLICY_MATCH
    report_capability1 PHYSDEV_MATCH
    report_capability1 PHYSDEV_BRIDGE
@@ -3411,6 +3476,9 @@ report_capabilities_unsorted1() {
    report_capability1 WAIT_OPTION
    report_capability1 CPU_FANOUT
    report_capability1 NETMAP_TARGET
+    report_capability1 NFLOG_SIZE
+    report_capability1 RESTORE_WAIT_OPTION
+    report_capability1 NAT_INPUT_CHAIN

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3707,7 +3775,7 @@ ipcalc_command() {
    elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
-    elif [ $# -eq 0 ]; then
+    elif [ $# -eq 1 ]; then
 	missing_argument
    else
 	too_many_arguments $4
@@ -3715,7 +3783,7 @@ ipcalc_command() {

    valid_address $address || fatal_error "Invalid IP address: $address"
    [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
+    [ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM"
    [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"

    address=$address/$vlsm
@@ -3753,7 +3821,7 @@ iprange_command() {
 }

 ipdecimal_command() {
-    if [ $# eq 1 ]; then
+    if [ $# -eq 1 ]; then
 	missing_argument
    else
 	[ $# -eq 2 ] || too_many_arguments $3
@@ -3796,7 +3864,7 @@ noiptrace_command() {
 verify_firewall_script() {
    if [ ! -f $g_firewall ]; then
 	echo "   ERROR: $g_product is not properly installed" >&2
-	if [ -L $g_firewall ]; then
+	if [ -h $g_firewall ]; then
 	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
@@ -3896,7 +3964,7 @@ get_config() {

    ensure_config_path

-    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf

    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

@@ -4050,15 +4118,15 @@ start_command() {
 	rc=0
 	[ -n "$g_nolock" ] || mutex_on

-	if [ -x ${VARDIR}/firewall ]; then
-	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
-		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
+	if [ -x $g_firewall ]; then
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
+		run_it ${VARDIR}/${RESTOREFILE} restore
 	    else
-		run_it ${VARDIR}/firewall $g_debugging start
+		run_it $g_firewall start
 	    fi
 	    rc=$?
 	else
-	    error_message "${VARDIR}/firewall is missing or is not executable"
+	    error_message "$g_firewall is missing or is not executable"
 	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
@@ -4187,11 +4255,11 @@ restart_command() {

    [ -n "$g_nolock" ] || mutex_on

-    if [ -x ${VARDIR}/firewall ]; then
-	run_it ${VARDIR}/firewall $g_debugging $COMMAND
+    if [ -x $g_firewall ]; then
+	run_it $g_firewall $COMMAND
 	rc=$?
    else
-	error_message "${VARDIR}/firewall is missing or is not executable"
+	error_message "$g_firewall is missing or is not executable"
 	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
    fi
@@ -4201,10 +4269,10 @@ restart_command() {
 }

 run_command() {
-    if [ -x ${VARDIR}/firewall ] ; then
-	run_it ${VARDIR}/firewall $g_debugging $@
+    if [ -x $g_firewall ] ; then
+	run_it $g_firewall $@
    else
-	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+	fatal_error "$g_firewall does not exist or is not executable"
    fi
 }

@@ -4219,7 +4287,13 @@ ecko() {
 #
 usage() # $1 = exit status
 {
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "Usage: $(basename $0) [ -T ] [ -D ] [ -N ] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "   -T : Direct the generated script to produce a shell trace to standard error"
+    echo "   -D : Debug iptables commands"
+    echo "   -N : Don't take the master shorewall lock"
+    echo "   -q : Standard Shorewall verbosity control"
+    echo "   -v : Standard Shorewall verbosity control"
+    echo "   -t : Timestamp all messages"
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
@@ -4249,7 +4323,6 @@ usage() # $1 = exit status
 	echo "   iptrace <ip6tables match expression>"
    fi

-    ecko "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
@@ -4262,14 +4335,20 @@ usage() # $1 = exit status

    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   reenable <interface>"
-    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."
-    ecko "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
+
+    if [ -n "$g_lite" ]; then
+	echo "   reload [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
+    else
+	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+    fi

    if [ -z "$g_lite" ]; then
-	echo "   remote-reload [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-restart [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-start [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-getrc [ -T ] [ -c ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
+	echo "   remote-getcaps [ -T ] [ -R ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
    fi

    echo "   reset [ <chain> ... ]"
@@ -4312,7 +4391,9 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] nfacct"
    echo "   [ show | list | ls ] opens"
    echo "   [ show | list | ls ] policies"
+    echo "   [ show | list | ls ] rc"
    echo "   [ show | list | ls ] routing"
+    echo "   [ show | list | ls ] saves"
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
@@ -4339,20 +4420,16 @@ usage() # $1 = exit status
 # here if that lib is loaded below.
 #
 shorewall_cli() {
-    g_debugging=
-
-    if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
-	g_debugging=$1
-	shift
-    fi
-
    g_nolock=
-
+    #
+    # We'll keep this around for a while so we don't break people's started scripts
+    #
    if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
 	g_nolock=nolock
 	shift
    fi

+    g_debugging=
    g_noroutes=
    g_purge=
    g_ipt_options="-nv"
@@ -4361,7 +4438,6 @@ shorewall_cli() {
    g_use_verbosity=
    g_debug=
    g_export=
-    g_refreshchains=:none:
    g_confess=
    g_update=
    g_annotate=
@@ -4380,6 +4456,8 @@ shorewall_cli() {
    g_nopager=
    g_blacklistipset=
    g_disconnect=
+    g_havemutex=
+    g_trace=

    VERBOSE=
    VERBOSITY=1
@@ -4511,6 +4589,17 @@ shorewall_cli() {
 			    finished=1
 			    option=
 			    ;;
+			T*)
+			    g_debugging=trace
+			    option=${option#T}
+			    ;;
+			D*)
+			    g_debugging=debug
+			    option=${option#D}
+			    ;;
+			N*)
+			    g_nolock=nolock
+			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -4552,40 +4641,46 @@ shorewall_cli() {

    case "$COMMAND" in
 	start)
+	    only_root
 	    get_config Yes Yes
 	    shift
 	    start_command $@
 	    ;;
 	stop|clear)
 	    [ $# -ne 1 ] && too_many_arguments $2
+	    only_root
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
-	    run_it $g_firewall $g_debugging $COMMAND
+	    run_it $g_firewall $COMMAND
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
+	    only_root
 	    get_config
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
-	    run_it $g_firewall $g_debugging reset $@
+	    run_it $g_firewall reset $@
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
+	    only_root
 	    get_config Yes Yes
 	    shift
 	    restart_command $@
 	    ;;
 	disable|enable|reenable)
+	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it ${VARDIR}/firewall $g_debugging $@
+		run_it $g_firewall $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	blacklist)
+	    only_root
 	    get_config Yes
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4594,6 +4689,7 @@ shorewall_cli() {
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
+	    only_root
 	    get_config Yes
 	    run_command $@
 	    ;;
@@ -4603,18 +4699,20 @@ shorewall_cli() {
    	    show_command $@
 	    ;;
 	status)
-	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
+	    only_root
 	    get_config
 	    shift
 	    status_command $@
 	    ;;
 	dump)
+	    only_root
 	    get_config Yes No Yes
    	    shift
    	    dump_command $@
 	    ;;
 	hits)
 	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
+	    only_root
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4625,53 +4723,63 @@ shorewall_cli() {
 	    version_command $@
 	    ;;
 	logwatch)
+	    only_root
 	    get_config Yes Yes Yes
 	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
+	    only_root
 	    get_config
 	    shift
 	    open_close_command $@
 	    ;;
 	allow)
+	    only_root
 	    get_config
 	    allow_command $@
 	    ;;
 	add)
+	    only_root
 	    get_config
 	    shift
 	    add_command $@
 	    ;;
 	delete)
+	    only_root
 	    get_config
 	    shift
 	    delete_command $@
 	    ;;
 	save)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    save_command $@
 	    ;;
 	forget)
+	    only_root
 	    get_config
 	    forget_command $@
 	    ;;
@@ -4688,11 +4796,13 @@ shorewall_cli() {
 	    ipdecimal_command $@
 	    ;;
 	restore)
+	    only_root
 	    get_config
 	    shift
 	    restore_command $@
            ;;
 	call)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
@@ -4719,7 +4829,7 @@ shorewall_cli() {
 		    # It isn't a function visible to this script -- try
 		    # the compiled firewall
 		    #
-		    run_it $g_firewall $g_debugging call $@
+		    run_it $g_firewall call $@
 		fi
 	    else
 		missing_argument
@@ -4730,17 +4840,20 @@ shorewall_cli() {
 	    usage
 	    ;;
 	iptrace)
+	    only_root
 	    get_config
 	    shift
 	    iptrace_command $@
 	    ;;
 	noiptrace)
+	    only_root
 	    get_config
 	    shift
 	    noiptrace_command $@
 	    ;;
 	savesets)
 	    [ $# -eq 1 ] || too_many_arguments $2
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.common
 #
-#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -92,18 +92,20 @@ startup_error() # $* = Error Message
 #
 run_it() {
    local script
-    local options
+    local options='-'

    export VARDIR

    script=$1
    shift

-    if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	options="$1 -"
-	shift;
+
+    if [ "$g_debugging" = debug ]; then
+	options='-D'
+    elif [ "$g_debugging" = trace ]; then
+	options='-T'
    else
-	options='-'
+	options='-';
    fi

    [ -n "$g_noroutes" ]   && options=${options}n
@@ -269,53 +271,48 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
    local modulename
    modulename=$1
+    shift
+    local moduleoptions
+    moduleoptions=$*
    local modulefile
    local suffix

    if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
-		shift
-
-		for suffix in $MODULE_SUFFIX ; do
-		    for directory in $moduledirectories; do
-			modulefile=$directory/${modulename}.${suffix}
-
-			if [ -f $modulefile ]; then
 		case $moduleloader in
 		    insmod)
-				    insmod $modulefile $*
-				    ;;
-				*)
-				    modprobe $modulename $*
-				    ;;
-			    esac
-			    break 2
+			for directory in $moduledirectories; do
+			    for modulefile in $directory/${modulename}.*; do
+				if [ -f $modulefile ]; then
+				    insmod $modulefile $moduleoptions
+				    return
 				fi
 			    done
 			done
+			;;
+		    *)
+			modprobe -q $modulename $moduleoptions
+			;;
+		esac
 	    fi
 	fi
    elif ! list_search $modulename $DONT_LOAD $MODULES; then
-	shift
-
-	for suffix in $MODULE_SUFFIX ; do
-	    for directory in $moduledirectories; do
-		modulefile=$directory/${modulename}.${suffix}
-
-		if [ -f $modulefile ]; then
 	case $moduleloader in
 	    insmod)
-			    insmod $modulefile $*
-			    ;;
-			*)
-			    modprobe $modulename $*
-			    ;;
-		    esac
-		    break 2
+		for directory in $moduledirectories; do
+		    for modulefile in $directory/${modulename}.*; do
+			if [ -f $modulefile ]; then
+			    insmod $modulefile $moduleoptions
+			    return
 			fi
 		    done
 		done
+		;;
+	    *)
+		modprobe -q $modulename $moduleoptions
+		;;
+	esac
    fi
 }

@@ -338,8 +335,6 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi

-    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
-
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -394,8 +389,6 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi

-    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
-
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -420,7 +413,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
    done

-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+    modules=$(find_file helpers)

    if [ -f $modules -a -n "$moduledirectories" ]; then
 	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
@@ -428,7 +421,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then
 	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir
 	    cp -f $modules ${VARDIR}/.modules
 	fi
    elif [ $savemoduleinfo = Yes ]; then
@@ -510,7 +503,7 @@ ip_network() {

 #
 # The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
+# the popular light-weight Bourne shell derivatives do not support XOR ("^").
 #
 ip_broadcast() {
    local x
@@ -745,8 +738,8 @@ truncate() # $1 = length

 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
-# the first argument. Example "shorewall nolock refresh"
+# /sbin/shorewall program while holding mutual exclusion, you should pass -N as
+# the first argument. Example "shorewall -N refresh"
 #
 # This function uses the lockfile utility from procmail if it exists.
 # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
@@ -760,36 +753,44 @@ mutex_on()
    lockf=${LOCKFILE:=${VARDIR}/lock}
    local lockpid
    local lockd
+    local lockbin
+    local openwrt

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

-    if [ $MUTEX_TIMEOUT -gt 0 ]; then
+    if [ -z "$g_havemutex" -a $MUTEX_TIMEOUT -gt 0 ]; then

 	lockd=$(dirname $LOCKFILE)

 	[ -d "$lockd" ] || mkdir -p "$lockd"

+	lockbin=$(mywhich lock)
+	[ -n "$lockbin" -a -h "$lockbin" ] && openwrt=Yes
+
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif [ $lockpid -eq $$ ]; then
-                return 0
-	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
+	    elif [ -z "$openwrt" ]; then
+		if [ $lockpid -eq $$ ]; then
+                    fatal_error "Mutex_on confusion"
+		elif ! qt ps --pid ${lockpid}; then
 		    rm -f ${lockf}
 		    error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 		fi
 	    fi
+	fi

-	if qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	if [ -n "$openwrt" ]; then
+	    lock ${lockf} || fatal_error "Can't lock ${lockf}"
+	    g_havemutex="lock -u ${lockf}"
+	elif qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} || fatal_error "Can't lock ${lockf}"
+	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
-	elif qt mywhich lock; then
-            lock ${lockf}
-            chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -799,10 +800,15 @@ mutex_on()
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
+		g_havemutex="rm -f ${lockf}"
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
+
+	if [ -n "$g_havemutex" ]; then
+	    trap mutex_off EXIT
+	fi
    fi
 }

@@ -811,7 +817,10 @@ mutex_on()
 #
 mutex_off()
 {
-    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
-    rm -f ${LOCKFILE:=${VARDIR}/lock}
+    if [ -n "$g_havemutex" ]; then
+	eval $g_havemutex
+	g_havemutex=
+	trap '' exit
+    fi
 }

--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.core
+# Shorewall 5.2 -- /usr/share/shorewall/lib.core
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -24,7 +24,7 @@
 # generated scripts.
 #

-SHOREWALL_LIBVERSION=50100
+SHOREWALL_LIBVERSION=50108

 #
 # Fatal Error
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -0,0 +1,88 @@
+#
+# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
+#
+#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
+#
+#	Complete documentation is available at https://shorewall.org
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# The purpose of this library is to hold those functions used by the products installer.
+#
+#########################################################################################
+
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir $1
+    chmod $2 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+}
+
+make_parent_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod $2 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNER:$GROUP $1
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
+}
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -0,0 +1,105 @@
+#
+# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
+#
+#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
+#
+#	Complete documentation is available at https://shorewall.org
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# The purpose of this library is to hold those functions used by the products uninstaller.
+#
+#########################################################################################
+
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to remove
+{
+    if [ -n "$1" ] ; then
+        if [ -f $1 -o -h $1 ] ; then
+            rm -f $1
+            echo "$1 Removed"
+        fi
+    fi
+}
+
+remove_directory() # $1 = directory to remove
+{
+    if [ -n "$1" ] ; then
+        if [ -d $1 ] ; then
+            rm -rf $1
+            echo "$1 Removed"
+        fi
+    fi
+}
+
+remove_file_with_wildcard() # $1 = file with wildcard to remove
+{
+    if [ -n "$1" ] ; then
+        for f in $1; do
+            if [ -d $f ] ; then
+                rm -rf $f
+                echo "$f Removed"
+            elif [ -f $f -o -h $f ] ; then
+                rm -f $f
+                echo "$f Removed"
+            fi
+        done
+    fi
+}
+
+restore_file() # $1 = file to restore
+{
+    if [ -f ${1}-shorewall.bkout ]; then
+	if (mv -f ${1}-shorewall.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    exit 1
+        fi
+    fi
+}
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -1,11 +1,11 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.0
+#     Shorewall Packet Filtering Firewall Control Program - V5.2
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015 -
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -25,6 +25,10 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
+#
+# Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l
+# options
+#
 PRODUCT=shorewall

 #
--- a/Shorewall-core/shorewallrc.alt
+++ b/Shorewall-core/shorewallrc.alt
@@ -0,0 +1,25 @@
+#
+# ALT/BaseALT/ALTLinux Shorewall 5.2 rc file
+#
+BUILD=                                  #Default is to detect the build system
+HOST=alt
+PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
+PERLLIBDIR=${SHAREDIR}/perl5            #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                            #Directory where subsystem configurations are installed
+SBINDIR=/sbin                           #Directory where system administration programs are installed
+MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.
+INITDIR=${CONFDIR}/rc.d/init.d          #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
+INITSOURCE=init.alt.sh                  #Name of the distributed file to be installed as the SysV init script
+ANNOTATED=                              #If non-zero, annotated configuration files are installed
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
+SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
+SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
+SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less             #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.0 rc file
+# Apple OS X Shorewall 5.2 rc file
 #
 BUILD=apple
 HOST=apple
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.0 rc file
+# Arch Linux Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.0 rc file
+# Cygwin Shorewall 5.2 rc file
 #
 BUILD=cygwin
 HOST=cygwin
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 4.5 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -13,8 +13,8 @@ MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
 INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
+ANNOTATED=				#If non-empty, annotated configuration files are installed
+SYSCONFFILE=default.debian.systemd	#Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 4.5 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian.sysvinit              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,8 +1,8 @@
 #
-# Default Shorewall 5.0 rc file
+# Default Shorewall 5.2 rc file
 #
-HOST=linux                              #Generic Linux
 BUILD=                                  #Default is to detect the build system
+HOST=linux                              #Generic Linux
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -1,8 +1,8 @@
 #
-# Created by Shorewall Core version 5.0.2-RC1 configure -  Fri, Nov 06, 2015 10:02:03 AM
-#
-# Input: host=openwrt
+# OpenWRT/LEDE Shorewall 5.2 rc file
 #
+BUILD=                                 #Default is to detect the build system
+HOST=openwrt
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.0 rc file
+# RedHat/FedoraShorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat
--- a/Shorewall-core/shorewallrc.sandbox
+++ b/Shorewall-core/shorewallrc.sandbox
@@ -0,0 +1,28 @@
+#
+# Shorewall 5.2 rc file for installing into a Sandbox
+#
+BUILD=                                       # Default is to detect the build system
+HOST=linux
+INSTALLDIR=				     # Set this to the directory where you want Shorewall installed
+PREFIX=${INSTALLDIR}/usr		     # Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share		     # Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share		     # Directory for executable scripts.	
+PERLLIBDIR=${PREFIX}/share/shorewall	     # Directory to install Shorewall Perl module directory	
+CONFDIR=${INSTALLDIR}/etc		     # Directory where subsystem configurations are installed				
+SBINDIR=${INSTALLDIR}/sbin		     # Directory where system administration programs are installed			
+MANDIR=		     			     # Leave empty
+INITDIR=				     # Leave empty				     				
+INITSOURCE=				     # Leave empty
+INITFILE=				     # Leave empty
+AUXINITSOURCE=				     # Leave empty
+AUXINITFILE=				     # Leave empty
+SERVICEDIR=				     # Leave empty
+SERVICEFILE=    			     # Leave empty
+SYSCONFFILE=				     # Leave empty
+SYSCONFDIR=				     # Leave empty			
+SPARSE=					     # Leave empty			
+ANNOTATED=				     # If non-empty, annotated configuration files are installed				
+VARLIB=${INSTALLDIR}/var/lib		     # Directory where product variable data is stored.				
+VARDIR=${VARLIB}/$PRODUCT		     # Directory where product variable data is stored.		
+DEFAULT_PAGER=/usr/bin/less		     # Pager to use if none specified in shorewall[6].conf
+SANDBOX=Yes				     # Indicates SANDBOX installation
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.0 rc file
+# Slackware Shorewall 5.2 rc file
 #
 BUILD=slackware
 HOST=slackware
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.0 rc file
+# SuSE Shorewall 5.2 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Core Modules
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://www.shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -26,63 +26,75 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx #The Build script inserts the actual version
-PRODUCT="shorewall-core"
+VERSION=xxx # The Build script inserts the actual version
+PRODUCT=shorewall-core
 Product="Shorewall Core"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

+#
+# Source common functions
+#
+. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
+#
+# Parse the run line
+#
+finished=0
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Uninstaller Version $VERSION"
+			exit 0
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
+
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -92,11 +104,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -104,20 +116,26 @@ fi
 if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: Shorewall Core Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling Shorewall Core $VERSION"
+echo "Uninstalling $Product $VERSION"

-rm -rf ${SHAREDIR}/shorewall
-rm -f ~/.shorewallrc
-
-echo "Shorewall Core Uninstalled"
+if [ -n "${MANDIR}" ]; then
+    remove_file_with_wildcard ${MANDIR}/man5/shorewall\*
+    remove_file_with_wildcard ${MANDIR}/man8/shorewall\*
+fi

+remove_directory ${SHAREDIR}/shorewall
+remove_file ~/.shorewallrc

+#
+# Report Success
+#
+echo "$Product $VERSION Uninstalled"
--- a/Shorewall-core/wait4ifup
+++ b/Shorewall-core/wait4ifup
@@ -1,12 +1,12 @@
 #!/bin/sh
 #
-#     Shorewall interface helper utility - V4.2
+#     Shorewall interface helper utility - V5.2
 #
 #     (c) 2007,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file is installed in /usr/share/shorewall/wait4ifup
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-init/default.debian.systemd
+++ b/Shorewall-init/default.debian.systemd
@@ -0,0 +1,21 @@
+# List the Shorewall products that Shorewall-init is to
+# initialize (space-separated list).
+#
+# Sample: PRODUCTS="shorewall shorewall6"
+#
+PRODUCTS=""
+
+#
+# Set this to 1 if you want Shorewall-init to react to
+# ifup/ifdown and NetworkManager events
+#
+IFUPDOWN=0
+#
+# Where Up/Down events get logged
+#
+LOGFILE=/var/log/shorewall-ifupdown.log
+
+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
+
+# IOF
--- a/Shorewall-init/default.debian.sysvinit
+++ b/Shorewall-init/default.debian.sysvinit
@@ -0,0 +1,27 @@
+# List the Shorewall products that Shorewall-init is to
+# initialize (space-separated list).
+#
+# Sample: PRODUCTS="shorewall shorewall6"
+#
+PRODUCTS=""
+
+#
+# Set this to 1 if you want Shorewall-init to react to
+# ifup/ifdown and NetworkManager events
+#
+IFUPDOWN=0
+#
+# Set this to the name of the file that is to hold
+# ipset contents. Shorewall-init will load those ipsets
+# during 'start' and will save them there during 'stop'.
+#
+SAVE_IPSETS=""
+#
+# Where Up/Down events get logged
+#
+LOGFILE=/var/log/shorewall-ifupdown.log
+
+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
+
+# IOF
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -110,7 +110,7 @@ case $0 in
 	;;
    *)
        #
-        # Debian ifupdown system
+        # Debian ifupdown system - MODE and INTERFACE inherited from the environment
        #
 	INTERFACE="$IFACE"

@@ -127,6 +127,17 @@ esac
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null

 for PRODUCT in $PRODUCTS; do
+    if [ -n "$ADDRFAM" -a ${COMMAND} = up ]; then
+	case $PRODUCT in
+	    *6*)
+		[ ${ADDRFAM} = inet6 ] || continue
+		;;
+	    *)
+		[ ${ADDRFAM} = inet ] || continue
+		;;
+	esac
+    fi
+
    setstatedir

    if [ -x $VARLIB/$PRODUCT/firewall ]; then
--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -90,6 +90,8 @@ case $0 in
 		COMMAND=down
 		;;
 	    *dispatcher.d*)
+		case "$2" in
+		    up|down)
 			COMMAND="$2"
 			;;
 		    *)
@@ -97,6 +99,11 @@ case $0 in
 			;;
 		esac
 		;;
+	    *)
+		exit 0
+		;;
+	esac
+	;;
 esac

 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -120,8 +120,15 @@ case $0 in
 	case $0 in
 	    *dispatcher.d*)
 		INTERFACE="$1"
+		case "$2" in
+		    up|down)
 			COMMAND="$2"
 			;;
+		    *)
+			exit 0
+			;;
+		esac
+		;;
 	    *if-up.d*)
 		COMMAND=up
 		;;
--- a/Shorewall-init/init.alt.sh
+++ b/Shorewall-init/init.alt.sh
@@ -0,0 +1,150 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 09 91
+# description: Initialize the shorewall firewall at boot time
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop: $local_fs
+# Default-Start: 3 4 5
+# Default-Stop:  0 1 2 6
+# Short-Description: Initialize the shorewall firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.
+### END INIT INFO
+
+# Do not load RH compatibility interface.
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+NAME="Shorewall-init firewall"
+PROG="shorewall-init"
+SHOREWALL="$SBINDIR/$PROG"
+LOGGER="logger -i -t $PROG"
+
+# Get startup options (override default)
+OPTIONS=
+
+LOCKFILE=/var/lock/subsys/shorewall-init
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+	. /etc/sysconfig/shorewall-init
+	if [ -z "$PRODUCTS" ]; then
+		echo "No PRODUCTS configured"
+		exit 6
+	fi
+else
+	echo "/etc/sysconfig/shorewall-init not found"
+	exit 6
+fi
+
+RETVAL=0
+
+# set the STATEDIR variable
+setstatedir() {
+	local statedir
+	if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+		statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+	fi
+
+	[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+
+	if [ -x ${STATEDIR}/firewall ]; then
+		return 0
+	elif [ $PRODUCT = shorewall ]; then
+		${SBINDIR}/shorewall compile
+	elif [ $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/shorewall -6 compile
+	else
+		return 1
+	fi
+}
+
+start() {
+	local PRODUCT
+	local STATEDIR
+
+	printf "Initializing \"Shorewall-based firewalls\": "
+
+	for PRODUCT in $PRODUCTS; do
+		if setstatedir; then
+			$STATEDIR/$PRODUCT/firewall ${OPTIONS} stop 2>&1 | "$LOGGER"
+			RETVAL=$?
+		else
+			RETVAL=6
+			break
+		fi
+	done
+
+	if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+		ipset -R < "$SAVE_IPSETS"
+	fi
+
+	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
+	return $RETVAL
+}
+
+stop() {
+	local PRODUCT
+	local STATEDIR
+
+	printf "Clearing \"Shorewall-based firewalls\": "
+	for PRODUCT in $PRODUCTS; do
+		if setstatedir; then
+			${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | "$LOGGER"
+			RETVAL=$?
+		else
+			RETVAL=6
+			break
+		fi
+	done
+
+	if [ -n "$SAVE_IPSETS" ]; then
+		mkdir -p $(dirname "$SAVE_IPSETS")
+		if ipset -S > "${SAVE_IPSETS}.tmp"; then
+			grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+		else
+			rm -f "${SAVE_IPSETS}.tmp"
+		fi
+	fi
+
+	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start)
+	    start
+	    ;;
+	stop)
+	    stop
+	    ;;
+	restart|reload|condrestart|condreload)
+	    # "Not implemented"
+	    ;;
+	condstop)
+	    if [ -e "$LOCKFILE" ]; then
+		stop
+	    fi
+	    ;;
+	status)
+	    status "$PROG"
+	     RETVAL=$?
+	    ;;
+	*)
+	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|condrestart|condstop|status}"
+	    RETVAL=1
+esac
+
+exit $RETVAL
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -8,7 +8,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -73,12 +73,16 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

+    if [ -x ${STATEDIR}/firewall ]; then
+        return 0
+    else
        if [ $PRODUCT = shorewall ]; then
            ${SBINDIR}/shorewall compile
        elif [ $PRODUCT = shorewall6 ]; then
            ${SBINDIR}/shorewall -6 compile
        else
-	return 0
+            return 1
+        fi
    fi
 }

@@ -108,7 +112,6 @@ shorewall_start () {

  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
@@ -118,7 +121,6 @@ shorewall_start () {
 	      fi
 	  )
      fi
-      fi
  done

  echo "done."
@@ -145,10 +147,8 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
 	  ${STATEDIR}/firewall ${OPTIONS} clear
      fi
-      fi
  done

  echo "done."
@@ -159,8 +159,9 @@ shorewall_stop () {

      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
      else
+	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
      fi

--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,12 +44,14 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 0
+	return 1
    fi
 }

@@ -66,12 +68,15 @@ start () {

    printf "Initializing \"Shorewall-based firewalls\": "

+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi
+
    for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?

 	if [ $retval -eq 0 ]; then
-	    if [ -x "${STATEDIR}/firewall" ]; then
 	    ${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
 	    [ $retval -ne 0 ] && break
@@ -79,9 +84,6 @@ start () {
 	    retval=6 #Product not configured
 	    break
 	fi
-	else
-	    break
-	fi
    done

    if [ $retval -eq 0 ]; then
@@ -106,7 +108,6 @@ stop () {
 	retval=$?

 	if [ $retval -eq 0 ]; then
-	    if [ -x "${STATEDIR}/firewall" ]; then
 	    ${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
 	    [ $retval -ne 0 ] && break
@@ -114,12 +115,18 @@ stop () {
 	    retval=6 #Product not configured
 	    break
 	fi
-	else
-	    break
-	fi
    done

    if [ $retval -eq 0 ]; then
+	if [ -n "$SAVE_IPSETS" ]; then
+	    mkdir -p $(dirname "$SAVE_IPSETS")
+	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
+		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	    else
+		rm -f "${SAVE_IPSETS}.tmp"
+	    fi
+	fi
+
 	rm -f $lockfile
 	success
    else
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -1,5 +1,5 @@
 #!/bin/sh /etc/rc.common
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2016           - Matt Darfeuille (matdarf@gmail.com)
@@ -75,12 +75,14 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 0
+	return 1
    fi
 }

@@ -92,17 +94,17 @@ start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 	      ${STATEDIR}/firewall ${OPTIONS} stop
 	  fi
      fi
-      fi
  done

  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      ipset -R < "$SAVE_IPSETS"
  fi
+
+  return 0
 }

 boot () {
@@ -117,17 +119,19 @@ stop () {
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    if [ -x ${STATEDIR}/firewall ]; then
 	    ${STATEDIR}/firewall ${OPTIONS} clear
 	fi
-	fi
    done

    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
    fi
+
+    return 0
 }

--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
@@ -69,10 +69,12 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    else
-	return 0
+	return 1
    fi
 }

@@ -84,12 +86,10 @@ shorewall_start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 	      ${STATEDIR}/firewall ${OPTIONS} stop
 	  fi
      fi
-      fi
  done

  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
@@ -107,16 +107,16 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
 	  ${STATEDIR}/firewall ${OPTIONS} clear
      fi
-      fi
  done

  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+      else
+	  rm -f "${SAVE_IPSETS}.tmp"
      fi
  fi

--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -7,7 +7,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -79,12 +79,14 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 0
+	return 6
    fi
 }

@@ -96,12 +98,10 @@ shorewall_start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x $STATEDIR/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
 	  fi
      fi
-      fi
  done

  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
@@ -117,16 +117,16 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
 	  ${STATEDIR}/firewall ${OPTIONS} clear
      fi
-      fi
  done

  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+      else
+	  rm -f "${SAVE_IPSETS}.tmp"
      fi
  fi
 }
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -5,7 +5,7 @@
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -27,58 +27,21 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=xxx #The Build script inserts the actual version.
+VERSION=xxx # The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ]"
-    echo "       $ME -v"
-    echo "       $ME -h"
-    echo "       $ME -n"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
    exit $1
 }

-fatal_error() 
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
-}
-
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -97,23 +60,16 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

-make_directory() # $1 = directory , $2 = mode
-{
-    mkdir -p $1
-    chmod 0755 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
-}
-
-require() 
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

+#
+# Source common functions
+#
+. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
 #
 # Parse the run line
 #
@@ -134,7 +90,7 @@ while [ $finished -eq 0 ] ; do
 			usage 0
 			;;
 		    v)
-			echo "Shorewall-init Firewall Installer Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -159,17 +115,17 @@ done
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
-    #
-    # Load packager's settings if any
-    #
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc || exit 1
 	file=./shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
+    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	file=/usr/share/shorewall/shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    else
-	fatal_error "No configuration file specified and ~/.shorewallrc not found"
+	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
@@ -177,11 +133,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -225,6 +181,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -235,6 +194,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/SuSE-release ]; then
@@ -297,13 +258,14 @@ case "$HOST" in
    openwrt)
 	echo "Installing Openwrt-specific configuration..."
 	;;
+    alt)
+	echo "Installing ALT-specific configuration...";
+	;;
    linux)
-	echo "ERROR: Shorewall-init is not supported on this system" >&2
-	exit 1
+	fatal_error "Shorewall-init is not supported on this system"
 	;;
    *)
-	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
-	exit 1;
+	fatal_error "Unsupported HOST distribution: \"$HOST\""
 	;;
 esac

@@ -315,30 +277,27 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi
    
-    make_directory ${DESTDIR}${INITDIR} 0755
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
 fi

-echo "Installing Shorewall Init Version $VERSION"
+echo "Installing $Product Version $VERSION"

 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
    first_install=""
 else
    first_install="Yes"
 fi

-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
-fi
+[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755

 #
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
-    mkdir -p ${DESTDIR}${INITDIR}
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
    
@@ -357,25 +316,21 @@ if [ -z "${SERVICEDIR}" ]; then
 fi

 if [ -n "$SERVICEDIR" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
+    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
-    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
-	mkdir -p ${DESTDIR}${SBINDIR}
-        chmod 0755 ${DESTDIR}${SBINDIR}
-    fi
-    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
-    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
+    [ -n "$DESTDIR" -o $configure -eq 0 ] && make_parent_directory ${DESTDIR}${SBINDIR} 0755
+    install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0700
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
+    echo "CLI installed as ${DESTDIR}${SBINDIR}/$PRODUCT"
 fi

 #
 # Create /usr/share/shorewall-init if needed
 #
-mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
-chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init
+make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755

 #
 # Install logrotate file
@@ -388,55 +343,53 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/$PRODUCT/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version

 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f ${SHAREDIR}/shorewall-init/init
-    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
+    rm -f ${SHAREDIR}/$PRODUCT/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi

 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
-	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
-	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
+	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
+	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
+	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
    elif [ $configure -eq 0 ]; then
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
-	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
    fi

-    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
-	if [ -n "${DESTDIR}" ]; then
-	    mkdir -p ${DESTDIR}${ETC}/default
-	fi
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
+	[ -n "${DESTDIR}" ] && make_parent_directory ${DESTDIR}${ETC}/default 0755

-	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
-	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
-	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/default 0755
+	install_file ${SYSCONFFILE} ${DESTDIR}${ETC}/default/$PRODUCT 0644
+	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi

    IFUPDOWN=ifupdown.debian.sh
 else
    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755

 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
+		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-up.d 0755
+		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-down.d 0755
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    elif [ $HOST = openwrt ]; then
-		# Not implemented on openwrt
+		# Not implemented on OpenWRT
 		/bin/true
 	    else
-		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
+		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
 	    fi
 	fi
    fi
@@ -458,13 +411,13 @@ if [ $HOST != openwrt ]; then

    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown

-    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
+    make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755

-    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
+    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown 0544
 fi

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
+    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi

@@ -483,8 +436,8 @@ case $HOST in
    suse)
 	if [ -z "$RPM" ]; then
 	    if [ $configure -eq 0 ]; then
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
+		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-up.d 0755
+		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-down.d 0755
 	    fi

 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
@@ -518,17 +471,17 @@ if [ -z "$DESTDIR" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable ${PRODUCT}.service; then
-                    echo "Shorewall Init will start automatically at boot"
+                    echo "$Product will start automatically at boot"
 		fi
 	    elif mywhich insserv; then
-		if insserv ${INITDIR}/shorewall-init; then
-		    echo "Shorewall Init will start automatically at boot"
+		if insserv ${INITDIR}/$PRODUCT; then
+                    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif mywhich update-rc.d ; then
 		if update-rc.d $PRODUCT enable; then
-		    echo "$PRODUCT will start automatically at boot"
+                    echo "$Product will start automatically at boot"
 		    echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 		else
 		    cant_autostart
@@ -549,31 +502,31 @@ if [ -z "$DESTDIR" ]; then
 	    /bin/true
 	else
 	    if [ -n "$SERVICEDIR" ]; then
-		if systemctl enable shorewall-init.service; then
-		    echo "Shorewall Init will start automatically at boot"
+		if systemctl enable ${PRODUCT}.service; then
+		    echo "$Product will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
-		if insserv ${INITDIR}/shorewall-init ; then
-		    echo "Shorewall Init will start automatically at boot"
+		if insserv ${INITDIR}/$PRODUCT ; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
-		if chkconfig --add shorewall-init ; then
-		    echo "Shorewall Init will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-init
+		if chkconfig --add $PRODUCT ; then
+		    echo "$Product will start automatically at boot"
+		    chkconfig --list $PRODUCT
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/rc-update ]; then
-		if rc-update add shorewall-init default; then
-		    echo "Shorewall Init will start automatically at boot"
+		if rc-update add $PRODUCT default; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
 		/etc/init.d/$PRODUCT enable
-		if /etc/init.d/shorewall-init enabled; then
+		if /etc/init.d/$PRODUCT enabled; then
 		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
@@ -587,11 +540,11 @@ else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
-		mkdir -p ${DESTDIR}/etc/rcS.d
+		make_parent_directory ${DESTDIR}/etc/rcS.d 0755
 	    fi

-	    ln -sf ../init.d/shorewall-init ${DESTDIR}${CONFDIR}/rcS.d/S38shorewall-init
-	    echo "Shorewall Init will start automatically at boot"
+	    ln -sf ../init.d/$PRODUCT ${DESTDIR}${CONFDIR}/rcS.d/S38${PRODUCT}
+	    echo "$Product will start automatically at boot"
 	fi
    fi
 fi
@@ -602,8 +555,8 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
    case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
+		make_parent_directory ${DESTDIR}/etc/ppp/$directory 0755 #SuSE doesn't create the IPv6 directories
+		cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
 	    done
 	    ;;
 	redhat)
@@ -614,13 +567,13 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
 		    if grep -qF Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
+			cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"
 			break
 		    fi
 		else
-		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
+		    cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
 		fi
 	    done
 	    ;;
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -1,12 +1,12 @@
 #!/bin/bash
-#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #	(c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called
 #	/etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is part of Shorewall.
 #
@@ -33,12 +33,12 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+        return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
-    else
-	return 0
    fi
 }

@@ -67,7 +67,6 @@ shorewall_start () {
    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    if [ -x ${STATEDIR}/firewall ]; then
 	    #
 	    # Run in a sub-shell to avoid name collisions
 	    #
@@ -77,7 +76,6 @@ shorewall_start () {
 		fi
 	    )
 	fi
-	fi
    done

    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
@@ -95,16 +93,23 @@ shorewall_stop () {
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    if [ -x ${STATEDIR}/firewall ]; then
+	    #
+	    # Run in sub-shell to avoid name collisions
+	    #
+	    (
+		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
 		    ${STATEDIR}/firewall ${OPTIONS} clear
 		fi
+	    )
 	fi
    done

    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
    fi

--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Init
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,62 +26,34 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx  #The Build script inserts the actual version
+VERSION=xxx # The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

+#
+# Source common functions
+#
+. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
+#
+# Parse the run line
+#
 finished=0
 configure=1

@@ -118,16 +90,17 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
+
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -137,72 +110,72 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file || exit 1
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi

-if [ -f ${SHAREDIR}/shorewall-init/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
+if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: Shorewall Init Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
    VERSION=""
 fi

-[ -n "${LIBEXEC:=${SHAREDIR}}" ]
-
-echo "Uninstalling Shorewall Init $VERSION"
+echo "Uninstalling $Product $VERSION"

 [ -n "$SANDBOX" ] && configure=0

-INITSCRIPT=${CONFDIR}/init.d/shorewall-init
+[ -n "${LIBEXEC:=${SHAREDIR}}" ]

-if [ -f "$INITSCRIPT" ]; then
+remove_file  ${SBINDIR}/$PRODUCT
+
+FIREWALL=${CONFDIR}/init.d/$PRODUCT
+
+if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
-	if [ $HOST = openwrt ]; then
-	    if /etc/init.d/shorewall-init enabled; then
-		/etc/init.d/shorewall-init disable
+	if [ $HOST = openwrt ] ; then
+	    if /etc/init.d/$PRODUCT enabled; then
+		/etc/init.d/$PRODUCT disable
 	    fi
-	elif mywhich updaterc.d ; then
-	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
-            insserv -r $INITSCRIPT
+            insserv -r $FIREWALL
+	elif mywhich update-rc.d ; then
+	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
-	    chkconfig --del $(basename $INITSCRIPT)
+	    chkconfig --del $(basename $FIREWALL)
 	fi
    fi

-    remove_file $INITSCRIPT
+    remove_file $FIREWALL
 fi

-if [ -z "${SERVICEDIR}" ]; then
-    SERVICEDIR="$SYSTEMD"
-fi
+[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"

 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
-    rm -f $SERVICEDIR/shorewall-init.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
+    remove_file $SERVICEDIR/${PRODUCT}.service
 fi

 if [ $HOST = openwrt ]; then
-    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
 else
-    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
 fi

-remove_file ${CONFDIR}/default/shorewall-init
-remove_file ${CONFDIR}/sysconfig/shorewall-init
+remove_file ${CONFDIR}/default/$PRODUCT
+remove_file ${CONFDIR}/sysconfig/$PRODUCT

 remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall

@@ -227,10 +200,11 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
 fi

-rm -f  ${SBINDIR}/shorewall-init
-rm -rf ${SHAREDIR}/shorewall-init
-rm -rf ${LIBEXECDIR}/shorewall-init
-
-echo "Shorewall Init Uninstalled"
-
+remove_directory ${SHAREDIR}/$PRODUCT
+remove_directory ${LIBEXECDIR}/$PRODUCT
+remove_file  ${CONFDIR}/logrotate.d/$PRODUCT

+#
+# Report Success
+#
+echo "$Product $VERSION Uninstalled"
--- a/Shorewall-lite/Shorewall-lite-targetname
+++ b/Shorewall-lite/Shorewall-lite-targetname
@@ -0,0 +1 @@
+5.2.4.1
--- a/Shorewall-lite/default.debian.systemd
+++ b/Shorewall-lite/default.debian.systemd
@@ -0,0 +1,26 @@
+#
+# Global start/restart/reload/stop options
+#
+OPTIONS=""
+
+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
+# EOF
--- a/Shorewall-lite/default.debian.sysvinit
+++ b/Shorewall-lite/default.debian.sysvinit
@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following varible to 1 in order to allow Shorewall-lite to start
+# set the following variable to 1 in order to allow Shorewall-lite to start

 startup=0

@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=

 #
-# Startup options
+# Global start/restart/reload/stop options
 #
 OPTIONS=""

@@ -30,6 +30,16 @@ STARTOPTIONS=""
 #
 RESTARTOPTIONS=""

+#
+# Reload options
+#
+RELOADOPTIONS=""
+
+#
+# Stop options
+#
+STOPOPTIONS=""
+
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
--- a/Shorewall-lite/init.alt.sh
+++ b/Shorewall-lite/init.alt.sh
@@ -0,0 +1,117 @@
+#!/bin/sh
+#
+# Shorewall-Lite init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+#
+### BEGIN INIT INFO
+# Provides: shorewall-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: $time $named
+# Required-Stop:
+# Default-Start: 3 4 5
+# Default-Stop:  0 1 2 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Do not load RH compatibility interface.
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+NAME="Shorewall-Lite firewall"
+PROG="shorewall"
+SHOREWALL="$SBINDIR/$PROG -l"
+LOGGER="logger -i -t $PROG"
+
+# Get startup options (override default)
+OPTIONS=
+
+SourceIfNotEmpty $SYSCONFDIR/${PROG}-lite
+
+LOCKFILE="/var/lock/subsys/${PROG}-lite"
+RETVAL=0
+
+start() {
+	action $"Applying $NAME rules:" "$SHOREWALL" "$OPTIONS" start "$STARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
+	return $RETVAL
+}
+
+stop() {
+	action $"Stoping $NAME :" "$SHOREWALL" "$OPTIONS" stop "$STOPOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
+	return $RETVAL
+}
+
+restart() {
+	action $"Restarting $NAME rules: " "$SHOREWALL" "$OPTIONS" restart "$RESTARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+reload() {
+	action $"Reloadinging $NAME rules: " "$SHOREWALL" "$OPTIONS" reload "$RELOADOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+clear() {
+	action $"Clearing $NAME rules: " "$SHOREWALL" "$OPTIONS" clear 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start)
+	    start
+	    ;;
+	stop)
+	    stop
+	    ;;
+	restart)
+	    restart
+	    ;;
+	reload)
+	    reload
+	    ;;
+	clear)
+	    clear
+	    ;;
+	condrestart)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condreload)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condstop)
+	    if [ -e "$LOCKFILE" ]; then
+		stop
+	    fi
+	    ;;
+	status)
+	    "$SHOREWALL" status
+	     RETVAL=$?
+	    ;;
+	*)
+	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|clear|condrestart|condstop|status}"
+	    RETVAL=1
+esac
+
+exit $RETVAL
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -1,13 +1,13 @@
 #!/bin/sh /etc/rc.common
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2015 - Matt Darfeuille - (matdarf@gmail.com)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -1,13 +1,13 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-lite/init.suse.sh
+++ b/Shorewall-lite/init.suse.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -8,7 +8,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -22,62 +22,19 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #

-VERSION=xxx #The Build script inserts the actual version
+VERSION=xxx # The Build script inserts the actual version

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ]"
-    echo "       $ME -v"
-    echo "       $ME -h"
-    echo "       $ME -n"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -96,19 +53,6 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

-make_directory() # $1 = directory , $2 = mode
-{
-    mkdir -p $1
-    chmod 755 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
-
-}
-
-require()
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
 #
 # Change to the directory containing this script
 #
@@ -122,6 +66,11 @@ else
    Product="Shorewall6 Lite"
 fi

+#
+# Source common functions
+#
+. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+
 #
 # Parse the run line
 #
@@ -168,12 +117,14 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc || exit 1
 	file=./shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc
+	file=~/.shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+	file=/usr/share/shorewall/shorewallrc
+        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -183,11 +134,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi
@@ -239,6 +190,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -247,6 +201,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f ${CONFDIR}/SuSE-release ]; then
@@ -315,11 +271,13 @@ case "$HOST" in
    openwrt)
 	echo "Installing OpenWRT-specific configuration..."
 	;;
+    alt)
+	echo "Installing ALT-specific configuration...";
+	;;
    linux)
 	;;
    *)
-	echo "ERROR: Unknown HOST \"$HOST\"" >&2
-	exit 1;
+	fatal_error "ERROR: Unknown HOST \"$HOST\""
 	;;
 esac

@@ -331,7 +289,7 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi

-    make_directory ${DESTDIR}${INITDIR} 755
+    make_parent_directory ${DESTDIR}${INITDIR} 0755

 else
    if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
@@ -371,25 +329,20 @@ fi

 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

-[ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
+[ -n "${INITFILE}" ] && make_parent_directory ${DESTDIR}${INITDIR} 0755

 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${SBINDIR}
-mkdir -p ${DESTDIR}${VARDIR}
-
-chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
-chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
+make_parent_directory ${DESTDIR}${CONFDIR}/$PRODUCT 0755
+make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
+make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
+make_parent_directory ${DESTDIR}${SBINDIR} 0755
+make_parent_directory ${DESTDIR}${VARDIR} 0755

 if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
-    mkdir -p ${DESTDIR}${INITDIR}
-    chmod 755 ${DESTDIR}${INITDIR}
+    make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
+    make_parent_directory ${DESTDIR}${INITDIR} 0755
 fi

 if [ -n "$INITFILE" ]; then
@@ -410,9 +363,9 @@ if [ -z "${SERVICEDIR}" ]; then
 fi

 if [ -n "$SERVICEDIR" ]; then
-    mkdir -p ${DESTDIR}${SERVICEDIR}
+    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 644
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -441,8 +394,14 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 #
 for f in lib.* ; do
    if [ -f $f ]; then
+        case $f in
+            *installer)
+                ;;
+            *)
                install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
                echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+                ;;
+        esac
    fi
 done

@@ -467,18 +426,18 @@ echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shor
 if [ -f modules ]; then
    install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600
    echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
+
+    for f in modules.*; do
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    done
 fi

 if [ -f helpers ]; then
-    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 600
+    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 0600
    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi

-for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 644
-    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-done
-
 #
 # Install the Man Pages
 #
@@ -486,19 +445,19 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages

-    mkdir -p ${DESTDIR}${MANDIR}/man5/
+    make_parent_directory ${DESTDIR}${MANDIR}/man5 0755

    for f in *.5; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 0644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done

-    mkdir -p ${DESTDIR}${MANDIR}/man8/
+    make_parent_directory ${DESTDIR}${MANDIR}/man8 0755

    for f in *.8; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done

@@ -508,7 +467,7 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 fi

 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 644
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi

@@ -516,7 +475,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
@@ -539,10 +498,7 @@ ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
 if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-    if [ ${DESTDIR} ]; then
-	mkdir -p ${DESTDIR}${SYSCONFDIR}
-	chmod 755 ${DESTDIR}${SYSCONFDIR}
-    fi
+    [ ${DESTDIR} ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755

    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall-lite/lib.base
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-lite/manpages/shorewall-lite.conf.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.conf.xml
@@ -183,7 +183,7 @@
    <title>See ALSO</title>

    <para><ulink
-    url="http://www.shorewall.net/Documentation_Index.html">http://www.shorewall.net/Documentation_Index.html</ulink></para>
+    url="https://shorewall.org/Documentation_Index.html">https://shorewall.org/Documentation_Index.html</ulink></para>

    <para>shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,7 +38,6 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall-lite/shorewall-lite.conf
+++ b/Shorewall-lite/shorewall-lite.conf
@@ -8,7 +8,7 @@
 #  "man shorewall-lite.conf"
 #
 #  Manpage also online at
-#  http://www.shorewall.net/manpages/shorewall-lite.conf.html
+#  https://shorewall.org/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall
+# Script to back uninstall Shoreline Firewall Lite
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,9 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx  #The Build script inserts the actual version
-PRODUCT=shorewall-lite
-Product="Shorewall Lite"
+VERSION=xxx # The Build script inserts the actual version

 usage() # $1 = exit status
 {
@@ -41,46 +39,27 @@ usage() # $1 = exit status
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"

-qt()
-{
-    "$@" >/dev/null 2>&1
-}
+if [ -f shorewall-lite.service ]; then
+    PRODUCT=shorewall-lite
+    Product="Shorewall Lite"
+else
+    PRODUCT=shorewall6-lite
+    Product="Shorewall6 Lite"
+fi

-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
+#
+# Source common functions
+#
+. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }

+#
+# Parse the run line
+#
 finished=0
 configure=1

@@ -97,7 +76,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "$Product Firewall Uninstaller Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -117,16 +96,17 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
+
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
+        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
+        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
+        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -136,46 +116,50 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file
+	    file=./$file || exit 1
 	    ;;
    esac

-    . $file
+    . $file || fatal_error "Can not load the RC file: $file"
 else
    usage 1
 fi

-if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
+if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
+	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: Shorewall Lite Version $VERSION is not installed"
+    echo "WARNING: $Product Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling Shorewall Lite $VERSION"
+echo "Uninstalling $Product $VERSION"

 [ -n "$SANDBOX" ] && configure=0

 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-	shorewall-lite clear
+	${SBINDIR}/$PRODUCT clear
+    elif qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
+	${SBINDIR}/$PRODUCT clear
    fi
 fi

-if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
+remove_file ${SBINDIR}/$PRODUCT
+
+if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
    if [ $HOST = openwrt ]; then
-	if [ $configure -eq 1 ] && /etc/init.d/shorewall-lite enabled; then
-	    /etc/init.d/shorewall-lite disable
+	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
+	    /etc/init.d/$PRODUCT disable
 	fi
 	
-	FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
+	FIREWALL=$(readlink ${SHAREDIR}/$PRODUCT/init)
    else
-	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
    fi
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
@@ -183,10 +167,10 @@ fi

 if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
-	if mywhich updaterc.d ; then
-	    updaterc.d shorewall-lite remove
-	elif mywhich insserv ; then
+	if mywhich insserv ; then
            insserv -r $FIREWALL
+	elif mywhich update-rc.d ; then
+	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	fi
@@ -195,26 +179,29 @@ if [ -f "$FIREWALL" ]; then
    remove_file $FIREWALL
 fi

-[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
+[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"

 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    rm -f $SERVICEDIR/shorewall-lite.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
+    remove_file $SERVICEDIR/${PRODUCT}.service
 fi

-rm -f ${SBINDIR}/shorewall-lite
+remove_directory ${CONFDIR}/$PRODUCT
+remove_directory ${VARDIR}
+remove_directory ${SHAREDIR}/$PRODUCT
+remove_directory ${LIBEXECDIR}/$PRODUCT
+remove_file  ${CONFDIR}/logrotate.d/$PRODUCT

-rm -rf ${CONFDIR}/shorewall-lite
-rm -rf ${VARDIR}
-rm -rf ${SHAREDIR}/shorewall-lite
-rm -rf ${LIBEXECDIR}/shorewall-lite
-rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-rm -f  ${SYSCONFDIR}/shorewall-lite
+if [ -n "$SYSCONFDIR" ]; then
+    [ -n "$SYSCONFFILE" ] && remove_file ${SYSCONFDIR}/${PRODUCT}
+fi

 if [ -n "${MANDIR}" ]; then
-    rm -f ${MANDIR}/man5/shorewall-lite*
-    rm -f ${MANDIR}/man8/shorewall-lite*
+    remove_file_with_wildcard ${MANDIR}/man5/${PRODUCT}\*
+    remove_file_with_wildcard ${MANDIR}/man8/${PRODUCT}\*
 fi

-echo "Shorewall Lite Uninstalled"
-
+#
+# Report Success
+#
+echo "$Product $VERSION Uninstalled"
--- a/Shorewall/Actions/action.A_Drop
+++ b/Shorewall/Actions/action.A_Drop
@@ -1,55 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.A_Drop
-#
-# The audited default DROP common rules
-#
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-?require AUDIT_TARGET
-###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special Handling for Auth
-#
-Auth(A_DROP)
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before broadcast Drop.
-#
-A_AllowICMPs	-	-	icmp
-#
-# Don't log broadcasts
-#
-dropBcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-dropInvalid(audit)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_DROP)
-A_DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
@@ -1,13 +1,13 @@
 #
-# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
+# Shorewall -- /usr/share/shorewall/action.A_REJECT
 #
 # A_REJECT Action.
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
@@ -5,9 +5,9 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ b/Shorewall/Actions/action.A_Reject.deprecated
@@ -1,51 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.A_Reject
-#
-# The audited default REJECT action common rules
-#
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-#ACTION		SOURCE	DEST	PROTO
-#
-# Count packets that come through here
-#
-COUNT
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before broadcast Drop.
-#
-A_AllowICMPs	-	-	icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid(audit)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_REJECT)
-A_DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -7,5 +7,38 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

 DEFAULTS ACCEPT
-@1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
-@1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
+
+?if __IPV4
+    @1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
+    @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
+?else
+?COMMENT Needed ICMP types (RFC4890)
+    @1	-		-	ipv6-icmp	destination-unreachable
+    @1	-		-	ipv6-icmp	packet-too-big
+    @1	-		-	ipv6-icmp	time-exceeded
+    @1	-		-	ipv6-icmp	parameter-problem
+
+# The following should have a ttl of 255 and must be allowed to transit a bridge
+    @1	-		-	ipv6-icmp	router-solicitation
+    @1	-		-	ipv6-icmp	router-advertisement
+    @1	-		-	ipv6-icmp	neighbour-solicitation
+    @1	-		-	ipv6-icmp	neighbour-advertisement
+    @1	-		-	ipv6-icmp	137	# Redirect
+    @1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
+    @1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
+
+# The following should have a link local source address and must be allowed to transit a bridge
+    @1	fe80::/10	-	ipv6-icmp	130	# Listener query
+    @1	fe80::/10	-	ipv6-icmp	131	# Listener report
+    @1	fe80::/10	-	ipv6-icmp	132	# Listener done
+    @1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
+
+# The following should be received with a ttl of 255 and must be allowed to transit a bridge
+    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
+    @1	-		-	ipv6-icmp	149	# Certificate path advertisement
+
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
+    @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
+    @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
+    @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
+?endif
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -3,9 +3,9 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
@@ -20,7 +20,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Broadcast[([<action>|-[,{audit|-}])]
+# Broadcast[([<action>|[,{audit|-}])]
 #
 # Default action is DROP
 #
@@ -29,27 +29,37 @@
 DEFAULTS DROP,-

 ?if __ADDRTYPE
-@1	-	-	-	;; -m addrtype --dst-type BROADCAST
-@1	-	-	-	;; -m addrtype --dst-type ANYCAST
+    @1	-	-	-	;; -m addrtype --dst-type BROADCAST
+    @1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
-?begin perl;
+    ?begin perl;

-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
+    use strict;
+    use Shorewall::IPAddrs;
+    use Shorewall::Config;
+    use Shorewall::Chains;

-my ( $action )         = get_action_params( 1 );
-my $chainref           = get_action_chain;
-my ( $level, $tag )    = get_action_logging;
+    my ( $action, $audit ) = get_action_params( 2 );
+    my $chainref           = get_action_chain;
+    my ( $level, $tag )    = get_action_logging;

-add_commands $chainref, 'for address in $ALL_BCASTS; do';
-incr_cmd_level $chainref;
-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-add_jump $chainref, $action, 0, "-d \$address ";
-decr_cmd_level $chainref;
-add_commands $chainref, 'done';
+    fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit';

-1;
+    my $target             = require_audit ( $action , $audit );

-?end perl;
+    if ( $family == F_IPV4 ) {
+        add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    } elsif ($family == F_IPV6 ) {
+        add_commands $chainref, 'for address in $ALL_ACASTS; do';
+    }
+
+    incr_cmd_level $chainref;
+    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+    add_jump $chainref, $target, 0, "-d \$address ";
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+
+    1;
+
+    ?end perl;
 ?endif
--- a/Shorewall/Actions/action.DNSAmp
+++ b/Shorewall/Actions/action.DNSAmp
@@ -5,9 +5,9 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.Drop.deprecated
+++ b/Shorewall/Actions/action.Drop.deprecated
@@ -1,84 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Drop
-#
-# The former default DROP common rules. Use of this action is now deprecated
-#
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# The action accepts six optional parameters:
-#
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#     actions.
-# 2 - Action to take with Auth requests. Default is to do nothing special
-#     with them.
-# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
-#     depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-#     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
-#     is DROP or A_DROP depending on the first parameter.
-# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
-#     depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
-    ?else
-        ?error The first parameter to Drop must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
-?endif
-
-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special Handling for Auth
-#
-?if passed(@2)
-Auth(@2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before silent broadcast Drop.
-#
-AllowICMPs(@4)	-	-	icmp
-#
-# Don't log broadcasts or multicasts
-#
-Broadcast(DROP,@1)
-Multicast(DROP,@1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-Invalid(DROP,@1)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(@3)
-DropUPnP(@6)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,@1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep(@5)
--- a/Shorewall/Actions/action.Established
+++ b/Shorewall/Actions/action.Established
@@ -5,9 +5,9 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.FIN
+++ b/Shorewall/Actions/action.FIN
@@ -0,0 +1,33 @@
+#
+# Shorewall -- /usr/share/shorewall/action.FIN
+#
+# FIN Action
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at https://shorewall.org
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# FIN[([<action>])]
+#
+# Default action is ACCEPT
+#
+###############################################################################
+
+DEFAULTS ACCEPT,-
+
+@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN ACK,FIN
--- a/Shorewall/Actions/action.GlusterFS
+++ b/Shorewall/Actions/action.GlusterFS
@@ -13,9 +13,9 @@
 DEFAULTS 2,0

 ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
-    ?error Invalid value for Bricks (@1)
+    ?error Invalid value (@1) for the GlusterFS Bricks argument
 ?elsif @2 !~ /^[01]$/
-    ?error Invalid value for IB (@2)
+    ?error Invalid value (@2) for the GlusterFS IB argument
 ?endif

 #ACTION		SOURCE		DEST		PROTO	DPORT
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -27,7 +27,7 @@
 #                the IP address that are older than <duration> seconds.
 # Disposition  - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 ###############################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
@@ -107,11 +107,14 @@ if ( $command & $REAP_OPT ) {

 $duration .= '--rttl ' if $command & $TTL_OPT;

+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "-m recent --rcheck ${duration}--hitcount $hitcount" );
+    $action = 'ACCEPT';
+}
+
 if ( $command & $RESET_CMD ) {
    require_capability 'MARK_ANYWHERE', '"reset"', 's';
    
-    print "Resetting....\n";
-    
    my $mark = $globals{EVENT_MARK};
    #
    # The event mark bit must be within 32 bits
@@ -130,7 +133,7 @@ if ( $command & $RESET_CMD ) {
    #
    # if the event is armed, remove it and perform the action
    #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdst" );
 } elsif ( $command & $UPDATE_CMD ) {
    perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {
--- a/Shorewall/Actions/action.Invalid
+++ b/Shorewall/Actions/action.Invalid
@@ -4,9 +4,9 @@
 # Invalid Action
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.Limit
+++ b/Shorewall/Actions/action.Limit
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
@@ -22,6 +22,49 @@
 #
 # Limit(<recent-set>,<num-connections>,<timeout>)
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -,-,-
+
+?begin perl
+
+use strict;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref        = get_action_chain;
+my @param           = get_action_params(3);
+my ( $level, $tag ) = get_action_logging;
+
+@param = split( ',', $tag ), $tag = $param[0] unless supplied( join '', @param );
+
+fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
+
+my $set   = $param[0];
+
+for ( @param[1,2] ) {
+    fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
+}
+
+my $count = $param[1] + 1;
+
+require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
+
+warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
+
+add_irule $chainref, recent => "--name $set --set";
+
+if ( $level ne '' ) {
+    my $xchainref = new_chain 'filter' , "$chainref->{name}%";
+    log_irule_limit( $level, $xchainref, '', 'DROP', [], $tag, 'add' , '' );
+    add_ijump $xchainref, j => 'DROP';
+    add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
+} else {
+    add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
+}
+
+add_ijump $chainref, j => 'ACCEPT';
+
+1;
+
+?end perl
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -3,9 +3,9 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
@@ -29,22 +29,28 @@
 DEFAULTS DROP,-

 ?if __ADDRTYPE
-@1	-	-	-	;; -m addrtype --dst-type MULTICAST
+    @1	-	-	-	;; -m addrtype --dst-type MULTICAST
 ?else
-?begin perl;
+    ?begin perl;

-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
+    use strict;
+    use Shorewall::IPAddrs;
+    use Shorewall::Config;
+    use Shorewall::Chains;

-my ( $action )         = get_action_params( 1 );
-my $chainref           = get_action_chain;
-my ( $level, $tag )    = get_action_logging;
+    my ( $action, $audit ) = get_action_params( 2 );
+    my $chainref           = get_action_chain;
+    my ( $level, $tag )    = get_action_logging;

-log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
+    fatal_error "Invalid parameter to action Multicast" if supplied $audit && $audit ne 'audit';

-1;
+    my $target = require_audit ( $action , $audit );
+    my $dest   = ( $family == F_IPV4 ) ? join( ' ', '-d', IPv4_MULTICAST . ' ' ) : join( ' ', '-d', IPv6_MULTICAST . ' ' );

-?end perl;
+    log_rule_limit( $level, $chainref, 'Multicast' , $action, '', $tag, 'add', $dest ) if $level ne '';
+    add_jump $chainref, $target, 0, $dest;
+
+    1;
+
+    ?end perl;
 ?endif
--- a/Shorewall/Actions/action.New
+++ b/Shorewall/Actions/action.New
@@ -5,9 +5,9 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.NotSyn
+++ b/Shorewall/Actions/action.NotSyn
@@ -5,9 +5,9 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.RST
+++ b/Shorewall/Actions/action.RST
@@ -5,9 +5,9 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.Reject.deprecated
+++ b/Shorewall/Actions/action.Reject.deprecated
@@ -1,85 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Reject
-#
-# The former default REJECT action common rules. Use of this action is deprecated.
-#
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# The action accepts six optional parameters:
-#
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#     actions.
-# 2 - Action to take with Auth requests. Default is to do nothing
-#     special with them.
-# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-#     depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-#     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
-#     is DROP or A_DROP depending on the first parameter.
-# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
-#     depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
-    ?else
-	?error The first parameter to Reject must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
-?endif
-
-#ACTION		SOURCE	DEST	PROTO
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special handling for Auth
-#
-?if passed(@2)
-Auth(@2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before silent broadcast Drop.
-#
-AllowICMPs(@4)	-	-	icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-Broadcast(DROP,@1)
-Multicast(DROP,@1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-Invalid(DROP,@1)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(@3)
-DropUPnP(@6)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,@1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep(@5)
--- a/Shorewall/Actions/action.Related
+++ b/Shorewall/Actions/action.Related
@@ -5,9 +5,9 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any rule generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 ###############################################################################
 #                        DO NOT REMOVE THE FOLLOWING LINE
@@ -41,6 +41,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;

+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "" );
+    $action = 'ACCEPT';
+}
+
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
 } else {
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #

 DEFAULTS -,ACCEPT,src
@@ -37,6 +37,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;

+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "" );
+    $action = 'ACCEPT';
+}
+
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {
--- a/Shorewall/Actions/action.TCPFlags
+++ b/Shorewall/Actions/action.TCPFlags
@@ -26,4 +26,4 @@ $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
-$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
+$tcpflags_action	-	-	;;+ -p 6 --syn --sport 0
--- a/Shorewall/Actions/action.Untracked
+++ b/Shorewall/Actions/action.Untracked
@@ -5,9 +5,9 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.allowBcast
+++ b/Shorewall/Actions/action.allowBcast
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
@@ -22,6 +22,17 @@
 #
 # allowBcast[([audit])]
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Broadcast(A_ACCEPT)
+    ?else
+	?error "Invalid argument (@1) to allowBcast"
+    ?endif
+?else
+    Broadcast(ACCEPT)
+?endif
--- a/Shorewall/Actions/action.allowInvalid
+++ b/Shorewall/Actions/action.allowInvalid
@@ -3,9 +3,9 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.allowMcast
+++ b/Shorewall/Actions/action.allowMcast
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
@@ -22,6 +22,17 @@
 #
 # allowMcast[([audit])]
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Multicast(A_ACCEPT)
+    ?else
+	?error "Invalid argument (@1) to allowMcast"
+    ?endif
+?else
+    Multicast(ACCEPT)
+?endif
--- a/Shorewall/Actions/action.allowinUPnP
+++ b/Shorewall/Actions/action.allowinUPnP
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
@@ -22,6 +22,19 @@
 #
 # allowinUPnP[([audit])]
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	A_ACCEPT - - 17 1900
+	A_ACCEPT - -  6 49152
+    ?else
+	?error "Invalid argument (@1) to allowinUPnP"
+    ?endif
+?else
+    ACCEPT - - 17 1900
+    ACCEPT - -	6 49152
+?endif
--- a/Shorewall/Actions/action.dropBcast
+++ b/Shorewall/Actions/action.dropBcast
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
@@ -22,6 +22,18 @@
 #
 # dropBcast[([audit])]
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Broadcast(A_DROP)
+    ?else
+	?error "Invalid argument (@1) to dropBcast"
+    ?endif
+?else
+    Broadcast(DROP)
+?endif
+
--- a/Shorewall/Actions/action.dropBcasts
+++ b/Shorewall/Actions/action.dropBcasts
@@ -0,0 +1,39 @@
+#
+# Shorewall -- /usr/share/shorewall/action.dropBcasts
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at https://shorewall.org
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# dropBcasts[([audit])]
+#
+###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Broadcast(A_DROP)
+    ?else
+	?error "Invalid argument (@1) to dropBcasts"
+    ?endif
+?else
+    Broadcast(DROP)
+?endif
+
--- a/Shorewall/Actions/action.dropInvalid
+++ b/Shorewall/Actions/action.dropInvalid
@@ -5,9 +5,9 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.dropMcast
+++ b/Shorewall/Actions/action.dropMcast
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
@@ -22,6 +22,17 @@
 #
 # dropMcast[([audit])]
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	Multicast(A_DROP)
+    ?else
+	?error "Invalid argument (@1) to dropMcast"
+    ?endif
+?else
+    Multicast(DROP)
+?endif
--- a/Shorewall/Actions/action.dropNotSyn
+++ b/Shorewall/Actions/action.dropNotSyn
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
@@ -22,6 +22,17 @@
 #
 # dropNotSyn[([audit])]
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	A_DROP {proto=6:!syn}
+    ?else
+	?error "Invalid argument (@1) to dropNotSyn"
+    ?endif
+?else
+    DROP {proto=6:!syn}
+?endif
--- a/Shorewall/Actions/action.forwardUPnP
+++ b/Shorewall/Actions/action.forwardUPnP
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
@@ -22,6 +22,22 @@
 #
 # forwardUPnP
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?begin perl
+
+use strict;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref = get_action_chain;
+
+set_optflags( $chainref, DONT_OPTIMIZE );
+
+add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
+
+1;
+
+?end perl
--- a/Shorewall/Actions/action.mangletemplate
+++ b/Shorewall/Actions/action.mangletemplate
@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
+# Please see https://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/mangle.
--- a/Shorewall/Actions/action.rejNotSyn
+++ b/Shorewall/Actions/action.rejNotSyn
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
@@ -22,6 +22,18 @@
 #
 # rejNotSyn[([audit])]
 #
-# This is a built-in action.
-#
 ###############################################################################
+
+DEFAULTS -
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+	?require AUDIT_TARGET
+	A_REJECT {proto=6:!syn}
+    ?else
+	?error "Invalid argument (@1) to rejNotSyn"
+    ?endif
+?else
+    REJECT(tcp-reset) {proto=6:!syn}
+?endif
+
--- a/Shorewall/Actions/action.template
+++ b/Shorewall/Actions/action.template
@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
+# Please see https://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/rules.
--- a/Shorewall/Contrib/swping
+++ b/Shorewall/Contrib/swping
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V5.2
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #
@@ -21,7 +21,7 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#  For information about this script, see  http://www.shorewall.net/MultiISP.html#swping.
+#  For information about this script, see  https://shorewall.org/MultiISP.html#swping.
 #
 ###########################################################################################
 #
--- a/Shorewall/Contrib/swping.init
+++ b/Shorewall/Contrib/swping.init
@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -7,7 +7,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/INSTALL
+++ b/Shorewall/INSTALL
@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5

 ---------------------------------------------------------------------------

-Please see http://www.shorewall.net/Install.htm for installation
+Please see https://shorewall.org/Install.htm for installation
 instructions.


--- a/Shorewall/Macros/IPFS-swarm
+++ b/Shorewall/Macros/IPFS-swarm
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
+#
+# This macro handles IPFS data traffic (the connection to IPFS swarm).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     4001
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ b/Shorewall/Macros/macro.SNMPTrap.deprecated
@@ -1,9 +1,9 @@
 #
-# Shorewall - /usr/share/shorewall/macro.SNMPtrap
+# Shorewall -- /usr/share/shorewall/macro.Apcupsd
 #
-# This macro deprecated by SNMPtrap.
+# This macro handles apcupsd traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

-SNMPtrap
+PARAM	-	-	tcp	3551
--- a/Shorewall/Macros/macro.Bitcoin
+++ b/Shorewall/Macros/macro.Bitcoin
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Bitcoin
+#
+# Macro for handling Bitcoin P2P traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8333
--- a/Shorewall/Macros/macro.BitcoinRPC
+++ b/Shorewall/Macros/macro.BitcoinRPC
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRPC
+#
+# Macro for handling Bitcoin RPC traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8332
--- a/Shorewall/Macros/macro.BitcoinRegtest
+++ b/Shorewall/Macros/macro.BitcoinRegtest
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRegtest
+#
+# Macro for handling Bitcoin P2P traffic (Regtest mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18444
--- a/Shorewall/Macros/macro.BitcoinTestnet
+++ b/Shorewall/Macros/macro.BitcoinTestnet
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinTestnet
+#
+# Macro for handling Bitcoin P2P traffic (Testnet mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18333
--- a/Show More
+++ b/Show More