Clear inline matches between calls to process_rule()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Add a jump to DOCKER from OUTPUT
2016-03-16 14:03:47 -07:00 · 2016-03-16 10:04:22 -07:00 · 2016-03-16 09:12:45 -07:00 · 2016-03-10 13:42:42 -08:00
283 changed files with 14571 additions and 16844 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -235,8 +235,7 @@ for on in \
    SPARSE \
    ANNOTATED \
    VARLIB \
-    VARDIR \
-    DEFAULT_PAGER
+    VARDIR
 do
    echo "$on=${options[${on}]}"
    echo "$on=${options[${on}]}" >> shorewallrc
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -209,8 +209,7 @@ for ( qw/ HOST
 	  SPARSE
 	  ANNOTATED
 	  VARLIB
-	  VARDIR
-          DEFAULT_PAGER / ) {
+	  VARDIR / ) {

    my $val = $options{$_} || '';

--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -22,20 +22,64 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version
+
 PRODUCT=shorewall-core
 Product="Shorewall Core"
-
+ 
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
+    echo "usage: $ME [ <configuration-file> ] "
+    echo "       $ME -v"
+    echo "       $ME -h"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -54,16 +98,16 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-#
-# Source common functions
-#
-. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
 #
 # Parse the run line
 #
@@ -82,7 +126,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "Shorewall Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    *)
@@ -104,14 +148,14 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc
 	file=./shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	. /usr/share/shorewall/shorewallrc
 	file=/usr/share/shorewall/shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -125,7 +169,7 @@ elif [ $# -eq 1 ]; then
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -241,12 +285,13 @@ case "$HOST" in
    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
 	;;
    *)
-	fatal_error "Unknown HOST \"$HOST\""
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
 	;;
 esac

 if [ -z "$file" ]; then
-    if [ $HOST = linux ]; then
+    if $HOST = linux; then
 	file=shorewallrc.default
    else
 	file=shorewallrc.${HOST}
@@ -259,8 +304,7 @@ if [ -z "$file" ]; then
    echo "" >&2
    echo "Example:" >&2
    echo "" >&2
-    echo "   ./install.sh $file" >&2
-    exit 1
+    echo "   ./install.sh $file" &>2
 fi

 if [ -n "$DESTDIR" ]; then
@@ -271,31 +315,45 @@ if [ -n "$DESTDIR" ]; then
    fi
 fi

-echo "Installing $Product Version $VERSION"
+echo "Installing Shorewall Core Version $VERSION"

 #
 # Create directories
 #
-make_parent_directory ${DESTDIR}${LIBEXECDIR}/shorewall 0755
+mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
+chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall

-make_parent_directory ${DESTDIR}${SHAREDIR}/shorewall 0755
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall

-make_parent_directory ${DESTDIR}${CONFDIR} 0755
+mkdir -p ${DESTDIR}${CONFDIR}
+chmod 755 ${DESTDIR}${CONFDIR}

-[ -n "${SYSCONFDIR}" ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+if [ -n "${SYSCONFDIR}" ]; then
+    mkdir -p ${DESTDIR}${SYSCONFDIR}
+    chmod 755 ${DESTDIR}${SYSCONFDIR}
+fi

 if [ -z "${SERVICEDIR}" ]; then
    SERVICEDIR="$SYSTEMD"
 fi

-[ -n "${SERVICEDIR}" ] && make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+if [ -n "${SERVICEDIR}" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
+    chmod 755 ${DESTDIR}${SERVICEDIR}
+fi

-make_parent_directory ${DESTDIR}${SBINDIR} 0755
+mkdir -p ${DESTDIR}${SBINDIR}
+chmod 755 ${DESTDIR}${SBINDIR}

-[ -n "${MANDIR}" ] && make_parent_directory ${DESTDIR}${MANDIR} 0755
+if [ -n "${MANDIR}" ]; then
+    mkdir -p ${DESTDIR}${MANDIR}
+    chmod 755 ${DESTDIR}${MANDIR}
+fi

 if [ -n "${INITFILE}" ]; then
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}

    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
 	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
@@ -307,12 +365,6 @@ fi
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
 #
-# Install the CLI
-#
-install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
-echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"
-#
 # Install wait4ifup
 #
 install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
@@ -324,41 +376,10 @@ echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
 # Install the libraries
 #
 for f in lib.* ; do
-    case $f in
-        *installer)
-            ;;
-        *)
-            install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
-            echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
-            ;;
-    esac
+    install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
+    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done

-if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
-fi
-
-#
-# Install the Man Pages
-#
-if [ -n "$MANDIR" ]; then
-    cd manpages
-
-    [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
-
-    for f in *.8; do
-	gzip -9c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
-	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
-    done
-
-    cd ..
-
-    echo "Man Pages Installed"
-fi
-
 #
 # Symbolically link 'functions' to lib.base
 #
@@ -367,7 +388,7 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
-chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion

 if [ -z "${DESTDIR}" ]; then
    if [ $update -ne 0 ]; then
@@ -392,20 +413,14 @@ fi

 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
-        case $f in
-            *installer)
-                ;;
-            *)
-                if [ $BUILD != apple ]; then
-                    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
-                else
-                    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
-                fi
-                ;;
-        esac
+	if [ $BUILD != apple ]; then
+	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+	else
+	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+	fi
    done
 fi
 #
-# Report Success
+#  Report Success
 #
-echo "$Product Version $VERSION Installed"
+echo "Shorewall Core Version $VERSION Installed"
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -20,22 +20,412 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-# This library is a compatibility wrapper around lib.core.
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
 #

-if [ -z "$PRODUCT" ]; then
+SHOREWALL_LIBVERSION=40509
+
+[ -n "${g_program:=shorewall}" ]
+
+if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} != /usr/share
    #
    . /usr/share/shorewall/shorewallrc

-    g_basedir=${SHAREDIR}/shorewall
+    g_sharedir="$SHAREDIR"/$g_program
+    g_confdir="$CONFDIR"/$g_program
+    g_readrc=1
+fi

-    if [ -z "$SHOREWALL_LIBVERSION" ]; then
-	. ${g_basedir}/lib.core
+g_basedir=${SHAREDIR}/shorewall
+
+case $g_program in
+    shorewall)
+	g_product="Shorewall"
+	g_family=4
+	g_tool=iptables
+	g_lite=
+	;;
+    shorewall6)
+	g_product="Shorewall6"
+	g_family=6
+	g_tool=ip6tables
+	g_lite=
+	;;
+    shorewall-lite)
+	g_product="Shorewall Lite"
+	g_family=4
+	g_tool=iptables
+	g_lite=Yes
+	;;
+    shorewall6-lite)
+	g_product="Shorewall6 Lite"
+	g_family=6
+	g_tool=ip6tables
+	g_lite=Yes
+	;;
+esac
+
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/$g_program
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+fi
+
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
+#
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 6
+}
+
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message2() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message3() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+#
+# Undo the effect of 'separate_list()'
+#
+combine_list()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o,}$f"
+    done
+
+    echo $o
+}
+
+#
+# Validate an IP address
+#
+valid_address() {
+    local x
+    local y
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	case $x in
+	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
+		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
+                ;;
+	    *)
+	        IFS=$ifs
+		return 2
+		;;
+	esac
+    done
+
+    IFS=$ifs
+
+    return 0
+}
+
+#
+# Miserable Hack to work around broken BusyBox ash in OpenWRT
+#
+addr_comp() {
+    test $(bc <<EOF
+$1 > $2
+EOF
+) -eq 1
+
+}
+
+#
+# Enumerate the members of an IP range -- When using a shell supporting only
+# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
+#
+# Comes in two flavors:
+#
+# ip_range() - produces a mimimal list of network/host addresses that spans
+#              the range.
+#
+# ip_range_explicit() - explicitly enumerates the range.
+#
+ip_range() {
+    local first
+    local last
+    local l
+    local x
+    local y
+    local z
+    local vlsm
+
+    case $1 in
+	!*)
+	    #
+	    # Let iptables complain if it's a range
+	    #
+	    echo $1
+	    return
+	    ;;
+	[0-9]*.*.*.*-*.*.*.*)
+            ;;
+	*)
+	    echo $1
+	    return
+	    ;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
    fi

-    set_default_product
+    l=$(( $last + 1 ))

-    setup_product_environment
-fi
+    while addr_comp $l $first; do
+	vlsm=
+	x=31
+	y=2
+	z=1
+
+	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
+	    vlsm=/$x
+	    x=$(( $x - 1 ))
+	    z=$y
+	    y=$(( $y * 2 ))
+	done
+
+	echo $(encodeaddr $first)$vlsm
+	first=$(($first + $z))
+    done
+}
+
+ip_range_explicit() {
+    local first
+    local last
+
+    case $1 in
+    [0-9]*.*.*.*-*.*.*.*)
+	;;
+    *)
+	echo $1
+	return
+	;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
+    fi
+
+    while ! addr_comp $first $last; do
+	echo $(encodeaddr $first)
+	first=$(($first + 1))
+    done
+}
+
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+
+#
+# Netmask to VLSM
+#
+ip_vlsm() {
+    local mask
+    mask=$(decodeaddr $1)
+    local vlsm
+    vlsm=0
+    local x
+    x=$(( 128 << 24 )) # 0x80000000
+
+    while [ $(( $x & $mask )) -ne 0 ]; do
+	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
+	vlsm=$(($vlsm + 1))
+    done
+
+    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
+	echo "Invalid net mask: $1" >&2
+    else
+	echo $vlsm
+    fi
+}
+
+#
+# Set default config path
+#
+ensure_config_path() {
+    local F
+    F=${g_sharedir}/configpath
+    if [ -z "$CONFIG_PATH" ]; then
+	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
+	. $F
+    fi
+
+    if [ -n "$g_shorewalldir" ]; then
+	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+    fi
+}
+
+#
+# Get fully-qualified name of file
+#
+resolve_file() # $1 = file name
+{
+    local pwd
+    pwd=$PWD
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	.)
+	    echo $pwd
+	    ;;
+	./*)
+	    echo ${pwd}${1#.}
+	    ;;
+	..)
+	    cd ..
+	    echo $PWD
+	    cd $pwd
+	    ;;
+	../*)
+	    cd ..
+	    resolve_file ${1#../}
+	    cd $pwd
+	    ;;
+	*)
+	    echo $pwd/$1
+	    ;;
+    esac
+}
+
+#
+# Determine how to do "echo -e"
+#
+
+find_echo() {
+    local result
+
+    result=$(echo "a\tb")
+    [ ${#result} -eq 3 ] && { echo echo; return; }
+
+    result=$(echo -e "a\tb")
+    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
+
+    result=$(which echo)
+    [ -n "$result" ] && { echo "$result -e"; return; }
+
+    echo echo
+}
+
+# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
+#
+#     None - No mktemp
+#     BSD  - BSD mktemp (Mandrake)
+#     STD  - mktemp.org mktemp
+#
+find_mktemp() {
+    local mktemp
+    mktemp=`mywhich mktemp 2> /dev/null`
+
+    if [ -n "$mktemp" ]; then
+	if qt mktemp -V ; then
+	    MKTEMP=STD
+	else
+	    MKTEMP=BSD
+	fi
+    else
+	MKTEMP=None
+    fi
+}
+
+#
+# create a temporary file. If a directory name is passed, the file will be created in
+# that directory. Otherwise, it will be created in a temporary directory.
+#
+mktempfile() {
+
+    [ -z "$MKTEMP" ] && find_mktemp
+
+    if [ $# -gt 0 ]; then
+	case "$MKTEMP" in
+	    BSD)
+		mktemp $1/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -p $1 shorewall.XXXXXX
+		;;
+	    None)
+		> $1/shorewall-$$ && echo $1/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    else
+	case "$MKTEMP" in
+	    BSD)
+		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -t shorewall.XXXXXX
+		;;
+	    None)
+		rm -f ${TMPDIR:-/tmp}/shorewall-$$
+		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    fi
+}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -25,22 +25,6 @@
 # scripts rather than loaded at run-time.
 #
 #########################################################################################
-#
-# Wrapper around logger that sets the tag according to $SW_LOGGERTAG
-#
-mylogger() {
-    local level
-
-    level=$1
-    shift
-
-    if [ -n "$SW_LOGGERTAG" ]; then
-	logger -p $level -t "$SW_LOGGERTAG" $*
-    else
-	logger -p $level $*
-    fi
-}
-
 #
 # Issue a message and stop
 #
@@ -49,24 +33,24 @@ startup_error() # $* = Error Message
    echo "   ERROR: $@: Firewall state not changed" >&2

    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %e %T') "
+        timestamp="$(date +'%b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi

    case $COMMAND in
        start)
-	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac

    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %e %T') "
+        timestamp="$(date +'%b %d %T') "

 	case $COMMAND in
 	    start)
@@ -712,9 +696,9 @@ find_file()
 set_state () # $1 = state
 {
    if [ $# -gt 1 ]; then
-	echo "$1 $(date) from $2" > ${VARDIR}/state
+	echo "$1 ($(date)) from $2" > ${VARDIR}/state
    else
-	echo "$1 $(date)" > ${VARDIR}/state
+	echo "$1 ($(date))" > ${VARDIR}/state
    fi
 }

@@ -776,7 +760,7 @@ mutex_on()
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                return 0
-	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
+	    elif ! qt ps p ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
@@ -788,8 +772,10 @@ mutex_on()
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock ${lockf}
-            chmod u=r ${lockf}
+            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
+            chmod u+w ${lockf}
+            echo $$ > ${lockf}
+            chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -811,7 +797,6 @@ mutex_on()
 #
 mutex_off()
 {
-    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }

--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,440 +0,0 @@
-#
-# Shorewall 5.0 -- /usr/share/shorewall/lib.core
-#
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# This library contains the code common to all Shorewall components except the
-# generated scripts.
-#
-
-SHOREWALL_LIBVERSION=50100
-
-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
-
-setup_product_environment() { # $1 = if non-empty, source shorewallrc again now that we have the correct product
-    g_basedir=${SHAREDIR}/shorewall
-
-    g_sharedir="$SHAREDIR"/$PRODUCT
-    g_confdir="$CONFDIR"/$PRODUCT
-
-    case $PRODUCT in
-	shorewall)
-	    g_product="Shorewall"
-	    g_family=4
-	    g_tool=iptables
-	    g_lite=
-	    ;;
-	shorewall6)
-	    g_product="Shorewall6"
-	    g_family=6
-	    g_tool=ip6tables
-	    g_lite=
-	    ;;
-	shorewall-lite)
-	    g_product="Shorewall Lite"
-	    g_family=4
-	    g_tool=iptables
-	    g_lite=Yes
-	    ;;
-	shorewall6-lite)
-	    g_product="Shorewall6 Lite"
-	    g_family=6
-	    g_tool=ip6tables
-	    g_lite=Yes
-	    ;;
-	*)
-	    fatal_error "Unknown PRODUCT ($PRODUCT)"
-	    ;;
-    esac
-
-    [ -f ${SHAREDIR}/${PRODUCT}/version ] || fatal_error "$g_product does not appear to be installed on this system"
-    #
-    # We need to do this again, now that we have the correct product
-    #
-    [ -n "$1" ] && . ${g_basedir}/shorewallrc
-
-    if [ -z "${VARLIB}" ]; then
-	VARLIB=${VARDIR}
-	VARDIR=${VARLIB}/${PRODUCT}
-    elif [ -z "${VARDIR}" ]; then
-	VARDIR="${VARLIB}/${PRODUCT}"
-    fi
-}
-
-set_default_product() {
-    case $(basename $0) in
-	shorewall6)
-	    PRODUCT=shorewall6
-	    ;;
-	shorewall4)
-	    PRODUCT=shorewall
-	    ;;
-	shorewall-lite)
-	    PRODUCT=shorewall-lite
-	    ;;
-	shorewall6-lite)
-	    PRODUCT=shorewall6-lite
-	    ;;
-	*)
-	    if [ -f ${g_basedir}/version ]; then
-		PRODUCT=shorewall
-	    elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
-		PRODUCT=shorewall-lite
-	    elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
-		PRODUCT=shorewall6-lite
-	    else
-		fatal_error "No Shorewall firewall product is installed"
-	    fi
-	    ;;
-    esac
-}
-
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 6
-}
-
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-#
-# Undo the effect of 'separate_list()'
-#
-combine_list()
-{
-    local f
-    local o
-    o=
-
-    for f in $* ; do
-        o="${o:+$o,}$f"
-    done
-
-    echo $o
-}
-
-#
-# Validate an IP address
-#
-valid_address() {
-    local x
-    local y
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	case $x in
-	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
-		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
-                ;;
-	    *)
-	        IFS=$ifs
-		return 2
-		;;
-	esac
-    done
-
-    IFS=$ifs
-
-    return 0
-}
-
-#
-# Miserable Hack to work around broken BusyBox ash in OpenWRT
-#
-addr_comp() {
-    test $(bc <<EOF
-$1 > $2
-EOF
-) -eq 1
-
-}
-
-#
-# Enumerate the members of an IP range -- When using a shell supporting only
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
-#
-# Comes in two flavors:
-#
-# ip_range() - produces a mimimal list of network/host addresses that spans
-#              the range.
-#
-# ip_range_explicit() - explicitly enumerates the range.
-#
-ip_range() {
-    local first
-    local last
-    local l
-    local x
-    local y
-    local z
-    local vlsm
-
-    case $1 in
-	!*)
-	    #
-	    # Let iptables complain if it's a range
-	    #
-	    echo $1
-	    return
-	    ;;
-	[0-9]*.*.*.*-*.*.*.*)
-            ;;
-	*)
-	    echo $1
-	    return
-	    ;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    l=$(( $last + 1 ))
-
-    while addr_comp $l $first; do
-	vlsm=
-	x=31
-	y=2
-	z=1
-
-	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
-	    vlsm=/$x
-	    x=$(( $x - 1 ))
-	    z=$y
-	    y=$(( $y * 2 ))
-	done
-
-	echo $(encodeaddr $first)$vlsm
-	first=$(($first + $z))
-    done
-}
-
-ip_range_explicit() {
-    local first
-    local last
-
-    case $1 in
-    [0-9]*.*.*.*-*.*.*.*)
-	;;
-    *)
-	echo $1
-	return
-	;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    while ! addr_comp $first $last; do
-	echo $(encodeaddr $first)
-	first=$(($first + 1))
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
-#
-# Netmask to VLSM
-#
-ip_vlsm() {
-    local mask
-    mask=$(decodeaddr $1)
-    local vlsm
-    vlsm=0
-    local x
-    x=$(( 128 << 24 )) # 0x80000000
-
-    while [ $(( $x & $mask )) -ne 0 ]; do
-	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
-	vlsm=$(($vlsm + 1))
-    done
-
-    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
-	echo "Invalid net mask: $1" >&2
-    else
-	echo $vlsm
-    fi
-}
-
-#
-# Set default config path
-#
-ensure_config_path() {
-    local F
-    F=${g_sharedir}/configpath
-    if [ -z "$CONFIG_PATH" ]; then
-	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
-	. $F
-    fi
-
-    if [ -n "$g_shorewalldir" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
-    fi
-}
-
-#
-# Get fully-qualified name of file
-#
-resolve_file() # $1 = file name
-{
-    local pwd
-    pwd=$PWD
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	.)
-	    echo $pwd
-	    ;;
-	./*)
-	    echo ${pwd}${1#.}
-	    ;;
-	..)
-	    cd ..
-	    echo $PWD
-	    cd $pwd
-	    ;;
-	../*)
-	    cd ..
-	    resolve_file ${1#../}
-	    cd $pwd
-	    ;;
-	*)
-	    echo $pwd/$1
-	    ;;
-    esac
-}
-
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
-#
-#     None - No mktemp
-#     BSD  - BSD mktemp (Mandrake)
-#     STD  - mktemp.org mktemp
-#
-find_mktemp() {
-    local mktemp
-    mktemp=`mywhich mktemp 2> /dev/null`
-
-    if [ -n "$mktemp" ]; then
-	if qt mktemp -V ; then
-	    MKTEMP=STD
-	else
-	    MKTEMP=BSD
-	fi
-    else
-	MKTEMP=None
-    fi
-}
-
-#
-# create a temporary file. If a directory name is passed, the file will be created in
-# that directory. Otherwise, it will be created in a temporary directory.
-#
-mktempfile() {
-
-    [ -z "$MKTEMP" ] && find_mktemp
-
-    if [ $# -gt 0 ]; then
-	case "$MKTEMP" in
-	    BSD)
-		mktemp $1/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -p $1 shorewall.XXXXXX
-		;;
-	    None)
-		> $1/shorewall-$$ && echo $1/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    else
-	case "$MKTEMP" in
-	    BSD)
-		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -t shorewall.XXXXXX
-		;;
-	    None)
-		rm -f ${TMPDIR:-/tmp}/shorewall-$$
-		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    fi
-}
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -1,89 +0,0 @@
-#
-#
-# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
-#
-#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
-#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# The purpose of this library is to hold those functions used by the products installer.
-#
-#########################################################################################
-
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
-require()
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
-make_directory() # $1 = directory , $2 = mode
-{
-    mkdir $1
-    chmod $2 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
-}
-
-make_parent_directory() # $1 = directory , $2 = mode
-{
-    mkdir -p $1
-    chmod $2 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNER:$GROUP $1
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
-}
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -1,106 +0,0 @@
-#
-#
-# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
-#
-#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
-#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# The purpose of this library is to hold those functions used by the products uninstaller.
-#
-#########################################################################################
-
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-remove_file() # $1 = file to remove
-{
-    if [ -n "$1" ] ; then
-        if [ -f $1 -o -L $1 ] ; then
-            rm -f $1
-            echo "$1 Removed"
-        fi
-    fi
-}
-
-remove_directory() # $1 = directory to remove
-{
-    if [ -n "$1" ] ; then
-        if [ -d $1 ] ; then
-            rm -rf $1
-            echo "$1 Removed"
-        fi
-    fi
-}
-
-remove_file_with_wildcard() # $1 = file with wildcard to remove
-{
-    if [ -n "$1" ] ; then
-        for f in $1; do
-            if [ -d $f ] ; then
-                rm -rf $f
-                echo "$f Removed"
-            elif [ -f $f -o -L $f ] ; then
-                rm -f $f
-                echo "$f Removed"
-            fi
-        done
-    fi
-}
-
-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
-}
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -19,4 +19,3 @@ SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                        #Unused on OS X
-DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -20,4 +20,3 @@ SERVICEFILE=                           #Name of the file to install in $SYSTEMD.
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
-DEFAULT_PAGER=			       #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -19,4 +19,3 @@ SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                       #Unused on Cygwin
-DEFAULT_PAGER=			      #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 4.5 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -14,11 +14,10 @@ INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
 ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
-DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 4.5 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
@@ -14,11 +14,10 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian.sysvinit              #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
-DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,8 +1,8 @@
 #
 # Default Shorewall 5.0 rc file
 #
-BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux
+BUILD=                                  #Default is to detect the build system
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
@@ -21,4 +21,3 @@ SYSCONFDIR=                             #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
-DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -1,8 +1,8 @@
 #
-# OpenWRT Shorewall 5.0 rc file
+# Created by Shorewall Core version 5.0.2-RC1 configure -  Fri, Nov 06, 2015 10:02:03 AM
+#
+# Input: host=openwrt
 #
-BUILD=                                 #Default is to detect the build system
-HOST=openwrt
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
@@ -21,4 +21,3 @@ SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.se
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/lib                             #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
-DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -21,4 +21,3 @@ SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter fil
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
-DEFAULT_PAGER=				#Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -22,4 +22,3 @@ SYSCONFDIR=                                #Name of the directory where SysV ini
 ANNOTATED=                                 #If non-empty, install annotated configuration files
 VARLIB=/var/lib                            #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.
-DEFAULT_PAGER=				   #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -7,18 +7,17 @@ PREFIX=/usr                                           #Top-level directory for s
 CONFDIR=/etc                                          #Directory where subsystem configurations are installed
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/lib/perl5/site-perl              #Directory to install Shorewall Perl module directory
+PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
 SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
-INITFILE=                                             #Name of the product's SysV init script
+INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SERVICEDIR=/usr/lib/systemd/system                    #Directory where .service files are installed (systems running systemd only)
-SERVICEFILE=$PRODUCT.service          		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                                       #Directory where persistent product data is stored.
 VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.
-DEFAULT_PAGER=				   	      #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Core Modules
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,75 +26,64 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx # The Build script inserts the actual version
-PRODUCT=shorewall-core
+VERSION=xxx #The Build script inserts the actual version
+PRODUCT="shorewall-core"
 Product="Shorewall Core"
-
+ 
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+restore_file() # $1 = file to restore
+{
+    if [ -f ${1}-shorewall.bkout ]; then
+	if (mv -f ${1}-shorewall.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    exit 1
+        fi
+    fi
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-#
-# Source common functions
-#
-. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
-#
-# Parse the run line
-#
-finished=0
-
-while [ $finished -eq 0 ]; do
-    option=$1
-
-    case "$option" in
-	-*)
-	    option=${option#-}
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    h)
-			usage 0
-			;;
-		    v)
-			echo "$Product Firewall Uninstaller Version $VERSION"
-			exit 0
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-
-	    shift
-	    ;;
-	*)
-	    finished=1
-	    ;;
-    esac
-done
-
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -104,11 +93,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -116,26 +105,19 @@ fi
 if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Core Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling $Product $VERSION"
+echo "Uninstalling Shorewall Core $VERSION"

-if [ -n "${MANDIR}" ]; then
-    remove_file_with_wildcard ${MANDIR}/man5/shorewall\*
-    remove_file_with_wildcard ${MANDIR}/man8/shorewall\*
-fi
+rm -rf ${SHAREDIR}/shorewall
+
+echo "Shorewall Core Uninstalled"

-remove_directory ${SHAREDIR}/shorewall
-remove_file ~/.shorewallrc

-#
-# Report Success
-#
-echo "$Product $VERSION Uninstalled"
--- a/Shorewall-init/README.txt
+++ b/Shorewall-init/README.txt
@@ -0,0 +1 @@
+This is the Shorewall-init stable 4.4 branch of Git.
--- a/Shorewall-init/default.debian.systemd
+++ b/Shorewall-init/default.debian.systemd
@@ -1,21 +0,0 @@
-# List the Shorewall products that Shorewall-init is to
-# initialize (space-separated list).
-#
-# Sample: PRODUCTS="shorewall shorewall6"
-#
-PRODUCTS=""
-
-#
-# Set this to 1 if you want Shorewall-init to react to
-# ifup/ifdown and NetworkManager events
-#
-IFUPDOWN=0
-#
-# Where Up/Down events get logged
-#
-LOGFILE=/var/log/shorewall-ifupdown.log
-
-# Startup options - set verbosity to 0 (minimal reporting)
-OPTIONS="-V0"
-
-# IOF
--- a/Shorewall-init/default.debian.sysvinit
+++ b/Shorewall-init/default.debian.sysvinit
@@ -1,27 +0,0 @@
-# List the Shorewall products that Shorewall-init is to
-# initialize (space-separated list).
-#
-# Sample: PRODUCTS="shorewall shorewall6"
-#
-PRODUCTS=""
-
-#
-# Set this to 1 if you want Shorewall-init to react to
-# ifup/ifdown and NetworkManager events
-#
-IFUPDOWN=0
-#
-# Set this to the name of the file that is to hold
-# ipset contents. Shorewall-init will load those ipsets
-# during 'start' and will save them there during 'stop'.
-#
-SAVE_IPSETS=""
-#
-# Where Up/Down events get logged
-#
-LOGFILE=/var/log/shorewall-ifupdown.log
-
-# Startup options - set verbosity to 0 (minimal reporting)
-OPTIONS="-V0"
-
-# IOF
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -31,10 +31,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
 	fi
    fi
 }
@@ -130,7 +128,7 @@ for PRODUCT in $PRODUCTS; do
    setstatedir

    if [ -x $VARLIB/$PRODUCT/firewall ]; then
-	( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
    fi
 done

--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -33,11 +33,9 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+    if [ ! -x "$STATEDIR/firewall" ]; then
+	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT $OPTIONS compile
 	fi
    fi
 }
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -31,10 +31,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
 	fi
    fi
 }
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -30,7 +30,7 @@
 # Required-Stop:     $local_fs
 # X-Stop-After:      $network
 # Default-Start:     S
-# Default-Stop:      0 1 6
+# Default-Stop:      0 6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time prior to
 #                    bringing up the network
@@ -73,10 +73,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    else
 	return 0
    fi
@@ -104,7 +102,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "

  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
@@ -125,7 +123,7 @@ shorewall_start () {

  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then

-      printf "Restoring ipsets: "
+      echo -n "Restoring ipsets: "

      if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
@@ -142,7 +140,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,10 +44,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	${SBINDIR}/$PRODUCT $OPTIONS compile -c
    else
 	return 0
    fi
@@ -64,7 +62,7 @@ start () {
 	return 6 #Not configured
    fi

-    printf "Initializing \"Shorewall-based firewalls\": "
+    echo -n "Initializing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
 	setstatedir
@@ -99,7 +97,7 @@ stop () {
    local PRODUCT
    local STATEDIR

-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
 	setstatedir
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -75,10 +75,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    else
 	return 0
    fi
@@ -89,7 +87,7 @@ start () {
    local PRODUCT
  local STATEDIR

-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -114,7 +112,7 @@ stop () {
    local PRODUCT
    local STATEDIR

-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -81,7 +81,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
@@ -104,7 +104,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -79,10 +79,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    else
 	return 0
    fi
@@ -93,7 +91,7 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x $STATEDIR/firewall ]; then
@@ -114,7 +112,7 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -27,21 +27,58 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version.
 PRODUCT=shorewall-init
 Product="Shorewall Init"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -n"
+    echo "usage: $ME [ <configuration-file> ]"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    echo "       $ME -n"
    exit $1
 }

+fatal_error() 
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
+}
+
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -60,16 +97,23 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod 0755 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+}
+
+require() 
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-#
-# Source common functions
-#
-. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
 #
 # Parse the run line
 #
@@ -90,7 +134,7 @@ while [ $finished -eq 0 ] ; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -115,17 +159,17 @@ done
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
+    #
+    # Load packager's settings if any
+    #
    if [ -f ./shorewallrc ]; then
-	file=./shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
-    elif [ -f ~/.shorewallrc ]; then
+	. ./shorewallrc || exit 1
 	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
-    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	file=/usr/share/shorewall/shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
-    else
-	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
+     else
+	fatal_error "No configuration file specified and ~/.shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
@@ -133,11 +177,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -254,10 +298,12 @@ case "$HOST" in
 	echo "Installing Openwrt-specific configuration..."
 	;;
    linux)
-	fatal_error "Shorewall-init is not supported on this system"
+	echo "ERROR: Shorewall-init is not supported on this system" >&2
+	exit 1
 	;;
    *)
-	fatal_error "Unsupported HOST distribution: \"$HOST\""
+	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
+	exit 1;
 	;;
 esac

@@ -269,27 +315,30 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi
    
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    make_directory ${DESTDIR}${INITDIR} 0755
 fi

-echo "Installing $Product Version $VERSION"
+echo "Installing Shorewall Init Version $VERSION"

 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
    first_install=""
 else
    first_install="Yes"
 fi

-[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
+if [ -n "$DESTDIR" ]; then
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
+fi

 #
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    mkdir -p ${DESTDIR}${INITDIR}
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
    
@@ -308,21 +357,25 @@ if [ -z "${SERVICEDIR}" ]; then
 fi

 if [ -n "$SERVICEDIR" ]; then
-    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
-    [ -n "$DESTDIR" -o $configure -eq 0 ] && make_parent_directory ${DESTDIR}${SBINDIR} 0755
-    install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0700
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
-    echo "CLI installed as ${DESTDIR}${SBINDIR}/$PRODUCT"
+    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
+	mkdir -p ${DESTDIR}${SBINDIR}
+        chmod 0755 ${DESTDIR}${SBINDIR}
+    fi
+    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
+    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi

 #
 # Create /usr/share/shorewall-init if needed
 #
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
+chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init

 #
 # Install logrotate file
@@ -335,53 +388,55 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/$PRODUCT/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version

 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f ${SHAREDIR}/$PRODUCT/init
-    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
+    rm -f ${SHAREDIR}/shorewall-init/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi

 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
-	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
-	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
+	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
    elif [ $configure -eq 0 ]; then
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
    fi

-    if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
-	[ -n "${DESTDIR}" ] && make_parent_directory ${DESTDIR}${ETC}/default 0755
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
+	if [ -n "${DESTDIR}" ]; then
+	    mkdir ${DESTDIR}${ETC}/default
+	fi

-	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/default 0755
-	install_file ${SYSCONFFILE} ${DESTDIR}${ETC}/default/$PRODUCT 0644
-	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
+	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
+	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi

    IFUPDOWN=ifupdown.debian.sh
 else
    if [ -n "$DESTDIR" ]; then
-	make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+	mkdir -p ${DESTDIR}${SYSCONFDIR}

 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-up.d 0755
-		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-down.d 0755
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    elif [ $HOST = openwrt ]; then
-		# Not implemented on OpenWRT
+		# Not implemented on openwrt
 		/bin/true
 	    else
-		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
+		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
 	fi
    fi
@@ -403,13 +458,13 @@ if [ $HOST != openwrt ]; then

    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown

-    make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
+    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init

-    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown 0544
+    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 fi

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
+    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi

@@ -428,8 +483,8 @@ case $HOST in
    suse)
 	if [ -z "$RPM" ]; then
 	    if [ $configure -eq 0 ]; then
-		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-up.d 0755
-		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-down.d 0755
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
 	    fi

 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
@@ -463,17 +518,17 @@ if [ -z "$DESTDIR" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable ${PRODUCT}.service; then
-                    echo "$Product will start automatically at boot"
+                    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif mywhich insserv; then
-		if insserv ${INITDIR}/$PRODUCT; then
-                    echo "$Product will start automatically at boot"
+		if insserv ${INITDIR}/shorewall-init; then
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif mywhich update-rc.d ; then
 		if update-rc.d $PRODUCT enable; then
-                    echo "$Product will start automatically at boot"
+		    echo "$PRODUCT will start automatically at boot"
 		    echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 		else
 		    cant_autostart
@@ -494,32 +549,32 @@ if [ -z "$DESTDIR" ]; then
 	    /bin/true
 	else
 	    if [ -n "$SERVICEDIR" ]; then
-		if systemctl enable ${PRODUCT}.service; then
-		    echo "$Product will start automatically at boot"
+		if systemctl enable shorewall-init.service; then
+		    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
-		if insserv ${INITDIR}/$PRODUCT ; then
-		    echo "$Product will start automatically at boot"
+		if insserv ${INITDIR}/shorewall-init ; then
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
-		if chkconfig --add $PRODUCT ; then
-		    echo "$Product will start automatically at boot"
-		    chkconfig --list $PRODUCT
+		if chkconfig --add shorewall-init ; then
+		    echo "Shorewall Init will start automatically in run levels as follows:"
+		    chkconfig --list shorewall-init
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/rc-update ]; then
-		if rc-update add $PRODUCT default; then
-		    echo "$Product will start automatically at boot"
+		if rc-update add shorewall-init default; then
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
-		/etc/init.d/$PRODUCT enable
-		if /etc/init.d/$PRODUCT enabled; then
-		    echo "$Product will start automatically at boot"
+		/etc/init.d/shorewall-inir enable
+		if /etc/init.d/shorewall-init enabled; then
+		    echo "Shorrewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
@@ -530,13 +585,13 @@ if [ -z "$DESTDIR" ]; then
    fi
 else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
-	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
+	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
-		make_parent_directory ${DESTDIR}/etc/rcS.d 0755
+		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi

-	    ln -sf ../init.d/$PRODUCT ${DESTDIR}${CONFDIR}/rcS.d/S38${PRODUCT}
-	    echo "$Product will start automatically at boot"
+	    ln -sf ../init.d/shorewall-init ${DESTDIR}${CONFDIR}/rcS.d/S38shorewall-init
+	    echo "Shorewall Init will start automatically at boot"
 	fi
    fi
 fi
@@ -547,8 +602,8 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
    case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-		make_parent_directory ${DESTDIR}/etc/ppp/$directory 0755 #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
+		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
+		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
 	    done
 	    ;;
 	redhat)
@@ -559,19 +614,19 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
 		    if grep -qF Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
+			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"
 			break
 		    fi
 		else
-		    cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
+		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		fi
 	    done
 	    ;;
    esac
 fi
 #
-# Report Success
+#  Report Success
 #
 echo "shorewall Init Version $VERSION Installed"
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -33,10 +33,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    else
 	return 0
    fi
@@ -64,7 +62,7 @@ shorewall_start () {
    local PRODUCT
    local STATEDIR

-    printf "Initializing \"Shorewall-based firewalls\": "
+    echo -n "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
@@ -92,7 +90,7 @@ shorewall_stop () {
    local PRODUCT
    local STATEDIR

-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Init
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,34 +26,62 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -n"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-#
-# Source common functions
-#
-. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
-#
-# Parse the run line
-#
 finished=0
 configure=1

@@ -90,17 +118,17 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
-
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -110,72 +138,72 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file || exit 1
 else
    usage 1
 fi

-if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
+if [ -f ${SHAREDIR}/shorewall-init/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Init Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling $Product $VERSION"
+[ -n "${LIBEXEC:=${SHAREDIR}}" ]
+
+echo "Uninstalling Shorewall Init $VERSION"

 [ -n "$SANDBOX" ] && configure=0

-[ -n "${LIBEXEC:=${SHAREDIR}}" ]
+INITSCRIPT=${CONFDIR}/init.d/shorewall-init

-remove_file  ${SBINDIR}/$PRODUCT
-
-FIREWALL=${CONFDIR}/init.d/$PRODUCT
-
-if [ -f "$FIREWALL" ]; then
+if [ -f "$INITSCRIPT" ]; then
    if [ $configure -eq 1 ]; then
-	if [ $HOST = openwrt ] ; then
-	    if /etc/init.d/$PRODUCT enabled; then
-		/etc/init.d/$PRODUCT disable
+	if [ $HOST = openwrt ]; then
+	    if /etc/init.d/shorewall-init enabled; then
+		/etc/init.d/shorewall-init disable
 	    fi
+	elif mywhich updaterc.d ; then
+	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
-            insserv -r $FIREWALL
-	elif mywhich update-rc.d ; then
-	    update-rc.d ${PRODUCT} remove
+            insserv -r $INITSCRIPT
 	elif mywhich chkconfig ; then
-	    chkconfig --del $(basename $FIREWALL)
+	    chkconfig --del $(basename $INITSCRIPT)
 	fi
    fi

-    remove_file $FIREWALL
+    remove_file $INITSCRIPT
 fi

-[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi

 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
-    remove_file $SERVICEDIR/${PRODUCT}.service
+    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
+    rm -f $SERVICEDIR/shorewall-init.service
 fi

 if [ $HOST = openwrt ]; then
-    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 else
-    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 fi

-remove_file ${CONFDIR}/default/$PRODUCT
-remove_file ${CONFDIR}/sysconfig/$PRODUCT
+remove_file ${CONFDIR}/default/shorewall-init
+remove_file ${CONFDIR}/sysconfig/shorewall-init

 remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall

@@ -200,11 +228,10 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
 fi

-remove_directory ${SHAREDIR}/$PRODUCT
-remove_directory ${LIBEXECDIR}/$PRODUCT
-remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
+rm -f  ${SBINDIR}/shorewall-init
+rm -rf ${SHAREDIR}/shorewall-init
+rm -rf ${LIBEXECDIR}/shorewall-init
+
+echo "Shorewall Init Uninstalled"
+

-#
-# Report Success
-#
-echo "$Product $VERSION Uninstalled"
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -0,0 +1,18 @@
+# Shorewall Lite Makefile to restart if firewall script is newer than last restart
+VARDIR=$(shell /sbin/shorewall-lite show vardir)
+SHAREDIR=/usr/share/shorewall-lite
+RESTOREFILE?=.restore
+
+all: $(VARDIR)/$(RESTOREFILE)
+
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
+	@/sbin/shorewall-lite -q save >/dev/null; \
+	if \
+	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
+	then \
+	    /sbin/shorewall-lite -q save >/dev/null; \
+	else \
+	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
+	fi
+
+# EOF
--- a/Shorewall-lite/README.txt
+++ b/Shorewall-lite/README.txt
@@ -0,0 +1 @@
+This is the Shorewall-lite stable 4.4 branch of Git.
--- a/Shorewall-lite/default.debian.sysvinit
+++ b/Shorewall-lite/default.debian.sysvinit
@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following variable to 1 in order to allow Shorewall-lite to start
+# set the following varible to 1 in order to allow Shorewall-lite to start

 startup=0

@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=

 #
-# Global start/restart/reload/stop options
+# Startup options
 #
 OPTIONS=""

@@ -30,16 +30,6 @@ STARTOPTIONS=""
 #
 RESTARTOPTIONS=""

-#
-# Reload options
-#
-RELOADOPTIONS=""
-
-#
-# Stop options
-#
-STOPOPTIONS=""
-
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
--- a/Shorewall-lite/default.debian.systemd
+++ b/Shorewall-lite/default.debian.systemd
@@ -1,26 +0,0 @@
-#
-# Global start/restart/reload/stop options
-#
-OPTIONS=""
-
-#
-# Start options
-#
-STARTOPTIONS=""
-
-#
-# Restart options
-#
-RESTARTOPTIONS=""
-
-#
-# Reload options
-#
-RELOADOPTIONS=""
-
-#
-# Stop options
-#
-STOPOPTIONS=""
-
-# EOF
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -5,7 +5,7 @@
 # Required-Start:    $network $remote_fs
 # Required-Stop:     $network $remote_fs
 # Default-Start:     S
-# Default-Stop:      0 1 6
+# Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
 # Description:       Configure the firewall according to the rules specified in
 #                    /etc/shorewall-lite
@@ -13,7 +13,7 @@

 . /lib/lsb/init-functions

-SRWL='/sbin/shorewall -l'
+SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}

@@ -85,18 +85,17 @@ fi

 # start the firewall
 shorewall_start () {
-  printf "Starting \"Shorewall firewall\": "
+  echo -n "Starting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

 # stop the firewall
 shorewall_stop () {
+  echo -n "Stopping \"Shorewall firewall\": "
  if [ "$SAFESTOP" = 1 ]; then
-      printf "Stopping \"Shorewall Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
-      printf "Clearing all \"Shorewall Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -104,14 +103,14 @@ shorewall_stop () {

 # restart the firewall
 shorewall_restart () {
-  printf "Restarting \"Shorewall firewall\": "
+  echo -n "Restarting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

 # refresh the firewall
 shorewall_refresh () {
-  printf "Refreshing \"Shorewall firewall\": "
+  echo -n "Refreshing \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc

-prog="shorewall -l"
+prog="shorewall-lite"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi

 start() {
-    printf $"Starting Shorewall: "
+    echo -n $"Starting Shorewall: "
    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }

 stop() {
-    printf $"Stopping Shorewall: "
+    echo -n $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    printf $"Restarting Shorewall: "
+    echo -n $"Restarting Shorewall: "
    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -69,7 +69,7 @@ SHOREWALL_INIT_SCRIPT=1
 command="$action"

 start() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
 }

 boot() {
@@ -78,17 +78,17 @@ boot() {
 }

 restart() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
 }

 reload() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
 }

 stop() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
 }

 status() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
 }
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,19 +22,62 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -n"
+    echo "usage: $ME [ <configuration-file> ]"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    echo "       $ME -n"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -53,12 +96,25 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod 755 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+
+}
+
+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-if [ -f shorewall-lite.service ]; then
+if [ -f shorewall-lite ]; then
    PRODUCT=shorewall-lite
    Product="Shorewall Lite"
 else
@@ -66,11 +122,6 @@ else
    Product="Shorewall6 Lite"
 fi

-#
-# Source common functions
-#
-. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
 #
 # Parse the run line
 #
@@ -117,14 +168,12 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc || exit 1
 	file=./shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+	. ~/.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	file=/usr/share/shorewall/shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -134,11 +183,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -269,7 +318,8 @@ case "$HOST" in
    linux)
 	;;
    *)
-	fatal_error "ERROR: Unknown HOST \"$HOST\""
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
 	;;
 esac

@@ -281,7 +331,8 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi

-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    make_directory ${DESTDIR}${SBINDIR} 755
+    make_directory ${DESTDIR}${INITDIR} 755

 else
    if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
@@ -311,9 +362,9 @@ else
 fi

 #
-# Check for ${SHAREDIR}/$PRODUCT/version
+# Check for ${SBINDIR}/$PRODUCT
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
@@ -321,20 +372,27 @@ fi

 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

-[ -n "${INITFILE}" ] && make_parent_directory ${DESTDIR}${INITDIR} 0755
+install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
+[ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
+
+echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"

 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-make_parent_directory ${DESTDIR}${CONFDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${SBINDIR} 0755
-make_parent_directory ${DESTDIR}${VARDIR} 0755
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}
+
+chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT

 if [ -n "$DESTDIR" ]; then
-    make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}
 fi

 if [ -n "$INITFILE" ]; then
@@ -355,9 +413,9 @@ if [ -z "${SERVICEDIR}" ]; then
 fi

 if [ -n "$SERVICEDIR" ]; then
-    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -375,6 +433,15 @@ elif [ $HOST = gentoo ]; then
    # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
    perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
+
+#
+# Install the  Makefile
+#
+install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
+[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
+echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
+
 #
 # Install the default config path file
 #
@@ -386,14 +453,8 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-        case $f in
-            *installer)
-                ;;
-            *)
-                install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-                echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-                ;;
-        esac
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
    fi
 done

@@ -421,12 +482,12 @@ if [ -f modules ]; then
 fi

 if [ -f helpers ]; then
-    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 0600
+    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 600
    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi

 for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 644
    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done

@@ -434,22 +495,20 @@ done
 # Install the Man Pages
 #

-if [ -d manpages -a -n "$MANDIR" ]; then
+if [ -d manpages ]; then
    cd manpages

-    make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
+    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/

    for f in *.5; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 0644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done

-    make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
-
    for f in *.8; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done

@@ -459,7 +518,7 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 fi

 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 644
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi

@@ -467,7 +526,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
@@ -481,23 +540,22 @@ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup

-#
-#  Creatae the symbolic link for the CLI
-#
-ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
-
 #
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
 if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-    [ ${DESTDIR} ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+    if [ ${DESTDIR} ]; then
+	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	chmod 755 ${DESTDIR}${SYSCONFDIR}
+    fi

    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
-    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi

 if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi

 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
@@ -558,6 +616,6 @@ if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${
 fi

 #
-# Report Success
+#  Report Success
 #
 echo "$Product Version $VERSION Installed"
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,20 +45,19 @@
 #    require Shorewall to be installed.


-PRODUCT=shorewall-lite
+g_program=shorewall-lite

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

-g_basedir=${SHAREDIR}/shorewall
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1

 . ${SHAREDIR}/shorewall/lib.cli
-
-setup_product_environment
-
-. ${SHAREDIR}/shorewall-lite/configpath
+. /usr/share/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
+#         Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
+#
+################################################################################################
+PRODUCT=shorewall-lite
+
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli
+
+shorewall_cli $@
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Lite
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,7 +26,9 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall-lite
+Product="Shorewall Lite"

 usage() # $1 = exit status
 {
@@ -39,27 +41,46 @@ usage() # $1 = exit status
    exit $1
 }

-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}

-if [ -f shorewall-lite.service ]; then
-    PRODUCT=shorewall-lite
-    Product="Shorewall Lite"
-else
-    PRODUCT=shorewall6-lite
-    Product="Shorewall6 Lite"
-fi
+qt()
+{
+    "$@" >/dev/null 2>&1
+}

-#
-# Source common functions
-#
-. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}

-#
-# Parse the run line
-#
 finished=0
 configure=1

@@ -76,7 +97,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Uninstaller Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -96,17 +117,17 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
-
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -116,50 +137,46 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi

-if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
+if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Lite Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling $Product $VERSION"
+echo "Uninstalling Shorewall Lite $VERSION"

 [ -n "$SANDBOX" ] && configure=0

 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-	${SBINDIR}/$PRODUCT clear
-    elif qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
-	${SBINDIR}/$PRODUCT clear
+	shorewall-lite clear
    fi
 fi

-remove_file ${SBINDIR}/$PRODUCT
-
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
    if [ $HOST = openwrt ]; then
-	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
-	    /etc/init.d/$PRODUCT disable
+	if [ $configure -eq 1 ] && /etc/init.d/shorewall-lite enabled; then
+	    /etc/init.d/shorewall-lite disable
 	fi
 	
-	FIREWALL=$(readlink ${SHAREDIR}/$PRODUCT/init)
+	FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
    else
-	FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
    fi
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
@@ -167,10 +184,10 @@ fi

 if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
-	if mywhich insserv ; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall-lite remove
+	elif mywhich insserv ; then
            insserv -r $FIREWALL
-	elif mywhich update-rc.d ; then
-	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	fi
@@ -179,29 +196,26 @@ if [ -f "$FIREWALL" ]; then
    remove_file $FIREWALL
 fi

-[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
+[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"

 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
-    remove_file $SERVICEDIR/${PRODUCT}.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SERVICEDIR/shorewall-lite.service
 fi

-remove_directory ${CONFDIR}/$PRODUCT
-remove_directory ${VARDIR}
-remove_directory ${SHAREDIR}/$PRODUCT
-remove_directory ${LIBEXECDIR}/$PRODUCT
-remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
+rm -f ${SBINDIR}/shorewall-lite

-if [ -n "$SYSCONFDIR" ]; then
-    [ -n "$SYSCONFFILE" ] && remove_file ${SYSCONFDIR}/${PRODUCT}
-fi
+rm -rf ${CONFDIR}/shorewall-lite
+rm -rf ${VARDIR}
+rm -rf ${SHAREDIR}/shorewall-lite
+rm -rf ${LIBEXECDIR}/shorewall-lite
+rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
+rm -f  ${SYSCONFDIR}/shorewall-lite

 if [ -n "${MANDIR}" ]; then
-    remove_file_with_wildcard ${MANDIR}/man5/${PRODUCT}\*
-    remove_file_with_wildcard ${MANDIR}/man8/${PRODUCT}\*
+    rm -f ${MANDIR}/man5/shorewall-lite*
+    rm -f ${MANDIR}/man8/shorewall-lite*
 fi

-#
-# Report Success
-#
-echo "$Product $VERSION Uninstalled"
+echo "Shorewall Lite Uninstalled"
+
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
@@ -1,42 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
-#
-# A_REJECT Action.
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
-###############################################################################
-?require AUDIT_TARGET
-
-DEFAULTS -
-
-AUDIT(reject)
-
-?if passed @1
-    ?if @1 =~ /tcp-reset$/
-        ?set reject_proto 6
-    ?else
-        ?set reject_proto ''
-    ?endif
-REJECT(@1)	-	-	$reject_proto
-?else
-REJECT
-?endif
--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
@@ -1,31 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.A_REJECT!
-#
-# A_REJECT! Action.
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
-###############################################################################
-?require AUDIT_TARGET
-
-DEFAULTS -
-
-A_REJECT(@1)
--- a/Shorewall/Actions/action.AutoBLL
+++ b/Shorewall/Actions/action.AutoBLL
@@ -1,23 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.AutoBLL
-#
-# Auto Blacklisting Logger Action
-#
-# Arguments are
-#
-# Event       - Name of the blacklisted event
-# Disposition - What to do with packets
-# Level       - Log level and optional tag for logging
-#
-###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Log the Reject
-#
-?if "$3" ne 'none'
-LOG:$3
-?endif
-#
-# And set the AutoBL Event for the SOURCE IP address
-#
-SetEvent(${1}_BL,$2,src)
--- a/Shorewall/Actions/action.BLACKLIST
+++ b/Shorewall/Actions/action.BLACKLIST
@@ -1,50 +0,0 @@
-#
-# Shorewall - /usr/share/shorewall/action.BLACKLIST
-#
-# This action:
-#
-#   - Adds the sender to the dynamic blacklist ipset
-#   - Optionally acts on the packet (default is DROP)
-#
-# Parameters:
-#
-# 1 - Action to take after adding the packet. Default is DROP.
-#     Pass -- if you don't want to take any action.
-# 2 - Timeout for ipset entry. Default is the timeout specified in
-#     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
-#
-###############################################################################
-# Note -- This action is defined with the 'section' option, so the first
-#         parameter is always the section name. That means that in the
-#         following text, the first parameter passed in the rule is actually
-#         @2.
-###############################################################################
-?if $1 eq 'BLACKLIST'
-   ?if $BLACKLIST_LOG_LEVEL
-       blacklog
-   ?else
-       $BLACKLIST_DISPOSITION
-   ?endif
-?else
-   ?if ! "$SW_DBL_IPSET"
-   ?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
-   ?endif
-
-   DEFAULTS -,DROP,-
-   #
-   # Add to the blacklist
-   #
-   ?if passed(@3)
-       ADD($SW_DBL_IPSET:src:@3)
-   ?elsif $SW_DBL_TIMEOUT
-       ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
-   ?else
-       ADD($SW_DBL_IPSET:src)
-   ?endif
-   #
-   # Dispose of the packet if asked
-   #
-   ?if passed(@2)
-      @2
-   ?endif
-?endif
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -1,55 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Broadcast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Broadcast[([<action>|-[,{audit|-}])]
-#
-# Default action is DROP
-#
-###############################################################################
-
-DEFAULTS DROP,-
-
-?if __ADDRTYPE
-@1	-	-	-	;; -m addrtype --dst-type BROADCAST
-@1	-	-	-	;; -m addrtype --dst-type ANYCAST
-?else
-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my ( $action )         = get_action_params( 1 );
-my $chainref           = get_action_chain;
-my ( $level, $tag )    = get_action_logging;
-
-add_commands $chainref, 'for address in $ALL_BCASTS; do';
-incr_cmd_level $chainref;
-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-add_jump $chainref, $action, 0, "-d \$address ";
-decr_cmd_level $chainref;
-add_commands $chainref, 'done';
-
-1;
-
-?end perl;
-?endif
--- a/Shorewall/Actions/action.DNSAmp
+++ b/Shorewall/Actions/action.DNSAmp
@@ -1,34 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.DNSAmp
-#
-#  DNS Amplification Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# DNSAmp[([<action>])]
-#
-# Default action is DROP
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT
-
-DEFAULTS DROP
-
-@1	-	-	udp	53	;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
--- a/Shorewall/Actions/action.Drop.deprecated
+++ b/Shorewall/Actions/action.Drop.deprecated
@@ -1,84 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Drop
-#
-# The former default DROP common rules. Use of this action is now deprecated
-#
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# The action accepts six optional parameters:
-#
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#     actions.
-# 2 - Action to take with Auth requests. Default is to do nothing special
-#     with them.
-# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
-#     depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-#     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
-#     is DROP or A_DROP depending on the first parameter.
-# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
-#     depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
-    ?else
-        ?error The first parameter to Drop must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
-?endif
-
-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special Handling for Auth
-#
-?if passed(@2)
-Auth(@2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before silent broadcast Drop.
-#
-AllowICMPs(@4)	-	-	icmp
-#
-# Don't log broadcasts or multicasts
-#
-Broadcast(DROP,@1)
-Multicast(DROP,@1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-Invalid(DROP,@1)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(@3)
-DropUPnP(@6)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,@1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep(@5)
--- a/Shorewall/Actions/action.DropDNSrep
+++ b/Shorewall/Actions/action.DropDNSrep
@@ -1,10 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.DropDNSrep
-#
-# This macro silently drops DNS UDP replies that are in the New state
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-DEFAULTS DROP
-@1	-	-	udp	-	53 { comment="Late DNS Replies" }
--- a/Shorewall/Actions/action.Established
+++ b/Shorewall/Actions/action.Established
@@ -1,35 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Established
-#
-# Established Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Established[([<action>])]
-#
-# Default action is ACCEPT
-#
-###############################################################################
-
-DEFAULTS ACCEPT
-
-#
-# All logic for this action is supplied by the 'state' option in actions.std
-#
--- a/Shorewall/Actions/action.GlusterFS
+++ b/Shorewall/Actions/action.GlusterFS
@@ -1,34 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.GlusterFS
-#
-# GlusterFS Handler for GlusterFS 3.4 and Later
-#
-# Parameters:
-#
-# Bricks - Number of bricks
-# IB     - 0 or 1, indicating whether Infiniband is used or not
-#
-###############################################################################
-
-DEFAULTS 2,0
-
-?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
-    ?error Invalid value for Bricks (@1)
-?elsif @2 !~ /^[01]$/
-    ?error Invalid value for IB (@2)
-?endif
-
-#ACTION		SOURCE		DEST		PROTO	DPORT
-
-ACCEPT		-		-		udp	111,2049
-ACCEPT		-		-		tcp	38465:38467
-
-?if @{2}
-ACCEPT		-		-		tcp	24007:24008
-?else
-ACCEPT		-		-		tcp	24007
-?endif
-
-?set last_port 49150 + @{1}
-
-ACCEPT		-		-		tcp	49151:$last_port
--- a/Shorewall/Actions/action.Invalid
+++ b/Shorewall/Actions/action.Invalid
@@ -1,35 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Invalid
-#
-# Invalid Action
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Invalid[([<action>])]
-#
-# Default action is DROP
-#
-###############################################################################
-
-DEFAULTS DROP,-
-
-#
-# All logic for this action is triggered by the 'audit' and 'state' options
-# in actions.std
-#
--- a/Shorewall/Actions/action.Limit
+++ b/Shorewall/Actions/action.Limit
@@ -1,70 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Limit
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Limit(<recent-set>,<num-connections>,<timeout>)
-#
-###############################################################################
-
-DEFAULTS -,-,-
-
-?begin perl
-
-use strict;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my $chainref        = get_action_chain;
-my @param           = get_action_params(3);
-my ( $level, $tag ) = get_action_logging;
-
-@param = split( ',', $tag ), $tag = $param[0] unless supplied( join '', @param );
-
-fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
-
-my $set   = $param[0];
-
-for ( @param[1,2] ) {
-    fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
-}
-
-my $count = $param[1] + 1;
-
-require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
-
-warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
-
-add_irule $chainref, recent => "--name $set --set";
-
-if ( $level ne '' ) {
-    my $xchainref = new_chain 'filter' , "$chainref->{name}%";
-    log_irule_limit( $level, $xchainref, '', 'DROP', [], $tag, 'add' , '' );
-    add_ijump $xchainref, j => 'DROP';
-    add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
-} else {
-    add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
-}
-
-add_ijump $chainref, j => 'ACCEPT';
-
-1;
-
-?end perl
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -1,50 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Multicast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Multicast[([<action>|-[,{audit|-}])]
-#
-# Default action is DROP
-#
-###############################################################################
-
-DEFAULTS DROP,-
-
-?if __ADDRTYPE
-@1	-	-	-	;; -m addrtype --dst-type MULTICAST
-?else
-?begin perl;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my ( $action )         = get_action_params( 1 );
-my $chainref           = get_action_chain;
-my ( $level, $tag )    = get_action_logging;
-
-log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
-
-1;
-
-?end perl;
-?endif
--- a/Shorewall/Actions/action.New
+++ b/Shorewall/Actions/action.New
@@ -1,35 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.New
-#
-# New Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# New[([<action>])]
-#
-# Default action is ACCEPT
-#
-###############################################################################
-
-DEFAULTS ACCEPT
-
-#
-# All logic for this action is supplied by the 'state' option in actions.std
-#
--- a/Shorewall/Actions/action.NotSyn
+++ b/Shorewall/Actions/action.NotSyn
@@ -1,33 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.NotSyn
-#
-# NotSyn Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# NotSyn[([<action>])]
-#
-# Default action is DROP
-#
-###############################################################################
-
-DEFAULTS DROP,-
-
-@1	 -	-	;;+  -p 6 ! --syn
--- a/Shorewall/Actions/action.RST
+++ b/Shorewall/Actions/action.RST
@@ -1,33 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.RST
-#
-# RST Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# RST[([<action>])]
-#
-# Default action is DROP
-#
-###############################################################################
-
-DEFAULTS DROP,-
-
-@1	 -	-	;;+ -p 6 --tcp-flags RST RST
--- a/Shorewall/Actions/action.Reject.deprecated
+++ b/Shorewall/Actions/action.Reject.deprecated
@@ -1,85 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Reject
-#
-# The former default REJECT action common rules. Use of this action is deprecated.
-#
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# The action accepts six optional parameters:
-#
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#     actions.
-# 2 - Action to take with Auth requests. Default is to do nothing
-#     special with them.
-# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-#     depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-#     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
-#     is DROP or A_DROP depending on the first parameter.
-# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
-#     depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
-    ?else
-	?error The first parameter to Reject must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
-?endif
-
-#ACTION		SOURCE	DEST	PROTO
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special handling for Auth
-#
-?if passed(@2)
-Auth(@2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before silent broadcast Drop.
-#
-AllowICMPs(@4)	-	-	icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-Broadcast(DROP,@1)
-Multicast(DROP,@1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-Invalid(DROP,@1)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(@3)
-DropUPnP(@6)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,@1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep(@5)
--- a/Shorewall/Actions/action.Related
+++ b/Shorewall/Actions/action.Related
@@ -1,35 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Related
-#
-# Related Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Related[([<action>])]
-#
-# Default action is DROP
-#
-###############################################################################
-
-DEFAULTS DROP
-
-#
-# All logic for this action is supplied by the 'state' option in actions.std
-#
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
@@ -1,48 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.SetEvent
-#
-# Set an Event
-#
-# Parameters:
-#
-# Event       - Must start with a letter and be composed of letters, digits,
-#               '-', and '_'.
-# Action      - Action to perform after setting the event. Default is ACCEPT
-# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
-#               associated with the source address (src) or destination
-#               address (dst)
-# Disposition - Disposition for any event generated.
-#
-# For additional information, see http://www.shorewall.net/Events.html
-#
-
-DEFAULTS -,ACCEPT,src
-
-?begin perl
-
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-use strict;
-
-my ( $event, $action, $destination, $disposition ) = get_action_params( 4 );
-
-require_capability 'RECENT_MATCH', 'Use of events', 's';
-require_capability 'MARK_ANYWHERE', 'Use of events', 's';
-
-fatal_error "An event name is required"          unless supplied $event;
-fatal_error "Invalid event name ($event)"        unless $event =~ /^[a-zA-z][-\w]*$/;
-fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src|dst)$/;
-
-set_action_disposition( $disposition) if supplied $disposition;
-set_action_name_to_caller;
-
-if ( $destination eq 'dst' ) {
-    perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
-} else {
-    perl_action_helper( $action, '', '', "-m recent --name $event --set --rsource" );
-}
-
-1;
-
-?end perl
--- a/Shorewall/Actions/action.TCPFlags
+++ b/Shorewall/Actions/action.TCPFlags
@@ -1,29 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.TCPFlags
-#
-# Drop TCPFlags Action
-#
-# Accepts a single optional parameter:
-#
-# -     = Do not Audit
-# audit = Audit dropped packets.
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-        ?set tcpflags_action 'A_DROP'
-    ?else
-	?error The parameter to TCPFlags must be 'audit' or '-'
-    ?endif
-?else
-    ?set tcpflags_action 'DROP'
-?endif
-
-$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
-$tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
-$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
-$tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
-$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
--- a/Shorewall/Actions/action.Untracked
+++ b/Shorewall/Actions/action.Untracked
@@ -1,35 +0,0 @@
-#
-# Shorewall --/usr/share/shorewall/action.Untracked
-#
-# Untracked Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Untracked[([<action>])]
-#
-# Default action is DROP
-#
-###############################################################################
-
-DEFAULTS DROP
-
-#
-# All logic for this action is supplied by the 'state' option in actions.std
-#
--- a/Shorewall/Actions/action.allowBcast
+++ b/Shorewall/Actions/action.allowBcast
@@ -1,38 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.allowBcast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# allowBcast[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-        ?require AUDIT_TARGET
-	Broadcast(A_ACCEPT)
-    ?else
-        ?error "Invalid argument (@1) to allowBcast"
-    ?endif
-?else
-    Broadcast(ACCEPT)
-?endif
--- a/Shorewall/Actions/action.allowInvalid
+++ b/Shorewall/Actions/action.allowInvalid
@@ -1,37 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.allowInvalid
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#  allowInvalid[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-Invalid(A_ACCEPT)
-    ?else
-        ?error The first parameter to allowInvalid must be 'audit' or '-'
-    ?endif
-?else
-Invalid(ACCEPT)
-?endif
--- a/Shorewall/Actions/action.allowMcast
+++ b/Shorewall/Actions/action.allowMcast
@@ -1,38 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.allowMcast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# allowMcast[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-        ?require AUDIT_TARGET
-	Multicast(A_ACCEPT)
-    ?else
-        ?error "Invalid argument (@1) to allowMcast"
-    ?endif
-?else
-    Multicast(ACCEPT)
-?endif
--- a/Shorewall/Actions/action.allowinUPnP
+++ b/Shorewall/Actions/action.allowinUPnP
@@ -1,40 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.allowinUPnP
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# allowinUPnP[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-        ?require AUDIT_TARGET
-	A_ACCEPT - - 17 1900
-	A_ACCEPT - -  6 49152
-    ?else
-        ?error "Invalid argument (@1) to allowinUPnP"
-    ?endif
-?else
-    ACCEPT - - 17 1900
-    ACCEPT - -  6 49152
-?endif
--- a/Shorewall/Actions/action.dropBcast
+++ b/Shorewall/Actions/action.dropBcast
@@ -1,39 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropBcast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropBcast[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-        ?require AUDIT_TARGET
-	Broadcast(A_DROP)
-    ?else
-        ?error "Invalid argument (@1) to dropBcast"
-    ?endif
-?else
-    Broadcast(DROP)
-?endif
-
--- a/Shorewall/Actions/action.dropInvalid
+++ b/Shorewall/Actions/action.dropInvalid
@@ -1,39 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropInvalid
-#
-# dropInvalid Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropInvalid[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-Invalid(A_DROP)
-    ?else
-        ?error The first parameter to dropInvalid must be 'audit' or '-'
-    ?endif
-?else
-Invalid(DROP)
-?endif
--- a/Shorewall/Actions/action.dropMcast
+++ b/Shorewall/Actions/action.dropMcast
@@ -1,38 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropMcast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropMcast[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-        ?require AUDIT_TARGET
-	Multicast(A_DROP)
-    ?else
-        ?error "Invalid argument (@1) to dropMcast"
-    ?endif
-?else
-    Multicast(DROP)
-?endif
--- a/Shorewall/Actions/action.dropNotSyn
+++ b/Shorewall/Actions/action.dropNotSyn
@@ -1,38 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropNotSyn
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropNotSyn[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-        ?require AUDIT_TARGET
-	A_DROP ;; -p 6 ! --syn
-    ?else
-        ?error "Invalid argument (@1) to dropNotSyn"
-    ?endif
-?else
-    DROP ;; -p 6 ! --syn
-?endif
--- a/Shorewall/Actions/action.forwardUPnP
+++ b/Shorewall/Actions/action.forwardUPnP
@@ -1,43 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.forwardUPnP
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# forwardUPnP
-#
-###############################################################################
-
-DEFAULTS -
-
-?begin perl
-
-use strict;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my $chainref = get_action_chain;
-
-set_optflags( $chainref, DONT_OPTIMIZE );
-
-add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
-
-1;
-
-?end perl
--- a/Shorewall/Actions/action.mangletemplate
+++ b/Shorewall/Actions/action.mangletemplate
@@ -1,22 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/action.mangletemplate
-#
-# Mangle Action Template
-#
-# This file is a template for files with names of the form
-# /etc/shorewall/action.<action-name> where <action> is an
-# ACTION defined with the mangle option in /etc/shorewall/actions.
-#
-# To define a new action:
-#
-# 1. Add the <action name> to /etc/shorewall/actions with the mangle option
-# 2. Copy this file to /etc/shorewall/action.<action name>
-# 3. Add the desired rules to that file.
-#
-# Please see http://shorewall.net/Actions.html for additional
-# information.
-#
-# Columns are the same as in /etc/shorewall/mangle.
-#
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
--- a/Shorewall/Actions/action.rejNotSyn
+++ b/Shorewall/Actions/action.rejNotSyn
@@ -1,39 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.rejNotSyn
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# rejNotSyn[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-        ?require AUDIT_TARGET
-	A_REJECT ;; -p 6 ! --syn
-    ?else
-        ?error "Invalid argument (@1) to rejNotSyn"
-    ?endif
-?else
-    REJECT(--reject-with tcp-reset) ;; -p 6 ! --syn
-?endif
-
--- a/Shorewall/Actions/action.template
+++ b/Shorewall/Actions/action.template
@@ -1,22 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.template
-#
-# Action Template
-#
-# This file is a template for files with names of the form
-# /etc/shorewall/action.<action-name> where <action> is an
-# ACTION defined in /etc/shorewall/actions.
-#
-# To define a new action:
-#
-# 1. Add the <action name> to /etc/shorewall/actions
-# 2. Copy this file to /etc/shorewall/action.<action name>
-# 3. Add the desired rules to that file.
-#
-# Please see http://shorewall.net/Actions.html for additional
-# information.
-#
-# Columns are the same as in /etc/shorewall/rules.
-#
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT		ORIGDEST	RATE		USER	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -0,0 +1,13 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.blacklist
+#
+# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+?if $BLACKLIST_LOGLEVEL
+blacklog
+?else
+$BLACKLIST_DISPOSITION
+?endif
--- a/Shorewall/Macros/macro.Drop
+++ b/Shorewall/Macros/macro.Drop
@@ -0,0 +1,49 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Drop
+#
+# This macro generates the same rules as the Drop default action
+# It is used in place of action.Drop when USE_ACTIONS=No.
+#
+# Example:
+#
+#	Drop	net	all
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+#
+# Don't log 'auth' DROP
+#
+DROP	-	-	tcp	113
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast
+#
+# ACCEPT critical ICMP types
+#
+ACCEPT	-	-	icmp	fragmentation-needed
+ACCEPT	-	-	icmp	time-exceeded
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+DROP	-	-	udp	135,445
+DROP	-	-	udp	137:139
+DROP	-	-	udp	1024:	137
+DROP	-	-	tcp	135,139,445
+DROP	-	-	udp	1900
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.DropDNSrep
+#
+# This macro silently drops DNS UDP replies
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+?COMMENT Late DNS Replies
+
+DEFAULT DROP
+PARAM	-	-	udp	-	53
--- a/Shorewall/Macros/macro.RedisCluster
+++ b/Shorewall/Macros/macro.RedisCluster
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.RedisCluster
-#
-# This macro handles Redis Cluster traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	16379
--- a/Shorewall/Macros/macro.RedisSentinel
+++ b/Shorewall/Macros/macro.RedisSentinel
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.RedisSentinel
-#
-# This macro handles Redis Sentinel traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	26379
--- a/Shorewall/Macros/macro.Reject
+++ b/Shorewall/Macros/macro.Reject
@@ -0,0 +1,49 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Reject
+#
+# This macro generates the same rules as the Reject default action
+# It is used in place of action.Reject when USE_ACTIONS=No.
+#
+# Example:
+#
+#	Reject	loc	fw
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+#
+# Don't log 'auth' REJECT
+#
+REJECT	-	-	tcp	113
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast
+#
+# ACCEPT critical ICMP types
+#
+ACCEPT	-	-	icmp	fragmentation-needed
+ACCEPT	-	-	icmp	time-exceeded
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+REJECT	-	-	udp	135,445
+REJECT	-	-	udp	137:139
+REJECT	-	-	udp	1024:	137
+REJECT	-	-	tcp	135,139,445
+DROP	-	-	udp	1900
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ b/Shorewall/Macros/macro.SNMPTrap.deprecated
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -0,0 +1,23 @@
+#
+# Shorewall -- /etc/shorewall/Makefile
+#
+# Reload Shorewall if config files are updated.
+
+SWBIN	?= /sbin/shorewall -q
+CONFDIR	?= /etc/shorewall
+SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
+
+.PHONY: clean
+
+$(SWSTATE): $(CONFDIR)/*
+	@$(SWBIN) save >/dev/null; \
+	RESULT=$$($(SWBIN) reload 2>&1); \
+	if [ $$? -eq 0 ]; then \
+	    $(SWBIN) save >/dev/null; \
+	else \
+	    echo "$${RESULT}" >&2; \
+	    false; \
+	fi
+
+clean:
+	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {

    emit "exec 3>\${VARDIR}/.arptables-input";

-    my $date = compiletime;
+    my $date = localtime;

    unless ( $test ) {
 	emit_unindented '#';
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
 #
 sub preview_arptables_load() {

-    my $date = compiletime;
+    my $date = localtime;

    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";

--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -59,21 +59,21 @@ our $acctable;
 #

 use constant {
-	      LEGACY_SECTION      => 0,
-	      PREROUTING_SECTION  => 1,
-	      INPUT_SECTION       => 2,
-	      OUTPUT_SECTION      => 3,
-	      FORWARD_SECTION     => 4,
-	      POSTROUTING_SECTION => 5
+	      LEGACY      => 0,
+	      PREROUTING  => 1,
+	      INPUT       => 2,
+	      OUTPUT      => 3,
+	      FORWARD     => 4,
+	      POSTROUTING => 5
 	  };
 #
 # Map names to values
 #
-our %asections = ( PREROUTING  => PREROUTING_SECTION,
-		   INPUT       => INPUT_SECTION,
-		   FORWARD     => FORWARD_SECTION,
-		   OUTPUT      => OUTPUT_SECTION,
-		   POSTROUTING => POSTROUTING_SECTION
+our %asections = ( PREROUTING  => PREROUTING,
+		   INPUT       => INPUT,
+		   FORWARD     => FORWARD,
+		   OUTPUT      => OUTPUT,
+		   POSTROUTING => POSTROUTING
 		 );

 #
@@ -157,7 +157,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {

    $jumpchainref = 0;

-    $asection = LEGACY_SECTION if $asection < 0;
+    $asection = LEGACY if $asection < 0;

    our $disposition = '';

@@ -519,9 +519,9 @@ sub setup_accounting() {

 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 ( keys %accountingjumps ) {
+		    for my $chain1 ( sort  keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -76,7 +76,7 @@ sub initialize_package_globals( $$$ ) {
 #
 # First stage of script generation.
 #
-#    Copy lib.runtime and lib.common to the generated script.
+#    Copy lib.core and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -90,13 +90,14 @@ sub generate_script_1( $ ) {
 	if ( $test ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
-	    my $date = compiletime;
+	    my $date = localtime;

 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
+
+	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
 	}

-	copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
-	copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
    }

    my $lib = find_file 'lib.private';
@@ -367,7 +368,6 @@ sub generate_script_3($) {
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
    create_save_ipsets;
-    create_load_ipsets;

    emit "#\n# Start/Reload the Firewall\n#";

@@ -406,9 +406,7 @@ sub generate_script_3($) {
 	   'fi',
 	   '' );

-    emit( 'load_ipsets' ,
-	  '' );
-
+    load_ipsets;
    create_nfobjects;
    verify_address_variables;
    save_dynamic_chains;
@@ -575,16 +573,16 @@ date > ${VARDIR}/restarted

 case $COMMAND in
    start)
-        mylogger kern.info "$g_product started"
+        logger -p kern.info "$g_product started"
        ;;
-    reload)
-        mylogger kern.info "$g_product reloaded"
+    reloaded)
+        logger -p kern.info "$g_product reloaded"
        ;;
    refresh)
-        mylogger kern.info "$g_product refreshed"
+        logger -p kern.info "$g_product refreshed"
        ;;
    restore)
-        mylogger kern.info "$g_product restored"
+        logger -p kern.info "$g_product restored"
        ;;
 esac
 EOF
@@ -595,21 +593,6 @@ EOF

 }

-#
-# Generate info_command()
-#
-sub compile_info_command() {
-    my $date = compiletime;
-
-    emit( "\n",
-	  "#",
-	  "# Echo the date and time when this script was compiled along with the Shorewall version",
-	  "#",
-	  "info_command() {" ,
-	  qq(    echo "compiled $date by Shorewall version $globals{VERSION}") ,
-	  "}\n" );
-}   
-
 #
 #  The Compiler.
 #
@@ -700,7 +683,7 @@ sub compiler {
    #
    # Allow user to load Perl modules
    #
-    run_user_exit 'compile';
+    run_user_exit1 'compile';
    #
    # Create a temp file to hold the script
    #
@@ -803,8 +786,33 @@ sub compiler {
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
-
+    #
+    # Generate a function to bring up each provider
+    #
    process_providers( $tcinterfaces );
+    #
+    # [Re-]establish Routing
+    #
+    if ( $scriptfilename || $debug ) {
+	emit(  "\n#",
+	       '# Setup routing and traffic shaping',
+	       '#',
+	       'setup_routing_and_traffic_shaping() {'
+	    );
+
+	push_indent;
+    }
+
+    setup_providers;
+    #
+    # TCRules and Traffic Shaping
+    #
+    setup_tc( $update );
+
+    if ( $scriptfilename || $debug ) {
+	pop_indent;
+	emit "}\n"; # End of setup_routing_and_traffic_shaping()
+    }

    $have_arptables = process_arprules if $family == F_IPV4;

@@ -815,9 +823,13 @@ sub compiler {
    #
    process_tos;
    #
-    # Setup Masquerade/SNAT
+    # ECN
    #
-    setup_snat( $update );
+    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+    #
+    # Setup Masquerading/SNAT
+    #
+    setup_masq;
    #
    # Setup Nat
    #
@@ -855,41 +867,14 @@ sub compiler {
    #
    complete_policy_chains;
    #
+    # Reject Action
+    #
+    process_reject_action if $config{REJECT_ACTION};
+    #
    # Accounting.
    #
    setup_accounting if $config{ACCOUNTING};

-    enable_script;
-    #
-    # Generate a function to bring up each provider
-    #
-    if ( $scriptfilename || $debug ) {
-	emit(  "\n#",
-	       '# Setup routing and traffic shaping',
-	       '#',
-	       'setup_routing_and_traffic_shaping() {'
-	    );
-
-	push_indent;
-    }
-
-    setup_providers;
-    #
-    # TCRules and Traffic Shaping
-    #
-    setup_tc( $update );
-
-    if ( $scriptfilename || $debug ) {
-	pop_indent;
-	emit "}\n"; # End of setup_routing_and_traffic_shaping()
-    }
-    #
-    # ECN
-    #
-    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-
-    disable_script;
-
    if ( $scriptfilename ) {
 	#
 	# Compiling a script - generate the zone by zone matrix
@@ -938,13 +923,9 @@ sub compiler {
 	#
 	compile_updown;
 	#
-	# Echo the compilation time and date
-	#
-	compile_info_command unless $test;
-	#
 	# Copy the footer to the script
 	#
-	copy $globals{SHAREDIRPL} . 'prog.footer';
+	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;

 	disable_script;
 	#
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -432,18 +432,13 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
-    my $pair = $portpair;
-    #
-    # Accept '-' as a port-range separator
-    #
-    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;

-    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;

-    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
-    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
+    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';

-    my @ports = split /:/, $pair, 2;
+    my @ports = split /:/, $portpair, 2;

    my $protonum = resolve_proto( $proto ) || 0;

@@ -472,7 +467,7 @@ sub validate_portpair1( $$ ) {

    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;

-    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';

    my @ports = split /-/, $portpair, 2;
@@ -483,10 +478,9 @@ sub validate_portpair1( $$ ) {

    if ( @ports == 2 ) {
 	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
    } else {
 	$what = 'port';
-	fatal_error 'Invalid port number (0)' unless $portpair;
    }

    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
@@ -503,7 +497,7 @@ sub validate_port_list( $$ ) {
    my ( $proto, $list ) = @_;
    my @list   = split_list( $list, 'port' );

-    if ( @list > 1 && $list =~ /[:-]/ ) {
+    if ( @list > 1 && $list =~ /:/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
    }

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -89,7 +89,6 @@ sub setup_ecn()
 {
    my %interfaces;
    my @hosts;
-    my $interfaceref;

    if ( my $fn = open_file 'ecn' ) {

@@ -106,13 +105,7 @@ sub setup_ecn()
 						    2 );

 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface( $interface );
-
-	    if ( $interfaceref->{root} ) {
-		$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-	    } else {
-		$interface = $interfaceref->{name};
-	    }
+	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;

 	    my $lineinfo = shortlineinfo( '' );

@@ -127,7 +120,7 @@ sub setup_ecn()
 	}

 	if ( @hosts ) {
-	    my @interfaces = ( keys %interfaces );
+	    my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );

 	    progress_message "$doing ECN control on @interfaces...";

@@ -200,7 +193,6 @@ sub remove_blacklist( $ ) {
    if ( $changed ) {
 	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
 	rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
-	transfer_permissions( "$fn.bak", $fn );
 	progress_message2 "\u$file file $fn saved in $fn.bak"
    }
 }
@@ -216,7 +208,6 @@ sub convert_blacklist() {
    my $audit       = $disposition =~ /^A_/;
    my $target      = $disposition;
    my $orig_target = $target;
-    my $warnings    = 0;
    my @rules;

    if ( @$zones || @$zones1 ) {
@@ -238,22 +229,12 @@ sub convert_blacklist() {
 	    return 0;
 	}

-	directive_callback(
-	    sub ()
-	    {
-		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
-	    }
-	    );
-
 	first_entry "Converting $fn...";

 	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) =
-		split_rawline2( 'blacklist file',
-				{ networks => 0, proto => 1, port => 2, options => 3 },
-				{},
-				4,
-		);
+		split_line( 'blacklist file',
+			    { networks => 0, proto => 1, port => 2, options => 3 } );

 	    if ( $options eq '-' ) {
 		$options = 'src';
@@ -311,21 +292,18 @@ sub convert_blacklist() {
 	    }
 	}

-	directive_callback(0);
-
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
-	    my $date = compiletime;
+	    my $date = localtime;

 	    if ( -f $fn1 ) {
 		open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	    } else {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
-		transfer_permissions( $fn, $fn1 );
 		print $blrules <<'EOF';
 #
-# Shorewall - Blacklist Rules File
+# Shorewall version 5.0 - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -407,9 +385,8 @@ sub convert_routestopped() {
    if ( my $fn = open_file 'routestopped' ) {
 	my ( @allhosts, %source, %dest , %notrack, @rule );

-	my $seq      = 0;
-	my $warnings = 0;
-	my $date = compiletime;
+	my $seq  = 0;
+	my $date = localtime;

 	my ( $stoppedrules, $fn1 );

@@ -417,10 +394,9 @@ sub convert_routestopped() {
 	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	} else {
 	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
-	    transfer_permissions( $fn, $fn1 );
 	    print $stoppedrules <<'EOF';
 #
-# Shorewall - Stopped Rules File
+# Shorewall version 5 - Stopped Rules File
 #
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
@@ -436,16 +412,9 @@ sub convert_routestopped() {
 EOF
 	}

-	directive_callback(
-	    sub ()
-	    {
-		warning_message "Omitted rules and compiler directives were not translated" unless $warnings++;
-	    }
-	    );
-
 	first_entry(
 		    sub {
-			my $date = compiletime;
+			my $date = localtime;
 			progress_message2 "$doing $fn...";
 			print( $stoppedrules
 			       "#\n" ,
@@ -457,16 +426,13 @@ EOF
 	while ( read_a_line ( NORMAL_READ ) ) {

 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
-		split_rawline2( 'routestopped file',
-				{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 },
-				{},
-				6,
-				0,
-		);
+		split_line( 'routestopped file',
+			    { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );

 	    my $interfaceref;

 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
+	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';

 	    my $routeback = 0;
@@ -480,6 +446,8 @@ EOF
 	    $hosts = ALLIP if $hosts eq '-';

 	    for my $host ( split /,/, $hosts ) {
+		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
+		validate_host $host, 1;
 		push @hosts, "$interface|$host|$seq";
 		push @rule, $rule;
 	    }
@@ -523,8 +491,6 @@ EOF
 	    push @allhosts, @hosts;
 	}

-	directive_callback(0);
-
 	for my $host ( @allhosts ) {
 	    my ( $interface, $h, $seq ) = split /\|/, $host;
 	    my $rule = shift @rule;
@@ -673,18 +639,11 @@ sub create_docker_rules() {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
 	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
-	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
+	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
-
-	my $outputref;
-	add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
-	incr_cmd_level( $outputref );
-	add_ijump( $outputref, j => 'DOCKER' );
-	decr_cmd_level( $outputref );
-	add_commands( $outputref, 'fi' );
    }

    add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
@@ -708,123 +667,16 @@ sub add_common_rules ( $ ) {
    my $level     = $config{BLACKLIST_LOG_LEVEL};
    my $tag       = $globals{BLACKLIST_LOG_TAG};
    my $rejectref = $filter_table->{reject};
-    my $dbl_type;
-    my $dbl_ipset;
-    my $dbl_level;
-    my $dbl_tag;
-    my $dbl_src_target;
-    my $dbl_dst_target;
-
-    if ( $config{REJECT_ACTION} ) {
-	process_reject_action;
-	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
-    } else {
-	if ( have_capability( 'ADDRTYPE' ) ) {
-	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
-	} else {
-	    if ( $family == F_IPV4 ) {
-		add_commands $rejectref, 'for address in $ALL_BCASTS; do';
-	    } else {
-		add_commands $rejectref, 'for address in $ALL_ACASTS; do';
-	    }
-
-	    incr_cmd_level $rejectref;
-	    add_ijump $rejectref, j => 'DROP', d => '$address';
-	    decr_cmd_level $rejectref;
-	    add_commands $rejectref, 'done';
-	}
-
-	if ( $family == F_IPV4 ) {
-	    add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
-	} else {
-	    add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
-	}
-
-	add_ijump $rejectref , j => 'DROP', p => 2;
-	add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
-
-	if ( have_capability( 'ENHANCED_REJECT' ) ) {
-	    add_ijump $rejectref , j => 'REJECT', p => 17;
-
-	    if ( $family == F_IPV4 ) {
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
-	    } else {
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
-		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
-	    }
-	} else {
-	    add_ijump $rejectref , j => 'REJECT';
-	}
-    }
-
    #
    # Insure that Docker jumps are early in the builtin chains
    #
    create_docker_rules if $config{DOCKER};

-    if ( my $val = $config{DYNAMIC_BLACKLIST} ) {
-	( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $val );
-
-	unless ( $dbl_type =~ /^ipset-only/ ) {
-	    add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
-	    add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
-	    $dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
-	    add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
-	}
-
-	if ( $dbl_ipset ) {
-	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
-
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
-
-		log_rule_limit( $dbl_level,
-				$chainref,
-				'dbl_log',
-				'DROP',
-				$globals{LOGLIMIT},
-				$dbl_tag,
-				'add',
-				'',
-				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
-		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
-
-		if ( $dbl_src_target eq 'dbl_src' ) {
-		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
-
-		    log_rule_limit( $dbl_level,
-				    $chainref,
-				    'dbl_log',
-				    'DROP',
-				    $globals{LOGLIMIT},
-				    $dbl_tag,
-				    'add',
-				    '',
-				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
-		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
-		} else {
-		    $dbl_dst_target = $dbl_src_target;
-		}		    
-	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
-
-		log_rule_limit( $dbl_level,
-				$chainref,
-				'dbl_log',
-				'DROP',
-				$globals{LOGLIMIT},
-				$dbl_tag,
-				'add',
-				'',
-				$origin{DYNAMIC_BLACKLIST} );
-		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
-	    } else {
-		$dbl_src_target = $dbl_dst_target = 'DROP'; 
-	    }
-	}
+    if ( $config{DYNAMIC_BLACKLIST} ) {
+	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
+	add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
+	$dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
+	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
    }

    setup_mss;
@@ -928,30 +780,8 @@ sub add_common_rules ( $ ) {
 		}
 	    }

-	    if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
-
-		my ( $in, $out ) = split /:/, $setting;
-
-		if ( $in  == 1 ) {
-		    #
-		    # src
-		    #
-		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		} elsif ( $in == 2 ) {
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
-		}
-
-		if ( $out == 2 ) {
-		    #
-		    # dst
-		    #
-		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
-		}
-	    }
-	    
 	    for ( option_chains( $interface ) ) {
-		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
+		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
 		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
@@ -1028,7 +858,7 @@ sub add_common_rules ( $ ) {
 	    );
    }
 	    
-    run_user_exit 'initdone';
+    run_user_exit1 'initdone';

    if ( $upgrade ) {
 	convert_blacklist;
@@ -1110,6 +940,46 @@ sub add_common_rules ( $ ) {
 	}
    }

+    unless ( $config{REJECT_ACTION} ) {
+	if ( have_capability( 'ADDRTYPE' ) ) {
+	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
+	} else {
+	    if ( $family == F_IPV4 ) {
+		add_commands $rejectref, 'for address in $ALL_BCASTS; do';
+	    } else {
+		add_commands $rejectref, 'for address in $ALL_ACASTS; do';
+	    }
+
+	    incr_cmd_level $rejectref;
+	    add_ijump $rejectref, j => 'DROP', d => '$address';
+	    decr_cmd_level $rejectref;
+	    add_commands $rejectref, 'done';
+	}
+
+	if ( $family == F_IPV4 ) {
+	    add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
+	} else {
+	    add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
+	}
+
+	add_ijump $rejectref , j => 'DROP', p => 2;
+	add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
+
+	if ( have_capability( 'ENHANCED_REJECT' ) ) {
+	    add_ijump $rejectref , j => 'REJECT', p => 17;
+
+	    if ( $family == F_IPV4 ) {
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
+	    } else {
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
+		add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
+	    }
+	} else {
+	    add_ijump $rejectref , j => 'REJECT';
+	}
+    }
+
    $list = find_interfaces_by_option 'dhcp';

    if ( @$list ) {
@@ -1225,18 +1095,10 @@ sub add_common_rules ( $ ) {

 	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );

-	    my $chainref1;
-
-	    if ( $config{MINIUPNPD} ) {
-		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
-		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
-	    }
-
 	    $announced = 1;

 	    for $interface ( @$list ) {
-		add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
-		add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
+		add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
 	    }
 	}

@@ -1297,7 +1159,7 @@ sub setup_mac_lists( $ ) {
 	$maclist_interfaces{ $hostref->[0] } = 1;
    }

-    my @maclist_interfaces = ( keys %maclist_interfaces );
+    my @maclist_interfaces = ( sort keys %maclist_interfaces );

    if ( $phase == 1 ) {

@@ -1454,6 +1316,8 @@ sub setup_mac_lists( $ ) {
 		}
 	    }

+	    run_user_exit2( 'maclog', $chainref );
+
 	    log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
 	    add_ijump $chainref, j => $target;
 	}
@@ -1618,7 +1482,7 @@ sub handle_loopback_traffic() {
 	    # Handle conntrack rules
 	    #
 	    if ( $notrackref->{referenced} ) {
-		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;

@@ -1639,8 +1503,8 @@ sub handle_loopback_traffic() {
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};

-	    for my $typeref ( values %{$source_hosts_ref} ) {
-		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
+	    for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);

 		    for my $net ( @{$hostref->{hosts}} ) {
@@ -1662,7 +1526,7 @@ sub add_interface_jumps {
    our %input_jump_added;
    our %output_jump_added;
    our %forward_jump_added;
-    my @interfaces = grep $_ ne '%vserver%', @_;
+    my @interfaces = sort grep $_ ne '%vserver%', @_;
    my $dummy;
    my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
    #
@@ -1679,6 +1543,12 @@ sub add_interface_jumps {
 	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );

+	if ( have_capability 'RAWPOST_TABLE' ) {
+	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
+	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
+	    insert_ijump ( $raw_table->{OUTPUT},          j => output_chain( $interface ),      0, imatch_dest_dev( $interface) )   if $raw_table->{output_chain $interface};
+	}
+
 	add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
    }
    #
@@ -1776,7 +1646,7 @@ sub handle_complex_zone( $$ ) {
 	my $type       = $zoneref->{type};
 	my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};

-	for my $interface ( keys %$source_ref ) {
+	for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
 	    my $sourcechainref = $filter_table->{forward_chain $interface};
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
@@ -1916,14 +1786,12 @@ sub add_output_jumps( $$$$$$$$ ) {
    my $use_output        = 0;
    my @dest              = imatch_dest_net $net;
    my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
-    my @zone_interfaces   = keys %{zone_interfaces( $zone )};

-    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
+    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
 	# - There are rules in the interface chain and none in the rules chain
-	# - The zone has multiple interfaces
 	#
 	#   In any of these cases use the inteface output chain
 	#
@@ -1940,7 +1808,7 @@ sub add_output_jumps( $$$$$$$$ ) {
 		unless $output_jump_added{$interface}++;
 	} else {
 	    #
-	    # Not a bridge -- match the output interface
+	    # Not a bridge -- match the input interface
 	    #
 	    add_ijump_extended $filter_table->{OUTPUT}, j => $outputref, $origin, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 	}
@@ -2288,9 +2156,9 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( keys %$source_hosts_ref ) {
+	for my $type ( sort keys %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
-	    for my $interface ( keys %$typeref ) {
+	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
@@ -2375,9 +2243,9 @@ sub generate_matrix() {

 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT

-		for my $type ( keys %{$zone1ref->{hosts}} ) {
+		for my $type ( sort keys %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
-		    for my $interface ( keys %$typeref ) {
+		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
@@ -2550,16 +2418,16 @@ EOF
    emit <<'EOF';
            case $COMMAND in
 	        start)
-	            mylogger kern.err "ERROR:$g_product start failed"
+	            logger -p kern.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            mylogger kern.err "ERROR:$g_product reload failed"
+	            logger -p kern.err "ERROR:$g_product reload failed"
 	            ;;
 	        refresh)
-	            mylogger kern.err "ERROR:$g_product refresh failed"
+	            logger -p kern.err "ERROR:$g_product refresh failed"
 	            ;;
                enable)
-                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    logger -p kern.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
            esac

@@ -2756,9 +2624,6 @@ EOF
    pop_indent;

    emit '
-    rm -f ${VARDIR}/*.address
-    rm -f ${VARDIR}/*.gateway
-
    run_stopped_exit';

    my @ipsets = all_ipsets;
@@ -2771,7 +2636,7 @@ EOF
    emit '

    set_state "Stopped"
-    mylogger kern.info "$g_product Stopped"
+    logger -p kern.info "$g_product Stopped"

    case $COMMAND in
    stop|clear)
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,8 +36,8 @@ use Shorewall::Providers qw( provider_realm );
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
+our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
 our @EXPORT_OK = ();

 Exporter::export_ok_tags('rules');
@@ -62,20 +62,17 @@ sub initialize($) {
 #
 sub process_one_masq1( $$$$$$$$$$$ )
 {
-    my ( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;

    my $pre_nat;
    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
    my $destnets = '';
    my $baserule = '';
    my $inlinematches = '';
-    my $prerule       = '';
-    my $savelist;
    #
    # Leading '+'
    #
    $pre_nat = 1 if $interfacelist =~ s/^\+//;
-
    #
    # Check for INLINE
    #
@@ -84,16 +81,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	$inlinematches = get_inline_matches(0);
    } else {
 	$inlinematches = get_inline_matches(0);
-    }
-
-    $savelist = $interfacelist;
-    #
-    # Handle early matches
-    #
-    if ( $inlinematches =~ s/s*\+// ) {
-	$prerule = $inlinematches;
-	$inlinematches = '';
-    }
+    }	
    #
    # Parse the remaining part of the INTERFACE column
    #
@@ -153,12 +141,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
    $baserule .= do_user( $user )                    if $user ne '-';
    $baserule .= do_probability( $probability )      if $probability ne '-';

-    my $target;
-
    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-
-	$target = 'MASQUERADE ';
+	my $target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -180,9 +165,7 @@ sub process_one_masq1( $$$$$$$$$$$ )

 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

-	if ( $interfaceref->{root} ) {
-	    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-	} else {
+	unless ( $interfaceref->{root} ) {
 	    $rule .= match_dest_dev( $interface );
 	    $interface = $interfaceref->{name};
 	}
@@ -200,7 +183,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	# Parse the ADDRESSES column
 	#
 	if ( $addresses ne '-' ) {
-	    my $saveaddresses = $addresses;
 	    if ( $addresses eq 'random' ) {
 		require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
 		$randomize = '--random ';
@@ -232,7 +214,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 		    my $addrlist = '';
 		    my @addrs = split_list $addresses, 'address';

-		    fatal_error "Only one ADDRESS may be specified" if @addrs > 1;
+		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;

 		    for my $addr ( @addrs ) {
 			if ( $addr =~ /^([&%])(.+)$/ ) {
@@ -248,7 +230,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			    # Address Variable
 			    #
 			    $target = 'SNAT ';
-
 			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 				#
 				# User-defined address variable
@@ -278,20 +259,14 @@ sub process_one_masq1( $$$$$$$$$$$ )
 			} elsif ( $family == F_IPV4 ) {
 			    if ( $addr =~ /^.*\..*\..*\./ ) {
 				$target = 'SNAT ';
-				my ($ipaddr, $rest) = split ':', $addr, 2;
+				my ($ipaddr, $rest) = split ':', $addr;
 				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $ipaddr, 0;
 				}
-
-				if ( supplied $rest ) {
-				    validate_portpair1( $proto, $rest );
-				    $addrlist .= "--to-source $addr ";
-				} else {
-				    $addrlist .= "--to-source $ipaddr";
-				}
-
+				validate_portpair1( $proto, $rest ) if supplied $rest;
+				$addrlist .= "--to-source $addr ";
 				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			    } else {
 				my $ports = $addr;
@@ -352,7 +327,6 @@ sub process_one_masq1( $$$$$$$$$$$ )

 	    $target .= $randomize;
 	    $target .= $persistent;
-	    $addresses = $saveaddresses;
 	} else {
 	    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )  if $family == F_IPV6;
 	    $add_snat_aliases = 0;
@@ -362,7 +336,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
 	#
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
-		     $prerule ,
+		     '' ,
 		     $baserule . $inlinematches . $rule ,
 		     $networks ,
 		     $destnets ,
@@ -402,250 +376,32 @@ sub process_one_masq1( $$$$$$$$$$$ )

 }

-sub convert_one_masq1( $$$$$$$$$$$$ )
+sub process_one_masq( )
 {
-    my ( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+	split_line2( 'masq file',
+		     { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+		     {},    #Nopad
+		     undef, #Columns
+		     1 );   #Allow inline matches

-    my $pre_nat;
-    my $destnets = '';
-    my $savelist;
-    #
-    # Leading '+'
-    #
-    $pre_nat = ( $interfacelist =~ s/^\+// );
-    #
-    # Check for INLINE
-    #
-    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
-	$interfacelist = $1;
+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
    }
-
-    $savelist = $interfacelist;
-    #
-    # Parse the remaining part of the INTERFACE column
-    #
-    if ( $family == F_IPV4 ) {
-	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
-	    $destnets = $2;
-	    $interfacelist = $1;
-	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
-	    $destnets = $2;
-	    $interfacelist = $1;
-	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
-	    $interfacelist = $1;
-	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
-	    my ( $one, $two ) = ( $1, $2 );
-	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
-		$interfacelist = $one;
-		$destnets = $two;
-	    }
-	}
-    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
-	$interfacelist = $1;
-	$destnets      = $2;
-    }
-    #
-    # If there is no source or destination then allow all addresses
-    #
-    $networks = ALLIP if $networks eq '-';
-    $destnets = ALLIP if $destnets eq '-';
-
-    my $target;
-    #
-    # Parse the ADDRESSES column
-    #
-    if ( $addresses ne '-' ) {
-	my $saveaddresses = $addresses;
-	if ( $addresses ne 'random' ) {
-	    $addresses =~ s/:persistent$//;
-	    $addresses =~ s/:random$//;
-
-	    if ( $addresses eq 'detect' ) {
-		$target = 'SNAT';
-	    } elsif ( $addresses eq 'NONAT' ) {
-		$target = 'CONTINUE';
-	    } elsif ( $addresses ) {
-		if ( $addresses =~ /^:/ ) {
-		    $target = 'MASQUERADE';
-		} else {
-		    $target = 'SNAT';
-		}
-	    }
-	}
-
-	$addresses = $saveaddresses;
-    } else {
-	$target = 'MASQUERADE';
-    }
-
-    if ( $snat ) {
-	$target .= '+' if $pre_nat;
-
-	if ( $addresses ne '-' && $addresses ne 'NONAT' ) {
-	    $addresses =~ s/^://;
-	    $target .= '(' . $addresses . ')';
-	}
-
-	my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability";
-	#
-	# Supress superfluous trailing dashes
-	#
-	$line =~ s/(?:\t-)+$//;
-
-	my $raw_matches = fetch_inline_matches;
-
-	$line .= join( '', ' ;;', $raw_matches ) if $raw_matches ne ' ';
-
-	print $snat "$line\n";
-    }
-
-    progress_message "   Masq record \"$rawcurrentline\" Converted";
-
 }

-sub process_one_masq( $ )
+#
+# Process the masq file
+#
+sub setup_masq()
 {
-    my ( $snat ) = @_;
-
-    if ( $snat ) {
-	unless ( $rawcurrentline =~ /^\s*(?:#.*)?$/ ) {
-	    #
-	    # Line was not blank or all comment
-	    #
-	    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
-		split_rawline2( 'masq file',
-				{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
-				{},    #Nopad
-				undef, #Columns
-				1 );   #Allow inline matches
-
-	    if ( $interfacelist ne '-' ) { 
-		for my $proto ( split_list $protos, 'Protocol' ) {
-		    convert_one_masq1( $snat, $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
-		}
-	    }
-	}
-    } else {
-	my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
-	    split_line2( 'masq file',
-			 { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
-			 {},    #Nopad
-			 undef, #Columns
-			 1 );   #Allow inline matches
-
-	fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
-
-	for my $proto ( split_list $protos, 'Protocol' ) {
-	    process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
-	}
-    }
-}
-
-sub open_snat_for_output( $ ) {
-    my ($fn ) = @_;
-    my ( $snat, $fn1 );
-
-    if ( -f ( $fn1 = find_writable_file( 'snat' ) ) ) {
-	open( $snat , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
-    } else {
-	open( $snat , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
-	#
-	# Transfer permissions from the existing masq file to the new snat file
-	#
-	transfer_permissions( $fn, $fn1 );
-
-	if ( $family == F_IPV4 ) {
-	    print $snat <<'EOF';
-#
-# Shorewall - SNAT/Masquerade File
-#
-# For information about entries in this file, type "man shorewall-snat"
-#
-# See http://shorewall.net/manpages/shorewall-snat.html for additional information
-EOF
-	} else {
-	    print $snat <<'EOF';
-#
-# Shorewall6 - SNAT/Masquerade File
-#
-# For information about entries in this file, type "man shorewall6-snat"
-#
-# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
-EOF
-	}
-
-	print $snat <<'EOF';
-###################################################################################################################
-#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
-EOF
-    }
-
-    return ( $snat, $fn1 );
-}
-
-#
-# Convert a masq file into the equivalent snat file
-#
-sub convert_masq() {
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
-	my ( $snat, $fn1 ) = open_snat_for_output( $fn );

-	my $have_masq_rules;
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );

-	directive_callback(
-	    sub ()
-	    {
-		if ( $_[0] eq 'OMITTED' ) {
-		    #
-		    # Convert the raw rule
-		    #
-		    process_one_masq( $snat) if $snat;
-		} else {
-		    print $snat "$_[1]\n"; 0;
-		}
-	    }
-	    );
-
-	first_entry(
-	    sub {
-		my $date = compiletime;
-		progress_message2 "Converting $fn...";
-		print( $snat
-		       "#\n" ,
-		       "# Rules generated from masq file $fn by Shorewall $globals{VERSION} - $date\n" ,
-		       "#\n" );
-	    }
-	    );
-
-	while ( read_a_line( NORMAL_READ ) ) {
-	    #
-	    # Process the file normally
-	    #
-	    process_one_masq(0);
-	    #
-	    # Now Convert it
-	    #
-	    process_one_masq($snat);
-
-	    $have_masq_rules++;
-	}
-
-	if ( $have_masq_rules ) {
-	    progress_message2 "Converted $fn to $fn1";
-	    if ( rename $fn, "$fn.bak" ) {
-		progress_message2 "$fn renamed $fn.bak";
-	    } else {
-		fatal_error "Cannot Rename $fn to $fn.bak: $!";
-	    }
-	} else {
-	    if ( unlink $fn ) {
-		warning_message "Empty masq file ($fn) removed";
-	    } else {
-		warning_message "Unable to remove empty masq file $fn: $!";
-	    }
-	}
-
-	close $snat, directive_callback( 0 );
+	process_one_masq while read_a_line( NORMAL_READ );
    }
 }

@@ -693,9 +449,7 @@ sub do_one_nat( $$$$$ )

    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

-    if ( $interfaceref->{root} ) {
-	$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-    } else {
+    unless ( $interfaceref->{root} ) {
 	$rulein  = match_source_dev $interface;
 	$ruleout = match_dest_dev $interface;
 	$interface = $interfaceref->{name};
@@ -790,39 +544,86 @@ sub setup_netmap() {

 		my @rule = do_iproto( $proto, $dport, $sport );

-		my @rulein;
-		my @ruleout;
+		unless ( $type =~ /:/ ) {
+		    my @rulein;
+		    my @ruleout;

-		$net1 = validate_net $net1, 0;
-		$net2 = validate_net $net2, 0;
+		    $net1 = validate_net $net1, 0;
+		    $net2 = validate_net $net2, 0;

-		if ( $interfaceref->{root} ) {
-		    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-		} else {
-		    @rulein  = imatch_source_dev( $interface );
-		    @ruleout = imatch_dest_dev( $interface );
-		    $interface = $interfaceref->{name};
-		}
+		    unless ( $interfaceref->{root} ) {
+			@rulein  = imatch_source_dev( $interface );
+			@ruleout = imatch_dest_dev( $interface );
+			$interface = $interfaceref->{name};
+		    }

-		require_capability 'NETMAP_TARGET', 'Stateful Netmap Entries', '';
+		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';

-		if ( $type eq 'DNAT' ) {
-		    dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
-				      j => 'NETMAP' ,
-				      "--to $net2",
-				      $net1 ,
-				      @rulein  ,
-				      imatch_source_net( $net3 ) );
-		} elsif ( $type eq 'SNAT' ) {
-		    source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
-				       j => 'NETMAP' ,
-				       "--to $net2" ,
-				       $net1 ,
-				       @ruleout ,
-				       imatch_dest_net( $net3 ) );
+		    if ( $type eq 'DNAT' ) {
+			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
+					  j => 'NETMAP' ,
+					  "--to $net2",
+					  $net1 ,
+					  @rulein  ,
+					  imatch_source_net( $net3 ) );
+		    } elsif ( $type eq 'SNAT' ) {
+			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+					   j => 'NETMAP' ,
+					   "--to $net2" ,
+					   $net1 ,
+					   @ruleout ,
+					   imatch_dest_net( $net3 ) );
+		    } else {
+			fatal_error "Invalid type ($type)";
+		    }
+		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
+		    my ( $target , $chain ) = ( $1, $2 );
+		    my $table = 'raw';
+		    my @match;
+
+		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
+
+		    $net2 = validate_net $net2, 0;
+
+		    unless ( $interfaceref->{root} ) {
+			@match = imatch_dest_dev(  $interface );
+			$interface = $interfaceref->{name};
+		    }
+
+		    if ( $chain eq 'P' ) {
+			$chain = prerouting_chain $interface;
+			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
+		    } elsif ( $chain eq 'O' ) {
+			$chain = output_chain $interface;
+		    } else {
+			$chain = postrouting_chain $interface;
+			$table = 'rawpost';
+		    }
+
+		    my $chainref = ensure_chain( $table, $chain );
+
+
+		    if ( $target eq 'DNAT' ) {
+			dest_iexclusion( $chainref ,
+					 j => 'RAWDNAT' ,
+					 "--to-dest $net2" ,
+					 $net1 ,
+					 imatch_source_net( $net3 ) ,
+					 @rule ,
+					 @match
+				       );
+		    } else {
+			source_iexclusion( $chainref ,
+					   j  => 'RAWSNAT' ,
+					   "--to-source $net2" ,
+					   $net1 ,
+					   imatch_dest_net( $net3 ) ,
+					   @rule ,
+					   @match );
+		    }
 		} else {
 		    fatal_error 'TYPE must be specified' if $type eq '-';
-		    fatal_error "Invalid type ($type)";
+		    fatal_error "Invalid TYPE ($type)";
 		}

 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -125,13 +125,6 @@ sub setup_route_marking() {
    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';

    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
-    #
-    # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
-    #
-
-    if ( $config{ZERO_MARKS} ) {
-	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
-    }

    if ( $config{RESTORE_ROUTEMARKS} ) {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
@@ -220,14 +213,7 @@ sub copy_table( $$$ ) {
 	       '            esac',
 	     );
    } else {
-	emit ( '            case $net in',
-	       '                fe80:*)',
-	       '                    ;;',
-	       '                *)',
-	       "                    run_ip route add table $number \$net \$route $realm",
-	       '                    ;;',
-	       '            esac',
-	     );
+	emit ( "            run_ip route add table $number \$net \$route $realm" );
    }

    emit ( '            ;;',
@@ -298,14 +284,7 @@ sub copy_and_edit_table( $$$$$ ) {
 		'                    esac',
 	     );
    } else {
-	emit (  '                    case $net in',
-		'                        fe80:*)',
-		'                            ;;',
-		'                        *)',
-		"                            run_ip route add table $id \$net \$route $realm",
-		'                            ;;',
-		'                    esac',
-	     );
+	emit (  "                    run_ip route add table $id \$net \$route $realm" );
    }

    emit (  '                    ;;',
@@ -323,14 +302,27 @@ sub balance_default_route( $$$$ ) {
    emit '';

    if ( $first_default_route ) {
-	if ( $gateway ) {
-	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    }
 	} else {
-	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    #
+	    # IPv6 doesn't support multi-hop routes
+	    #
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
+	    }
 	}

 	$first_default_route = 0;
    } else {
+	fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
+
 	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -347,14 +339,27 @@ sub balance_fallback_route( $$$$ ) {
    emit '';

    if ( $first_fallback_route ) {
-	if ( $gateway ) {
-	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    }
 	} else {
-	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    #
+	    # IPv6 doesn't support multi-hop routes
+	    #
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
+	    }
 	}

 	$first_fallback_route = 0;
    } else {
+	fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
+
 	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -387,7 +392,7 @@ sub start_provider( $$$$$ ) {
 }

 #
-# Look up a provider and return a reference to its table entry. If unknown provider, undef is returned
+# Look up a provider and return it's number. If unknown provider, 0 is returned
 #
 sub lookup_provider( $ ) {
    my $provider    = $_[0];
@@ -403,7 +408,7 @@ sub lookup_provider( $ ) {
 	}
    }

-    $providerref;
+    $providerref ? $providerref->{number} : 0;
 }

 #
@@ -486,14 +491,12 @@ sub process_a_provider( $ ) {

    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, 1 );
+	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
-	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gatewaycase = 'none';
 	$gateway = '';
-	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
@@ -507,23 +510,20 @@ sub process_a_provider( $ ) {
 	}

 	$gatewaycase = 'specified';
-	set_interface_option( $interface, 'gateway', $gateway );
    } else {
 	$gatewaycase = 'omitted';
 	fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
 	$gateway = '';
-	set_interface_option( $interface, 'gateway', $pseudo ? 'detect' : 'omitted' );
    }

-
    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );

    if ( $pseudo ) {	
-	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
-	( 0,      0                       , 0 ,        0,        0,                                  1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
+	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
    } else {
-	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
    }

    unless ( $options eq '-' ) {
@@ -535,6 +535,7 @@ sub process_a_provider( $ ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
+		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		fatal_error 'The balance setting must be non-zero' unless $1;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' || $option eq 'primary') {
@@ -557,6 +558,7 @@ sub process_a_provider( $ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
 		fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
+		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$default = $1;
 		$default_balance = 0;
 		fatal_error 'fallback must be non-zero' unless $default;
@@ -603,37 +605,19 @@ sub process_a_provider( $ ) {

    fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};

-    unless ( $pseudo ) {
-	if ( $local ) {
-	    fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
-	    fatal_error "'track' not valid with 'local'"           if $track;
-	    fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
-	    fatal_error "'persistent' is not valid with 'local"    if $persistent;
-	} elsif ( $tproxy ) {
-	    fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	    fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
-	    fatal_error "'track' not valid with 'tproxy'"          if $track;
-	    fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
-	    fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
-	    fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
-	    $mark = $globals{TPROXY_MARK};
-	} elsif ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) {
-	    if ( $config{USE_DEFAULT_RT} ) {
-		if ( $rf ) {
-		    fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
-		} else {
-		    fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
-		}
-	    } else {
-		unless ( $balance ) {
-		    if ( $rf ) {
-			fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
-		    } else {
-			fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
-		    }
-		}
-	    }
-	}
+    if ( $local ) {
+	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
+	fatal_error "'track' not valid with 'local'"           if $track;
+	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
+	fatal_error "'persistent' is not valid with 'local"    if $persistent;
+    } elsif ( $tproxy ) {
+	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
+	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
+	fatal_error "'track' not valid with 'tproxy'"          if $track;
+	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
+	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
+	fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
+	$mark = $globals{TPROXY_MARK};
    }

    my $val = 0;
@@ -682,9 +666,7 @@ sub process_a_provider( $ ) {
    if ( $duplicate ne '-' ) {
 	fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	my $p = lookup_provider( $duplicate );
-	my $n = $p ? $p->{number} : 0;
-	warning_message "Unknown routing table ($duplicate)" unless $n && ( $n == MAIN_TABLE || $n < BALANCE_TABLE );
-	warning_message "An optional provider ($duplicate) is listed in the DUPLICATE column - enable and disable will not work correctly on that provider" if $p && $p->{optional};
+	warning_message "Unknown routing table ($duplicate)" unless $p && ( $p == MAIN_TABLE || $p < BALANCE_TABLE );
    } elsif ( $copy ne '-' ) {
 	fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none';
@@ -702,7 +684,6 @@ sub process_a_provider( $ ) {
 			   interface         => $interface ,
 			   physical          => $physical ,
 			   optional          => $optional ,
-			   wildcard          => $interfaceref->{wildcard} || 0,
 			   gateway           => $gateway ,
 			   gatewaycase       => $gatewaycase ,
 			   shared            => $shared ,
@@ -762,9 +743,9 @@ sub emit_started_message( $$$$$ ) {
    my ( $spaces, $level, $pseudo, $name, $number ) = @_;

    if ( $pseudo ) {
-	emit qq(${spaces}progress_message${level} "Optional interface $name Started");
+	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
    } else {
-	emit qq(${spaces}progress_message${level} "Provider $name ($number) Started");
+	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
    }
 }

@@ -818,10 +799,6 @@ sub add_a_provider( $$ ) {

 	push_indent;

-	emit( "if interface_is_up $physical; then" );
-
-	push_indent;
-
 	if ( $gatewaycase eq 'omitted' ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
@@ -831,19 +808,22 @@ sub add_a_provider( $$ ) {
 	}

 	if ( $gateway ) {
-	    $address = get_interface_address( $interface, 1 ) unless $address;
+	    $address = get_interface_address $interface unless $address;

 	    emit( qq([ -z "$address" ] && return\n) );

 	    if ( $hostroute ) {
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
-		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
-		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+		if ( $family == F_IPV4 ) {
+		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+		} else {
+		    emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
+		    emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
+		    emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
+		}
 	    }

-	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
-	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
+	    emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
 	}

 	if ( ! $noautosrc ) {
@@ -872,10 +852,8 @@ sub add_a_provider( $$ ) {
 	    }
 	}

-	pop_indent;
-
-	emit( qq(fi\n),
-	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
+	emit( qq(\n),
+	      qq(rm -f \${VARDIR}/${physical}_enabled) );


 	pop_indent;
@@ -957,11 +935,17 @@ CEOF
    }

    if ( $gateway ) {
-	$address = get_interface_address( $interface, 1 ) unless $address;
+	$address = get_interface_address $interface unless $address;

 	if ( $hostroute ) {
-	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
-	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+	    if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
+		emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
+	    } else {
+		emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
+		emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
+		emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
+	    }
 	}

 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
@@ -975,8 +959,13 @@ CEOF
 	my $id = $providers{default}->{id};
 	emit '';
 	if ( $gateway ) {
-	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
+		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    } else {
+		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
+		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    }
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
@@ -1052,12 +1041,23 @@ CEOF
 	    $tbl    = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
 	    $weight = $balance ? $balance : $default;

-	    if ( $gateway ) {
-		emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
+	    if ( $family == F_IPV4 ) {
+		if ( $gateway ) {
+		    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
+		} else {
+		    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+		}
 	    } else {
-		emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+		#
+		# IPv6 doesn't support multi-hop routes
+		#
+		if ( $gateway ) {
+		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
+		} else {
+		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
+		}
 	    }
-	} else {
+	    	} else {
 	    $weight = 1;
 	}

@@ -1067,40 +1067,19 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}

-	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
+	emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
 	emit_started_message( '', 2, $pseudo, $table, $number );

-	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    emit( '',
-		  'if [ -n "$g_forcereload" ]; then',
-		  "    progress_message2 \"The IP address or gateway of $physical has changed -- forcing reload of the ruleset\"",
-		  '    COMMAND=reload',
-		  '    detect_configuration',
-		  '    define_firewall',
-		  'fi' );
-	}
-
 	pop_indent;

 	unless ( $pseudo ) {
 	    emit( 'else' );
 	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
-	    emit( qq(    rm -f \${VARDIR}/${physical}_disabled) ) if $persistent;
+	    emit( qq(    echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
 	    emit_started_message( '    ', '', $pseudo, $table, $number );
 	}

 	emit "fi\n";
-
-	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-	    my $variable = interface_address( $interface );
-
-	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
-	}
-
-	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    my $variable = interface_gateway( $interface );
-	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
-	}
    } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
    }
@@ -1115,7 +1094,7 @@ CEOF

    if ( $optional ) {
 	if ( $persistent ) {
-	    emit( "do_persistent_${what}_${table}\n" );
+	    emit( "persistent_${what}_${table}\n" );
 	}

 	if ( $shared ) {
@@ -1125,17 +1104,6 @@ CEOF
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
-
-
-	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-	    my $variable = interface_address( $interface );
-	    emit( "\necho \$$variable > \${VARDIR}/${physical}.address" );
-	}
-
-	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    my $variable = interface_gateway( $interface );
-	    emit( qq(\necho "\$$variable" > \${VARDIR}/${physical}.gateway) );
-	}
    } else {
 	if ( $shared ) {
 	    emit( "fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Started\"" );
@@ -1179,7 +1147,7 @@ CEOF
 		$via = "dev $physical";
 	    }

-	    $via .= " weight $weight" unless $weight < 0;
+	    $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
 	    $via .= " $realm"         if $realm;

 	    emit( qq(delete_gateway "$via" $tbl $physical) );
@@ -1201,7 +1169,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
+		   "    rm -f \${VARDIR}/${physical}_enabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1274,7 +1242,7 @@ sub add_an_rtrule1( $$$$$ ) {
    if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
    } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address( '&', $source, undef, 1 );
+	$source = 'from ' . record_runtime_address '&', $source;
    } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -1528,17 +1496,11 @@ sub finish_providers() {

    if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
-
 	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
-	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
-		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
-		    '    else',
-		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
-		    '    fi',
-		    '' );
+	    emit  ( "    qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" );
+	    emit  ( "    run_ip route add default scope global table $table \$DEFAULT_ROUTE" );
 	}

 	if ( $config{USE_DEFAULT_RT} ) {
@@ -1592,11 +1554,10 @@ sub finish_providers() {

    if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
-
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}

@@ -1713,7 +1674,7 @@ EOF
 		emit ( "    if [ ! -f \${VARDIR}/undo_${provider}_routing ]; then",
 		       "        start_interface_$provider" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit ( "    if [ -f \${VARDIR}/$providerref->{physical}_disabled ]; then",
+		emit ( "    if [ ! -f \${VARDIR}/$providerref->{physical}_enabled ]; then",
 		       "        start_provider_$provider" );
 	    } else {
 		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
@@ -1764,7 +1725,7 @@ EOF
 	    if ( $providerref->{pseudo} ) {
 		emit( "    if [ -f \${VARDIR}/undo_${provider}_routing ]; then" );
 	    } elsif ( $providerref->{persistent} ) {
-		emit( "    if [ ! -f \${VARDIR}/$providerref->{physical}_disabled ]; then" );
+		emit( "    if [ -f \${VARDIR}/$providerref->{physical}_enabled ]; then" );
 	    } else {
 		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
 	    }
@@ -1799,7 +1760,7 @@ sub map_provider_to_interface() {

    my $haveoptional;

-    for my $providerref ( values %providers ) {
+    for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
 	if ( $providerref->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
@@ -1963,7 +1924,7 @@ sub compile_updown() {
    }

    my @nonshared = ( grep $providers{$_}->{optional},
-		      values %provider_interfaces );
+		      sort( { $providers{$a}->{number} <=> $providers{$b}->{number} } values %provider_interfaces ) );

    if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
@@ -2150,31 +2111,9 @@ sub provider_realm( $ ) {
 #
 sub handle_optional_interfaces( $ ) {

-    my @interfaces;
-    my $wildcards;
+    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';

-    #
-    # First do the provider interfacess. Those that are real providers will never have wildcard physical
-    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
-    # wildcard physical names are also included in the providers table.
-    #
-    for my $providerref ( grep $_->{optional} , values %providers ) {
-	push @interfaces, $providerref->{interface};
-	$wildcards ||= $providerref->{wildcard};
-    }
-
-    #
-    # Now do the optional wild interfaces
-    #
-    for my $interface ( grep interface_is_optional($_) && ! $provider_interfaces{$_}, all_real_interfaces ) {
-	push@interfaces, $interface;
-	unless ( $wildcards ) {
-	    my $interfaceref = find_interface($interface);
-	    $wildcards = 1 if $interfaceref->{wildcard};
-	}
-    }
-
-    if ( @interfaces ) {
+    if ( @$interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;

@@ -2185,7 +2124,7 @@ sub handle_optional_interfaces( $ ) {
 	#
 	# Clear the '_IS_USABLE' variables
 	#
-	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @interfaces;
+	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;

 	if ( $wildcards ) {
 	    #
@@ -2202,109 +2141,74 @@ sub handle_optional_interfaces( $ ) {
 	    emit '';
 	}

-	for my $interface ( @interfaces ) {
-	    if ( my $provider = $provider_interfaces{ $interface } ) {
-		my $physical     = get_physical $interface;
-		my $base         = uc var_base( $physical );
-		my $providerref  = $providers{$provider};
-		my $interfaceref = known_interface( $interface );
-		my $wildbase     = uc $interfaceref->{base};
+	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
+	    my $provider    = $provider_interfaces{$interface};
+	    my $physical    = get_physical $interface;
+	    my $base        = uc var_base( $physical );
+	    my $providerref = $providers{$provider};

-		emit( "$physical)" ), push_indent if $wildcards;
+	    emit( "$physical)" ), push_indent if $wildcards;

-		if ( $provider eq $physical ) {
-		    #
-		    # Just an optional interface, or provider and interface are the same
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		} else {
-		    #
-		    # Provider
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		}
+	    if ( $provider eq $physical ) {
+		#
+		# Just an optional interface, or provider and interface are the same
+		#
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+	    } else {
+		#
+		# Provider
+		#
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
+	    }

+	    push_indent;
+	    if ( $providerref->{gatewaycase} eq 'detect' ) {
+		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
+	    } else {
+		emit qq(if interface_is_usable $physical; then);
+	    }
+
+	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
+
+	    emit( "    SW_${base}_IS_USABLE=Yes" ,
+		  'fi' );
+
+	    pop_indent;
+
+	    emit( "fi\n" );
+
+	    emit( ';;' ), pop_indent if $wildcards;
+	}
+
+	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
+	    my $physical    = get_physical $interface;
+	    my $base        = uc var_base( $physical );
+	    my $case        = $physical;
+	    my $wild        = $case =~ s/\+$/*/;
+
+	    if ( $wildcards ) {
+		emit( "$case)" );
 		push_indent;

-		if ( $providerref->{gatewaycase} eq 'detect' ) {
-		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
-		} else {
-		    emit qq(if interface_is_usable $physical; then);
-		}
-
-		emit( '    HAVE_INTERFACE=Yes' ) if $require;
-
-		emit( "    SW_${base}_IS_USABLE=Yes" );
-		emit( "    SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
-		emit( 'fi' );
-
-		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		    my $variable = interface_address( $interface );
-
-		    emit( '',
-			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
-			  '        g_forcereload=Yes',
-			  '    fi',
-			  'fi' );
-		}
-
-		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-		    my $variable = interface_gateway( $interface );
-
-		    emit( '',
-			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
-			  '        g_forcereload=Yes',
-			  '    fi',
-			  'fi' );
-		}
-
-		pop_indent;
-
-		emit( "fi\n" );
-
-		emit( ';;' ), pop_indent if $wildcards;
-	    } else {
-		my $physical    = get_physical $interface;
-		my $base        = uc var_base( $physical );
-		my $case        = $physical;
-		my $wild        = $case =~ s/\+$/*/;
-		my $variable    = interface_address( $interface );
-
-		if ( $wildcards ) {
-		    emit( "$case)" );
+		if ( $wild ) {
+		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
 		    push_indent;
-
-		    if ( $wild ) {
-			emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
-			push_indent;
-			emit ( 'if interface_is_usable $interface; then' );
-		    } else {
-			emit ( "if interface_is_usable $physical; then" );
-		    }
+		    emit ( 'if interface_is_usable $interface; then' );
 		} else {
 		    emit ( "if interface_is_usable $physical; then" );
 		}
+	    } else {
+		emit ( "if interface_is_usable $physical; then" );
+	    }

-		emit ( '    HAVE_INTERFACE=Yes' ) if $require;
-		emit ( "    SW_${base}_IS_USABLE=Yes" ,
-		       'fi' );
+	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
+	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
+		   'fi' );

-		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		    emit( '',
-			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
-			  '        g_forcereload=Yes',
-			  '    fi',
-			  'fi' );
-		}
-
-		if ( $wildcards ) {
-		    pop_indent, emit( 'fi' ) if $wild;
-		    emit( ';;' );
-		    pop_indent;
-		}
+	    if ( $wildcards ) {
+		pop_indent, emit( 'fi' ) if $wild;
+		emit( ';;' );
+		pop_indent;
 	    }
 	}

--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -154,7 +154,7 @@ sub setup_proxy_arp() {

 	emit '';

-	for my $interface ( keys %reset ) {
+	for my $interface ( sort keys %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -163,7 +163,7 @@ sub setup_proxy_arp() {
 	    }
 	}

-	for my $interface ( keys %set ) {
+	for my $interface ( sort keys %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -122,7 +122,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	    fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
 	}

-	my ( $tgt, $options ) = split( ' ', $2, 2 );
+	my ( $tgt, $options ) = split( ' ', $2 );
 	my $target_type = $builtin_target{$tgt};
 	fatal_error "Unknown target ($tgt)" unless $target_type;
 	fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
@@ -368,19 +368,12 @@ sub setup_conntrack($) {
    if ( $convert ) {
 	my $conntrack;
 	my $empty  = 1;
-	my $date = compiletime;
-	my $fn1 = find_writable_file 'conntrack';
+	my $date = localtime;

-	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
-
-	if ( -f $fn1 ) {
-	    open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
+	if ( $fn ) {
+	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
 	} else {
-	    open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
-	    #
-	    # Transfer permissions from the existing notrack file
-	    #
-	    transfer_permissions( $fn, $fn1 );
+	    open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";

 	    print $conntrack <<'EOF';
 #
@@ -403,6 +396,8 @@ EOF
 	       "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
 	       "#\n" );

+	$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
+
 	while ( read_a_line( PLAIN_READ ) ) {
 	    #
 	    # Don't copy the header comments from the old notrack file
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	a8dc76638f	Clear inline matches between calls to process_rule() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-16 14:03:47 -07:00
Tom Eastep	9e0c97009c	Add a jump to DOCKER from OUTPUT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-16 10:04:22 -07:00
Tom Eastep	66b2e28e52	Allow USE_DEFAULT_RT with NetworkManager Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-16 09:12:45 -07:00
Tom Eastep	aca72cb4e6	Fix 'check -r' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-10 13:42:42 -08:00
				`@@ -0,0 +1 @@`
				`This is the Shorewall-init stable 4.4 branch of Git.`
				`@@ -0,0 +1 @@`
				`This is the Shorewall-lite stable 4.4 branch of Git.`