Correct 'show macros'

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-12 08:39:11 -08:00
115 changed files with 2392 additions and 2777 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -22,20 +22,64 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall-core
 Product="Shorewall Core"
-
+ 
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "usage: $ME [ <configuration-file> ] "
-    echo "where <option> is one of"
+    echo "       $ME -v"
-    echo "  -h"
+    echo "       $ME -h"
    echo "  -v"
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    echo $dir/$1
 	    return 0
 	fi
    done
    return 2
 }
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
 }
 delete_file() # $1 = file to delete
 {
    rm -f $1
 }
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -54,16 +98,16 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }
 require()
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 #
 # Source common functions
 #
 . ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
 #
 # Parse the run line
 #
@@ -82,7 +126,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "Shorewall Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    *)
@@ -104,14 +148,14 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
 	file=./shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
 	file=/usr/share/shorewall/shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -125,7 +169,7 @@ elif [ $# -eq 1 ]; then
 	    ;;
    esac
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -241,12 +285,13 @@ case "$HOST" in
    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
 	;;
    *)
-	fatal_error "Unknown HOST \"$HOST\""
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
 	exit 1;
 	;;
 esac
 if [ -z "$file" ]; then
-    if [ $HOST = linux ]; then
+    if $HOST = linux; then
 	file=shorewallrc.default
    else
 	file=shorewallrc.${HOST}
@@ -259,8 +304,7 @@ if [ -z "$file" ]; then
    echo "" >&2
    echo "Example:" >&2
    echo "" >&2
-    echo "   ./install.sh $file" >&2
+    echo "   ./install.sh $file" &>2
    exit 1
 fi
 if [ -n "$DESTDIR" ]; then
@@ -271,31 +315,45 @@ if [ -n "$DESTDIR" ]; then
    fi
 fi
-echo "Installing $Product Version $VERSION"
+echo "Installing Shorewall Core Version $VERSION"
 #
 # Create directories
 #
-make_parent_directory ${DESTDIR}${LIBEXECDIR}/shorewall 0755
+mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
 chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall
-make_parent_directory ${DESTDIR}${SHAREDIR}/shorewall 0755
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
 chmod 755 ${DESTDIR}${SHAREDIR}/shorewall
-make_parent_directory ${DESTDIR}${CONFDIR} 0755
+mkdir -p ${DESTDIR}${CONFDIR}
 chmod 755 ${DESTDIR}${CONFDIR}
-[ -n "${SYSCONFDIR}" ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+if [ -n "${SYSCONFDIR}" ]; then
    mkdir -p ${DESTDIR}${SYSCONFDIR}
    chmod 755 ${DESTDIR}${SYSCONFDIR}
 fi
 if [ -z "${SERVICEDIR}" ]; then
    SERVICEDIR="$SYSTEMD"
 fi
-[ -n "${SERVICEDIR}" ] && make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+if [ -n "${SERVICEDIR}" ]; then
    mkdir -p ${DESTDIR}${SERVICEDIR}
    chmod 755 ${DESTDIR}${SERVICEDIR}
 fi
-make_parent_directory ${DESTDIR}${SBINDIR} 0755
+mkdir -p ${DESTDIR}${SBINDIR}
 chmod 755 ${DESTDIR}${SBINDIR}
-[ -n "${MANDIR}" ] && make_parent_directory ${DESTDIR}${MANDIR} 0755
+if [ -n "${MANDIR}" ]; then
    mkdir -p ${DESTDIR}${MANDIR}
    chmod 755 ${DESTDIR}${MANDIR}
 fi
 if [ -n "${INITFILE}" ]; then
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    mkdir -p ${DESTDIR}${INITDIR}
    chmod 755 ${DESTDIR}${INITDIR}
    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
 	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
@@ -311,7 +369,7 @@ fi
 #
 install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
-echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"
+echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 # Install wait4ifup
 #
@@ -324,14 +382,8 @@ echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
 # Install the libraries
 #
 for f in lib.* ; do
-    case $f in
+    install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
-        *installer)
+    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
            ;;
        *)
            install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
            echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
            ;;
    esac
 done
 if [ $SHAREDIR != /usr/share ]; then
@@ -346,11 +398,11 @@ fi
 if [ -n "$MANDIR" ]; then
    cd manpages
-    [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
    for f in *.8; do
 	gzip -9c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done
@@ -367,7 +419,7 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
-chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 if [ -z "${DESTDIR}" ]; then
    if [ $update -ne 0 ]; then
@@ -392,20 +444,14 @@ fi
 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
-        case $f in
+	if [ $BUILD != apple ]; then
-            *installer)
+	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
-                ;;
+	else
-            *)
+	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
-                if [ $BUILD != apple ]; then
+	fi
                    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
                else
                    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
                fi
                ;;
        esac
    done
 fi
 #
-# Report Success
+#  Report Success
 #
-echo "$Product Version $VERSION Installed"
+echo "Shorewall Core Version $VERSION Installed"
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -78,6 +78,29 @@ showchain() # $1 = name of chain
    fi
 }
 #
 # The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
 #
 iptablesbug()
 {
    if [ $g_family -eq 4 ]; then
 	if qt mywhich awk ; then
 	    awk 'BEGIN           { sline=""; };\
             /^-[jg]/            { print sline $0; next };\
             /-m policy.*-[jg] / { print $0; next };\
             /-m policy/         { sline=$0; next };\
             /--mask ff/         { sub( /--mask ff/, "--mask 0xff" ) };\
                                 { print ; sline="" }'
        else
 	    echo "   WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
 	    cat
 	fi
    else
 	cat
    fi
 }
 #
 # Validate the value of RESTOREFILE
 #
@@ -1127,11 +1150,6 @@ show_macros() {
    done
 }
 show_an_action() {
    echo "Shorewall $SHOREWALL_VERSION Action $1 at $g_hostname - $(date)"
    cat ${directory}/action.$1
 }
 show_a_macro() {
    echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
    cat ${directory}/macro.$1
@@ -1440,27 +1458,12 @@ show_command() {
 		    ;;
 	    	*)
 		    case $1 in
 			action)
 			    [ $# -lt 2 ] && fatal_error 'Missing <action>'
 			    [ $# -gt 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/action.$2 ]; then
 				    eval show_an_action $2 $g_pager
 				    return
 				fi
 			    done
 			    echo "   WARNING: Action $2 not found" >&2
 			    return
 			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
 			    [ $# -lt 2 ] && fatal_error 'Missing <macro>'
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
@@ -4288,7 +4291,6 @@ usage() # $1 = exit status
    echo "   savesets"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    ecko "   [ show | list | ls ] actions"
    ecko "   [ show | list | ls ] action <action>"
    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
@@ -4391,10 +4393,7 @@ shorewall_cli() {
    finished=0
    while [ $finished -eq 0 ]; do
-	if [ $# -eq 0 ]; then
+	[ $# -eq 0 ] && usage 1
 	    setup_product_environment 1
 	    usage 1
 	fi
 	option=$1
 	case $option in
 	    -)
@@ -4524,6 +4523,10 @@ shorewall_cli() {
 	esac
    done
    if [ $# -eq 0 ]; then
 	usage 1
    fi
    setup_product_environment 1
   [ -n "$g_lite" ] || . ${SHAREDIR}/shorewall/lib.cli-std
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -1,89 +0,0 @@
 #
 #
 # Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # The purpose of this library is to hold those functions used by the products installer.
 #
 #########################################################################################
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 delete_file() # $1 = file to delete
 {
    rm -f $1
 }
 require()
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 make_directory() # $1 = directory , $2 = mode
 {
    mkdir $1
    chmod $2 $1
    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
 }
 make_parent_directory() # $1 = directory , $2 = mode
 {
    mkdir -p $1
    chmod $2 $1
    [ -n "$OWNERSHIP" ] && chown $OWNER:$GROUP $1
 }
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
 }
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -1,106 +0,0 @@
 #
 #
 # Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # The purpose of this library is to hold those functions used by the products uninstaller.
 #
 #########################################################################################
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 remove_file() # $1 = file to remove
 {
    if [ -n "$1" ] ; then
        if [ -f $1 -o -L $1 ] ; then
            rm -f $1
            echo "$1 Removed"
        fi
    fi
 }
 remove_directory() # $1 = directory to remove
 {
    if [ -n "$1" ] ; then
        if [ -d $1 ] ; then
            rm -rf $1
            echo "$1 Removed"
        fi
    fi
 }
 remove_file_with_wildcard() # $1 = file with wildcard to remove
 {
    if [ -n "$1" ] ; then
        for f in $1; do
            if [ -d $f ] ; then
                rm -rf $f
                echo "$f Removed"
            elif [ -f $f -o -L $f ] ; then
                rm -f $f
                echo "$f Removed"
            fi
        done
    fi
 }
 restore_file() # $1 = file to restore
 {
    if [ -f ${1}-shorewall.bkout ]; then
 	if (mv -f ${1}-shorewall.bkout $1); then
 	    echo
 	    echo "$1 restored"
        else
 	    exit 1
        fi
    fi
 }
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -685,31 +685,6 @@
      <arg choice="plain"><option>capabilities</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
      <arg>options</arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg><option>-f</option></arg>
      <arg choice="plain"><option>{actions|macros}</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>options</arg>
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg choice="plain"><option>action</option><arg
      choice="plain"><replaceable>action</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>
@@ -720,7 +695,7 @@
      <arg choice="req"><option>show | list | ls </option></arg>
      <arg
-      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks</option></arg>
+      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|ipsec|macros|zones|policies|marks</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -2440,23 +2415,12 @@
          arguments:</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">action
              <replaceable>action</replaceable></emphasis></term>
              <listitem>
                <para>Lists the named action file. Available on Shorewall and
                Shorewall6 only.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">actions</emphasis></term>
              <listitem>
                <para>Produces a report about the available actions (built-in,
-                standard and user-defined). Available on Shorewall and
+                standard and user-defined).</para>
                Shorewall6 only.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 4.5 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -14,7 +14,7 @@ INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
 ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 4.5 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian.sysvinit              #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,8 +1,8 @@
 #
 # Default Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux
 BUILD=                                  #Default is to detect the build system
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -1,8 +1,8 @@
 #
-# OpenWRT Shorewall 5.0 rc file
+# Created by Shorewall Core version 5.0.2-RC1 configure -  Fri, Nov 06, 2015 10:02:03 AM
 #
 # Input: host=openwrt
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Core Modules
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,75 +26,63 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version
-PRODUCT=shorewall-core
+PRODUCT="shorewall-core"
 Product="Shorewall Core"
-
+ 
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "usage: $ME [ <shorewallrc file> ]"
    echo "where <option> is one of"
    echo "  -h"
    echo "  -v"
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 restore_file() # $1 = file to restore
 {
    if [ -f ${1}-shorewall.bkout ]; then
 	if (mv -f ${1}-shorewall.bkout $1); then
 	    echo
 	    echo "$1 restored"
        else
 	    exit 1
        fi
    fi
 }
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
 	rm -f $1
 	echo "$1 Removed"
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 #
 # Source common functions
 #
 . ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
 #
 # Parse the run line
 #
 finished=0
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Uninstaller Version $VERSION"
 			exit 0
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -104,11 +92,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -116,26 +104,20 @@ fi
 if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Core Version $VERSION is not installed"
    VERSION=""
 fi
-echo "Uninstalling $Product $VERSION"
+echo "Uninstalling Shorewall Core $VERSION"
-if [ -n "${MANDIR}" ]; then
+rm -rf ${SHAREDIR}/shorewall
-    remove_file_with_wildcard ${MANDIR}/man5/shorewall\*
+rm -f ~/.shorewallrc
-    remove_file_with_wildcard ${MANDIR}/man8/shorewall\*
+
-fi
+echo "Shorewall Core Uninstalled"
 remove_directory ${SHAREDIR}/shorewall
 remove_file ~/.shorewallrc
 #
 # Report Success
 #
 echo "$Product $VERSION Uninstalled"
--- a/Shorewall-init/default.debian.systemd
+++ b/Shorewall-init/default.debian.systemd
@@ -1,21 +0,0 @@
 # List the Shorewall products that Shorewall-init is to
 # initialize (space-separated list).
 #
 # Sample: PRODUCTS="shorewall shorewall6"
 #
 PRODUCTS=""
 #
 # Set this to 1 if you want Shorewall-init to react to
 # ifup/ifdown and NetworkManager events
 #
 IFUPDOWN=0
 #
 # Where Up/Down events get logged
 #
 LOGFILE=/var/log/shorewall-ifupdown.log
 # Startup options - set verbosity to 0 (minimal reporting)
 OPTIONS="-V0"
 # IOF
--- a/Shorewall-init/default.debian.sysvinit
+++ b/Shorewall-init/default.debian.sysvinit
@@ -1,27 +0,0 @@
 # List the Shorewall products that Shorewall-init is to
 # initialize (space-separated list).
 #
 # Sample: PRODUCTS="shorewall shorewall6"
 #
 PRODUCTS=""
 #
 # Set this to 1 if you want Shorewall-init to react to
 # ifup/ifdown and NetworkManager events
 #
 IFUPDOWN=0
 #
 # Set this to the name of the file that is to hold
 # ipset contents. Shorewall-init will load those ipsets
 # during 'start' and will save them there during 'stop'.
 #
 SAVE_IPSETS=""
 #
 # Where Up/Down events get logged
 #
 LOGFILE=/var/log/shorewall-ifupdown.log
 # Startup options - set verbosity to 0 (minimal reporting)
 OPTIONS="-V0"
 # IOF
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -27,21 +27,58 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version.
 PRODUCT=shorewall-init
 Product="Shorewall Init"
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "usage: $ME [ <configuration-file> ]"
-    echo "where <option> is one of"
+    echo "       $ME -v"
-    echo "  -h"
+    echo "       $ME -h"
-    echo "  -v"
+    echo "       $ME -n"
    echo "  -n"
    exit $1
 }
 fatal_error() 
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
 }
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -60,16 +97,23 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }
 make_directory() # $1 = directory , $2 = mode
 {
    mkdir -p $1
    chmod 0755 $1
    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
 }
 require() 
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 #
 # Source common functions
 #
 . ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
 #
 # Parse the run line
 #
@@ -90,7 +134,7 @@ while [ $finished -eq 0 ] ; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -115,17 +159,17 @@ done
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    #
    # Load packager's settings if any
    #
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc || exit 1
 	file=./shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+     else
-    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	fatal_error "No configuration file specified and ~/.shorewallrc not found"
 	file=/usr/share/shorewall/shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
@@ -133,11 +177,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -254,10 +298,12 @@ case "$HOST" in
 	echo "Installing Openwrt-specific configuration..."
 	;;
    linux)
-	fatal_error "Shorewall-init is not supported on this system"
+	echo "ERROR: Shorewall-init is not supported on this system" >&2
 	exit 1
 	;;
    *)
-	fatal_error "Unsupported HOST distribution: \"$HOST\""
+	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
 	exit 1;
 	;;
 esac
@@ -269,27 +315,30 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    make_directory ${DESTDIR}${INITDIR} 0755
 fi
-echo "Installing $Product Version $VERSION"
+echo "Installing Shorewall Init Version $VERSION"
 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
    first_install=""
 else
    first_install="Yes"
 fi
-[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
+if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
 fi
 #
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    mkdir -p ${DESTDIR}${INITDIR}
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
@@ -308,21 +357,25 @@ if [ -z "${SERVICEDIR}" ]; then
 fi
 if [ -n "$SERVICEDIR" ]; then
-    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
-    [ -n "$DESTDIR" -o $configure -eq 0 ] && make_parent_directory ${DESTDIR}${SBINDIR} 0755
+    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
-    install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0700
+	mkdir -p ${DESTDIR}${SBINDIR}
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
+        chmod 0755 ${DESTDIR}${SBINDIR}
-    echo "CLI installed as ${DESTDIR}${SBINDIR}/$PRODUCT"
+    fi
    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi
 #
 # Create /usr/share/shorewall-init if needed
 #
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
 chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init
 #
 # Install logrotate file
@@ -335,53 +388,55 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/$PRODUCT/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f ${SHAREDIR}/$PRODUCT/init
+    rm -f ${SHAREDIR}/shorewall-init/init
-    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi
 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
-	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
+	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
-	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
+	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
-	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
+	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
    elif [ $configure -eq 0 ]; then
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
    fi
-    if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
-	[ -n "${DESTDIR}" ] && make_parent_directory ${DESTDIR}${ETC}/default 0755
+	if [ -n "${DESTDIR}" ]; then
 	    mkdir -p ${DESTDIR}${ETC}/default
 	fi
-	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/default 0755
+	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
-	install_file ${SYSCONFFILE} ${DESTDIR}${ETC}/default/$PRODUCT 0644
+	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
-	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi
    IFUPDOWN=ifupdown.debian.sh
 else
    if [ -n "$DESTDIR" ]; then
-	make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+	mkdir -p ${DESTDIR}${SYSCONFDIR}
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-up.d 0755
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
-		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-down.d 0755
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    elif [ $HOST = openwrt ]; then
-		# Not implemented on OpenWRT
+		# Not implemented on openwrt
 		/bin/true
 	    else
-		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
+		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
 	fi
    fi
@@ -403,13 +458,13 @@ if [ $HOST != openwrt ]; then
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
-    make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
+    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
-    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown 0544
+    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 fi
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
+    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi
@@ -428,8 +483,8 @@ case $HOST in
    suse)
 	if [ -z "$RPM" ]; then
 	    if [ $configure -eq 0 ]; then
-		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-up.d 0755
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
-		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-down.d 0755
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
 	    fi
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
@@ -463,17 +518,17 @@ if [ -z "$DESTDIR" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable ${PRODUCT}.service; then
-                    echo "$Product will start automatically at boot"
+                    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif mywhich insserv; then
-		if insserv ${INITDIR}/$PRODUCT; then
+		if insserv ${INITDIR}/shorewall-init; then
-                    echo "$Product will start automatically at boot"
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif mywhich update-rc.d ; then
 		if update-rc.d $PRODUCT enable; then
-                    echo "$Product will start automatically at boot"
+		    echo "$PRODUCT will start automatically at boot"
 		    echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 		else
 		    cant_autostart
@@ -494,31 +549,31 @@ if [ -z "$DESTDIR" ]; then
 	    /bin/true
 	else
 	    if [ -n "$SERVICEDIR" ]; then
-		if systemctl enable ${PRODUCT}.service; then
+		if systemctl enable shorewall-init.service; then
-		    echo "$Product will start automatically at boot"
+		    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
-		if insserv ${INITDIR}/$PRODUCT ; then
+		if insserv ${INITDIR}/shorewall-init ; then
-		    echo "$Product will start automatically at boot"
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
-		if chkconfig --add $PRODUCT ; then
+		if chkconfig --add shorewall-init ; then
-		    echo "$Product will start automatically at boot"
+		    echo "Shorewall Init will start automatically in run levels as follows:"
-		    chkconfig --list $PRODUCT
+		    chkconfig --list shorewall-init
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/rc-update ]; then
-		if rc-update add $PRODUCT default; then
+		if rc-update add shorewall-init default; then
-		    echo "$Product will start automatically at boot"
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
 		/etc/init.d/$PRODUCT enable
-		if /etc/init.d/$PRODUCT enabled; then
+		if /etc/init.d/shorewall-init enabled; then
 		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
@@ -532,11 +587,11 @@ else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
-		make_parent_directory ${DESTDIR}/etc/rcS.d 0755
+		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
-	    ln -sf ../init.d/$PRODUCT ${DESTDIR}${CONFDIR}/rcS.d/S38${PRODUCT}
+	    ln -sf ../init.d/shorewall-init ${DESTDIR}${CONFDIR}/rcS.d/S38shorewall-init
-	    echo "$Product will start automatically at boot"
+	    echo "Shorewall Init will start automatically at boot"
 	fi
    fi
 fi
@@ -547,8 +602,8 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
    case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-		make_parent_directory ${DESTDIR}/etc/ppp/$directory 0755 #SuSE doesn't create the IPv6 directories
+		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
+		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
 	    done
 	    ;;
 	redhat)
@@ -559,19 +614,19 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
 		    if grep -qF Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
+			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"
 			break
 		    fi
 		else
-		    cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
+		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		fi
 	    done
 	    ;;
    esac
 fi
 #
-# Report Success
+#  Report Success
 #
 echo "shorewall Init Version $VERSION Installed"
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Init
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,34 +26,62 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "usage: $ME [ <shorewallrc file> ]"
    echo "where <option> is one of"
    echo "  -h"
    echo "  -v"
    echo "  -n"
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
 	rm -f $1
 	echo "$1 Removed"
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 #
 # Source common functions
 #
 . ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
 #
 # Parse the run line
 #
 finished=0
 configure=1
@@ -90,17 +118,16 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -110,72 +137,72 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file || exit 1
 else
    usage 1
 fi
-if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${SHAREDIR}/shorewall-init/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Init Version $VERSION is not installed"
    VERSION=""
 fi
-echo "Uninstalling $Product $VERSION"
+[ -n "${LIBEXEC:=${SHAREDIR}}" ]
 echo "Uninstalling Shorewall Init $VERSION"
 [ -n "$SANDBOX" ] && configure=0
-[ -n "${LIBEXEC:=${SHAREDIR}}" ]
+INITSCRIPT=${CONFDIR}/init.d/shorewall-init
-remove_file  ${SBINDIR}/$PRODUCT
+if [ -f "$INITSCRIPT" ]; then
 FIREWALL=${CONFDIR}/init.d/$PRODUCT
 if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
-	if [ $HOST = openwrt ] ; then
+	if [ $HOST = openwrt ]; then
-	    if /etc/init.d/$PRODUCT enabled; then
+	    if /etc/init.d/shorewall-init enabled; then
-		/etc/init.d/$PRODUCT disable
+		/etc/init.d/shorewall-init disable
 	    fi
 	elif mywhich updaterc.d ; then
 	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
-            insserv -r $FIREWALL
+            insserv -r $INITSCRIPT
 	elif mywhich update-rc.d ; then
 	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
-	    chkconfig --del $(basename $FIREWALL)
+	    chkconfig --del $(basename $INITSCRIPT)
 	fi
    fi
-    remove_file $FIREWALL
+    remove_file $INITSCRIPT
 fi
-[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
+if [ -z "${SERVICEDIR}" ]; then
    SERVICEDIR="$SYSTEMD"
 fi
 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
+    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
-    remove_file $SERVICEDIR/${PRODUCT}.service
+    rm -f $SERVICEDIR/shorewall-init.service
 fi
 if [ $HOST = openwrt ]; then
-    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 else
-    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 fi
-remove_file ${CONFDIR}/default/$PRODUCT
+remove_file ${CONFDIR}/default/shorewall-init
-remove_file ${CONFDIR}/sysconfig/$PRODUCT
+remove_file ${CONFDIR}/sysconfig/shorewall-init
 remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall
@@ -200,11 +227,10 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
 fi
-remove_directory ${SHAREDIR}/$PRODUCT
+rm -f  ${SBINDIR}/shorewall-init
-remove_directory ${LIBEXECDIR}/$PRODUCT
+rm -rf ${SHAREDIR}/shorewall-init
-remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
+rm -rf ${LIBEXECDIR}/shorewall-init
 echo "Shorewall Init Uninstalled"
 #
 # Report Success
 #
 echo "$Product $VERSION Uninstalled"
--- a/Shorewall-lite/default.debian.sysvinit
+++ b/Shorewall-lite/default.debian.sysvinit
@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following variable to 1 in order to allow Shorewall-lite to start
+# set the following varible to 1 in order to allow Shorewall-lite to start
 startup=0
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 #
-# Global start/restart/reload/stop options
+# Startup options
 #
 OPTIONS=""
@@ -30,16 +30,6 @@ STARTOPTIONS=""
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
--- a/Shorewall-lite/default.debian.systemd
+++ b/Shorewall-lite/default.debian.systemd
@@ -1,26 +0,0 @@
 #
 # Global start/restart/reload/stop options
 #
 OPTIONS=""
 #
 # Start options
 #
 STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 # EOF
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,19 +22,62 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "usage: $ME [ <configuration-file> ]"
-    echo "where <option> is one of"
+    echo "       $ME -v"
-    echo "  -h"
+    echo "       $ME -h"
-    echo "  -v"
+    echo "       $ME -n"
    echo "  -n"
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    echo $dir/$1
 	    return 0
 	fi
    done
    return 2
 }
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
 }
 delete_file() # $1 = file to delete
 {
    rm -f $1
 }
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -53,6 +96,19 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }
 make_directory() # $1 = directory , $2 = mode
 {
    mkdir -p $1
    chmod 755 $1
    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
 }
 require()
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 #
 # Change to the directory containing this script
 #
@@ -66,11 +122,6 @@ else
    Product="Shorewall6 Lite"
 fi
 #
 # Source common functions
 #
 . ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
 #
 # Parse the run line
 #
@@ -117,14 +168,12 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc || exit 1
 	file=./shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	file=~/.shorewallrc
+	. ~/.shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	file=/usr/share/shorewall/shorewallrc
+	. /usr/share/shorewall/shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -134,11 +183,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -269,7 +318,8 @@ case "$HOST" in
    linux)
 	;;
    *)
-	fatal_error "ERROR: Unknown HOST \"$HOST\""
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
 	exit 1;
 	;;
 esac
@@ -281,7 +331,7 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    make_directory ${DESTDIR}${INITDIR} 755
 else
    if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
@@ -321,20 +371,25 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
-[ -n "${INITFILE}" ] && make_parent_directory ${DESTDIR}${INITDIR} 0755
+[ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-make_parent_directory ${DESTDIR}${CONFDIR}/$PRODUCT 0755
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
-make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
+mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-make_parent_directory ${DESTDIR}${SBINDIR} 0755
+mkdir -p ${DESTDIR}${SBINDIR}
-make_parent_directory ${DESTDIR}${VARDIR} 0755
+mkdir -p ${DESTDIR}${VARDIR}
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 if [ -n "$DESTDIR" ]; then
-    make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
    mkdir -p ${DESTDIR}${INITDIR}
    chmod 755 ${DESTDIR}${INITDIR}
 fi
 if [ -n "$INITFILE" ]; then
@@ -355,9 +410,9 @@ if [ -z "${SERVICEDIR}" ]; then
 fi
 if [ -n "$SERVICEDIR" ]; then
-    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -386,14 +441,8 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-        case $f in
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-            *installer)
+	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
                ;;
            *)
                install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
                echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
                ;;
        esac
    fi
 done
@@ -421,12 +470,12 @@ if [ -f modules ]; then
 fi
 if [ -f helpers ]; then
-    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 0600
+    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 600
    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi
 for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 644
    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done
@@ -437,19 +486,19 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages
-    make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
+    mkdir -p ${DESTDIR}${MANDIR}/man5/
    for f in *.5; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 0644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done
-    make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
+    mkdir -p ${DESTDIR}${MANDIR}/man8/
    for f in *.8; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done
@@ -459,7 +508,7 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 fi
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 644
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi
@@ -467,7 +516,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
@@ -490,7 +539,10 @@ ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
 if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-    [ ${DESTDIR} ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+    if [ ${DESTDIR} ]; then
 	mkdir -p ${DESTDIR}${SYSCONFDIR}
 	chmod 755 ${DESTDIR}${SYSCONFDIR}
    fi
    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
@@ -558,6 +610,6 @@ if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${
 fi
 #
-# Report Success
+#  Report Success
 #
 echo "$Product Version $VERSION Installed"
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Lite
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,7 +26,9 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-lite
 Product="Shorewall Lite"
 usage() # $1 = exit status
 {
@@ -39,27 +41,46 @@ usage() # $1 = exit status
    exit $1
 }
-#
+fatal_error()
-# Change to the directory containing this script
+{
-#
+    echo "   ERROR: $@" >&2
-cd "$(dirname $0)"
+    exit 1
 }
-if [ -f shorewall-lite.service ]; then
+qt()
-    PRODUCT=shorewall-lite
+{
-    Product="Shorewall Lite"
+    "$@" >/dev/null 2>&1
-else
+}
    PRODUCT=shorewall6-lite
    Product="Shorewall6 Lite"
 fi
-#
+split() {
-# Source common functions
+    local ifs
-#
+    ifs=$IFS
-. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
 	rm -f $1
 	echo "$1 Removed"
    fi
 }
 #
 # Parse the run line
 #
 finished=0
 configure=1
@@ -76,7 +97,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Uninstaller Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -96,17 +117,16 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -116,50 +136,46 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
-if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Lite Version $VERSION is not installed"
    VERSION=""
 fi
-echo "Uninstalling $Product $VERSION"
+echo "Uninstalling Shorewall Lite $VERSION"
 [ -n "$SANDBOX" ] && configure=0
 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-	${SBINDIR}/$PRODUCT clear
+	shorewall-lite clear
    elif qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
 	${SBINDIR}/$PRODUCT clear
    fi
 fi
-remove_file ${SBINDIR}/$PRODUCT
+if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
 if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
    if [ $HOST = openwrt ]; then
-	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
+	if [ $configure -eq 1 ] && /etc/init.d/shorewall-lite enabled; then
-	    /etc/init.d/$PRODUCT disable
+	    /etc/init.d/shorewall-lite disable
 	fi
-	FIREWALL=$(readlink ${SHAREDIR}/$PRODUCT/init)
+	FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
    else
-	FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
    fi
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
@@ -167,10 +183,10 @@ fi
 if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
-	if mywhich insserv ; then
+	if mywhich updaterc.d ; then
 	    updaterc.d shorewall-lite remove
 	elif mywhich insserv ; then
            insserv -r $FIREWALL
 	elif mywhich update-rc.d ; then
 	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	fi
@@ -179,29 +195,26 @@ if [ -f "$FIREWALL" ]; then
    remove_file $FIREWALL
 fi
-[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
+[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    remove_file $SERVICEDIR/${PRODUCT}.service
+    rm -f $SERVICEDIR/shorewall-lite.service
 fi
-remove_directory ${CONFDIR}/$PRODUCT
+rm -f ${SBINDIR}/shorewall-lite
 remove_directory ${VARDIR}
 remove_directory ${SHAREDIR}/$PRODUCT
 remove_directory ${LIBEXECDIR}/$PRODUCT
 remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
-if [ -n "$SYSCONFDIR" ]; then
+rm -rf ${CONFDIR}/shorewall-lite
-    [ -n "$SYSCONFFILE" ] && remove_file ${SYSCONFDIR}/${PRODUCT}
+rm -rf ${VARDIR}
-fi
+rm -rf ${SHAREDIR}/shorewall-lite
 rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
 rm -f  ${SYSCONFDIR}/shorewall-lite
 if [ -n "${MANDIR}" ]; then
-    remove_file_with_wildcard ${MANDIR}/man5/${PRODUCT}\*
+    rm -f ${MANDIR}/man5/shorewall-lite*
-    remove_file_with_wildcard ${MANDIR}/man8/${PRODUCT}\*
+    rm -f ${MANDIR}/man8/shorewall-lite*
 fi
-#
+echo "Shorewall Lite Uninstalled"
-# Report Success
+
 #
 echo "$Product $VERSION Uninstalled"
--- a/Shorewall/Actions/action.A_Drop
+++ b/Shorewall/Actions/action.A_Drop
@@ -12,7 +12,6 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ?require AUDIT_TARGET
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
@@ -22,9 +22,8 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
 ?require AUDIT_TARGET
 DEFAULTS -
--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
@@ -22,9 +22,8 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
 ?require AUDIT_TARGET
 DEFAULTS -
--- a/Shorewall/Actions/action.BLACKLIST
+++ b/Shorewall/Actions/action.BLACKLIST
@@ -1,50 +0,0 @@
 #
 # Shorewall - /usr/share/shorewall/action.BLACKLIST
 #
 # This action:
 #
 #   - Adds the sender to the dynamic blacklist ipset
 #   - Optionally acts on the packet (default is DROP)
 #
 # Parameters:
 #
 # 1 - Action to take after adding the packet. Default is DROP.
 #     Pass -- if you don't want to take any action.
 # 2 - Timeout for ipset entry. Default is the timeout specified in
 #     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
 #
 ###############################################################################
 # Note -- This action is defined with the 'section' option, so the first
 #         parameter is always the section name. That means that in the
 #         following text, the first parameter passed in the rule is actually
 #         @2.
 ###############################################################################
 ?if $1 eq 'BLACKLIST'
   ?if $BLACKLIST_LOG_LEVEL
       blacklog
   ?else
       $BLACKLIST_DISPOSITION
   ?endif
 ?else
   ?if ! "$SW_DBL_IPSET"
   ?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
   ?endif
   DEFAULTS -,DROP,-
   #
   # Add to the blacklist
   #
   ?if passed(@3)
       ADD($SW_DBL_IPSET:src:@3)
   ?elsif $SW_DBL_TIMEOUT
       ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
   ?else
       ADD($SW_DBL_IPSET:src)
   ?endif
   #
   # Dispose of the packet if asked
   #
   ?if passed(@2)
      @2
   ?endif
 ?endif
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -30,6 +30,7 @@ DEFAULTS DROP,-
 ?if __ADDRTYPE
@1	-	-	-	;; -m addrtype --dst-type BROADCAST
@1	-	-	-	;; -m addrtype --dst-type MULTICAST
@1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
 ?begin perl;
@@ -49,6 +50,9 @@ add_jump $chainref, $action, 0, "-d \$address ";
 decr_cmd_level $chainref;
 add_commands $chainref, 'done';
 log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
 1;
 ?end perl;
--- a/Shorewall/Actions/action.Drop.deprecated
+++ b/Shorewall/Actions/action.Drop.deprecated
@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Drop
 #
-# The former default DROP common rules. Use of this action is now deprecated
+# The default DROP common rules
 #
 # This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
@@ -20,7 +20,7 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
@@ -28,7 +28,6 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
 ?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
 ?if passed(@1)
    ?if @1 eq 'audit'
@@ -59,10 +58,9 @@ Auth(@2)
 #
 AllowICMPs(@4)	-	-	icmp
 #
-# Don't log broadcasts or multicasts
+# Don't log broadcasts
 #
 Broadcast(DROP,@1)
 Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
--- a/Shorewall/Actions/action.DropDNSrep
+++ b/Shorewall/Actions/action.DropDNSrep
@@ -1,10 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.DropDNSrep
 #
 # This macro silently drops DNS UDP replies that are in the New state
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 DEFAULTS DROP
@1	-	-	udp	-	53 { comment="Late DNS Replies" }
--- a/Shorewall/Actions/action.Limit
+++ b/Shorewall/Actions/action.Limit
@@ -1,70 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Limit
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Limit(<recent-set>,<num-connections>,<timeout>)
 #
 ###############################################################################
 DEFAULTS -,-,-
 ?begin perl
 use strict;
 use Shorewall::Config;
 use Shorewall::Chains;
 my $chainref        = get_action_chain;
 my @param           = get_action_params(3);
 my ( $level, $tag ) = get_action_logging;
@param = split( ',', $tag ), $tag = $param[0] unless supplied( join '', @param );
 fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
 my $set   = $param[0];
 for ( @param[1,2] ) {
    fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
 }
 my $count = $param[1] + 1;
 require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
 warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
 add_irule $chainref, recent => "--name $set --set";
 if ( $level ne '' ) {
    my $xchainref = new_chain 'filter' , "$chainref->{name}%";
    log_irule_limit( $level, $xchainref, '', 'DROP', [], $tag, 'add' , '' );
    add_ijump $xchainref, j => 'DROP';
    add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
 } else {
    add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
 }
 add_ijump $chainref, j => 'ACCEPT';
 1;
 ?end perl
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -1,50 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Multicast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Multicast[([<action>|-[,{audit|-}])]
 #
 # Default action is DROP
 #
 ###############################################################################
 DEFAULTS DROP,-
 ?if __ADDRTYPE
@1	-	-	-	;; -m addrtype --dst-type MULTICAST
 ?else
 ?begin perl;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
 my ( $action )         = get_action_params( 1 );
 my $chainref           = get_action_chain;
 my ( $level, $tag )    = get_action_logging;
 log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
 1;
 ?end perl;
 ?endif
--- a/Shorewall/Actions/action.Reject.deprecated
+++ b/Shorewall/Actions/action.Reject.deprecated
@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Reject
 #
-# The former default REJECT action common rules. Use of this action is deprecated.
+# The default REJECT action common rules
 #
 # This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
@@ -20,14 +20,13 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
+# 5 - Action to take with late UDP replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
 ?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
 ?if passed(@1)
    ?if @1 eq 'audit'
@@ -62,7 +61,6 @@ AllowICMPs(@4)	-	-	icmp
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
 Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
--- a/Shorewall/Actions/action.allowBcast
+++ b/Shorewall/Actions/action.allowBcast
@@ -1,38 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.allowBcast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # allowBcast[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
        ?require AUDIT_TARGET
 	Broadcast(A_ACCEPT)
    ?else
        ?error "Invalid argument (@1) to allowBcast"
    ?endif
 ?else
    Broadcast(ACCEPT)
 ?endif
--- a/Shorewall/Actions/action.allowMcast
+++ b/Shorewall/Actions/action.allowMcast
@@ -1,38 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.allowMcast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # allowMcast[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
        ?require AUDIT_TARGET
 	Multicast(A_ACCEPT)
    ?else
        ?error "Invalid argument (@1) to allowMcast"
    ?endif
 ?else
    Multicast(ACCEPT)
 ?endif
--- a/Shorewall/Actions/action.allowinUPnP
+++ b/Shorewall/Actions/action.allowinUPnP
@@ -1,40 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.allowinUPnP
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # allowinUPnP[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
        ?require AUDIT_TARGET
 	A_ACCEPT - - 17 1900
 	A_ACCEPT - -  6 49152
    ?else
        ?error "Invalid argument (@1) to allowinUPnP"
    ?endif
 ?else
    ACCEPT - - 17 1900
    ACCEPT - -  6 49152
 ?endif
--- a/Shorewall/Actions/action.dropBcast
+++ b/Shorewall/Actions/action.dropBcast
@@ -1,39 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.dropBcast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # dropBcast[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
        ?require AUDIT_TARGET
 	Broadcast(A_DROP)
    ?else
        ?error "Invalid argument (@1) to dropBcast"
    ?endif
 ?else
    Broadcast(DROP)
 ?endif
--- a/Shorewall/Actions/action.dropMcast
+++ b/Shorewall/Actions/action.dropMcast
@@ -1,38 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.dropMcast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # dropMcast[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
        ?require AUDIT_TARGET
 	Multicast(A_DROP)
    ?else
        ?error "Invalid argument (@1) to dropMcast"
    ?endif
 ?else
    Multicast(DROP)
 ?endif
--- a/Shorewall/Actions/action.dropNotSyn
+++ b/Shorewall/Actions/action.dropNotSyn
@@ -1,38 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.dropNotSyn
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # dropNotSyn[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
        ?require AUDIT_TARGET
 	A_DROP ;; -p 6 ! --syn
    ?else
        ?error "Invalid argument (@1) to dropNotSyn"
    ?endif
 ?else
    DROP ;; -p 6 ! --syn
 ?endif
--- a/Shorewall/Actions/action.forwardUPnP
+++ b/Shorewall/Actions/action.forwardUPnP
@@ -1,43 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.forwardUPnP
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # forwardUPnP
 #
 ###############################################################################
 DEFAULTS -
 ?begin perl
 use strict;
 use Shorewall::Config;
 use Shorewall::Chains;
 my $chainref = get_action_chain;
 set_optflags( $chainref, DONT_OPTIMIZE );
 add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 1;
 ?end perl
--- a/Shorewall/Actions/action.rejNotSyn
+++ b/Shorewall/Actions/action.rejNotSyn
@@ -1,39 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.rejNotSyn
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # rejNotSyn[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
        ?require AUDIT_TARGET
 	A_REJECT ;; -p 6 ! --syn
    ?else
        ?error "Invalid argument (@1) to rejNotSyn"
    ?endif
 ?else
    REJECT(--reject-with tcp-reset) ;; -p 6 ! --syn
 ?endif
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -0,0 +1,13 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.blacklist
 #
 # This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 ?if $BLACKLIST_LOGLEVEL
 blacklog
 ?else
 $BLACKLIST_DISPOSITION
 ?endif
--- a/Shorewall/Macros/macro.Drop
+++ b/Shorewall/Macros/macro.Drop
@@ -0,0 +1,49 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.Drop
 #
 # This macro generates the same rules as the Drop default action
 # It is used in place of action.Drop when USE_ACTIONS=No.
 #
 # Example:
 #
 #	Drop	net	all
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 #
 # Don't log 'auth' DROP
 #
 DROP	-	-	tcp	113
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast
 #
 # ACCEPT critical ICMP types
 #
 ACCEPT	-	-	icmp	fragmentation-needed
 ACCEPT	-	-	icmp	time-exceeded
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
 dropInvalid
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 DROP	-	-	udp	135,445
 DROP	-	-	udp	137:139
 DROP	-	-	udp	1024:	137
 DROP	-	-	tcp	135,139,445
 DROP	-	-	udp	1900
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 dropNotSyn
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -0,0 +1,12 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.DropDNSrep
 #
 # This macro silently drops DNS UDP replies
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 ?COMMENT Late DNS Replies
 DEFAULT DROP
 PARAM	-	-	udp	-	53
--- a/Shorewall/Macros/macro.Reject
+++ b/Shorewall/Macros/macro.Reject
@@ -0,0 +1,49 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.Reject
 #
 # This macro generates the same rules as the Reject default action
 # It is used in place of action.Reject when USE_ACTIONS=No.
 #
 # Example:
 #
 #	Reject	loc	fw
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 #
 # Don't log 'auth' REJECT
 #
 REJECT	-	-	tcp	113
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast
 #
 # ACCEPT critical ICMP types
 #
 ACCEPT	-	-	icmp	fragmentation-needed
 ACCEPT	-	-	icmp	time-exceeded
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
 dropInvalid
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 REJECT	-	-	udp	135,445
 REJECT	-	-	udp	137:139
 REJECT	-	-	udp	1024:	137
 REJECT	-	-	tcp	135,139,445
 DROP	-	-	udp	1900
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 dropNotSyn
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 DROP	-	-	udp	-	53
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -519,9 +519,9 @@ sub setup_accounting() {
 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 ( keys %accountingjumps ) {
+		    for my $chain1 ( sort  keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1223,7 +1223,7 @@ sub merge_rules( $$$ ) {
 	}
    }
-    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) {
+    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }
@@ -1239,7 +1239,7 @@ sub merge_rules( $$$ ) {
    set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};
-    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) {
+    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }
@@ -3691,7 +3691,7 @@ sub optimize_level8( $$$ ) {
 	}
 	if ( $progress ) {
-	    my @rename = keys %rename;
+	    my @rename = sort keys %rename;
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
@@ -6980,13 +6980,13 @@ sub set_global_variables( $$ ) {
    if ( $conditional ) {
 	my ( $interface, @interfaces );
-	@interfaces = keys %interfaceaddr;
+	@interfaces = sort keys %interfaceaddr;
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}
-	@interfaces = keys %interfacegateways;
+	@interfaces = sort keys %interfacegateways;
 	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
@@ -6996,36 +6996,36 @@ sub set_global_variables( $$ ) {
 	    emit( qq(fi\n) );
 	}
-	@interfaces = keys %interfacemacs;
+	@interfaces = sort keys %interfacemacs;
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
    } else {
-	emit $_     for values %interfaceaddr;
+	emit $_     for sort values %interfaceaddr;
-	emit "$_\n" for values %interfacegateways;
+	emit "$_\n" for sort values %interfacegateways;
-	emit $_     for values %interfacemacs;
+	emit $_     for sort values %interfacemacs;
    }
    if ( $setall ) {
-	emit $_ for values %interfaceaddrs;
+	emit $_ for sort values %interfaceaddrs;
-	emit $_ for values %interfacenets;
+	emit $_ for sort values %interfacenets;
 	unless ( have_capability( 'ADDRTYPE' ) ) {
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for values %interfacebcasts;
+		emit $_ for sort values %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for values %interfaceacasts;
+		emit $_ for sort values %interfaceacasts;
 	    }
 	}
    }
 }
 sub verify_address_variables() {
-    for my $variable ( keys %address_variables ) {
+    for my $variable ( sort keys %address_variables ) {
 	my $type = $address_variables{$variable};
 	my $address = "\$$variable";
@@ -7942,7 +7942,7 @@ sub add_interface_options( $ ) {
 	#
 	# Generate a digest for each chain
 	#
-	for my $chainref ( values %input_chains, values %forward_chains ) {
+	for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) {
 	    my $digest = '';
 	    assert( $chainref );
@@ -7961,7 +7961,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = sort keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;
 	    if ( @input_interfaces > 1 ) {
@@ -8047,7 +8047,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = keys %{zone_interfaces( $zone2 )};
+		my @interfaces = sort keys %{zone_interfaces( $zone2 )};
 		my $chain1ref;
 		for my $interface ( @interfaces ) {
@@ -8453,7 +8453,7 @@ sub create_save_ipsets() {
 	    #
 	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
-	    my @sets = keys %ipsets;
+	    my @sets = sort keys %ipsets;
 	    emit( '' ,
 		  '    rm -f $file' ,
@@ -8629,7 +8629,7 @@ sub create_load_ipsets() {
 #
 sub create_nfobjects() {
-    my @objects = ( keys %nfobjects );
+    my @objects = ( sort keys %nfobjects );
    if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -8644,7 +8644,7 @@ sub create_nfobjects() {
 	}
    }
-    for ( keys %nfobjects ) {
+    for ( sort keys %nfobjects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -9120,7 +9120,7 @@ sub initialize_switches() {
    if ( keys %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
-	for my $switch ( keys %switches ) {
+	for my $switch ( sort keys %switches ) {
 	    my $setting = $switches{$switch};
 	    my $file = "/proc/net/nf_condition/$switch";
 	    emit "[ -f $file ] && echo $setting->{setting} > $file";
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -93,10 +93,11 @@ sub generate_script_1( $ ) {
 	    my $date = compiletime;
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
 	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
 	}
 	copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
 	copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
    }
    my $lib = find_file 'lib.private';
@@ -944,7 +945,7 @@ sub compiler {
 	#
 	# Copy the footer to the script
 	#
-	copy $globals{SHAREDIRPL} . 'prog.footer';
+	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
 	disable_script;
 	#
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -748,7 +748,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.1-RC1",
+		    VERSION                 => "5.0.9-Beta2",
 		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -792,7 +792,6 @@ sub initialize( $;$$) {
 	  INVALID_LOG_LEVEL => undef,
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  LOG_LEVEL => undef,
 	  #
 	  # Location of Files
 	  #
@@ -817,7 +816,6 @@ sub initialize( $;$$) {
 	  ACCEPT_DEFAULT => undef,
 	  QUEUE_DEFAULT => undef,
 	  NFQUEUE_DEFAULT => undef,
 	  BLACKLIST_DEFAULT => undef,
 	  #
 	  # RSH/RCP Commands
 	  #
@@ -906,7 +904,6 @@ sub initialize( $;$$) {
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
 	  BALANCE_PROVIDERS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -2713,13 +2710,13 @@ sub directive_info( $$$$ ) {
 # Add quotes to the passed value if the passed 'first part' has an odd number of quotes
 # Return an expression that concatenates $first, $val and $rest
 #
-sub join_parts( $$$$ ) {
+sub join_parts( $$$ ) {
-    my ( $first, $val, $rest, $just_expand ) = @_;
+    my ( $first, $val, $rest ) = @_;
    $val = '' unless defined $val;
-    $val = "'$val'" unless $just_expand || ( $val =~ /^-?\d+$/               ||    # Value is numeric
+    $val = "'$val'" unless ( $val =~ /^-?\d+$/               ||    # Value is numeric
-					     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
+			     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
-					       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
+			       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
    join( '', $first, $val, $rest );
 }
@@ -2772,7 +2769,7 @@ sub evaluate_expression( $$$$ ) {
 		     exists $capdesc{$var}   ? have_capability( $var ) : '' );
 	}
-	$expression = join_parts( $first, $val, $rest, $just_expand );
+	$expression = join_parts( $first, $val, $rest );
 	directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
    }
@@ -2783,7 +2780,7 @@ sub evaluate_expression( $$$$ ) {
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
 	    $usedcaller = USEDCALLER if $var eq 'caller';
-	    $expression = join_parts( $first, $val, $rest , $just_expand );
+	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
    }
@@ -2855,7 +2852,7 @@ sub process_compiler_directive( $$$$ ) {
    print "CD===> $line\n" if $debug;
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
    my ($keyword, $expression) = ( uc $1, $2 );
@@ -2995,70 +2992,52 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 	  ERROR => sub() {
-	      unless ( $omitting ) {
+	      directive_error( evaluate_expression( $expression ,
-		  directive_error( evaluate_expression( $expression ,
+						    $filename ,
-							$filename ,
+						    $linenumber ,
-							$linenumber ,
+						    1 ) ,
-							1 ) ,
+			       $filename ,
-				   $actparams{callfile} ,
+			       $linenumber ) unless $omitting;
 				   $actparams{callline} ) unless $omitting;
 	      }
 	  } ,
 	  WARNING => sub() {
-	      unless ( $omitting ) {
+	      directive_warning( $config{VERBOSE_MESSAGES} ,
-		  directive_warning( $config{VERBOSE_MESSAGES} ,
+		                 evaluate_expression( $expression ,
-				     evaluate_expression( $expression ,
+						      $filename ,
-							  $filename ,
+						      $linenumber ,
-							  $linenumber ,
+						      1 ),
-							  1 ),
+				 $filename ,
-				     $actparams{callfile} ,
+				 $linenumber ) unless $omitting;
 				     $actparams{callline} ) unless $omitting;
 	      }
 	  } ,
 	  INFO => sub() {
-	      unless ( $omitting ) {
+	      directive_info( $config{VERBOSE_MESSAGES} ,
-		  directive_info( $config{VERBOSE_MESSAGES} ,
+			      evaluate_expression( $expression ,
-				  evaluate_expression( $expression ,
+						   $filename ,
-						       $filename ,
+						   $linenumber ,
-						       $linenumber ,
+						   1 ),
-						       1 ),
+			      $filename ,
-				  $actparams{callfile} ,
+			      $linenumber ) unless $omitting;
 				  $actparams{callline} ) unless $omitting;
 	      }
 	  } ,
 	  'WARNING!' => sub() {
-	      unless ( $omitting ) {
+	      directive_warning( ! $config{VERBOSE_MESSAGES} ,
-		  directive_warning( ! $config{VERBOSE_MESSAGES} ,
+		                 evaluate_expression( $expression ,
-				     evaluate_expression( $expression ,
+						      $filename ,
-							  $filename ,
+						      $linenumber ,
-							  $linenumber ,
+						      1 ),
-							  1 ),
+				 $filename ,
-				     $actparams{callfile} ,
+				 $linenumber ) unless $omitting;
 				     $actparams{callline} ) unless $omitting;
 	      }
 	  } ,
 	  'INFO!' => sub() {
-	      unless ( $omitting ) {
+	      directive_info( ! $config{VERBOSE_MESSAGES} ,
-		  directive_info( ! $config{VERBOSE_MESSAGES} ,
+			      evaluate_expression( $expression ,
-				  evaluate_expression( $expression ,
+						   $filename ,
-						       $filename ,
+						   $linenumber ,
-						       $linenumber ,
+						   1 ),
-						       1 ),
+			      $filename ,
-				  $actparams{callfile} ,
+			      $linenumber ) unless $omitting;
 				  $actparams{callline} ) unless $omitting;
 	      }
 	  } ,
 	  REQUIRE => sub() {
 	      unless ( $omitting ) {
 		  fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
 		  fatal_error "Unknown capability ($expression)" unless $capdesc{$expression};
 		  require_capability( $expression, "The $actparams{action} action", 's' );
 	      }
 	  } ,
 	);
@@ -3560,8 +3539,6 @@ sub push_action_params( $$$$$$ ) {
    $actparams{logtag}      = $logtag;
    $actparams{caller}      = $caller;
    $actparams{disposition} = '' if $chainref->{action};
    $actparams{callfile}    = $currentfilename;
    $actparams{callline}    = $currentlinenumber;
    #
    # The Shorewall variable '@chain' has non-word characters other than hyphen removed
    #
@@ -3776,7 +3753,7 @@ sub read_a_line($) {
 	    #
 	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO|REQUIRE)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -5302,24 +5279,11 @@ sub update_config_file( $ ) {
    }
    update_default( 'USE_DEFAULT_RT', 'No' );
-
+    update_default( 'EXPORTMODULES',  'No' );
-    if ( $config{USE_DEFAULT_RT} eq '' || $config{USE_DEFAULT_RT} =~ /^no$/i ) {
+    update_default( 'RESTART',        'reload' );
-	update_default( 'BALANCE_PROVIDERS', 'No' );
+    update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
-    } else {
+    update_default( 'LOGFORMAT',      'Shorewall:%s:%s:' );
-	update_default( 'BALANCE_PROVIDERS', 'Yes' );
+    update_default( 'LOGLIMIT',       '' );
    }
    update_default( 'EXPORTMODULES',     'No' );
    update_default( 'RESTART',           'reload' );
    update_default( 'PAGER',             $shorewallrc1{DEFAULT_PAGER} );
    update_default( 'LOGFORMAT',         'Shorewall:%s:%s:' );
    update_default( 'LOGLIMIT',          '' );
    if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
    } else {
 	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
    }	
    my $fn;
@@ -6322,7 +6286,6 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
    default_yes_no 'AUTOMAKE'                   , '';
    default_yes_no 'TRACK_PROVIDERS'            , '';
    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
    unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6339,8 +6302,6 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
    }
    my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
 	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
@@ -6381,9 +6342,6 @@ sub get_configuration( $$$$ ) {
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 	    $variables{SW_DBL_IPSET}   = $set;
 	    $variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
 	} else {
 	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
@@ -6391,8 +6349,6 @@ sub get_configuration( $$$$ ) {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
    }
    add_variables( %variables );
    default_yes_no 'REQUIRE_INTERFACE'          , '';
    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
    default_yes_no 'COMPLETE'                   , '';
@@ -6490,12 +6446,6 @@ sub get_configuration( $$$$ ) {
    default_log_level 'INVALID_LOG_LEVEL',    '';
    default_log_level 'UNTRACKED_LOG_LEVEL',  '';
    if ( supplied( $val = $config{LOG_LEVEL} ) ) {
 	validate_level( $val );
    } else {
 	$config{LOG_LEVEL} = 'info';
    }
    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
@@ -6664,16 +6614,13 @@ sub get_configuration( $$$$ ) {
    }
    default 'RESTOREFILE'           , 'restore';
-
+    default 'DROP_DEFAULT'          , 'Drop';
-    default 'DROP_DEFAULT'          , 'none';
+    default 'REJECT_DEFAULT'        , 'Reject';
    default 'REJECT_DEFAULT'        , 'none';
    default 'BLACKLIST_DEFAULT'     , 'none';
    default 'QUEUE_DEFAULT'         , 'none';
    default 'NFQUEUE_DEFAULT'       , 'none';
    default 'ACCEPT_DEFAULT'        , 'none';
-    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
+    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
    }
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -127,7 +127,7 @@ sub setup_ecn()
 	}
 	if ( @hosts ) {
-	    my @interfaces = ( keys %interfaces );
+	    my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );
 	    progress_message "$doing ECN control on @interfaces...";
@@ -1297,7 +1297,7 @@ sub setup_mac_lists( $ ) {
 	$maclist_interfaces{ $hostref->[0] } = 1;
    }
-    my @maclist_interfaces = ( keys %maclist_interfaces );
+    my @maclist_interfaces = ( sort keys %maclist_interfaces );
    if ( $phase == 1 ) {
@@ -1618,7 +1618,7 @@ sub handle_loopback_traffic() {
 	    # Handle conntrack rules
 	    #
 	    if ( $notrackref->{referenced} ) {
-		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
@@ -1639,8 +1639,8 @@ sub handle_loopback_traffic() {
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};
-	    for my $typeref ( values %{$source_hosts_ref} ) {
+	    for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
-		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);
 		    for my $net ( @{$hostref->{hosts}} ) {
@@ -1662,7 +1662,7 @@ sub add_interface_jumps {
    our %input_jump_added;
    our %output_jump_added;
    our %forward_jump_added;
-    my @interfaces = grep $_ ne '%vserver%', @_;
+    my @interfaces = sort grep $_ ne '%vserver%', @_;
    my $dummy;
    my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
    #
@@ -1776,7 +1776,7 @@ sub handle_complex_zone( $$ ) {
 	my $type       = $zoneref->{type};
 	my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
-	for my $interface ( keys %$source_ref ) {
+	for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
 	    my $sourcechainref = $filter_table->{forward_chain $interface};
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
@@ -2288,9 +2288,9 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( keys %$source_hosts_ref ) {
+	for my $type ( sort keys %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
-	    for my $interface ( keys %$typeref ) {
+	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
@@ -2375,9 +2375,9 @@ sub generate_matrix() {
 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
-		for my $type ( keys %{$zone1ref->{hosts}} ) {
+		for my $type ( sort keys %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
-		    for my $interface ( keys %$typeref ) {
+		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -519,11 +519,11 @@ sub process_a_provider( $ ) {
    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
    if ( $pseudo ) {	
-	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
-	( 0,      0                       , 0 ,        0,        0,                                  1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
+	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
    } else {
-	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
    }
    unless ( $options eq '-' ) {
@@ -603,37 +603,19 @@ sub process_a_provider( $ ) {
    fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
-    unless ( $pseudo ) {
+    if ( $local ) {
-	if ( $local ) {
+	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
-	    fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
+	fatal_error "'track' not valid with 'local'"           if $track;
-	    fatal_error "'track' not valid with 'local'"           if $track;
+	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
-	    fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
+	fatal_error "'persistent' is not valid with 'local"    if $persistent;
-	    fatal_error "'persistent' is not valid with 'local"    if $persistent;
+    } elsif ( $tproxy ) {
-	} elsif ( $tproxy ) {
+	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	    fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
+	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
-	    fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
+	fatal_error "'track' not valid with 'tproxy'"          if $track;
-	    fatal_error "'track' not valid with 'tproxy'"          if $track;
+	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
-	    fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
+	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
-	    fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
+	fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
-	    fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
+	$mark = $globals{TPROXY_MARK};
 	    $mark = $globals{TPROXY_MARK};
 	} elsif ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) {
 	    if ( $config{USE_DEFAULT_RT} ) {
 		if ( $rf ) {
 		    fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
 		} else {
 		    fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
 		}
 	    } else {
 		unless ( $balance ) {
 		    if ( $rf ) {
 			fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
 		    } else {
 			fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
 		    }
 		}
 	    }
 	}
    }
    my $val = 0;
@@ -1799,7 +1781,7 @@ sub map_provider_to_interface() {
    my $haveoptional;
-    for my $providerref ( values %providers ) {
+    for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
 	if ( $providerref->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
@@ -1963,7 +1945,7 @@ sub compile_updown() {
    }
    my @nonshared = ( grep $providers{$_}->{optional},
-		      values %provider_interfaces );
+		      sort( { $providers{$a}->{number} <=> $providers{$b}->{number} } values %provider_interfaces ) );
    if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
@@ -2158,7 +2140,7 @@ sub handle_optional_interfaces( $ ) {
    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
    # wildcard physical names are also included in the providers table.
    #
-    for my $providerref ( grep $_->{optional} , values %providers ) {
+    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
 	push @interfaces, $providerref->{interface};
 	$wildcards ||= $providerref->{wildcard};
    }
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -154,7 +154,7 @@ sub setup_proxy_arp() {
 	emit '';
-	for my $interface ( keys %reset ) {
+	for my $interface ( sort keys %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -163,7 +163,7 @@ sub setup_proxy_arp() {
 	    }
 	}
-	for my $interface ( keys %set ) {
+	for my $interface ( sort keys %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -138,12 +138,14 @@ our %section_rmap = ( ALL_SECTION ,        'ALL',
 our @policy_chains;
-our %policy_actions;
+our %default_actions;
 our %macros;
 our $family;
 our @builtins;
 #
 # Commands that can be embedded in a basic rule and how many total tokens on the line (0 => unlimited).
 #
@@ -231,7 +233,6 @@ use constant { INLINE_OPT           => 1 ,
 	       TERMINATING_OPT      => 256 ,
 	       AUDIT_OPT            => 512 ,
 	       LOGJUMP_OPT          => 1024 ,
 	       SECTION_OPT          => 2048 ,
 };
 our %options = ( inline      => INLINE_OPT ,
@@ -245,7 +246,6 @@ our %options = ( inline      => INLINE_OPT ,
 		 terminating => TERMINATING_OPT ,
 		 audit       => AUDIT_OPT ,
 		 logjump     => LOGJUMP_OPT ,
 		 section     => SECTION_OPT ,
    );
 our %reject_options;
@@ -309,14 +309,11 @@ sub initialize( $ ) {
    # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
    # in the %config hash when shorewall[6].conf was processed.
    #
-    %policy_actions  = ( DROP	    => [] ,
+    %default_actions  = ( DROP     => 'none' ,
-			 REJECT    => [] ,
+		 	  REJECT   => 'none' ,
-			 BLACKLIST => [] ,
+			  ACCEPT   => 'none' ,
-			 ACCEPT    => [] ,
+			  QUEUE    => 'none' ,
-			 QUEUE	   => [] ,
+			  NFQUEUE  => 'none' ,
 			 NFQUEUE   => [] ,
 			 CONTINUE  => [] ,
 			 NONE      => [] ,
 			);
    #
    # These are set to 1 as sections are encountered.
@@ -350,7 +347,7 @@ sub initialize( $ ) {
    #
    $macro_nest_level  = 0;
    #
-    # All actions mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
+    # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
    #
    %actions           = ();
    #
@@ -361,6 +358,7 @@ sub initialize( $ ) {
    @columns           = ( ( '-' ) x LAST_COLUMN, 0 );
    if ( $family == F_IPV4 ) {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
 	%reject_options = ( 'icmp-net-unreachable'   => 1,
 			    'icmp-host-unreachable'  => 1,
 			    'icmp-port-unreachable'  => 1,
@@ -372,6 +370,7 @@ sub initialize( $ ) {
 	                  );
    } else {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn/;
 	%reject_options = ( 'icmp6-no-route'         => 1,
 			    'no-route'               => 1,
 			    'icmp6-adm-prohibited'   => 1,
@@ -428,7 +427,6 @@ sub convert_to_policy_chain($$$$$$)
    $chainref->{audit}       = $audit;
    $chainref->{policychain} = $chainref->{name};
    $chainref->{policypair}  = [ $source, $dest ];
    $chainref->{pactions}    = [];
 }
 #
@@ -478,7 +476,7 @@ sub set_policy_chain($$$$$$)
 		$chainref->{synchain}    = $polchainref->{synchain};
 	    }
-	    $chainref->{pactions}    = $polchainref->{pactions} || [];
+	    $chainref->{default}     = $polchainref->{default} if defined $polchainref->{default};
 	    $chainref->{is_policy}   = 1;
 	    push @policy_chains, $chainref;
 	} else {
@@ -527,12 +525,12 @@ sub normalize_action( $$$ );
 sub normalize_action_name( $ );
 sub normalize_single_action( $ );
-sub process_policy_action( $$$$ ) {
+sub process_default_action( $$$$ ) {
-    my ( $originalpolicy, $policy, $paction, $level ) = @_;
+    my ( $originalpolicy, $policy, $default, $level ) = @_;
-    if ( supplied $paction ) {
+    if ( supplied $default ) {
-	my $paction_option = ( $policy =~ /_DEFAULT$/ );
+	my $default_option = ( $policy =~ /_DEFAULT$/ );
-	my ( $act, $param ) = get_target_param( $paction );
+	my ( $def, $param ) = get_target_param( $default );
 	if ( supplied $level ) {
 	    validate_level( $level );
@@ -540,49 +538,35 @@ sub process_policy_action( $$$$ ) {
 	    $level = 'none';
 	}
-	if ( ( $targets{$act} || 0 ) & ACTION ) {
+	if ( "\L$default" eq 'none' ) {
-	    $paction = supplied $param  ? normalize_action( $act, $level, $param  ) :
+	    if ( supplied $param || ( supplied $level && $level ne 'none' ) ) {
-		       $level eq 'none' ? normalize_action_name $act :
+		if ( $default_option ) {
-		       normalize_action( $act, $level, '' );
+		    fatal_error "Invalid setting ($originalpolicy) for $policy";
-	} elsif ( ( $targets{$act} || 0 ) == INLINE ) {
+		} else {
-	    $paction = $act;
+		    fatal_error "Invalid policy ($originalpolicy)";
-	    $paction = "$act($param)" if supplied $param;
+		}
 	    $paction = join( ':', $paction, $level ) if $level ne 'none';
 	} elsif ( $paction_option ) {
 	    fatal_error "Unknown Action ($paction) in $policy setting";
 	} else {
 	    fatal_error "Unknown Policy Action ($paction)";
 	}
    } else {
 	$paction = $policy_actions{$policy};
    }
    $paction;
 }
 sub process_policy_actions( $$$ ) {
    my ( $originalpolicy, $policy, $pactions ) = @_;
    if ( supplied $pactions ) {
 	my @pactions;
 	if ( lc $pactions ne 'none' ) {
 	    @pactions = @{$policy_actions{$policy}} if $pactions =~ s/^\+//;
 	    for my $paction ( split_list3( $pactions, 'Policy Action' ) ) {
 		my ( $action, $level, $remainder ) = split( /:/, $paction, 3 );
 		fatal_error "Invalid policy action ($paction:$level:$remainder)" if defined $remainder;
 		push @pactions, process_policy_action( $originalpolicy, $policy, $action, $level );
 	    }
 	    $default = 'none';
 	} elsif ( ( $targets{$def} || 0 ) == ACTION ) {
 	    $default = supplied $param  ? normalize_action( $def, $level, $param  ) :
 		       $level eq 'none' ? normalize_action_name $def :
 		       normalize_action( $def, $level, '' );
 	} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
 	    $default = $def;
 	    $default = "$def($param)" if supplied $param;
 	    $default = join( ':', $default, $level ) if $level ne 'none';
 	} elsif ( $default_option ) {
 	    fatal_error "Unknown Action ($default) in $policy setting";
 	} else {
 	    fatal_error "Unknown Default Action ($default)";
 	}
 	\@pactions;
    } else {
-	$policy_actions{$policy};
+	$default = $default_actions{$policy} || 'none';
    }
    $default;
 }
 #
@@ -670,10 +654,12 @@ sub process_a_policy1($$$$$$$) {
    require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
-    my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    my ( $policy, $default, $level, undef, $remainder ) = split( /:/, $originalpolicy, ACTION_TUPLE_ELEMENTS );
    fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
    fatal_error "Invalid default action ($default:$level:$remainder)" if defined $remainder;
    ( $policy , my $queue ) = get_target_param $policy;
    fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
@@ -682,7 +668,7 @@ sub process_a_policy1($$$$$$$) {
 	fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
    }
-    my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
+    $default = process_default_action( $originalpolicy, $policy, $default, $level );
    if ( defined $queue ) {
 	$policy = handle_nfqueue( $queue,
@@ -693,8 +679,6 @@ sub process_a_policy1($$$$$$$) {
 	    if $clientwild || $serverwild;
 	fatal_error "NONE policy not allowed to/from firewall zone"
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
    } elsif ( $policy eq 'BLACKLIST' ) {
 	fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
    }
    unless ( $clientwild || $serverwild ) {
@@ -739,8 +723,11 @@ sub process_a_policy1($$$$$$$) {
 	$chainref->{synchain}  = $chain
    }
-    $chainref->{pactions} = $pactionref;
+    assert( $default );
-    $chainref->{origin}   = shortlineinfo('');
+    my $chainref1 = $usedactions{$default};
    $chainref->{default} = $chainref1 ? $chainref1->{name} : $default;
    $chainref->{origin} = shortlineinfo('');
    if ( $clientwild ) {
 	if ( $serverwild ) {
@@ -773,11 +760,7 @@ sub process_a_policy() {
    our @zonelist;
    my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
-	split_line2( 'policy file',
+	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
 		     { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, rate => 4, connlimit => 5 } ,
 		     {} , # nopad
 		     6  , # maxcolumns
 		    );
    $loglevel  = '' if $loglevel  eq '-';
    $synparams = '' if $synparams eq '-';
@@ -834,35 +817,33 @@ sub process_policies()
    our %validpolicies = (
 			  ACCEPT => undef,
 			  REJECT => undef,
-			  DROP	 => undef,
+			  DROP   => undef,
 			  CONTINUE => undef,
 			  BLACKLIST => undef,
 			  QUEUE => undef,
 			  NFQUEUE => undef,
 			  NONE => undef
 			  );
-    our %map = ( DROP_DEFAULT      => 'DROP' ,
+    our %map = ( DROP_DEFAULT    => 'DROP' ,
-		 REJECT_DEFAULT    => 'REJECT' ,
+		 REJECT_DEFAULT  => 'REJECT' ,
-		 BLACKLIST_DEFAULT => 'BLACKLIST' ,
+		 ACCEPT_DEFAULT  => 'ACCEPT' ,
-		 ACCEPT_DEFAULT    => 'ACCEPT' ,
+		 QUEUE_DEFAULT   => 'QUEUE' ,
-		 QUEUE_DEFAULT     => 'QUEUE' ,
+		 NFQUEUE_DEFAULT => 'NFQUEUE' );
 		 NFQUEUE_DEFAULT   => 'NFQUEUE' );
    my $zone;
    my $firewall = firewall_zone;
    our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
-    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
+    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
-	my $actions = $config{$option};
+	my $action = $config{$option};
-	if ( $actions eq 'none' ) {
+	unless ( $action eq 'none' ) {
-	    $actions = [];
+	    my ( $default, $level, $remainder ) = split( /:/, $action, 3 );
-	} else {
+	    fatal_error "Invalid setting ( $action ) for $option" if supplied $remainder;
-	    $actions = process_policy_actions( $actions, $option, $actions );
+	    $action = process_default_action( $action, $option, $default, $level );
 	}
-	$policy_actions{$map{$option}} = $actions;
+	$default_actions{$map{$option}} = $action;
    }
    for $zone ( all_zones ) {
@@ -922,23 +903,19 @@ sub process_policies()
 sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
 sub add_policy_rules( $$$$$ ) {
-    my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
+    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
    unless ( $target eq 'NONE' ) {
 	my @pactions;
 	@pactions = @$pactions;
 	add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
-	for my $paction ( @pactions ) {
+	if ( $default && $default ne 'none' ) {
-	    my ( $action ) = split ':', $paction;
+	    my ( $action ) = split ':', $default;
-	    if ( ( $targets{$action} || 0 ) & ACTION ) {
+	    if ( ( $targets{$action} || 0 ) == ACTION ) {
 		#
 		# Default action is a regular action -- jump to the action chain
 		#
-		add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
+		add_ijump $chainref, j => use_policy_action( $default, $chainref->{name} );
 	    } else {
 		#
 		# Default action is an inline 
@@ -950,7 +927,7 @@ sub add_policy_rules( $$$$$ ) {
 				'',           #Matches
 				'',           #Matches1
 				$loglevel,    #Log Level and Tag
-				$paction,     #Target
+				$default,     #Target
 				$param || '', #Param
 				'-',          #Source
 				'-',          #Dest
@@ -974,20 +951,7 @@ sub add_policy_rules( $$$$$ ) {
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
-	if ( $target eq 'BLACKLIST' ) {
+	add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
 	    my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
 	    if ( my $timeout = $globals{DBL_TIMEOUT} ) {
 		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $timeout" );
 	    } else {
 		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist" );
 	    }
 	    $target = 'DROP';
 	} else {
 	    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
 	}
 	add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
    }
 }
@@ -1003,26 +967,27 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
    my $chainref   = $_[0];
    my $policyref  = $filter_table->{$chainref->{policychain}};
    my $synparams  = $policyref->{synparams};
-    my $defaults   = $policyref->{pactions};
+    my $default    = $policyref->{default};
    my $policy     = $policyref->{policy};
    my $loglevel   = $policyref->{loglevel};
    assert( $policyref );
    if ( $chainref eq $policyref ) {
-	add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
+	add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
    } else {
 	if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
 	    if ( $synparams ) {
 		report_syn_flood_protection;
-		add_policy_rules $chainref , $policy , $loglevel , $defaults, $config{MULTICAST};
+		add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	    } else {
 		add_ijump $chainref,  g => $policyref;
 		$chainref = $policyref;
 		add_policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
-	    add_policy_rules $chainref , $policy , $loglevel , $defaults, $config{MULTICAST};
+	    add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	} else {
 	    report_syn_flood_protection if $synparams;
 	    add_ijump $chainref , g => $policyref;
@@ -1045,7 +1010,7 @@ sub complete_policy_chains() {
 	unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
-	    my $defaults    = $chainref->{pactions};
+	    my $default     = $chainref->{default};
 	    my $name        = $chainref->{name};
 	    my $synparms    = $chainref->{synparms};
@@ -1057,7 +1022,7 @@ sub complete_policy_chains() {
 		    # is a single jump. Generate_matrix() will just use the policy target when
 		    # needed.
 		    #
-		    ensure_rules_chain $name if ( @$defaults         ||
+		    ensure_rules_chain $name if ( $default ne 'none' ||
 						  $loglevel          ||
 						  $synparms          ||
 						  $config{MULTICAST} ||
@@ -1068,7 +1033,7 @@ sub complete_policy_chains() {
 	    }
 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
-		add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
+		add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
 	}
    }
@@ -1097,18 +1062,20 @@ sub complete_standard_chain ( $$$$ ) {
    my ( $stdchainref, $zone, $zone2, $default ) = @_;
    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
-    my ( $policy, $loglevel ) = ( $default , 6 );
+    my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
    my $policy_actions = $policy_actions{$policy};
    my $policychainref;
    $policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
    if ( $policychainref ) {
-	( $policy, $loglevel, $policy_actions ) = @{$policychainref}{'policy', 'loglevel', 'pactions' };
+	( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' };
 	$stdchainref->{origin} = $policychainref->{origin};
    } elsif ( $defaultaction !~ /:/ ) {
 	$defaultaction = normalize_single_action( $defaultaction );
    }
-    add_policy_rules $stdchainref , $policy , $loglevel, $policy_actions, 0;
+
    add_policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }
 #
@@ -1704,6 +1671,177 @@ sub map_old_actions( $ ) {
    }
 }
 #
 # The following small functions generate rules for the builtin actions of the same name
 #
 sub dropBcast( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
    my $target = require_audit ( 'DROP', $audit );
    if ( have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
 	    if ( $family == F_IPV4 ) {
 		log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' );
 	    } else {
 		log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST );
 	    }
 	}
 	add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
    } else {
 	if ( $family == F_IPV4 ) {
 	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
 	} else {
 	    add_commands $chainref, 'for address in $ALL_ACASTS; do';
 	}
 	incr_cmd_level $chainref;
 	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '$address' ) if $level ne '';
 	add_ijump $chainref, j => $target, d => '$address';
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
    }
    if ( $family == F_IPV4 ) {
 	log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
    } else {
 	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
    }
 }
 sub allowBcast( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
    my $target = require_audit( 'ACCEPT', $audit );
    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
 	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' );
 	}
 	add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
    } else {
 	if ( $family == F_IPV4 ) {
 	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
 	} else {
 	    add_commands $chainref, 'for address in $ALL_MACASTS; do';
 	}
 	incr_cmd_level $chainref;
 	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '$address' ) if $level ne '';
 	add_ijump $chainref, j => $target, d => '$address';
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
    }
    if ( $family == F_IPV4 ) {
 	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
 	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
    } else {
 	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
 	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
    }
 }
 sub dropNotSyn ( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
    my $target = require_audit( 'DROP', $audit );
    log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
    add_ijump $chainref , j => $target, p => '6 ! --syn';
 }
 sub rejNotSyn ( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
    warning_message "rejNotSyn is deprecated in favor of NotSyn(REJECT)";
    my $target = 'REJECT --reject-with tcp-reset';
    if ( supplied $audit ) {
 	$target = require_audit( 'REJECT' , $audit );
    }
    log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
    add_ijump $chainref , j => $target, p => '6 ! --syn';
 }
 sub forwardUPnP ( $$$$ ) {
    my $chainref = set_optflags( 'forwardUPnP', DONT_OPTIMIZE );
    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }
 sub allowinUPnP ( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;
    my $target = require_audit( 'ACCEPT', $audit );
    if ( $level ne '' ) {
 	log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '17 --dport 1900' );
 	log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '6 --dport 49152' );
    }
    add_ijump $chainref, j => $target, p => '17 --dport 1900';
    add_ijump $chainref, j => $target, p => '6 --dport 49152';
 }
 sub Limit( $$$$ ) {
    my ($chainref, $level, $tag, $param ) = @_;
    my @param;
    if ( $param ) {
 	@param = split /,/, $param;
    } else {
 	@param = split /,/, $tag;
 	$tag = '';
    }
    fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
    my $set   = $param[0];
    for ( @param[1,2] ) {
 	fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
    }
    my $count = $param[1] + 1;
    require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
    warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
    add_irule $chainref, recent => "--name $set --set";
    if ( $level ne '' ) {
 	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
 	log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' );
 	add_ijump $xchainref, j => 'DROP';
 	add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
    } else {
 	add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
    }
    add_ijump $chainref, j => 'ACCEPT';
 }
 my %builtinops = ( 'dropBcast'      => \&dropBcast,
 		   'allowBcast'     => \&allowBcast,
 		   'dropNotSyn'     => \&dropNotSyn,
 		   'rejNotSyn'      => \&rejNotSyn,
 		   'allowinUPnP'    => \&allowinUPnP,
 		   'forwardUPnP'    => \&forwardUPnP,
 		   'Limit'          => \&Limit,
 		 );
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
 sub process_snat1( $$$$$$$$$$$$ );
@@ -1725,6 +1863,12 @@ sub process_action(\$\$$) {
    my $actionref = $actions{$action};
    my $matches   = fetch_inline_matches;
    if ( $type & BUILTIN ) {
 	$level = '' if $level =~ /none!?/;
 	$builtinops{$action}->( $chainref, $level, $tag, $param );
 	return 0;
    }
    if ( $type & MANGLE_TABLE ) {
 	fatal_error "Action $action may only be used in the mangle file" unless $chainref->{table} eq 'mangle';
    } else {
@@ -1997,6 +2141,7 @@ sub process_action(\$\$$) {
 #
 # This function is called prior to processing of the policy file. It:
 #
 # - Adds the builtin actions to the target table
 # - Reads actions.std and actions (in that order) and for each entry:
 #   o Adds the action to the target table
 #   o Verifies that the corresponding action file exists
@@ -2005,6 +2150,10 @@ sub process_action(\$\$$) {
 sub process_actions() {
    progress_message2 "Locating Action Files...";
    #
    # Add built-in actions to the target table and create those actions
    #
    $targets{$_} = new_action( $_ , ACTION + BUILTIN, NOINLINE_OPT, '' , '' ) for @builtins;
    for my $file ( qw/actions.std actions/ ) {
 	open_file( $file, 2 );
@@ -2569,7 +2718,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    #
    # Determine the validity of the action
    #
-    $actiontype = $targets{$basictarget} || find_macro( $basictarget );
+    $actiontype = ( $targets{$basictarget} || find_macro ( $basictarget ) );
    if ( $config{ MAPOLDACTIONS } ) {
 	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
@@ -2977,10 +3126,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $actionchain; # Name of the action chain
    if ( $actiontype & ACTION ) {
 	#
 	# Handle 'section' option
 	#
 	$param = supplied $param ? join( ',' , $section_rmap{$section}, $param ) : $section_rmap{$section} if $actions{$basictarget}{options} & SECTION_OPT;
 	#
 	# Create the action:level:tag:param tuple.
 	#
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1924,7 +1924,7 @@ sub process_traffic_shaping() {
 			my ( $options, $redopts ) = ( '', $tcref->{redopts} );
-			for my $option ( keys %validredoptions ) {
+			for my $option ( sort keys %validredoptions ) {
 			    my $type = $validredoptions{$option};
 			    if ( my $value = $redopts->{$option} ) {
@@ -1943,7 +1943,7 @@ sub process_traffic_shaping() {
 			my ( $options, $codelopts ) = ( '', $tcref->{codelopts} );
-			for my $option ( keys %validcodeloptions ) {
+			for my $option ( sort keys %validcodeloptions ) {
 			    my $type = $validcodeloptions{$option};
 			    if ( my $value = $codelopts->{$option} ) {
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -713,10 +713,10 @@ sub zone_report()
 	my $printed = 0;
 	if ( $hostref ) {
-	    for my $type ( keys %$hostref ) {
+	    for my $type ( sort keys %$hostref ) {
 		my $interfaceref = $hostref->{$type};
-		for my $interface ( keys %$interfaceref ) {
+		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
@@ -766,10 +766,10 @@ sub dump_zone_contents() {
 	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};
 	if ( $hostref ) {
-	    for my $type ( keys %$hostref ) {
+	    for my $type ( sort keys %$hostref ) {
 		my $interfaceref = $hostref->{$type};
-		for my $interface ( keys %$interfaceref ) {
+		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
@@ -1275,7 +1275,6 @@ sub process_interface( $$ ) {
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
 		$options{logmartians} = 1 if $option eq 'routefilter' && $numval && ! $config{LOG_MARTIANS};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
@@ -2219,9 +2218,9 @@ sub find_hosts_by_option( $ ) {
    }
    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sort keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec  = $host->{ipsec};
@@ -2249,9 +2248,9 @@ sub find_zone_hosts_by_option( $$ ) {
    my @hosts;
    unless ( $zones{$zone}{type} & FIREWALL ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sort keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -349,7 +349,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 	case "$default_route" in
 	    *metric*)
 	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes or =Exact. Otherwise, we only replace the one with metric 0
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=
--- a/Shorewall/Samples/Universal/params
+++ b/Shorewall/Samples/Universal/params
@@ -1,13 +0,0 @@
 #
 # Shorewall - Sample Params File for universal configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
--- a/Shorewall/Samples/Universal/policy
+++ b/Shorewall/Samples/Universal/policy
@@ -7,6 +7,7 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT
+#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
 #				LEVEL	BURST		MASK
 $FW	net	ACCEPT
-net	all	DROP		$LOG_LEVEL
+net	all	DROP
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -33,8 +33,6 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -55,19 +53,19 @@ LOGTAGONLY=No
 LOGLIMIT="s:1/sec:10"
-MACLIST_LOG_LEVEL=$LOG_LEVEL
+MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL=$LOG_LEVEL
+RPFILTER_LOG_LEVEL=info
-SFILTER_LOG_LEVEL=$LOG_LEVEL
+SFILTER_LOG_LEVEL=info
-SMURF_LOG_LEVEL=$LOG_LEVEL
+SMURF_LOG_LEVEL=info
 STARTUP_LOG=/var/log/shorewall-init.log
-TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
+TCP_FLAGS_LOG_LEVEL=info
 UNTRACKED_LOG_LEVEL=
@@ -109,12 +107,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT=none
+ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Drop"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT="none"
-QUEUE_DEFAULT=none
+REJECT_DEFAULT="Reject"
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -143,8 +140,6 @@ AUTOHELPERS=Yes
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
--- a/Shorewall/Samples/one-interface/params
+++ b/Shorewall/Samples/one-interface/params
@@ -1,13 +0,0 @@
 #
 # Shorewall - Sample Params File for one-interface configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
--- a/Shorewall/Samples/one-interface/policy
+++ b/Shorewall/Samples/one-interface/policy
@@ -11,8 +11,8 @@
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
+#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
-$FW	net		ACCEPT
+$FW		net		ACCEPT
-net	all		DROP		$LOG_LEVEL
+net		all		DROP		info
 # The FOLLOWING POLICY MUST BE LAST
-all	all		REJECT		$LOG_LEVEL
+all		all		REJECT		info
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -44,8 +44,6 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -66,19 +64,19 @@ LOGTAGONLY=No
 LOGLIMIT="s:1/sec:10"
-MACLIST_LOG_LEVEL="$LOG_LEVEL"
+MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL="$LOG_LEVEL"
+RPFILTER_LOG_LEVEL=info
-SFILTER_LOG_LEVEL="$LOG_LEVEL"
+SFILTER_LOG_LEVEL=info
-SMURF_LOG_LEVEL="$LOG_LEVEL"
+SMURF_LOG_LEVEL=info
 STARTUP_LOG=/var/log/shorewall-init.log
-TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
+TCP_FLAGS_LOG_LEVEL=info
 UNTRACKED_LOG_LEVEL=
@@ -120,12 +118,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT=none
+ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Drop"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT="none"
-QUEUE_DEFAULT=none
+REJECT_DEFAULT="Reject"
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -154,8 +151,6 @@ AUTOHELPERS=Yes
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
--- a/Shorewall/Samples/three-interfaces/params
+++ b/Shorewall/Samples/three-interfaces/params
@@ -1,13 +0,0 @@
 #
 # Shorewall - Sample Params File for three-interface configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
--- a/Shorewall/Samples/three-interfaces/policy
+++ b/Shorewall/Samples/three-interfaces/policy
@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
+#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
-loc	net		ACCEPT
+loc		net		ACCEPT
-net	all		DROP		$LOG_LEVEL
+net		all		DROP		info
 # THE FOLLOWING POLICY MUST BE LAST
-all	all		REJECT		$LOG_LEVEL
+all		all		REJECT		info
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -41,8 +41,6 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -63,19 +61,19 @@ LOGTAGONLY=No
 LOGLIMIT="s:1/sec:10"
-MACLIST_LOG_LEVEL=$LOG_LEVEL
+MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL=$LOG_LEVEL
+RPFILTER_LOG_LEVEL=info
-SFILTER_LOG_LEVEL=$LOG_LEVEL
+SFILTER_LOG_LEVEL=info
-SMURF_LOG_LEVEL=$LOG_LEVEL
+SMURF_LOG_LEVEL=info
 STARTUP_LOG=/var/log/shorewall-init.log
-TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
+TCP_FLAGS_LOG_LEVEL=info
 UNTRACKED_LOG_LEVEL=
@@ -117,12 +115,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT=none
+ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Drop"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT="none"
-QUEUE_DEFAULT=none
+REJECT_DEFAULT="Reject"
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -151,8 +148,6 @@ AUTOHELPERS=Yes
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
--- a/Shorewall/Samples/two-interfaces/params
+++ b/Shorewall/Samples/two-interfaces/params
@@ -1,13 +0,0 @@
 #
 # Shorewall - Sample Params File for two-interface configuration.
 # Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
--- a/Shorewall/Samples/two-interfaces/policy
+++ b/Shorewall/Samples/two-interfaces/policy
@@ -11,10 +11,10 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 ###############################################################################
-#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
+#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
-loc	net		ACCEPT
+loc		net		ACCEPT
-net	all		DROP		$LOG_LEVEL
+net		all		DROP		info
-# THE FOLOWING POLICY MUST BE LAST
+# THE FOLLOWING POLICY MUST BE LAST
-all	all		REJECT		$LOG_LEVEL
+all		all		REJECT		info
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -44,8 +44,6 @@ FIREWALL=
 #		                L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -66,19 +64,19 @@ LOGTAGONLY=No
 LOGLIMIT="s:1/sec:10"
-MACLIST_LOG_LEVEL=$LOG_LEVEL
+MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL=$LOG_LEVEL
+RPFILTER_LOG_LEVEL=info
-SFILTER_LOG_LEVEL=$LOG_LEVEL
+SFILTER_LOG_LEVEL=info
-SMURF_LOG_LEVEL=$LOG_LEVEL
+SMURF_LOG_LEVEL=info
 STARTUP_LOG=/var/log/shorewall-init.log
-TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
+TCP_FLAGS_LOG_LEVEL=info
 UNTRACKED_LOG_LEVEL=
@@ -120,12 +118,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT=none
+ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Drop"
-DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT="none"
-QUEUE_DEFAULT=none
+REJECT_DEFAULT="Reject"
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -154,8 +151,6 @@ AUTOHELPERS=Yes
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -6,46 +6,47 @@
 #	Please see http://shorewall.net/Actions.html for additional
 #	information.
 #
 # Builtin Actions are:
 #
 ?if 0
 A_ACCEPT                        # Audits then accepts a connection request
 A_DROP                          # Audits then drops a connection request
 allowBcast		        # Silently Allow Broadcast/multicast
 dropBcast		        # Silently Drop Broadcast/multicast
 dropNotSyn		        # Silently Drop Non-syn TCP packets
 rejNotSyn		        # Silently Reject Non-syn TCP packets
 allowinUPnP	                # Allow UPnP inbound (to firewall) traffic
 forwardUPnP	                # Allow traffic that upnpd has redirected from 'upnp' interfaces.
 Limit                           # Limit the rate of connections from each individual IP address
 ?endif
 ###############################################################################
 #ACTION
-A_Drop				# Audited Default Action for DROP policy
+A_Drop 		                # Audited Default Action for DROP policy
-A_REJECT     noinline,logjump	# Audits then rejects a connection request
+A_REJECT     noinline,logjump   # Audits then rejects a connection request
-A_REJECT!    inline		# Audits then rejects a connection request
+A_REJECT!    inline             # Audits then rejects a connection request
-A_Reject			# Audited Default action for REJECT policy
+A_Reject	                # Audited Default action for REJECT policy
 allowBcast   inline		# Silently Allow Broadcast
 allowinUPnP  inline		# Allow UPnP inbound (to firewall) traffic
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
-allowMcast   inline		# Silently Allow Multicast
+AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
-AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
+AutoBLL      noinline           # Helper for AutoBL
-AutoBLL	     noinline		# Helper for AutoBL
+Broadcast    noinline,audit     # Handles Broadcast/Multicast/Anycast
-BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
+DNSAmp                          # Matches one-question recursive DNS queries
-Broadcast    noinline,audit	# Handles Broadcast/Anycast
+Drop		                # Default Action for DROP policy
 DNSAmp				# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
-dropMcast    inline		# Silently Drop Multicast
+DropSmurfs   noinline           # Drop smurf packets
 dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
 DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
-	     state=ESTABLISHED	#
+	     state=ESTABLISHED  #
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
-IfEvent	     noinline		# Perform an action based on an event
+IfEvent      noinline           # Perform an action based on an event
-Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
+Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
-	     state=INVALID	#
+             state=INVALID      #
 Limit	     noinline		# Limit the rate of connections from each individual IP address
 Multicast    noinline,audit	# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
+NotSyn       inline,audit       # Handles TCP packets which do not have SYN=1 and ACK=0
-rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
+Reject                          # Default Action for REJECT policy
-Reject				# Default Action for REJECT policy (deprecated)
+Related      inline,\		# Handles packets in the RELATED conntrack state
-Related	     inline,\		# Handles packets in the RELATED conntrack state
+             state=RELATED      #
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit	# Handle packets with RST set
+RST	     inline,audit       # Handle packets with RST set
 SetEvent     inline		# Initialize an event
-TCPFlags			# Handle bad flag combinations.
+TCPFlags    			# Handle bad flag combinations.
-Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
+Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
-	     state=UNTRACKED	#
+	     state=UNTRACKED    #
--- a/Shorewall/configfiles/policy
+++ b/Shorewall/configfiles/policy
@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE		DEST		POLICY	LOGLEVEL	RATE	CONNLIMIT
+#SOURCE		DEST		POLICY	LOGLEVEL	LIMIT	CONNLIMIT
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -33,8 +33,6 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -55,19 +53,19 @@ LOGTAGONLY=No
 LOGLIMIT="s:1/sec:10"
-MACLIST_LOG_LEVEL=$LOG_LEVEL
+MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL=$LOG_LEVEL
+RPFILTER_LOG_LEVEL=info
-SFILTER_LOG_LEVEL=$LOG_LEVEL
+SFILTER_LOG_LEVEL=info
-SMURF_LOG_LEVEL=$LOG_LEVEL
+SMURF_LOG_LEVEL=info
 STARTUP_LOG=/var/log/shorewall-init.log
-TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
+TCP_FLAGS_LOG_LEVEL=info
 UNTRACKED_LOG_LEVEL=
@@ -110,11 +108,10 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT=Drop
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+REJECT_DEFAULT=Reject
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
@@ -143,8 +140,6 @@ AUTOHELPERS=Yes
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
--- a/Shorewall/default.debian.sysvinit
+++ b/Shorewall/default.debian.sysvinit
@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following variable to 1 in order to allow Shorewall to start
+# set the following varible to 1 in order to allow Shorewall to start
 startup=0
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 #
-# Global start/restart/reload/stop options
+# Global start/restart options
 #
 OPTIONS=""
@@ -28,17 +28,12 @@ STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
-# Stop options
+# Restart options
 #
-STOPOPTIONS=""
+RESTARTOPTIONS=""
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
--- a/Shorewall/default.debian.systemd
+++ b/Shorewall/default.debian.systemd
@@ -1,26 +0,0 @@
 #
 # Global start/restart/reload/stop options
 #
 OPTIONS=""
 #
 # Start options
 #
 STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 # EOF
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,22 +22,55 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-VERSION=xxx # The Build script inserts the actual version
+VERSION=4.5.5       #The Build script inserts the actual version
 #
 # Change to the directory containing this script
 #
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "usage: $ME [ <configuration-file> ]"
-    echo "where <option> is one of"
+    echo "       $ME -v"
-    echo "  -h"
+    echo "       $ME -h"
-    echo "  -v"
+    echo "       $ME -s"
-    echo "  -s"
+    echo "       $ME -a"
-    echo "  -a"
+    echo "       $ME -n"
    echo "  -p"
    echo "  -n"
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 run_install()
 {
    if ! install $*; then
@@ -47,14 +80,27 @@ run_install()
    fi
 }
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure $PRODUCT to start automatically at boot" >&2
 }
 delete_file() # $1 = file to delete
 {
    rm -f $1
 }
 install_file() # $1 = source $2 = target $3 = mode
 {
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
-#
+require()
-# Change to the directory containing this script
+{
-#
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 cd "$(dirname $0)"
 if [ -f shorewall.service ]; then
@@ -65,11 +111,6 @@ else
    Product=Shorewall6
 fi
 #
 # Source common functions
 #
 . ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
 #
 # Parse the run line
 #
@@ -131,14 +172,11 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	file=./shorewallrc
+	. ./shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	file=~/.shorewallrc
+	. ~/.shorewallrc || exit 1
        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	file=/usr/share/shorewall/shorewallrc
+	. /usr/share/shorewall/shorewallrc
        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -148,11 +186,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -267,7 +305,8 @@ case "$HOST" in
    linux)
 	;;
    *)
-	fatal_error "Unknown HOST \"$HOST\""
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
 	exit 1;
 	;;
 esac
@@ -278,7 +317,8 @@ if [ $PRODUCT = shorewall ]; then
 	#
 	if [ "$DIGEST" != SHA ]; then
 	    if [ "$BUILD" = "$HOST" ] && ! eval perl -e \'use Digest::$DIGEST\;\' 2> /dev/null ; then
-		fatal_error "Perl compilation with Digest::$DIGEST failed"
+		echo "ERROR: Perl compilation with Digest::$DIGEST failed" >&2
 		exit 1;
 	    fi
 	    cp -af Perl/Shorewall/Chains.pm Perl/Shorewall/Chains.pm.bak
@@ -301,7 +341,8 @@ if [ $PRODUCT = shorewall ]; then
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm
 		DIGEST=SHA1
 	    else
-		fatal_error "Shorewall $VERSION requires either Digest::SHA or Digest::SHA1"
+		echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
 		exit 1
 	    fi
 	fi
    fi
@@ -329,10 +370,11 @@ if [ $BUILD != cygwin ]; then
    fi
 fi
-run_install -d $OWNERSHIP -m 0755 ${DESTDIR}${SBINDIR}
+install -d $OWNERSHIP -m 755 ${DESTDIR}${SBINDIR}
-[ -n "${INITFILE}" ] && run_install -d $OWNERSHIP -m 0755 ${DESTDIR}${INITDIR}
+[ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 if [ -z "$DESTDIR" -a $PRODUCT != shorewall ]; then
-    [ -x ${LIBEXECDIR}/shorewall/compiler.pl ] || fatal_error "Shorewall >= 4.5.0 is not installed"
+    [ -x ${LIBEXECDIR}/shorewall/compiler.pl ] || \
 	{ echo "   ERROR: Shorewall >= 4.5.0 is not installed" >&2; exit 1; }
 fi
 echo "Installing $Product Version $VERSION"
@@ -346,7 +388,7 @@ else
    first_install="Yes"
 fi
-if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/shorewall/coreversion ]; then
+if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreversion ]; then
    echo "Shorewall $VERSION requires Shorewall Core which does not appear to be installed"
    exit 1
 fi
@@ -368,16 +410,22 @@ fi
 #
 # Create /etc/$PRODUCT and other directories
 #
-make_parent_directory ${DESTDIR}${CONFDIR}/$PRODUCT 0755
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
-make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
+mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-make_parent_directory ${DESTDIR}${PERLLIBDIR}/Shorewall 0755
+mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles 0755
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated 0755
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
-make_parent_directory ${DESTDIR}${VARDIR} 0755
+mkdir -p ${DESTDIR}${VARDIR}
-chmod 0755 ${DESTDIR}${SHAREDIR}/$PRODUCT
+chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
-[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
+if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
 fi
 #
 # Install the .service file
@@ -387,9 +435,9 @@ if [ -z "${SERVICEDIR}" ]; then
 fi
 if [ -n "$SERVICEDIR" ]; then
-    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 0644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -433,16 +481,6 @@ if [ -z "$first_install" ]; then
    delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-stoppedrules
    delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-notrack
    delete_file ${DESTDIR}${MANDIR}/man5/$PRODUCT/${PRODUCT}-blacklist
    if [ $PRODUCT = shorewall ]; then
 	#
 	# Delete deprecated macros and actions
 	#
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/macro.SNMPTrap
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_REJECT
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Drop
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Reject
    fi
 fi
 #
@@ -1046,14 +1084,8 @@ cd ..
 #
 for f in lib.* Perl/lib.*; do
    if [ -f $f ]; then
-        case $f in
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$(basename $f) 0644
-            *installer)
+	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
                ;;
            *)
                install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$(basename $f) 0644
                echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
                ;;
        esac
    fi
 done
@@ -1063,7 +1095,7 @@ if [ $PRODUCT = shorewall6 ]; then
    #
    ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
    #
-    # And create a symbolic link for the CLI
+    # And create a sybolic link for the CLI
    #
    ln -sf shorewall ${DESTDIR}${SBINDIR}/shorewall6
 fi
@@ -1072,7 +1104,8 @@ if [ -d Perl ]; then
    #
    # ${SHAREDIR}/$PRODUCT/$Product if needed
    #
-    make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT/$Product 0755
+    mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/$Product
    chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/$Product
    #
    # Install the Compiler
    #
@@ -1121,7 +1154,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
@@ -1139,7 +1172,7 @@ if [ -n "$MANDIR" ]; then
 cd manpages
-[ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
+[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/
 for f in *.5; do
    gzip -9c $f > $f.gz
@@ -1147,7 +1180,7 @@ for f in *.5; do
    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
 done
-[ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
+[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
 for f in *.8; do
    gzip -9c $f > $f.gz
@@ -1170,7 +1203,8 @@ fi
 #
 if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
    if [ ${DESTDIR} ]; then
-	make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+	mkdir -p ${DESTDIR}${SYSCONFDIR}
 	chmod 755 ${DESTDIR}${SYSCONFDIR}
    fi
    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
@@ -1228,6 +1262,6 @@ if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${
 fi
 #
-# Report Success
+#  Report Success
 #
 echo "$Product Version $VERSION Installed"
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -443,21 +443,20 @@ compiler() {
    fi
    options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
-
+    [ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}"
-    [ -n "$shorewallrc1" ]     && options="$options --shorewallrc1=${shorewallrc1}"
+    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
-    [ -n "$STARTUP_LOG" ]      && options="$options --log=$STARTUP_LOG"
+    [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
-    [ -n "$LOG_VERBOSITY" ]    && options="$options --log_verbosity=$LOG_VERBOSITY";
+    [ -n "$g_export" ] && options="$options --export"
-    [ -n "$g_export" ]         && options="$options --export"
+    [ -n "$g_shorewalldir" ] && options="$options --directory=$g_shorewalldir"
-    [ -n "$g_shorewalldir" ]   && options="$options --directory=$g_shorewalldir"
+    [ -n "$g_timestamp" ] && options="$options --timestamp"
-    [ -n "$g_timestamp" ]      && options="$options --timestamp"
+    [ -n "$g_test" ] && options="$options --test"
-    [ -n "$g_test" ]           && options="$options --test"
+    [ -n "$g_preview" ] && options="$options --preview"
    [ -n "$g_preview" ]        && options="$options --preview"
    [ "$g_debugging" = trace ] && options="$options --debug"
-    [ -n "$g_refreshchains" ]  && options="$options --refresh=$g_refreshchains"
+    [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
-    [ -n "$g_confess" ]        && options="$options --confess"
+    [ -n "$g_confess" ] && options="$options --confess"
-    [ -n "$g_update" ]         && options="$options --update"
+    [ -n "$g_update" ] && options="$options --update"
-    [ -n "$g_annotate" ]       && options="$options --annotate"
+    [ -n "$g_annotate" ] && options="$options --annotate"
-    [ -n "$g_inline" ]         && options="$options --inline"
+    [ -n "$g_inline" ] && options="$options --inline"
    if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -484,9 +483,6 @@ compiler() {
    #
    [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
    PERL_HASH_SEED=0
    export PERL_HASH_SEED
    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	eval $PERL $debugflags $pc $options $@ $g_pager
    else
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -191,25 +191,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>section</option></term>
              <listitem>
                <para>Added in Shorewall 5.1.1. When specified, this option
                causes the rules file section name and a comma to be prepended
                to the parameters passed to the action (if any). Note that
                this means that the first parameter passed to the action by
                the user is actually the second parameter to the action. If
                the action is invoked out of the blrules file, 'BLACKLIST' is
                used as the section name.</para>
                <para>Given that neither the <filename>snat</filename> nor the
                <filename>mangle</filename> file is sectioned, this parameter
                has no effect when <option>mangle</option> or
                <option>nat</option> is specified. </para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
@@ -224,9 +205,9 @@
              <listitem>
                <para>Added in Shorewall 4.6.4. When used with
-                <option>builtin</option>, indicates that the built-in action
+                <replaceable>builtin</replaceable>, indicates that the
-                is termiating (i.e., if the action is jumped to, the next rule
+                built-in action is termiating (i.e., if the action is jumped
-                in the chain is not evaluated).</para>
+                to, the next rule in the chain is not evaluated).</para>
              </listitem>
            </varlistentry>
          </variablelist>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -303,12 +303,6 @@ loc     eth2            -</programlisting>
                <para>Designates the interface as a bridge. Beginning with
                Shorewall 4.4.7, setting this option also sets
                <option>routeback</option>.</para>
                <note>
                  <para>If you have a bridge that you don't intend to define
                  bport zones on, then it is best to omit this option and
                  simply specify <option>routeback</option>.</para>
                </note>
              </listitem>
            </varlistentry>
@@ -768,13 +762,6 @@ loc     eth2            -</programlisting>
                    </listitem>
                  </itemizedlist>
                </note>
                <para>Beginning with Shorewall 5.1.1, when
                <option>routefilter</option> is set to a non-zero value, the
                <option>logmartians</option> option is also implicitly set. If
                you actually want route filtering without logging, then you
                must also specify <option>logmartians=0</option> after
                <option>routefilter</option>.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -115,12 +115,11 @@
        role="bold">ACCEPT</emphasis>|<emphasis
        role="bold">DROP</emphasis>|<emphasis
        role="bold">REJECT</emphasis>|<emphasis
        role="bold">BLACKLIST</emphasis>|<emphasis
        role="bold">CONTINUE</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>|<emphasis
        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
        role="bold">NONE</emphasis>}[<emphasis
-        role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
+        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
        role="bold">None</emphasis>}]</term>
        <listitem>
@@ -138,9 +137,8 @@
            </listitem>
            <listitem>
-              <para>The name of an action with optional parameters enclosed in
+              <para>The name of an action. The action will be invoked before
-              parentheses. The action will be invoked before the policy is
+              the policy is enforced.</para>
              enforced.</para>
            </listitem>
          </orderedlist>
@@ -151,16 +149,7 @@
          applied to each rule in the action or body that does not already
          have a log level.</para>
-          <para>Beginning with Shorewall 5.1.2, multiple
+          <para>Possible actions are:</para>
          <replaceable>action</replaceable>[:<replaceable>level</replaceable>]
          specification may be listeded, separated by commas. The actions are
          invoked in the order listed. Also beginning with Shorewall 5.1.2,
          the policy-action list can be prefixed with a plus sign ("+")
          indicating that the listed actions are in addition to those listed
          in the related _DEFAULT setting in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>Possible policies are:</para>
          <variablelist>
            <varlistentry>
@@ -188,19 +177,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">BLACKLIST</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.1.1 and requires that the
                DYNAMIC_BLACKLIST setting in <ulink
                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                specifies ipset-based dynamic blacklisting. The SOURCE IP
                address is added to the blacklist ipset and the connection
                request is ignored.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">QUEUE</emphasis></term>
@@ -259,7 +235,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">LOGLEVEL</emphasis> (loglevel) -
+        <term><emphasis role="bold">LOG LEVEL</emphasis> (loglevel) -
        [<emphasis>log-level</emphasis>|<emphasis
        role="bold">ULOG|NFLOG</emphasis>]</term>
@@ -283,7 +259,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">RATE</emphasis> (rate) -
+        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
        [-|<replaceable>limit</replaceable>]</term>
        <listitem>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -208,16 +208,6 @@
                <option>balance=</option><replaceable>weight</replaceable>
                where <replaceable>weight</replaceable> is the weight of the
                route out of this interface.</para>
                <para>Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
                <option>balance=1</option> is assumed unless the
                <option>fallback</option>, <option>loose</option>,
                <option>load</option> or <option>tproxy</option> option is
                specified. Beginning with Shorewall 5.1.1, when
                BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
                unless the <option>fallback</option>, <option>loose</option>,
                <option>load</option> or <option>tproxy</option> option is
                specified.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall/manpages/shorewall-rtrules.xml
+++ b/Shorewall/manpages/shorewall-rtrules.xml
@@ -129,17 +129,6 @@
          <para>Beginning with Shorewall 5.0.2, the priority may be followed
          optionally by an exclaimation mark ("!"). This causes the rule to
          remain in place if the interface is disabled.</para>
          <caution>
            <para>Be careful when using rules of the same PRIORITY as some
            unexpected behavior can occur when multiple rules have the same
            SOURCE. For example, in the following rules, the second rule
            overwrites the first unless the priority in the second is changed
            to 19001 or higher:</para>
            <programlisting>10.10.0.0/24    192.168.5.6 provider1 19000
 10.10.0.0/24    -           provider2 19000</programlisting>
          </caution>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -66,7 +66,7 @@
          this section.</para>
          <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE</para>
+          REJECT, LOG and QUEUE</para>
          <para>There is an implicit ACCEPT rule inserted at the end of this
          section.</para>
@@ -81,7 +81,7 @@
          section.</para>
          <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE</para>
+          REJECT, LOG and QUEUE</para>
          <para>There is an implicit rule added at the end of this section
          that invokes the RELATED_DISPOSITION (<ulink
@@ -97,7 +97,7 @@
          processed by rules in this section.</para>
          <para>The only Actions allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE.</para>
+          REJECT, LOG and QUEUE.</para>
          <para>There is an implicit rule added at the end of this section
          that invokes the INVALID_DISPOSITION (<ulink
@@ -113,7 +113,7 @@
          processed by rules in this section.</para>
          <para>The only Actions allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE.</para>
+          REJECT, LOG and QUEUE.</para>
          <para>There is an implicit rule added at the end of this section
          that invokes the UNTRACKED_DISPOSITION (<ulink
@@ -138,8 +138,9 @@
      comfortable with the differences between the various connection tracking
      states, then it is suggested that you omit the <emphasis
      role="bold">ESTABLISHED</emphasis> and <emphasis
-      role="bold">RELATED</emphasis> sections and place all of your rules in
+      role="bold">RELATED</emphasis> sections and place all of your
-      the NEW section (That's after the line that reads ?SECTION NEW').</para>
+      non-blacklisting rules in the NEW section (That's after the line that
      reads ?SECTION NEW').</para>
    </note>
    <warning>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -109,7 +109,7 @@
    <variablelist>
      <varlistentry>
        <term><emphasis
-        role="bold">ACCEPT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
+        role="bold">ACCEPT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
@@ -119,7 +119,7 @@
      <varlistentry>
        <term><emphasis
-        role="bold">BLACKLIST_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
+        role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
@@ -129,7 +129,7 @@
      <varlistentry>
        <term><emphasis
-        role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
+        role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
@@ -139,7 +139,7 @@
      <varlistentry>
        <term><emphasis
-        role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
+        role="bold">QUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
@@ -149,23 +149,13 @@
      <varlistentry>
        <term><emphasis
-        role="bold">QUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
+        role="bold">REJECT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para/>
+          <para>In earlier Shorewall versions, a "default action" for DROP and
-        </listitem>
+          REJECT policies was specified in the file
-      </varlistentry>
+          /usr/share/shorewall/actions.std.</para>
      <varlistentry>
        <term><emphasis
        role="bold">REJECT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>][,...]|<emphasis
        role="bold">none</emphasis>}</term>
        <listitem>
          <para>In earlier Shorewall versions, a "<firstterm>default
          action</firstterm>" for DROP and REJECT policies was specified in
          the file /usr/share/shorewall/actions.std.</para>
          <para>In Shorewall 4.4.0, the DROP_DEFAULT, REJECT_DEFAULT,
          ACCEPT_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options were
@@ -179,38 +169,20 @@
          <para>The value applied to these may be:</para>
-          <simplelist>
+          <para>The default values are:</para>
            <member>a) The name of an <replaceable>action</replaceable>. The
            name may optionally be followed by a comma-separated list of
            parameters enclosed in parentheses if the specified action accepts
            parameters (e.g., 'Drop(audit)').</member>
            <member>c) <emphasis role="bold">None</emphasis> or <emphasis
            role="bold">none</emphasis></member>
          </simplelist>
          <para>Prior to Shorewall 5.1.2, the default values are:</para>
          <simplelist>
            <member>DROP_DEFAULT="Drop"</member>
            <member>REJECT_DEFAULT="Reject"</member>
            <member>BLACKLIST_DEFAULT="Drop" (added in Shorewall
            5.1.1)</member>
            <member>ACCEPT_DEFAULT="none"</member>
            <member>QUEUE_DEFAULT="none"</member>
-            <member>NFQUEUE_DEFAULT="none"</member>
+            <member>NFQUEUE_DEFAULT="None"</member>
          </simplelist>
          <para>Beginning with Shorewall 5.1.2, the default value is 'none'
          for all of these. Note that the sample configuration files do,
          however, provide settings for DROP_DEFAULT, BLACKLIST_DEFAULT and
          REJECT_DEFAULT.</para>
          <para>If you set the value of either option to "None" then no
          default action will be used and the default action or macro must be
          specified in <ulink
@@ -225,10 +197,6 @@
          <replaceable>level</replaceable>. The level will be applied to each
          rule in the action or body that does not already have a log
          level.</para>
          <para>Beginning with Shorewall 5.1.2, multiple
          <replaceable>action</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]
          specifications may be listed, separated by commas.</para>
        </listitem>
      </varlistentry>
@@ -475,24 +443,6 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
          determines whether the <option>balance</option> provider option (see
          <ulink
          url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
          the default. When BALANCE_PROVIDERS=Yes, then the
          <option>balance</option> option is assumed unless the
          <option>fallback</option>, <option>loose</option>,
          <option>load</option> or <option>tproxy</option> option is
          specified. If this option is not set or is set to the empty value,
          then the default value is the value of USE_DEFAULT_RT.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -1356,20 +1306,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[:<replaceable>log-tag</replaceable>]</term>
        <listitem>
          <para>Added in Shorewall 5.1.2. Beginning with that release, the
          sample configurations use this as the default log level and changing
          it will change all packet logging done by the configuration. In any
          configuration file (except <ulink
          url="shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
          will expand to this value.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -2895,12 +2831,8 @@ INLINE          -       -       -       ;; -j REJECT
            </listitem>
            <listitem>
-              <para>If running Shorewall 5.1.0 or earlier or if
+              <para><emphasis role="bold">balance</emphasis> is assumed unless
-              BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the
+              <emphasis role="bold">loose</emphasis> is specified.</para>
              <emphasis role="bold">balance</emphasis> provider option is
              assumed unless the <option>fallback</option>,
              <option>loose</option>, <option>load</option> or
              <option>tproxy</option> option is specified.</para>
            </listitem>
            <listitem>
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,9 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version
 PRODUCT=shorewall
 Product=Shorewall
 usage() # $1 = exit status
 {
@@ -39,27 +41,51 @@ usage() # $1 = exit status
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
 	rm -f $1
 	echo "$1 Removed"
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 if [ -f shorewall.service ]; then
    PRODUCT=shorewall
    Product=Shorewall
 else
    PRODUCT=shorewall6
    Product=Shorewall6
 fi
 #
 # Source common functions
 #
 . ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
 #
 # Parse the run line
 #
 finished=0
 configure=1
@@ -76,7 +102,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Uninstaller Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -97,16 +123,13 @@ while [ $finished -eq 0 ]; do
    esac
 done
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -116,53 +139,52 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac
-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
-if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${SHAREDIR}/shorewall/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Version $VERSION is not installed"
    VERSION=""
 fi
-echo "Uninstalling $Product $VERSION"
+
 echo "Uninstalling shorewall $VERSION"
 [ -n "$SANDBOX" ] && configure=0
 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
-	${SBINDIR}/$PRODUCT clear
+	shorewall clear
    elif qt ip6tables -L shorewall6 -n && [ ! -f ${SBINDIR}/shorewall6-lite ]; then
 	${SBINDIR}/$PRODUCT clear
    fi
 fi
-remove_file ${SBINDIR}/$PRODUCT
+rm -f ${SBINDIR}/shorewall
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -L ${SHAREDIR}/shorewall/init ]; then
-    FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall/init)
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
 fi
 if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
-	if mywhich insserv ; then
+	if mywhich updaterc.d ; then
 	    updaterc.d ${PRODUCT} remove
 	elif mywhich insserv ; then
            insserv -r $FIREWALL
 	elif mywhich update-rc.d ; then
 	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	fi
@@ -171,56 +193,51 @@ if [ -f "$FIREWALL" ]; then
    remove_file $FIREWALL
 fi
-[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
+if [ -z "${SERVICEDIR}" ]; then
-
+    SERVICEDIR="$SYSTEMD"
 fi
 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
-    remove_file $SERVICEDIR/${PRODUCT}.service
+    rm -f $SERVICEDIR/shorewall.service
 fi
-remove_file ${SHAREDIR}/$PRODUCT/version
+rm -rf ${SHAREDIR}/shorewall/version
-remove_directory ${CONFDIR}/$PRODUCT
+rm -rf ${CONFDIR}/shorewall
 if [ -n "$SYSCONFDIR" ]; then
-    [ -n "$SYSCONFFILE" ] && remove_file ${SYSCONFDIR}/${PRODUCT}
+    [ -n "$SYSCONFFILE" ] && rm -f ${SYSCONFDIR}/${PRODUCT}
 fi
-remove_directory ${VARDIR}
+rm -rf ${VARDIR}/shorewall
-[ ${LIBEXECDIR} = ${SHAREDIR} ] || remove_directory ${LIBEXECDIR}/$PRODUCT
+rm -rf ${PERLLIBDIR}/Shorewall/*
-remove_directory ${SHAREDIR}/$PRODUCT/configfiles
+[ ${LIBEXECDIR} = ${SHAREDIR} ] || rm -rf ${LIBEXECDIR}/shorewall
-remove_file_with_wildcard  ${SHAREDIR}/$PRODUCT/module\*
+rm -rf ${SHAREDIR}/shorewall/configfiles/
-remove_file  ${SHAREDIR}/$PRODUCT/helpers
+rm -rf ${SHAREDIR}/shorewall/Samples/
-remove_file_with_wildcard  ${SHAREDIR}/$PRODUCT/action\*
+rm -rf ${SHAREDIR}/shorewall/Shorewall/
-remove_file_with_wildcard  ${SHAREDIR}/$PRODUCT/macro.\*
+rm -f  ${SHAREDIR}/shorewall/lib.cli-std
 rm -f  ${SHAREDIR}/shorewall/lib.runtime
 rm -f  ${SHAREDIR}/shorewall/compiler.pl
 rm -f  ${SHAREDIR}/shorewall/prog.*
 rm -f  ${SHAREDIR}/shorewall/module*
 rm -f  ${SHAREDIR}/shorewall/helpers
 rm -f  ${SHAREDIR}/shorewall/action*
 rm -f  ${SHAREDIR}/shorewall/macro.*
 rm -f  ${SHAREDIR}/shorewall/init
-if [ $PRODUCT = shorewall ]; then
+for f in ${MANDIR}/man5/shorewall* ${MANDIR}/man8/shorewall*; do
    remove_file_with_wildcard ${PERLLIBDIR}/$Product/\*
    remove_directory ${SHAREDIR}/$PRODUCT/Samples
    remove_directory ${SHAREDIR}/$PRODUCT/$Product
    remove_file  ${SHAREDIR}/$PRODUCT/lib.cli-std
    remove_file  ${SHAREDIR}/$PRODUCT/lib.runtime
    remove_file  ${SHAREDIR}/$PRODUCT/compiler.pl
    remove_file_with_wildcard  ${SHAREDIR}/$PRODUCT/prog.\*
    remove_file  ${SHAREDIR}/$PRODUCT/init
 else
    remove_directory ${SHAREDIR}/$PRODUCT
 fi
 for f in ${MANDIR}/man5/${PRODUCT}* ${MANDIR}/man8/${PRODUCT}*; do
    case $f in
-	shorewall[6]-lite*)
+	shorewall6*|shorewall-lite*)
 	    ;;
 	*)
-	    remove_file $f
+	    rm -f $f
 	    ;;
    esac
 done
-remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
+rm -f  ${CONFDIR}/logrotate.d/shorewall
 [ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall.service
 echo "Shorewall Uninstalled"
 [ -n "$SYSTEMD" ] && remove_file ${SYSTEMD}/${PRODUCT}.service
 #
 # Report Success
 #
 echo "$Product $VERSION Uninstalled"
--- a/Shorewall6-lite/default.debian.sysvinit
+++ b/Shorewall6-lite/default.debian.sysvinit
@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following variable to 1 in order to allow Shorewall6-lite to start
+# set the following varible to 1 in order to allow Shorewall6-lite to start
 startup=0
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 #
-# Global start/restart/reload/stop options
+# Startup options
 #
 OPTIONS=""
@@ -30,16 +30,6 @@ STARTOPTIONS=""
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
--- a/Shorewall6-lite/default.debian.systemd
+++ b/Shorewall6-lite/default.debian.systemd
@@ -1,26 +0,0 @@
 #
 # Global start/restart/reload/stop options
 #
 OPTIONS=""
 #
 # Start options
 #
 STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 # EOF
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -0,0 +1,221 @@
 #!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall 6 Lite
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #    Usage:
 #
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall6-lite
 Product="Shorewall6 Lite"
 usage() # $1 = exit status
 {
    ME=$(basename $0)
    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
 	rm -f $1
 	echo "$1 Removed"
    fi
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 finished=0
 configure=1
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
 			configure=0
 			option=${option#n}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file
 	    ;;
    esac
    . $file
 else
    usage 1
 fi
 if [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall6-lite/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall6 Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
    echo "WARNING: Shorewall6 Lite Version $VERSION is not installed"
    VERSION=""
 fi
 echo "Uninstalling Shorewall6 Lite $VERSION"
 [ -n "$SANDBOX" ] && configure=0
 if [ $configure -eq 1 ]; then
    if qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
 	${SBINDIR}/shorewall6-lite clear
    fi
 fi
 if [ -f ${SHAREDIR}/shorewall6-lite/init ]; then
    if [ $HOST = openwrt ]; then
 	if [ $configure -eq 1 ] && /etc/init.d/shorewall6-lite enabled; then
 	    /etc/init.d/shorewall6-lite disable
 	fi
 	FIREWALL=$(readlink ${SHAREDIR}/shorewall6-lite/init)
    else
 	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6-lite/init)
    fi
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
 fi
 if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
 	if mywhich updaterc.d ; then
 	    updaterc.d shorewall6-lite remove
 	elif mywhich insserv ; then
            insserv -r $FIREWALL
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	elif mywhich systemctl ; then
 	    systemctl disable shorewall6-lite
 	fi
    fi
    remove_file $FIREWALL
 fi
 [ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
 if [ -n "$SERVICEDIR" ]; then
    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
    rm -f $SERVICEDIR/shorewall6-lite.service
 fi
 rm -f ${SBINDIR}/shorewall6-lite
 rm -rf ${CONFDIR}/shorewall6-lite
 rm -rf ${VARDIR}
 rm -rf ${SHAREDIR}/shorewall6-lite
 rm -rf ${LIBEXECDIR}/shorewall6-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
 rm -f  ${SYSCONFDIR}/shorewall6-lite
 if [ -n "${MANDIR}" ]; then
    rm -f ${MANDIR}/man5/shorewall6-lite*
    rm -f ${MANDIR}/man8/shorewall6-lite*
 fi
 echo "Shorewall6 Lite Uninstalled"
--- a/Shorewall6/Actions/action.Broadcast
+++ b/Shorewall6/Actions/action.Broadcast
@@ -45,11 +45,12 @@ fatal_error "Invalid parameter to action Broadcast"   if supplied $audit && $aud
 if ( have_capability( 'ADDRTYPE' ) ) {
    if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
-	log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
    }
    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
 } else {
    add_commands $chainref, 'for address in $ALL_ACASTS; do';
@@ -58,6 +59,9 @@ if ( have_capability( 'ADDRTYPE' ) ) {
    add_jump $chainref, $target, 0, "-d \$address ";
    decr_cmd_level $chainref;
    add_commands $chainref, 'done';
    log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
    add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
 }
 1;
--- a/Shorewall6/Actions/action.Multicast
+++ b/Shorewall6/Actions/action.Multicast
@@ -1,59 +0,0 @@
 #
 # Shorewall6 -- /usr/share/shorewall6/action.Multicast
 #
 # Multicast/Anycast IPv6 Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Multicast[([<action>|-[,{audit|-}])]
 #
 # Default action is DROP
 #
 ###############################################################################
 DEFAULTS DROP,-
 ?begin perl;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
 my $chainref           = get_action_chain;
 my ( $action, $audit ) = get_action_params( 2 );
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );
 fatal_error "Invalid parameter to action Broadcast"   if supplied $audit && $audit ne 'audit';
 if ( have_capability( 'ADDRTYPE' ) ) {
    if ( $level ne '' ) {
 	log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
    }
    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
 } else {
    log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
    add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
 }
 1;
 ?end perl;
--- a/Shorewall6/Samples6/Universal/params
+++ b/Shorewall6/Samples6/Universal/params
@@ -1,13 +0,0 @@
 #
 # Shorewall - Sample Params File for universal configuration.
 # Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
--- a/Shorewall6/Samples6/Universal/policy
+++ b/Shorewall6/Samples6/Universal/policy
@@ -7,7 +7,8 @@
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT
+#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
 #				LEVEL	BURST		MASK
 fw	net	ACCEPT
-net	all	DROP		$LOG_LEVEL
+net	all	DROP
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -34,8 +34,6 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -74,7 +72,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -106,12 +104,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT=none
+ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Drop"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT="none"
-QUEUE_DEFAULT=none
+REJECT_DEFAULT="Reject"
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -136,8 +133,6 @@ AUTOHELPERS=Yes
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
--- a/Shorewall6/Samples6/one-interface/params
+++ b/Shorewall6/Samples6/one-interface/params
@@ -1,13 +0,0 @@
 #
 # Shorewall - Sample Params File for one-interface configuration.
 # Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
--- a/Shorewall6/Samples6/one-interface/policy
+++ b/Shorewall6/Samples6/one-interface/policy
@@ -11,9 +11,10 @@
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-policy"
 #
-##############################################################################
+###############################################################################
-#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
+#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
-$FW	net		ACCEPT
+$FW		net		ACCEPT
-net	all		DROP		$LOG_LEVEL
+net		$FW		DROP		info
 net		all		DROP		info
 # The FOLLOWING POLICY MUST BE LAST
-all	all		REJECT		$LOG_LEVEL
+all		all		REJECT		info
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -35,8 +35,6 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -107,12 +105,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT=none
+ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Drop"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT="none"
-QUEUE_DEFAULT=none
+REJECT_DEFAULT="Reject"
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -137,8 +134,6 @@ AUTOHELPERS=Yes
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
--- a/Shorewall6/Samples6/three-interfaces/params
+++ b/Shorewall6/Samples6/three-interfaces/params
@@ -1,13 +0,0 @@
 #
 # Shorewall - Sample Params File for three-interface configuration.
 # Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
--- a/Shorewall6/Samples6/three-interfaces/policy
+++ b/Shorewall6/Samples6/three-interfaces/policy
@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-policy"
 ###############################################################################
-#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
+#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
-loc	net		ACCEPT
+loc		net		ACCEPT
-net	all		DROP		$LOG_LEVEL
+net		all		DROP		info
-all	all		REJECT		$LOG_LEVEL
+all		all		REJECT		info
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -34,8 +34,6 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -106,12 +104,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT=none
+ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Drop"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT="none"
-QUEUE_DEFAULT=none
+REJECT_DEFAULT="Reject"
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -136,8 +133,6 @@ AUTOHELPERS=Yes
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
--- a/Shorewall6/Samples6/two-interfaces/params
+++ b/Shorewall6/Samples6/two-interfaces/params
@@ -1,13 +0,0 @@
 #
 # Shorewall - Sample Params File for two-interface configuration.
 # Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-params"
 ######################################################################################################################################################################################################
--- a/Shorewall6/Samples6/two-interfaces/policy
+++ b/Shorewall6/Samples6/two-interfaces/policy
@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-policy"
 ###############################################################################
-#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
+#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
-loc	net		ACCEPT
+loc		net		ACCEPT
-net	all		DROP		$LOG_LEVEL
+net		all		DROP		info
-all	all		REJECT		$LOG_LEVEL
+all		all		REJECT		info
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -34,8 +34,6 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -106,12 +104,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT=none
+ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Drop"
-DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT="none"
-QUEUE_DEFAULT=none
+REJECT_DEFAULT="Reject"
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -136,8 +133,6 @@ AUTOHELPERS=Yes
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -6,35 +6,35 @@
 #	Please see http://shorewall.net/Actions.html for additional
 #	information.
 #
 # Builtin Actions are:
 #
 ?if 0
 allowBcasts                     # Accept multicast and anycast packets
 dropBcasts                      # Silently Drop multicast and anycast packets
 dropNotSyn		        # Silently Drop Non-syn TCP packets
 rejNotSyn		        # Silently Reject Non-syn TCP packets
 ?endif
 ###############################################################################
 #ACTION
 A_Drop	                        # Audited Default Action for DROP policy
 A_Reject	                # Audited Default Action for REJECT policy
 A_AllowICMPs	                # Audited Accept needed ICMP6 types
 AllowICMPs   	                # Accept needed ICMP6 types
 allowBcast   inline		# Silently Allow Broadcast
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 allowMcast   inline		# Silently Allow Multicast
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
 AutoBLL      noinline           # Helper for AutoBL
-Broadcast    noinline      	# Handles Broadcast/Anycast
+Broadcast    noinline      	# Handles Broadcast/Multicast/Anycast
-Drop		        	# Default Action for DROP policy (deprecated)
+Drop		        	# Default Action for DROP policy
 dropBcast    inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
 dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
 DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED
 IfEvent      noinline           # Perform an action based on an event
 Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
             state=INVALID
 Multicast    noinline      	# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
-Reject		        	# Default Action for REJECT policy (deprecated)
+Reject		        	# Default Action for REJECT policy
 rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
 Related      inline,\		# Handles packets in the RELATED conntrack state
             state=RELATED
 ResetEvent   inline		# Reset an Event
--- a/Shorewall6/configfiles/policy
+++ b/Shorewall6/configfiles/policy
@@ -7,4 +7,4 @@
 # http://www.shorewall.net/manpages6/shorewall6-policy.html
 #
 ###############################################################################
-#SOURCE		DEST		POLICY	LOGLEVEL	RATE	CONNLIMIT
+#SOURCE		DEST		POLICY	LOGLEVEL	LIMIT	CONNLIMIT
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -34,8 +34,6 @@ FIREWALL=
 #			       L O G G I N G
 ###############################################################################
 LOG_LEVEL=info
 BLACKLIST_LOG_LEVEL=
 INVALID_LOG_LEVEL=
@@ -54,19 +52,19 @@ LOGLIMIT="s:1/sec:10"
 LOGTAGONLY=No
-MACLIST_LOG_LEVEL=$LOG_LEVEL
+MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
-RPFILTER_LOG_LEVEL=$LOG_LEVEL
+RPFILTER_LOG_LEVEL=info
-SFILTER_LOG_LEVEL=$LOG_LEVEL
+SFILTER_LOG_LEVEL=info
-SMURF_LOG_LEVEL=$LOG_LEVEL
+SMURF_LOG_LEVEL=info
 STARTUP_LOG=/var/log/shorewall6-init.log
-TCP_FLAGS_LOG_LEVEL=$LOG_LEVEL
+TCP_FLAGS_LOG_LEVEL=info
 UNTRACKED_LOG_LEVEL=
@@ -107,11 +105,10 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT=Drop
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
+REJECT_DEFAULT=Reject
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
@@ -136,8 +133,6 @@ AUTOHELPERS=Yes
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
--- a/Shorewall6/default.debian.sysvinit
+++ b/Shorewall6/default.debian.sysvinit
@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following variable to 1 in order to allow Shorewall6 to start
+# set the following varible to 1 in order to allow Shorewall6 to start
 startup=0
@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=
 #
-# Global start/restart/reload/stop options
+# Startup options
 #
 OPTIONS=""
@@ -30,16 +30,6 @@ STARTOPTIONS=""
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
--- a/Shorewall6/default.debian.systemd
+++ b/Shorewall6/default.debian.systemd
@@ -1,26 +0,0 @@
 #
 # Global start/restart/reload/stop options
 #
 OPTIONS=""
 #
 # Start options
 #
 STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Reload options
 #
 RELOADOPTIONS=""
 #
 # Stop options
 #
 STOPOPTIONS=""
 # EOF
--- a/Show More
+++ b/Show More