Update the Shared Config document

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Update Shared config article
2017-10-17 16:51:35 -07:00 · 2017-10-15 19:15:13 -07:00 · 2017-10-15 08:26:27 -07:00 · 2017-10-14 13:39:00 -07:00 · 2017-10-11 15:22:07 -07:00 · 2017-10-11 11:24:54 -07:00
148 changed files with 3593 additions and 18228 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -190,7 +190,7 @@ for p in ${!params[@]}; do
 done
 echo '#'                                                                 > shorewallrc
-echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
+echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc
 echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -173,7 +173,12 @@ my $outfile;
 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
 if ( $ENV{SOURCE_DATE_EPOCH} ) {
    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date  --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`;
 } else {
    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
 }
 print $outfile "# rc file: $rcfilename\n#\n";
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.base
+# Shorewall 5.1 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=50100
+SHOREWALL_CAPVERSION=50106
 if [ -z "$g_basedir" ]; then
    #
@@ -1137,16 +1137,31 @@ show_a_macro() {
    cat ${directory}/macro.$1
 }
 #
-# Don't dump empty SPD entries
+# Don't dump empty SPD entries or entries from the other address family
 #
-spd_filter()
+spd_filter() {
-{
+    #
-    awk \
+    # af   = Address Family (4 or 6)
-    'BEGIN            { skip=0; }; \
+    # afok = Address Family of entry matches af
-    /^src/            { skip=0; }; \
+    # p    = print the contents of A (entry is not empty)
-    /^src 0.0.0.0\/0/ { skip=1; }; \
+    # i    = Number of lines stored in A
-    /^src ::\/0/      { skip=1; }; \
+    #
-                      { if ( skip == 0 ) print; };'
+    awk -v af=$g_family \
 	'function prnt(A,i,    j) { while ( j < i ) print A[j++]; };\
 \
 	 /^src / { if (p) prnt( A, i );\
 		   afok = 1;\
 		   p	= 0;\
 		   i	= 0;\
 		   if ( af == 4 )\
 		       { if ( /:/ )  afok = 0; }\
 		   else\
 		       { if ( /\./ ) afok = 0; }\
 		 };\
 		 { if ( afok ) A[i++] = $0; };\
 	 /tmpl/	 { p = afok; };\
 \
 	 END	 { if (p) prnt( A, i ); }'
 }
 #
 # Print a heading with leading and trailing black lines
@@ -1159,7 +1174,8 @@ heading() {
 show_ipsec() {
    heading "PFKEY SPD"
-    $IP -s xfrm policy | spd_filter
+    $IP -s -$g_family xfrm policy | spd_filter
    heading "PFKEY SAD"
    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }
@@ -2770,7 +2786,7 @@ determine_capabilities() {
    GOTO_TARGET=
    LOGMARK_TARGET=
    IPMARK_TARGET=
-    LOG_TARGET=Yes
+    LOG_TARGET=
    ULOG_TARGET=
    NFLOG_TARGET=
    PERSISTENT_SNAT=
@@ -2803,6 +2819,8 @@ determine_capabilities() {
    WAIT_OPTION=
    CPU_FANOUT=
    NETMAP_TARGET=
    NFLOG_SIZE=
    RESTORE_WAIT_OPTION=
    AMANDA_HELPER=
    FTP_HELPER=
@@ -2826,9 +2844,11 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
    fi
    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
    if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	tool="$tool --wait"
+	g_tool="$g_tool --wait"
    fi
    chain=fooX$$
@@ -3134,12 +3154,15 @@ determine_capabilities() {
    qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $g_tool -A $chain -j LOG || LOG_TARGET=
+    qt $g_tool -A $chain -j LOG && LOG_TARGET=Yes
    qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
    qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
    if qt $g_tool -A $chain -j NFLOG; then
 	NFLOG_TARGET=Yes
 	qt $g_tool -A $chain -j NFLOG --nflog-size 64 && NFLOG_SIZE=Yes
    fi
    if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -3295,9 +3318,11 @@ report_capabilities_unsorted() {
    if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
 	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
 	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    fi
    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3305,6 +3330,7 @@ report_capabilities_unsorted() {
    report_capability "CT Target (CT_TARGET)" $CT_TARGET
    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3411,6 +3437,8 @@ report_capabilities_unsorted1() {
    report_capability1 WAIT_OPTION
    report_capability1 CPU_FANOUT
    report_capability1 NETMAP_TARGET
    report_capability1 NFLOG_SIZE
    report_capability1 RESTORE_WAIT_OPTION
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3715,7 +3743,7 @@ ipcalc_command() {
    valid_address $address || fatal_error "Invalid IP address: $address"
    [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
+    [ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM"
    [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
    address=$address/$vlsm
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
 #
-#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -269,53 +269,48 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
    local modulename
    modulename=$1
    shift
    local moduleoptions
    moduleoptions=$*
    local modulefile
    local suffix
    if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
 		shift
 		for suffix in $MODULE_SUFFIX ; do
 		    for directory in $moduledirectories; do
 			modulefile=$directory/${modulename}.${suffix}
 			if [ -f $modulefile ]; then
 		case $moduleloader in
 		    insmod)
-				    insmod $modulefile $*
+			for directory in $moduledirectories; do
-				    ;;
+			    for modulefile in $directory/${modulename}.*; do
-				*)
+				if [ -f $modulefile ]; then
-				    modprobe $modulename $*
+				    insmod $modulefile $moduleoptions
-				    ;;
+				    return
 			    esac
 			    break 2
 				fi
 			    done
 			done
 			;;
 		    *)
 			modprobe -q $modulename $moduleoptions
 			;;
 		esac
 	    fi
 	fi
    elif ! list_search $modulename $DONT_LOAD $MODULES; then
 	shift
 	for suffix in $MODULE_SUFFIX ; do
 	    for directory in $moduledirectories; do
 		modulefile=$directory/${modulename}.${suffix}
 		if [ -f $modulefile ]; then
 	case $moduleloader in
 	    insmod)
-			    insmod $modulefile $*
+		for directory in $moduledirectories; do
-			    ;;
+		    for modulefile in $directory/${modulename}.*; do
-			*)
+			if [ -f $modulefile ]; then
-			    modprobe $modulename $*
+			    insmod $modulefile $moduleoptions
-			    ;;
+			    return
 		    esac
 		    break 2
 			fi
 		    done
 		done
 		;;
 	    *)
 		modprobe -q $modulename $moduleoptions
 		;;
 	esac
    fi
 }
@@ -338,8 +333,6 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi
    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -394,8 +387,6 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi
    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.core
+# Shorewall 5.1 -- /usr/share/shorewall/lib.core
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,7 +24,7 @@
 # generated scripts.
 #
-SHOREWALL_LIBVERSION=50100
+SHOREWALL_LIBVERSION=50108
 #
 # Fatal Error
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -1,6 +1,6 @@
 #
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -1,6 +1,6 @@
 #
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -3173,6 +3173,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/</para>
    <para>/etc/shorewall6/</para>
  </refsect1>
  <refsect1>
@@ -3182,13 +3184,17 @@
    url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
    <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-mangle(5),
    shorewall-masq(5), shorewall-modules(5), shorewall-nat(5),
    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall6-proxyndp(5), shorewall-routes(5), shorewall-rtrules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-rtrules(5), shorewall-rules(5), shorewall-secmarks(5),
-    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-snat(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tcfilters(5), shorewall-tcinterfaces(5), shorewall-tcpri(5),
    shorewall-tunnels(5), shorewall-vardir(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -1,8 +1,8 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.0
+#     Shorewall Packet Filtering Firewall Control Program - V5.1
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015 -
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -25,6 +25,10 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
 #
 # Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l
 # options
 #
 PRODUCT=shorewall
 #
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -159,8 +159,9 @@ shorewall_stop () {
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
      else
 	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
      fi
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -66,6 +66,10 @@ start () {
    printf "Initializing \"Shorewall-based firewalls\": "
    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
 	ipset -R < "$SAVE_IPSETS"
    fi
    for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?
@@ -120,6 +124,15 @@ stop () {
    done
    if [ $retval -eq 0 ]; then
 	if [ -n "$SAVE_IPSETS" ]; then
 	    mkdir -p $(dirname "$SAVE_IPSETS")
 	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
 		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
 	    else
 		rm -f "${SAVE_IPSETS}.tmp"
 	    fi
 	fi
 	rm -f $lockfile
 	success
    else
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -126,7 +126,9 @@ stop () {
    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
 	else
 	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
    fi
 }
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -116,7 +116,9 @@ shorewall_stop () {
  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
      else
 	  rm -f "${SAVE_IPSETS}.tmp"
      fi
  fi
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -126,7 +126,9 @@ shorewall_stop () {
  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
      else
 	  rm -f "${SAVE_IPSETS}.tmp"
      fi
  fi
 }
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -104,7 +104,9 @@ shorewall_stop () {
    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
 	else
 	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
    fi
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,7 +38,6 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
 #        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall/Actions/action.FIN
+++ b/Shorewall/Actions/action.FIN
@@ -0,0 +1,33 @@
 #
 # Shorewall -- /usr/share/shorewall/action.FIN
 #
 # FIN Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # FIN[([<action>])]
 #
 # Default action is ACCEPT
 #
 ###############################################################################
 DEFAULTS ACCEPT,-
@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -107,6 +107,11 @@ if ( $command & $REAP_OPT ) {
 $duration .= '--rttl ' if $command & $TTL_OPT;
 if ( ( $targets{$action} || 0 ) & NATRULE ) {
    perl_action_helper( "${action}-", "-m recent --rcheck ${duration}--hitcount $hitcount" );
    $action = 'ACCEPT';
 }
 if ( $command & $RESET_CMD ) {
    require_capability 'MARK_ANYWHERE', '"reset"', 's';
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
@@ -41,6 +41,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 if ( ( $targets{$action} || 0 ) & NATRULE ) {
    perl_action_helper( "${action}-", "" );
    $action = 'ACCEPT';
 }
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
 } else {
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
@@ -37,6 +37,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 if ( ( $targets{$action} || 0 ) & NATRULE ) {
    perl_action_helper( "${action}-", "" );
    $action = 'ACCEPT';
 }
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {
--- a/Shorewall/Actions/action.dropBcasts
+++ b/Shorewall/Actions/action.dropBcasts
@@ -0,0 +1,39 @@
 #
 # Shorewall -- /usr/share/shorewall/action.dropBcasts
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # dropBcasts[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
 	?require AUDIT_TARGET
 	Broadcast(A_DROP)
    ?else
 	?error "Invalid argument (@1) to dropBcasts"
    ?endif
 ?else
    Broadcast(DROP)
 ?endif
--- a/Shorewall/Macros/macro.RDP
+++ b/Shorewall/Macros/macro.RDP
@@ -6,4 +6,5 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	udp	3389
 PARAM	-	-	tcp	3389
--- a/Shorewall/Makefile-lite
+++ b/Shorewall/Makefile-lite
@@ -1,82 +0,0 @@
 #     Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2006 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 ################################################################################
 # Place this file in each export directory. Modify each copy to set HOST
 # to the name of the remote firewall corresponding to the directory.
 #
 #	To make the 'firewall' script, type "make".
 #
 #	Once the script is compiling correctly, you can install it by
 #	typing "make install".
 #
 ################################################################################
 #                             V A R I A B L E S
 #
 # Files in the export directory on which the firewall script does not depend
 #
 IGNOREFILES =  firewall% Makefile% trace% %~
 #
 # Remote Firewall system
 #
 HOST = gateway
 #
 # Save some typing
 #
 LITEDIR = /var/lib/shorewall-lite
 #
 # Set this if the remote system has a non-standard modules directory
 #
 MODULESDIR=
 #
 # Default target is the firewall script
 #
 ################################################################################
 #                                T A R G E T S
 #
 all: firewall
 #
 # Only generate the capabilities file if it doesn't already exist
 #
 capabilities:
 	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
 	scp root@$(HOST):$(LITEDIR)/capabilities .
 #
 # Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
 # 'filter-out' will be presented with the list of files in this directory rather than "*"
 #
 firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
 	shorewall compile -e . firewall
 #
 # Only reload on demand.
 #
 install: firewall
 	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
 	ssh root@$(HOST) "/sbin/shorewall-lite restart"
 #
 # Save running configuration
 #
 save:
 	ssh root@$(HOST) "/sbin/shorewall-lite save"
 #
 # Remove generated files
 #
 clean:
 	rm -f capabilities firewall firewall.conf reload
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -195,7 +195,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';
-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;
+    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT_SECTION;
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
    my $prerule = '';
@@ -266,7 +266,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    if ( $source eq 'any' || $source eq 'all' ) {
        $source = ALLIP;
    } else {
-	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
+	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT_SECTION || ! $asection );
    }
    if ( have_bridges && ! $asection ) {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -32,6 +32,7 @@ require Exporter;
 use Scalar::Util 'reftype';
 use Digest::SHA qw(sha1_hex);
 use File::Basename;
 use Socket;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
@@ -137,6 +138,12 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE
 				       validate_port
 				       validate_portpair
 				       validate_portpair1
 				       validate_port_list
 				       expand_port_range
 				       PREROUTING
 				       INPUT
 				       FORWARD
@@ -509,6 +516,7 @@ our $idiotcount1;
 our $hashlimitset;
 our $global_variables;
 our %address_variables;
 our %port_variables;
 our $ipset_rules;
 #
@@ -784,6 +792,7 @@ sub initialize( $$$ ) {
    %interfaceacasts    = ();
    %interfacegateways  = ();
    %address_variables  = ();
    %port_variables     = ();
    $global_variables   = 0;
    $idiotcount         = 0;
@@ -819,6 +828,211 @@ sub initialize( $$$ ) {
    #
 }
 sub record_runtime_port( $ ) {
    my ( $variable ) = @_;
    if ( $variable =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Variable %variable is already used as an address variable" if $address_variables{$1};
 	$port_variables{$1} = 1;
    } else {
 	fatal_error( "Invalid port variable (%$variable)" );
    }
    "\$$variable";
 }
 ################################################################################
 # Functions moved from IPAddrs.pm in 5.1.5				       #
 ################################################################################
 sub validate_port( $$ ) {
    my ($proto, $port) = @_;
    my $value;
    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
 	$value = numeric_value $port;
 	if ( defined $value ) {
 	    if ( $value && $value <= 65535 ) {
 		return $value;
 	    } else {
 		$value = undef;
 	    }
 	}
    } elsif ( $port =~ /^%(.*)/ ) {
 	$value = record_runtime_port( $1 );
    } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
    }
    return $value if defined $value;
    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
 }
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    my $pair = $portpair;
    #
    # Accept '-' as a port-range separator
    #
    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
    my @ports = split /:/, $pair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
    $_ = validate_port( $protonum, $_) for grep $_, @ports;
    if ( @ports == 2 ) {
 	$what = 'port range';
 	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
 	    fatal_error "Invalid port range ($_[1])" unless $ports[0] < $ports[1];
 	}
    } else {
 	$what = 'port';
    }
    fatal_error "Using a $what ( $_[1] ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP     ||
 			       $protonum == UDP     ||
 			       $protonum == UDPLITE ||
 			       $protonum == SCTP    ||
 			       $protonum == DCCP );
    join ':', @ports;
 }
 sub validate_portpair1( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
    my @ports = split /-/, $portpair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
    $_ = validate_port( $protonum, $_) for grep $_, @ports;
    if ( @ports == 2 ) {
 	$what = 'port range';
 	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
 	    fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
 	}
    } else {
 	$what = 'port';
 	fatal_error 'Invalid port number (0)' unless $portpair;
    }
    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP  ||
 			       $protonum == UDP  ||
 			       $protonum == SCTP ||
 			       $protonum == DCCP );
    join '-', @ports;
 }
 sub validate_port_list( $$ ) {
    my $result = '';
    my ( $proto, $list ) = @_;
    my @list   = split_list( $list, 'port' );
    if ( @list > 1 && $list =~ /[:-]/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
    }
    $proto = proto_name $proto;
    for ( @list ) {
 	my $value = validate_portpair( $proto , $_ );
 	$result = $result ? join ',', $result, $value : $value;
    }
    $result;
 }
 #
 # Expands a port range into a minimal list of ( port, mask ) pairs.
 # Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
 #
 # Example:
 #
 #       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
 #       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
 #
 sub expand_port_range( $$ ) {
    my ( $proto, $range ) = @_;
    if ( $range =~ /^(.*):(.*)$/ ) {
 	my ( $first, $last ) = ( $1, $2);
 	my @result;
 	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
 	#
 	# Supply missing first/last port number
 	#
 	$first = 0     if $first eq '';
 	$last  = 65535 if $last eq '';
 	#
 	# Validate the ports
 	#
 	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
 	$last++; #Increment last address for limit testing.
 	#
 	# Break the range into groups:
 	#
 	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
 	#      - Otherwise, find the largest power of two P that divides the first address such that
 	#        the remaining range has less than or equal to P ports. The next group is
 	#        ( <first> , ~( P-1 ) ).
 	#
 	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
 	    my $mask = 0xffff;         #Mask for current ports in group.
 	    my $y    = 2;              #Next power of two to test
 	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
 	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
 		$mask <<= 1;
 		$z  = $y;
 		$y <<= 1;
 	    }
 	    #
 	    #
 	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
 	    $first += $z;
 	}
 	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
 	@result;
    } else {
 	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
    }
 }
 ################################################################################
 # End functions moved from IPAddrs.pm in 5.1.5				       #
 ################################################################################
 #
 # Functions to manipulate cmdlevel
 #
@@ -1131,8 +1345,6 @@ sub format_rule( $$;$ ) {
 	    } else {
 		$rule .= join( '' , ' --', $_, ' ', $value );
 	    }
 	    next;
 	} elsif ( $type == EXPENSIVE ) {
 	    #
 	    # Only emit expensive matches now if there are '-m nfacct' or '-m recent' matches in the rule
@@ -1191,13 +1403,15 @@ sub compatible( $$ ) {
    }
    #
    # Don't combine chains where each specifies
-    #    -m policy
+    #    -m policy and the policies are different
    # or when one specifies
    #    -m multiport
    # and the other specifies
    #    --dport or --sport or -m multiport
    #
-    return ! ( $ref1->{policy} && $ref2->{policy} ||
+    my ( $p1, $p2 );
    return ! ( ( ( $p1 = $ref1->{policy} ) && ( $p2 = $ref2->{policy} ) && $p1 ne $p2 ) ||
 	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
 		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
@@ -1715,7 +1929,7 @@ sub delete_reference( $$ ) {
    assert( $toref );
-    delete $toref->{references}{$fromref->{name}} unless --$toref->{references}{$fromref->{name}} > 0;
+    delete $toref->{references}{$fromref->{name}} if --$toref->{references}{$fromref->{name}} <= 0;
 }
 #
@@ -1853,7 +2067,7 @@ sub adjust_reference_counts( $$$ ) {
    my ($toref, $name1, $name2) = @_;
    if ( $toref ) {
-	delete $toref->{references}{$name1} unless --$toref->{references}{$name1} > 0;
+	delete $toref->{references}{$name1} if --$toref->{references}{$name1} <= 0;
 	$toref->{references}{$name2}++;
    }
 }
@@ -3061,8 +3275,10 @@ sub initialize_chain_table($) {
 	$chainref = new_nat_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS   ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
    }
@@ -3459,7 +3675,7 @@ sub optimize_level4( $$ ) {
 				#
 				delete_chain_and_references( $chainref );
 				$progress = 1;
-			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
+			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
 				#
 				# This case requires a new rule merging algorithm. Ignore this chain from
 				# now on.
@@ -3686,6 +3902,15 @@ sub optimize_level8( $$$ ) {
 		    }
 		    $combined{ $chainref1->{name} } = $chainref->{name};
 		    #
 		    # While rare, it is possible for a policy chain to be combined with a non-policy chain. So we need to preserve
 		    # the policy attributes in the combined chain
 		    #
 		    if ( $chainref->{policychain} ) {
 			@{$chainref1}{qw(policychain policy)} = @{$chainref}{qw(policychain policy)} unless $chainref1->{policychain};
 		    } elsif ( $chainref1->{policychain} ) {
 			@{$chainref}{qw(policychain policy)} = @{$chainref1}{qw(policychain policy)} unless $chainref->{policychain};
 		    }
 		}
 	    }
 	}
@@ -4612,7 +4837,7 @@ sub do_proto( $$$;$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports;
+				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
 				$output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
 			    }
 			}
@@ -4819,7 +5044,7 @@ sub do_iproto( $$$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports;
+				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
 				if ( $srcndst ) {
 				    push @output, multiport => "${invert}--ports ${ports}";
@@ -5758,6 +5983,7 @@ sub record_runtime_address( $$;$$ ) {
    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
 	fatal_error "Variable %variable is already used as a port variable" if $port_variables{$1};
 	$address_variables{$1} = $addrtype;
 	return '$' . "$1 ";
    }
@@ -6103,7 +6329,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
    }
-    $net = validate_net $net, 1;
+    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
    $net eq ALLIP ? '' : "-d $net ";
 }
@@ -6184,7 +6410,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
    }
-    $net = validate_net $net, 1;
+    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
    $net eq ALLIP ? () : ( d =>  $net );
 }
@@ -6843,6 +7069,8 @@ sub interface_gateway( $ ) {
 sub get_interface_gateway ( $;$$ ) {
    my ( $logical, $protect, $provider ) = @_;
    $provider = '' unless defined $provider;
    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );
    my $gateway  = get_interface_option( $interface, 'gateway' );
@@ -6856,9 +7084,9 @@ sub get_interface_gateway ( $;$$ ) {
    }
    if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider));
    } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }
@@ -7045,6 +7273,19 @@ sub verify_address_variables() {
 	      qq(    startup_error "Invalid value ($address) for address variable $variable"),
 	      qq(fi\n) );
    }
    for my $variable( keys %port_variables ) {
 	my $port = "\$$variable";
 	my $type = $port_variables{$variable};
 	emit( qq(if [ -z "$port" ]; then) ,
 	      qq(    $variable=255) ,
 	      qq(elif qt \$g_tool -A INPUT -p 6 --dport $port; then) ,
 	      qq(    qt \$g_tool -D INPUT -p 6 --dport $variable) ,
 	      qq(else) ,
 	      qq(    startup_error "Invalid valid ($port) for port variable $variable") ,
 	      qq(fi\n) );
    }
 }
 #
@@ -7294,6 +7535,11 @@ sub isolate_dest_interface( $$$$ ) {
 	    $rule .= "-d $variable ";
 	}
    } elsif ( $dest =~ /^\$/ ) {
 	#
 	# Runtime address variable
 	#
 	$dnets  = $dest;
    } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
@@ -8217,6 +8463,7 @@ sub save_docker_rules($) {
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
 	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
 	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
 	);
@@ -8232,6 +8479,7 @@ sub save_docker_rules($) {
 	  q(    rm -f ${VARDIR}/.nat_OUTPUT),
 	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
 	  q(    rm -f ${VARDIR}/.filter_FORWARD),
 	  q(fi)
@@ -8674,9 +8922,15 @@ sub create_netfilter_load( $ ) {
    my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
    emit( '',
-	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
+	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then' );
-	  '    option="--counters"',
+
-	  '',
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
 	emit( '    option="--counters --wait "' . $config{MUTEX_TIMEOUT} );
    } else {
 	emit( '    option="--counters"' );
    }
    emit( '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
@@ -8684,7 +8938,11 @@ sub create_netfilter_load( $ ) {
    push_indent;
    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
 	emit 'option="--wait "' . $config{MUTEX_TIMEOUT};
    } else {
 	emit 'option=';
    }
    save_progress_message "Preparing $utility input...";
@@ -8733,6 +8991,10 @@ sub create_netfilter_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -8837,6 +9099,11 @@ sub preview_netfilter_load() {
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
 		    } else {		    
 			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
@@ -9074,6 +9341,10 @@ sub create_stop_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9099,7 +9370,11 @@ sub create_stop_load( $ ) {
    enter_cmd_mode;
    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
 	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' --wait ' . $config{MUTEX_TIMEOUT} . '"' );
    } else {
 	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
    }
    emit( '',
 	  'progress_message2 "Running $command..."',
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -109,7 +109,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF
-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -209,6 +209,8 @@ sub generate_script_2() {
    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
    emit ( qq([ -n "\${CONFDIR:=$shorewallrc1{CONFDIR}}" ]) );
    emit ( qq([ -n "\${SHAREDIR:=$shorewallrc1{SHAREDIR}}" ]) );
    emit 'TEMPFILE=';
@@ -266,7 +268,8 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
 	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
 	emit( '' );
    }
@@ -689,6 +692,7 @@ sub compiler {
    set_timestamp( $timestamp );
    set_debug( $debug , $confess );
    #
    #                                      S H O R E W A L L R C ,
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
    get_configuration( $export , $update , $annotate , $inline );
@@ -793,13 +797,10 @@ sub compiler {
 	emit '}'; # End of setup_common_rules()
    }
    disable_script;
    #
    #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
    enable_script;
    #
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -36,11 +36,13 @@ use strict;
 use warnings;
 use File::Basename;
 use File::Temp qw/ tempfile tempdir /;
 use File::Glob ':globally';
 use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
 use Digest::SHA qw(sha1_hex);
 use Errno qw(:POSIX);
 our @ISA = qw(Exporter);
 #
@@ -315,7 +317,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -413,7 +415,9 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                 WAIT_OPTION     => 'iptables --wait option',
                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',
                 NETMAP_TARGET   => 'NETMAP Target',
-
+                 NFLOG_SIZE      => '--nflog-size support',
 		 RESTORE_WAIT_OPTION
 				 => 'iptables-restore --wait option',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -500,6 +504,7 @@ our %config_files = ( #accounting      => 1,
 		      interfaces       => 1,
 		      isusable	       => 1,
 		      maclist	       => 1,
 		      mangle	       => 1,
 		      masq	       => 1,
 		      nat	       => 1,
 		      netmap	       => 1,
@@ -518,6 +523,7 @@ our %config_files = ( #accounting      => 1,
 		      rules	       => 1,
 		      scfilter	       => 1,
 		      secmarks	       => 1,
 		      snat	       => 1,
 		      start	       => 1,
 		      started	       => 1,
 		      stop	       => 1,
@@ -534,7 +540,7 @@ our %config_files = ( #accounting      => 1,
 		      tunnels	       => 1,
 		      zones	       => 1 );
 #
-# Options that involve the the AUDIT target
+# Options that involve the AUDIT target
 #
 our @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
 #
@@ -644,6 +650,7 @@ our %eliminated = ( LOGRATE          => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
                    MODULE_SUFFIX    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -748,8 +755,8 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.4-Beta1",
+		    VERSION                 => "5.1.8-Beta1",
-		    CAPVERSION              => 50100 ,
+		    CAPVERSION              => 50106 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -844,7 +851,6 @@ sub initialize( $;$$) {
 	  BLACKLIST => undef,
 	  BLACKLISTNEWONLY => undef,
 	  DELAYBLACKLISTLOAD => undef,
 	  MODULE_SUFFIX => undef,
 	  DISABLE_IPV6 => undef,
 	  DYNAMIC_ZONES => undef,
 	  PKTTYPE=> undef,
@@ -908,6 +914,7 @@ sub initialize( $;$$) {
 	  FIREWALL => undef ,
 	  BALANCE_PROVIDERS => undef ,
 	  PERL_HASH_SEED => undef ,
 	  USE_NFLOG_SIZE => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1003,7 +1010,7 @@ sub initialize( $;$$) {
 	       CONNLIMIT_MATCH => undef,
 	       TIME_MATCH => undef,
 	       GOTO_TARGET => undef,
-	       LOG_TARGET => 1,         # Assume that we have it.
+	       LOG_TARGET => undef,
 	       ULOG_TARGET => undef,
 	       NFLOG_TARGET => undef,
 	       LOGMARK_TARGET => undef,
@@ -1041,6 +1048,8 @@ sub initialize( $;$$) {
 	       WAIT_OPTION => undef,
 	       CPU_FANOUT => undef,
 	       NETMAP_TARGET => undef,
 	       NFLOG_SIZE => undef,
 	       RESTORE_WAIT_OPTION => undef,
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1166,7 +1175,7 @@ sub initialize( $;$$) {
    #
    # Process the global shorewallrc file
    #
-    #   Note: The build file executes this function passing only the protocol family
+    #   Note: The build script calls this function passing only the protocol family
    #
    process_shorewallrc( $shorewallrc,
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
@@ -1217,9 +1226,8 @@ sub compiletime() {
 # Create 'currentlineinfo'
 #
 sub currentlineinfo() {
    my $linenumber = $currentlinenumber || 1;
    if ( $currentfilename ) {
 	my $linenumber = $currentlinenumber || 1;
 	my $lineinfo   = " $currentfilename ";
 	if ( $linenumber eq 'EOF' ) {
@@ -1986,6 +1994,7 @@ sub find_file($)
    for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
 	$!{ENOENT} || fatal_error "Unable to access $file: " . $!; 
    }
    "$config_path[0]$filename";
@@ -2340,7 +2349,7 @@ sub split_line2( $$;$$$ ) {
 	    $inline_matches = $pairs;
-	    if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
+	    if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
 		#
 		# Pairs are enclosed in curly brackets.
 		#
@@ -2356,7 +2365,7 @@ sub split_line2( $$;$$$ ) {
 	    if ( $currline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;
-		if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
+		if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
 		    #
 		    # Pairs are enclosed in curly brackets.
 		    #
@@ -2370,7 +2379,7 @@ sub split_line2( $$;$$$ ) {
 	} elsif ( $checkinline ) {
 	    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
 	}
-    } elsif ( $currline =~ /^(\s*|.*[^&@%]){(.*)}$/ ) {
+    } elsif ( $currline =~ /^(\s*|.*[^&@%])\{(.*)\}$/ ) {
 	#
 	# Pairs are enclosed in curly brackets.
 	#
@@ -2568,7 +2577,7 @@ sub open_file( $;$$$$ ) {
 	$max_format       = supplied $mf ? $mf : 1;
 	$comments_allowed = supplied $ca ? $ca : 0;
 	$nocomment        = $nc;
-	do_open_file $fname;;
+	do_open_file $fname;
    } else {
 	$ifstack = @ifstack;
 	'';
@@ -4045,7 +4054,7 @@ sub make_mask( $ ) {
    0xffffffff >> ( 32 - $_[0] );
 }
-my @suffixes = qw(group range threshold nlgroup cprange qthreshold);
+my @suffixes;
 #
 # Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate"
@@ -4281,7 +4290,7 @@ sub which( $ ) {
 # Load the kernel modules defined in the 'modules' file.
 #
 sub load_kernel_modules( ) {
-    my $moduleloader = which( 'modprobe' ) || ( which 'insmod' );
+    my $moduleloader = which( 'modprobe' ) || which( 'insmod' );
    my $modulesdir = $config{MODULESDIR};
@@ -4314,25 +4323,20 @@ sub load_kernel_modules( ) {
 	close LSMOD;
-	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
+      MODULE:
 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
 	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
-		for my $directory ( @moduledirectories ) {
+		if ( $moduleloader =~ /modprobe$/ ) {
-		    for my $suffix ( @suffixes ) {
+		    system( "modprobe -q $module $arguments" );
 			my $modulefile = "$directory/$module.$suffix";
 			if ( -f $modulefile ) {
 			    if ( $moduleloader eq 'insmod' ) {
 				system ("insmod $modulefile $arguments" );
 			    } else {
 				system( "modprobe $module $arguments" );
 			    }
 		    $loadedmodules{ $module } = 1;
 		} else {
 		    for my $directory ( @moduledirectories ) {
 			for my $modulefile ( <$directory/$module.*> ) {
 			    system ("insmod $modulefile $arguments" );
 			    $loadedmodules{ $module } = 1;
 			    next MODULE;
 			}
 		    }
 		}
@@ -4817,6 +4821,10 @@ sub NFLog_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -j NFLOG" );
 }
 sub NFLog_Size() {
    have_capability( 'NFLOG_TARGET' ) && qt1( "$iptables $iptablesw -A $sillyname -j NFLOG --nflog-size 64" );
 }
 sub Logmark_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -j LOGMARK" );
 }
@@ -4940,6 +4948,10 @@ sub Cpu_Fanout() {
    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
 }
 sub Restore_Wait_Option() {
    length( `${iptables}-restore --wait < /dev/null 2>&1` ) == 0;
 }
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -4992,6 +5004,7 @@ our %detect_capability =
      LOG_TARGET => \&Log_Target,
      ULOG_TARGET => \&Ulog_Target,
      NFLOG_TARGET => \&NFLog_Target,
      NFLOG_SIZE => \&NFLog_Size,
      MANGLE_ENABLED => \&Mangle_Enabled,
      MANGLE_FORWARD => \&Mangle_Forward,
      MARK => \&Mark,
@@ -5019,6 +5032,7 @@ our %detect_capability =
      REALM_MATCH => \&Realm_Match,
      REAP_OPTION => \&Reap_Option,
      RECENT_MATCH => \&Recent_Match,
      RESTORE_WAIT_OPTION => \&Restore_Wait_Option,
      RPFILTER_MATCH => \&RPFilter_Match,
      SANE_HELPER => \&SANE_Helper,
      SANE0_HELPER => \&SANE0_Helper,
@@ -5185,6 +5199,9 @@ sub determine_capabilities() {
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
 	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
 	$capabilities{RESTORE_WAIT_OPTION}
 				       = detect_capability( 'RESTORE_WAIT_OPTION' );
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -6051,7 +6068,6 @@ sub get_configuration( $$$$ ) {
    #
    # get_capabilities requires that the true settings of these options be established
    #
    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
    if ( ! $export && $> == 0 ) {
@@ -6237,7 +6253,7 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_VERBOSITY} = -1;
    }
-    default_yes_no 'ADD_IP_ALIASES'             , 'Yes';
+    default_yes_no 'ADD_IP_ALIASES'             , $family == F_IPV4 ? 'Yes' : '';
    default_yes_no 'ADD_SNAT_ALIASES'           , '';
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
@@ -6392,6 +6408,17 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'AUTOMAKE'                   , '';
    default_yes_no 'TRACK_PROVIDERS'            , '';
    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
    default_yes_no 'USE_NFLOG_SIZE'             , '';
    if ( $config{USE_NFLOG_SIZE} ) {
 	if ( have_capability( 'NFLOG_SIZE' ) ) {
 	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
 	} else {
 	    fatal_error "USE_NFLOG_SIZE=Yes, but the --nflog-size capabiity is not present";
 	}
    } else {
 	@suffixes = qw(group range threshold nlgroup cprange qthreshold);
    }
    unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6812,6 +6839,12 @@ sub get_configuration( $$$$ ) {
 	}
    }
    if ( supplied( $val = $config{MUTEX_TIMEOUT} ) ) {
 	fatal_error "Invalid value ($val) for MUTEX_TIMEOUT" unless $val && $val =~ /^\d+$/;
    } else {
 	$config{MUTEX_TIMEOUT} = 60;
    }
    add_variables %config;
    while ( my ($var, $val ) = each %renamed ) {
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -63,7 +63,6 @@ our @EXPORT = ( qw( ALLIPv4
 		  validate_host
 		  validate_range
 		  ip_range_explicit
 		  expand_port_range
 		  allipv4
 		  allipv6
 		  allip
@@ -74,10 +73,6 @@ our @EXPORT = ( qw( ALLIPv4
 		  resolve_proto
 		  resolve_dnsname
 		  proto_name
 		  validate_port
 		  validate_portpair
 		  validate_portpair1
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
 		 ) );
@@ -411,114 +406,6 @@ sub proto_name( $ ) {
    $proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto
 }
 sub validate_port( $$ ) {
    my ($proto, $port) = @_;
    my $value;
    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
 	$port = numeric_value $port;
 	return $port if defined $port && $port && $port <= 65535;
    } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
    }
    return $value if defined $value;
    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
 }
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    my $pair = $portpair;
    #
    # Accept '-' as a port-range separator
    #
    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
    my @ports = split /:/, $pair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
    $_ = validate_port( $protonum, $_) for grep $_, @ports;
    if ( @ports == 2 ) {
 	$what = 'port range';
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
    } else {
 	$what = 'port';
    }
    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP     ||
 			       $protonum == UDP     ||
 			       $protonum == UDPLITE ||
 			       $protonum == SCTP    ||
 			       $protonum == DCCP );
    join ':', @ports;
 }
 sub validate_portpair1( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
    my @ports = split /-/, $portpair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
    $_ = validate_port( $protonum, $_) for grep $_, @ports;
    if ( @ports == 2 ) {
 	$what = 'port range';
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
    } else {
 	$what = 'port';
 	fatal_error 'Invalid port number (0)' unless $portpair;
    }
    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP  ||
 			       $protonum == UDP  ||
 			       $protonum == SCTP ||
 			       $protonum == DCCP );
    join '-', @ports;
 }
 sub validate_port_list( $$ ) {
    my $result = '';
    my ( $proto, $list ) = @_;
    my @list   = split_list( $list, 'port' );
    if ( @list > 1 && $list =~ /[:-]/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
    }
    $proto = proto_name $proto;
    for ( @list ) {
 	my $value = validate_portpair( $proto , $_ );
 	$result = $result ? join ',', $result, $value : $value;
    }
    $result;
 }
 my %icmp_types = ( any                          => 'any',
 		   'echo-reply'                 => 0,
 		   'destination-unreachable'    => 3,
@@ -572,67 +459,6 @@ sub validate_icmp( $ ) {
    fatal_error "Invalid ICMP Type ($type)"
 }
 #
 # Expands a port range into a minimal list of ( port, mask ) pairs.
 # Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
 #
 # Example:
 #
 #       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
 #       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
 #
 sub expand_port_range( $$ ) {
    my ( $proto, $range ) = @_;
    if ( $range =~ /^(.*):(.*)$/ ) {
 	my ( $first, $last ) = ( $1, $2);
 	my @result;
 	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
 	#
 	# Supply missing first/last port number
 	#
 	$first = 0     if $first eq '';
 	$last  = 65535 if $last eq '';
 	#
 	# Validate the ports
 	#
 	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
 	$last++; #Increment last address for limit testing.
 	#
 	# Break the range into groups:
 	#
 	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
 	#      - Otherwise, find the largest power of two P that divides the first address such that
 	#        the remaining range has less than or equal to P ports. The next group is
 	#        ( <first> , ~( P-1 ) ).
 	#
 	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
 	    my $mask = 0xffff;         #Mask for current ports in group.
 	    my $y    = 2;              #Next power of two to test
 	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
 	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
 		$mask <<= 1;
 		$z  = $y;
 		$y <<= 1;
 	    }
 	    #
 	    #
 	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
 	    $first += $z;
 	}
 	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
 	@result;
    } else {
 	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
    }
 }
 sub valid_6address( $ ) {
    my $address = $_[0];
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -667,6 +667,7 @@ sub create_docker_rules() {
    my $chainref = $filter_table->{FORWARD};
    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
    if ( my $dockerref = known_interface('docker0') ) {
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -941,7 +941,17 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-	    my @servers = validate_address $server, 1;
+
 	    my @servers;
 	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
 		$server = record_runtime_address( $1, $2 );
 		$server =~ s/ $//;
 		@servers = ( $server );
 	    } else {
 		@servers = validate_address $server, 1;
 	    }
 	    $server = join ',', @servers;
 	}
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -64,6 +64,8 @@ our @load_interfaces;
 our $balancing;
 our $fallback;
 our $balanced_providers;
 our $fallback_providers;
 our $metrics;
 our $first_default_route;
 our $first_fallback_route;
@@ -99,6 +101,8 @@ sub initialize( $ ) {
    %provider_interfaces    = ();
    @load_interfaces        = ();
    $balancing              = 0;
    $balanced_providers     = 0;
    $fallback_providers     = 0;
    $fallback               = 0;
    $metrics                = 0;
    $first_default_route    = 1;
@@ -323,7 +327,13 @@ sub balance_default_route( $$$$ ) {
    emit '';
    if ( $first_default_route ) {
 	if ( $balanced_providers == 1 ) {
 	    if ( $gateway ) {
 		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
 		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
 	    }
 	} elsif ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
 	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
@@ -347,7 +357,13 @@ sub balance_fallback_route( $$$$ ) {
    emit '';
    if ( $first_fallback_route ) {
 	if ( $fallback_providers == 1 ) {
 	    if ( $gateway ) {
 		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
 		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
 	    }
 	} elsif ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
 	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
@@ -486,7 +502,7 @@ sub process_a_provider( $ ) {
    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, 1 );
+	$gateway = get_interface_gateway( $interface, undef, $number );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
@@ -586,6 +602,7 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'nohostroute' ) {
 		$hostroute = 0;
 	    } elsif ( $option eq 'persistent' ) {
 		warning_message "When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option may not work as expected" if $config{RESTORE_DEFAULT_ROUTE};
 		$persistent = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
@@ -593,7 +610,12 @@ sub process_a_provider( $ ) {
 	}
    }
-    fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;
+    if ( $balance ) {
 	fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $default;
 	$balanced_providers++;
    } elsif ( $default ) {
 	$fallback_providers++;
    }
    if ( $load ) {
 	fatal_error q(The 'balance=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $balance > 1;
@@ -826,7 +848,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $id";
+		emit "run_ip route replace default dev $physical table $id";
 	    }
 	}
@@ -842,7 +864,7 @@ sub add_a_provider( $$ ) {
 		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }
-	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
 	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
@@ -852,9 +874,9 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( "find_interface_addresses $physical | while read address; do" );
+		emit  ( "find_interface_addresses $physical | while read address; do",
-		emit  ( "    qt \$IP -$family rule del from \$address" );
+			"    qt \$IP -$family rule del from \$address",
-		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
+			"    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
 			'done'
@@ -877,7 +899,6 @@ sub add_a_provider( $$ ) {
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 	pop_indent;
 	emit( "}\n" );
@@ -903,7 +924,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $id";
+		emit "run_ip route replace default dev $physical table $id";
 	    }
 	}
    }
@@ -935,7 +956,7 @@ CEOF
 	my $hexmark = in_hex( $mark );
 	my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
-	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $persistent || $config{DELETE_THEN_ADD};
 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
@@ -964,7 +985,7 @@ CEOF
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}
-	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	emit "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm";
    }
    if ( $balance ) {
@@ -976,14 +997,16 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    emit qq(run_ip route replace default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
-	    emit qq(run_ip route add default table $id dev $physical metric $number);
+	    emit qq(run_ip route replace default table $id dev $physical metric $number);
 	    emit qq(echo "\$IP -$family route del default dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	}
 	emit( 'g_fallback=Yes' ) if $persistent;
 	$metrics = 1;
    }
@@ -1005,12 +1028,13 @@ CEOF
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
 		if ( $persistent ) {
-		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
+		    emit( qq(if ! egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),
 			  qq(    qt \$IP -$family rule del from $address pref 20000),
 			  qq(    run_ip rule add from $address pref 20000 table $id),
 			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
 			  qq(fi) );
 		} else {
-		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		    emit  "qt \$IP -$family rule del from $address" if $persistent || $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 		}
@@ -1067,7 +1091,21 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
-	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled),
 	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
 	    );
 	if ( ! $pseudo && $config{USE_DEFAULT_RT} && $config{RESTORE_DEFAULT_ROUTE} ) {
 	    emit  ( '#',
 		    '# We now have a viable default route in the \'default\' table so delete any default routes in the main table',
 		    '#',
 		    'while qt \$IP -$family route del default table ' . MAIN_TABLE . '; do',
 		    '    true',
 		    'done',
 		    ''
 		);
 	}
 	emit_started_message( '', 2, $pseudo, $table, $number );
 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1212,7 +1250,9 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
-	emit( "echo 1 > \${VARDIR}/${physical}.status" );
+	emit( "echo 1 > \${VARDIR}/${physical}.status",
 	      $pseudo ? "run_disabled_exit ${physical} ${interface}" : "run_disabled_exit ${physical} ${interface} ${table}"
 	    );
 	if ( $pseudo ) {
 	    emit( "progress_message2 \"Optional Interface $table stopped\"" );
@@ -1318,7 +1358,7 @@ sub add_an_rtrule1( $$$$$ ) {
    $priority = "pref $priority";
-    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $persistent || $config{DELETE_THEN_ADD};
    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
    if ( $persistent ) {
@@ -1416,22 +1456,22 @@ sub add_a_route( ) {
    if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
-	    push @$routes,            qq(run_ip route add $dest via $gateway dev $physical table $id);
+	    push @$routes,            qq(run_ip route replace $dest via $gateway dev $physical table $id);
-	    push @$persistent_routes, qq(run_ip route add $dest via $gateway dev $physical table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway dev $physical table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} elsif ( $null ) {
-	    push @$routes,            qq(run_ip route add $null $dest table $id);
+	    push @$routes,            qq(run_ip route replace $null $dest table $id);
-	    push @$persistent_routes, qq(run_ip route add $null $dest table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route replace $null $dest table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $null $dest table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
-	    push @$routes,            qq(run_ip route add $dest via $gateway table $id);
+	    push @$routes,            qq(run_ip route replace $dest via $gateway table $id);
-	    push @$persistent_routes, qq(run_ip route add $dest via $gateway table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	}
    } else {
 	fatal_error "You must specify a device for this route" unless $physical;
-	push @$routes,            qq(run_ip route add $dest dev $physical table $id);
+	push @$routes,            qq(run_ip route replace $dest dev $physical table $id);
-	push @$persistent_routes, qq(run_ip route add $dest dev $physical table $id) if $persistent;
+	push @$persistent_routes, qq(run_ip route replace $dest dev $physical table $id) if $persistent;
 	push @$routes,             q(echo "$IP ) . qq(-$family route del $dest dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
    }
@@ -1534,9 +1574,9 @@ sub finish_providers() {
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
 		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
-		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
-		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
 		    '    fi',
 		    '' );
 	}
@@ -1554,7 +1594,7 @@ sub finish_providers() {
 		'    error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
 	if ( $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit qq(    restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
+	    emit qq(    [ -z "\${FALLBACK_ROUTE}\${g_fallback}" ] && restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
@@ -1581,7 +1621,7 @@ sub finish_providers() {
 	}
 	emit ( '#',
-	       '# Delete any routes in the \'balance\' table',
+	       '# Delete any default routes with metric 0 in the \'balance\' table',
 	       '#',
 	       "while qt \$IP -$family route del default table $balance; do",
 	       '    true',
@@ -1609,7 +1649,10 @@ sub finish_providers() {
 	      'fi',
 	      '' );
    } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( "delete_default_routes $default",
+	emit( '#',
 	      '# No balanced fallback routes - delete any routes with metric 0 from the \'default\' table',
 	      '#',
 	      "delete_default_routes $default",
 	      ''
 	    );
    }
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -216,6 +216,10 @@ our %statetable;
 # Tracks which of the state match actions (action.Invalid, etc.) that is currently being expanded
 #
 our $statematch;
 #
 # Remembers NAT-oriented columns from top-level action invocations
 #
 our %nat_columns;
 #
 # Action/Inline options
@@ -384,6 +388,8 @@ sub initialize( $ ) {
 	                  );
    }
    %nat_columns = ( dest => '-', proto => '-', ports => '-' );
    ############################################################################
    # Initialize variables moved from the Tc module in Shorewall 5.0.7         #
    ############################################################################
@@ -1652,6 +1658,19 @@ sub merge_inline_source_dest( $$ ) {
    $body || '';
 }
 #
 # This one is used by perl_action_helper()
 #
 sub merge_action_column( $$ ) {
    my ( $body, $invocation ) = @_;
    if ( supplied( $body ) && $body ne '-' ) {
 	$body;
    } else {
 	$invocation;
    }
 }
 sub merge_macro_column( $$ ) {
    my ( $body, $invocation ) = @_;
@@ -2510,6 +2529,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $exceptionrule = '';
    my $usergenerated;
    my $prerule = '';
    my %save_nat_columns = %nat_columns;
    my $generated = 0;
    #
    # Subroutine for handling MARK and CONNMARK.
    #
@@ -2591,7 +2612,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$current_param = $param unless $param eq '' || $param eq 'PARAM';
-	my $generated = process_macro( $basictarget,
+	$generated = process_macro( $basictarget,
 				    $chainref,
 				    $rule . $raw_matches,
 				    $matches1,
@@ -2614,9 +2635,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 				    $wildcard );
 	$macro_nest_level--;
-
+	goto EXIT;
 	return $generated;
    } elsif ( $actiontype & NFQ ) {
 	$action = handle_nfqueue( $param,
 				  1 # Allow 'bypass'
@@ -2688,6 +2707,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      REDIRECT => sub () {
 		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
 		  if ( $dest eq '-' ) {
 		      if ( $family == F_IPV4 ) {
 			  $dest = ( $inchain ) ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
@@ -2816,6 +2836,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    }
 	}
    }
    #
    # Isolate and validate source and destination zones
    #
@@ -2909,7 +2930,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#
 	if ( $destref->{type} & BPORT ) {
 	    unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
-		return 0 if $wildcard;
+		goto EXIT if $wildcard;
 		fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
 	    }
 	}
@@ -2924,7 +2945,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	my $policy = $chainref->{policy};
 	if ( $policy eq 'NONE' ) {
-	    return 0 if $wildcard;
+	    goto EXIT if $wildcard;
 	    fatal_error "Rules may not override a NONE policy";
 	}
 	#
@@ -2933,9 +2954,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	if ( $optimize == 1 && $section == NEW_SECTION ) {
 	    my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 	    if ( $loglevel ne '' ) {
-		return 0 if $target eq "${policy}:${loglevel}";
+		goto EXIT if $target eq "${policy}:${loglevel}";
 	    } else {
-		return 0 if $basictarget eq $policy;
+		goto EXIT if $basictarget eq $policy;
 	    }
 	}
 	#
@@ -2980,6 +3001,21 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $actionchain; # Name of the action chain
    if ( $actiontype & ACTION ) {
 	#
 	# Save NAT-oriented column contents
 	#
 	@nat_columns{'dest', 'proto', 'ports' } = ( $dest,
 						    $proto eq '-' ? $nat_columns{proto} : $proto,
 						    $ports eq '-' ? $nat_columns{ports} : $ports );
 	#
 	# Push the current column array onto the column stack
 	#
        my @savecolumns = @columns;
 	#
 	# And store the (modified) columns into the columns array for use by perl_action[_tcp]_helper. We
 	# only need the NAT-oriented columns
 	#
 	@columns = ( undef , undef, $dest, $proto, $ports);
 	#
 	# Handle 'section' option
 	#
@@ -3023,6 +3059,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	}
 	$action = $basictarget; # Remove params, if any, from $action.
 	@columns = @savecolumns;
    } elsif ( $actiontype & INLINE ) {
 	#
 	# process_inline() will call process_rule() recursively for each rule in the action body
@@ -3039,7 +3077,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$actionresult = 0;
-	my $generated = process_inline( $basictarget,
+	$generated = process_inline( $basictarget,
 				     $chainref,
 				     $prerule . $rule,
 				     $matches1 . $raw_matches,
@@ -3066,7 +3104,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$macro_nest_level--;
-	return $generated;
+	goto EXIT;
    }
    #
    # Generate Fixed part of the rule
@@ -3252,7 +3290,14 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
    }
-    return 1;
+    $generated = 1;
  EXIT:
    {
      %nat_columns = %save_nat_columns;
    }
    return $generated;
 }
@@ -3405,6 +3450,37 @@ sub perl_action_helper($$;$$) {
 				 merge_target( $ref, $target ),
 				 '',                              # CurrentParam
 				 @columns );
    } else {
 	if ( ( $targets{$target} || 0 ) & NATRULE ) {
 	    $result = process_rule( $chainref,
 				    $matches,
 				    $matches1,
 				    merge_target( $actions{$action}, $target ),
 				    '',                               # Current Param
 				    '-',                              # Source
 				    merge_action_column(              # Dest
 					$columns[2],			      
 					$nat_columns{dest}
 				    ),
 				    merge_action_column(              #Proto
 					$columns[3],
 					$nat_columns{proto}
 				    ),
 				    merge_action_column(              #Ports
 					$columns[4],
 					$nat_columns{ports}),
 				    '-',                              # Source Port(s)
 				    '-',                              # Original Dest
 				    '-',                              # Rate Limit
 				    '-',                              # User
 				    '-',                              # Mark
 				    '-',                              # Connlimit
 				    '-',                              # Time
 				    '-',                              # Headers,
 				    '-',                              # condition,
 				    '-',                              # helper,
 				    0,                                # Wildcard
 		);
 	} else {
 	    $result = process_rule( $chainref,
 				    $matches,
@@ -3427,6 +3503,8 @@ sub perl_action_helper($$;$$) {
 				    '-',                              # helper,
 				    0,                                # Wildcard
 		);
 	}
 	allow_optimize( $chainref );
    }
    #
@@ -3493,6 +3571,7 @@ sub perl_action_tcp_helper($$) {
 				    '-',                              # helper,
 				    0,                                # Wildcard
 		                  );
 	    allow_optimize( $chainref );
 	}
 	#
@@ -4063,10 +4142,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		expand_rule( $chainref,
 			     $restriction,
 			     $prerule ,
 			     do_proto( $proto, $ports, $sports ) .
 			     $match .
 			     do_user( $user ) .
-			     do_test( $testval, $globals{TC_MASK} ) .
+			     do_test( $testval, $mask ) .
 			     do_test( $testval, $globals{TC_MASK} ) .
 			     do_length( $length ) .
 			     do_tos( $tos ) .
 			     do_connbytes( $connbytes ) .
@@ -4074,6 +4153,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 			     do_headers( $headers ) .
 			     do_probability( $probability ) .
 			     do_dscp( $dscp ) .
 			     do_time( $time ) .
 			     do_condition( $condition, $chainref->{name} ) .
 			     state_match( $state ) .
 			     $raw_matches ,
@@ -5286,7 +5366,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $interfaces = $1;
 	} elsif ( $dest =~ /^([^:]+):([^:]*)$/ ) {
 	    my ( $one, $two ) = ( $1, $2 );
-	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+	    if ( $2 =~ /\./ || $2 =~ /^[+%!]/ ) {
 		$interfaces = $one;
 		$destnets = $two;
 	    } else {
@@ -5642,16 +5722,24 @@ sub process_snat( )
 sub setup_snat( $ ) # Convert masq->snat if true
 {
    my $fn;
    my $have_masq;
-    convert_masq() if $_[0];
+    if ( $_[0] ) {
-
+	convert_masq();
-    if ( $fn = open_file( 'masq', 1, 1 ) ) {
+    } elsif ( $fn = open_file( 'masq', 1, 1 ) ) {
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
-	process_one_masq(0) while read_a_line( NORMAL_READ );
+	process_one_masq(0), $have_masq = 1 while read_a_line( NORMAL_READ );
-    } elsif ( $fn = open_file( 'snat', 1, 1 ) ) {
+    }
    unless ( $have_masq ) {
 	#
 	# Masq file empty or didn't exist
 	#
 	if ( $fn = open_file( 'snat', 1, 1 ) ) {
 	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
 	    process_snat while read_a_line( NORMAL_READ );
 	}
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1434,7 +1434,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 	    while ( @sportlist ) {
 		my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
-		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask $smask eq 0x$sport \\)";
+		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask 0x$smask eq 0x$sport \\)";
 		$rule .= ' or' if @sportlist;
 	    }
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -701,6 +701,40 @@ sub haveipseczones() {
    0;
 }
 #
 # Returns 1 if the two interfaces passed are related
 #
 sub interface_match( $$ ) {
    my ( $piface, $ciface ) = @_;
    return 1 if $piface eq $ciface;
    my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface};
    return 1 if $piface eq $cifaceref->{bridge};
    return 1 if $ciface eq $pifaceref->{bridge};
    if ( $minroot ) {
 	if ( $piface =~ /\+$/ ) {
 	    my $root    = $pifaceref->{root};
 	    my $rlength = length( $root );
 	    while ( length( $ciface ) >= $rlength ) {
 		return 1 if $ciface eq $root;
 		chop $ciface;
 	    }
 	} elsif ( $ciface =~ /\+$/ ) {
 	    my $root    = $cifaceref->{root};
 	    my $rlength = length( $root );
 	    while ( length( $piface ) >= $rlength ) {
 		return 1 if $piface eq $root;
 		chop $piface;
 	    }
 	}
    }
    0;
 }
 #
 # Report about zones.
 #
@@ -738,7 +772,7 @@ sub zone_report()
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
+				progress_message_nocompress "      $iref->{physical}:[$grouplist]";
 			    }
 			    $printed = 1;
 			}
@@ -747,6 +781,17 @@ sub zone_report()
 	    }
 	}
      PARENT:
 	for my $p ( @{$zoneref->{parents}} ) {
 	    for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) {
 		for my $ci ( keys( %{$zoneref->{interfaces}} ) ) {
 		    next PARENT if interface_match( $pi, $ci );
 		}
 	    }
 	    warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common";
 	}
 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
@@ -1575,9 +1620,7 @@ sub known_interface($)
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
-	while ( length $iface > $minroot ) {
+	while ( length $iface >= $minroot ) {
 	    chop $iface;
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
@@ -1599,6 +1642,8 @@ sub known_interface($)
 		                              };
 		return $interfaceref;
 	    }
 	    chop $iface;
 	}
    }
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -1,4 +1,4 @@
-#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -369,7 +369,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 delete_default_routes() # $1 = table number
 {
    $IP -$g_family route ls table $1 | grep -F default | grep -vF metric | while read route; do
-	qt $IP -$g_family route del $route
+	qt $IP -$g_family route del $route table $1
    done
 } 
@@ -421,7 +421,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 conditionally_flush_conntrack() {
    if [ -n "$g_purge" ]; then
-	if [ -n $(mywhich conntrack) ]; then
+	if [ -n "$(mywhich conntrack)" ]; then
            conntrack -F
 	else
            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
@@ -899,7 +899,7 @@ detect_dynamic_gateway() { # $1 = interface
 #
 # Detect the gateway through an interface
 #
-detect_gateway() # $1 = interface
+detect_gateway() # $1 = interface $2 = table number
 {
    local interface
    interface=$1
@@ -912,6 +912,8 @@ detect_gateway() # $1 = interface
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -78,11 +78,13 @@ reload_command() {
    detect_configuration
    define_firewall
    status=$?
    if [ -n "$SUBSYSLOCK" ]; then
 	[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
    fi
-    [ $status -eq 0 ] && progress_message3 "done."
+    if [ $status -eq 0 ]; then
 	[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
 	progress_message3 "done."
    else
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
    fi
 }
 ################################################################################
@@ -127,8 +129,10 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
 g_dockeringress=
 g_dockernetwork=
 g_forcereload=
 g_fallback=
 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
@@ -418,9 +422,12 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
 	    COMMAND=disable
 	    detect_configuration $1
-	    COMMAND=enable  disable_provider $1 Yes
+	    disable_provider $1 Yes
-	    COMMAND=disable enable_provider  $1 Yes
+	    COMMAND=enable
 	    detect_configuration $1
 	    enable_provider  $1 Yes
 	fi
 	mutex_off
 	status=0
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -205,8 +205,6 @@ MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
 MUTEX_TIMEOUT=60
@@ -249,6 +247,8 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -216,8 +216,6 @@ MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
 MUTEX_TIMEOUT=60
@@ -260,6 +258,8 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -213,8 +213,6 @@ MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
 MUTEX_TIMEOUT=60
@@ -257,6 +255,8 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -216,8 +216,6 @@ MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
 MUTEX_TIMEOUT=60
@@ -260,6 +258,8 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -25,6 +25,7 @@ Broadcast    noinline,audit	# Handles Broadcast/Anycast
 DNSAmp				# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
 dropBcasts    inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
 dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
@@ -32,6 +33,7 @@ DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
 FIN	     inline,audit	# Handles ACK,FIN,PSH packets
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
--- a/Shorewall/configfiles/disabled
+++ b/Shorewall/configfiles/disabled
@@ -0,0 +1,12 @@
 #
 # Shorewall -- /etc/shorewall/disabled
 #
 # Add commands below that you want executed when an optional
 # interface is successfully disabled using the 'disable' command
 #
 # When the commands are invoked:
 #
 #  $1 contains the physical name of the interface
 #  $2 contains the logical name of the interface
 #  $3 contains the name of the provider associated with the interface,
      if any
--- a/Shorewall/configfiles/enabled
+++ b/Shorewall/configfiles/enabled
@@ -0,0 +1,12 @@
 #
 # Shorewall -- /etc/shorewall/enabled
 #
 # Add commands below that you want executed when an optional
 # interface is successfully enabled using the 'enable' command
 #
 # When the commands are invoked:
 #
 #  $1 contains the physical name of the interface
 #  $2 contains the logical name of the interface
 #  $3 contains the name of the provider associated with the interface,
      if any
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -205,8 +205,6 @@ MARK_IN_FORWARD_CHAIN=No
 MINIUPNPD=No
 MODULE_SUFFIX=ko
 MULTICAST=No
 MUTEX_TIMEOUT=60
@@ -249,6 +247,8 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -493,7 +493,10 @@ fi
 # Install the config file
 #
 run_install $OWNERSHIP -m 0644 $PRODUCT.conf            ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
-run_install $OWNERSHIP -m 0644 $PRODUCT.conf.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+
 if [ $PRODUCT = shorewall ]; then
    run_install $OWNERSHIP -m 0644 shorewall.conf.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
 fi
 if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
    run_install $OWNERSHIP -m 0600 ${PRODUCT}.conf${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
@@ -613,8 +616,14 @@ run_install $OWNERSHIP -m 0644 params.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/c
 if [ -f ${DESTDIR}${CONFDIR}/$PRODUCT/params ]; then
    chmod 0644 ${DESTDIR}${CONFDIR}/$PRODUCT/params
 else
    case "$SPARSE" in
 	[Vv]ery)
 	;;
 	*)
 	    run_install $OWNERSHIP -m 0600 params${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/params
 	    echo "Parameter file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/params"
 	    ;;
    esac
 fi
 if [ $PRODUCT = shorewall ]; then
@@ -690,10 +699,16 @@ fi
 run_install $OWNERSHIP -m 0644 conntrack           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 run_install $OWNERSHIP -m 0644 conntrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 case "$SPARSE" in
    [Vv]ery)
    ;;
    *)
 	if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
 	    run_install $OWNERSHIP -m 0600 conntrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack
 	    echo "Conntrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack"
 	fi
 	;;
 esac
 #
 # Install the Mangle file
@@ -1147,6 +1162,7 @@ if [ -n "$MANDIR" ]; then
 cd manpages
 if [ $PRODUCT = shorewall ]; then
    [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
    for f in *.5; do
@@ -1154,6 +1170,31 @@ for f in *.5; do
 	run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done
 fi
 if [ $PRODUCT = shorewall6 ]; then
    make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
    rm -f ${DESTDIR}${MANDIR}/man5/shorewall6*
    for f in \
 	shorewall-accounting.5  shorewall-ipsets.5   shorewall-providers.5     shorewall-tcclasses.5     \
 	shorewall-actions.5     shorewall-maclist.5                            shorewall-tcdevices.5     \
 	                        shorewall-mangle.5   shorewall-proxyndp.5      shorewall-tcfilters.5     \
 	shorewall-blacklist.5   shorewall-masq.5     shorewall-routes.5        shorewall-tcinterfaces.5  \
 	shorewall-blrules.5     shorewall-modules.5  shorewall-routestopped.5  shorewall-tcpri.5         \
 	shorewall-conntrack.5   shorewall-nat.5      shorewall-rtrules.5       shorewall-tcrules.5       \
                                shorewall-nesting.5  shorewall-rules.5         shorewall-tos.5           \
 	shorewall-exclusion.5   shorewall-netmap.5   shorewall-secmarks.5      shorewall-tunnels.5       \
 	shorewall-hosts.5       shorewall-params.5   shorewall-snat.5          shorewall-vardir.5        \
 	shorewall-interfaces.5  shorewall-policy.5   shorewall-stoppedrules.5  shorewall-zones.5
    do
 	f6=shorewall6-${f#*-}
 	echo ".so man5/$f" > ${DESTDIR}${MANDIR}/man5/$f6
    done
    echo ".so man5/shorewall.conf.5" > ${DESTDIR}${MANDIR}/man5/shorewall6.conf.5
 fi
 [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -1556,10 +1556,10 @@ remote_reload_command() # $* = original arguments less the command.
 	progress_message "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
-	    if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
+	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
 	    fi
-	elif ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
+	elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
 	    fatal_error "Capturing capabilities on system $system failed"
 	fi
    fi
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/accounting</command>
+      <command>/etc/shorewall[6]/accounting</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -783,6 +783,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/accounting</para>
    <para>/etc/shorewall6/accounting</para>
  </refsect1>
  <refsect1>
@@ -798,14 +800,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
+    <para>shorewall(8)</para>
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/actions</command>
+      <command>/etc/shorewall[6]/actions</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -148,8 +148,8 @@
              <listitem>
                <para>Added in Shorewall 5.0.7. Specifies that this action is
                to be used in <ulink
-                url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
+                url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
-                than <ulink
+                rather than <ulink
                url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
              </listitem>
            </varlistentry>
@@ -160,11 +160,11 @@
              <listitem>
                <para>Added in Shorewall 5.0.13. Specifies that this action is
                to be used in <ulink
-                url="/manpages/shorewall-snat.html">shorewall-snat(5)</ulink> rather
+                url="/manpages/shorewall-snat.html">shorewall-snat(5)</ulink>
-                than <ulink
+                rather than <ulink
-                url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>. The
+                url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.
-                <option>mangle</option> and <option>nat</option> options are
+                The <option>mangle</option> and <option>nat</option> options
-                mutually exclusive.</para>
+                are mutually exclusive.</para>
              </listitem>
            </varlistentry>
@@ -239,6 +239,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/actions</para>
    <para>/etc/shorewall6/actions</para>
  </refsect1>
  <refsect1>
@@ -247,14 +249,6 @@
    <para><ulink
    url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
+    <para>shorewall(8)</para>
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-arprules.xml
+++ b/Shorewall/manpages/shorewall-arprules.xml
@@ -25,6 +25,8 @@
  <refsect1>
    <title>Description</title>
    <para>IPv4 only.</para>
    <para>This file was added in Shorewall 4.5.12 and is used to describe
    low-level rules managed by arptables (8). These rules only affect Address
    Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and
@@ -377,4 +379,10 @@ SNAT:10.1.10.11        -                       eth1:10.1.10.0/24   1</programlis
    <para>/etc/shorewall/arprules</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
    <para>shorewall(8)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/blrules</command>
+      <command>/etc/shorewall[6]/blrules</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -27,12 +27,9 @@
    <para>This file is used to perform blacklisting and whitelisting.</para>
-    <para>Rules in this file are applied depending on the setting of
+    <para>Rules in this file are applied depending on the setting of BLACKLIST
-    BLACKLISTNEWONLY in <ulink
+    in <ulink
-    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If
+    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
    BLACKLISTNEWONLY=No, then they are applied regardless of the connection
    tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
    connections in the NEW and INVALID states.</para>
    <para>The format of rules in this file is the same as the format of rules
    in <ulink url="/manpages/shorewall-rules.html">shorewall-rules
@@ -118,10 +115,10 @@
            </varlistentry>
            <varlistentry>
-              <term>A_DROP and A_DROP!</term>
+              <term>A_DROP</term>
              <listitem>
-                <para>Audited versions of DROP. Requires AUDIT_TARGET support
+                <para>Audited version of DROP. Requires AUDIT_TARGET support
                in the kernel and ip6tables.</para>
              </listitem>
            </varlistentry>
@@ -276,11 +273,11 @@
  </refsect1>
  <refsect1>
-    <title>Example</title>
+    <title>Examples</title>
    <variablelist>
      <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
        <listitem>
          <para>Drop Teredo packets from the net.</para>
@@ -290,7 +287,28 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
        <listitem>
          <para>Don't subject packets from 2001:DB8::/64 to the remaining
          rules in the file.</para>
          <programlisting>WHITELIST     net:[2001:DB8::/64]        all</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 1:</term>
        <listitem>
          <para>Drop Teredo packets from the net.</para>
          <programlisting>DROP          net:[2001::/32]            all</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 2:</term>
        <listitem>
          <para>Don't subject packets from 2001:DB8::/64 to the remaining
@@ -306,6 +324,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/blrules</para>
    <para>/etc/shorewall6/blrules</para>
  </refsect1>
  <refsect1>
@@ -317,12 +337,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
    shorewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5),
    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/conntrack</command>
+      <command>/etc/shorewall[6]/conntrack</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -35,7 +35,7 @@
    <emphasis role="bold">conntrack</emphasis>.</para>
    <para>The file supports three different column layouts: FORMAT 1, FORMAT
-    2, and FORMAT 3, FORMAT 1 being the default. The three differ as
+    2, and FORMAT 3 with FORMAT 1 being the default. The three differ as
    follows:</para>
    <itemizedlist>
@@ -311,9 +311,9 @@
            <listitem>
              <para><option>ULOG</option></para>
-              <para>Added in Shoreawll 4.6.0. Queues the packet to a backend
+              <para>IPv4 only. Added in Shoreawll 4.6.0. Queues the packet to
-              logging daemon using the ULOG netfilter target with the
+              a backend logging daemon using the ULOG netfilter target with
-              specified <replaceable>ulog-parameters</replaceable>.</para>
+              the specified <replaceable>ulog-parameters</replaceable>.</para>
            </listitem>
          </itemizedlist>
@@ -689,31 +689,57 @@
  <refsect1>
    <title>EXAMPLE</title>
-    <para>Example 1:</para>
+    <para>IPv4 Example 1:</para>
    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
-    <para>Example 2 (Shorewall 4.5.10 or later):</para>
+    <para>IPv4 Example 2 (Shorewall 4.5.10 or later):</para>
    <para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
-    <programlisting>FORMAT 2
+    <programlisting>?FORMAT 2
 #ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
 DROP                          all-:1.2.3.4       -
 DROP                          all                1.2.3.4</programlisting>
-    <para>or<programlisting>FORMAT 3
+    <para>or<programlisting>?FORMAT 3
 #ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
 DROP:P                        1.2.3.4            -
 DROP:PO                       -                  1.2.3.4
 </programlisting></para>
    <para>IPv6 Example 1:</para>
    <para>Use the FTP helper for TCP port 21 connections from the firewall
    itself.</para>
    <programlisting>FORMAT 2
 #ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
    <para>IPv6 Example 2 (Shorewall 4.5.10 or later):</para>
    <para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
    <programlisting>FORMAT 2
 #ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
 DROP                          all-:2001:1.2.3::4 -
 DROP                          all                2001:1.2.3::4
 </programlisting>
    <para>or<programlisting>FORMAT 3
 #ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
 DROP:P                        2001:1.2.3::4      -
 DROP:PO                       -                  2001:1.2.3::4</programlisting></para>
  </refsect1>
  <refsect1>
    <title>FILES</title>
    <para>/etc/shorewall/conntrack</para>
    <para>/etc/shorewall6/conntrack</para>
  </refsect1>
  <refsect1>
@@ -722,14 +748,6 @@ DROP:PO                       -                  1.2.3.4
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-ecn.xml
+++ b/Shorewall/manpages/shorewall-ecn.xml
@@ -25,8 +25,12 @@
  <refsect1>
    <title>Description</title>
    <para>IPv4 only.</para>
    <para>Use this file to list the destinations for which you want to disable
-    ECN (Explicit Congestion Notification).</para>
+    ECN (Explicit Congestion Notification). Use of this file is deprecated in
    favor of ECN rules in <ulink
    url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(8).</para>
    <para>The columns in the file are as follows.</para>
@@ -65,14 +69,6 @@
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-exclusion.xml
+++ b/Shorewall/manpages/shorewall-exclusion.xml
@@ -49,9 +49,10 @@
    <para>Beginning in Shorewall 4.4.13, the second form of exclusion is
    allowed after <emphasis role="bold">all</emphasis> and <emphasis
-    role="bold">any</emphasis> in the SOURCE and DEST columns of
+    role="bold">any</emphasis> in the SOURCE and DEST columns of <ulink
-    /etc/shorewall/rules. It allows you to omit arbitrary zones from the list
+    url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5). It allows
-    generated by those key words.</para>
+    you to omit arbitrary zones from the list generated by those key
    words.</para>
    <warning>
      <para>If you omit a sub-zone and there is an explicit or explicit
@@ -117,7 +118,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
    <variablelist>
      <varlistentry>
-        <term>Example 1 - All IPv4 addresses except 192.168.3.4</term>
+        <term>IPv4 Example 1 - All IPv4 addresses except 192.168.3.4</term>
        <listitem>
          <para>!192.168.3.4</para>
@@ -125,8 +126,8 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
      </varlistentry>
      <varlistentry>
-        <term>Example 2 - All IPv4 addresses except the network 192.168.1.0/24
+        <term>IPv4 Example 2 - All IPv4 addresses except the network
-        and the host 10.2.3.4</term>
+        192.168.1.0/24 and the host 10.2.3.4</term>
        <listitem>
          <para>!192.168.1.0/24,10.1.3.4</para>
@@ -134,7 +135,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
      </varlistentry>
      <varlistentry>
-        <term>Example 3 - All IPv4 addresses except the range
+        <term>IPv4 Example 3 - All IPv4 addresses except the range
        192.168.1.3-192.168.1.12 and the network 10.0.0.0/8</term>
        <listitem>
@@ -143,8 +144,8 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
      </varlistentry>
      <varlistentry>
-        <term>Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3
+        <term>IPv4 Example 4 - The network 192.168.1.0/24 except hosts
-        and 192.168.1.9</term>
+        192.168.1.3 and 192.168.1.9</term>
        <listitem>
          <para>192.168.1.0/24!192.168.1.3,192.168.1.9</para>
@@ -176,14 +177,6 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-hosts.xml
+++ b/Shorewall/manpages/shorewall-hosts.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/hosts</command>
+      <command>/etc/shorewall[6]/hosts</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -270,6 +270,8 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
    <title>FILES</title>
    <para>/etc/shorewall/hosts</para>
    <para>/etc/shorewall6/hosts</para>
  </refsect1>
  <refsect1>
@@ -278,14 +280,6 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-init.xml
+++ b/Shorewall/manpages/shorewall-init.xml
@@ -165,14 +165,6 @@
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/interfaces</command>
+      <command>/etc/shorewall[6]/interfaces</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -104,9 +104,7 @@ loc     eth2            -</programlisting>
          <para>You may use wildcards here by specifying a prefix followed by
          the plus sign ("+"). For example, if you want to make an entry that
          applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
-          ppp1, ppp2, … Please note that the '+' means '<emphasis
+          ppp1, ppp2, …</para>
          role="bold">one</emphasis> or more additional characters' so 'ppp'
          does not match 'ppp+'.</para>
          <para>When using Shorewall versions before 4.1.4, care must be
          exercised when using wildcards where there is another zone that uses
@@ -199,11 +197,12 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
              <listitem>
-                <para>If specified, this interface will only respond to ARP
+                <para>IPv4 only. If specified, this interface will only
-                who-has requests for IP addresses configured on the interface.
+                respond to ARP who-has requests for IP addresses configured on
-                If not specified, the interface can respond to ARP who-has
+                the interface. If not specified, the interface can respond to
-                requests for IP addresses on any of the firewall's interface.
+                ARP who-has requests for IP addresses on any of the firewall's
-                The interface must be up when Shorewall is started.</para>
+                interface. The interface must be up when Shorewall is
                started.</para>
                <para>Only those interfaces with the
                <option>arp_filter</option> option will have their setting
@@ -225,8 +224,8 @@ loc     eth2            -</programlisting>
              role="bold">arp_ignore</emphasis>[=<emphasis>number</emphasis>]</term>
              <listitem>
-                <para>If specified, this interface will respond to arp
+                <para>IPv4 only. If specified, this interface will respond to
-                requests based on the value of <emphasis>number</emphasis>
+                arp requests based on the value of <emphasis>number</emphasis>
                (defaults to 1).</para>
                <para>1 - reply only if the target IP address is local address
@@ -411,8 +410,8 @@ loc     eth2            -</programlisting>
                  <listitem>
                    <para>the interface is a <ulink
-                    url="/SimpleBridge.html">simple bridge</ulink> with a
+                    url="/SimpleBridge.html">simple bridge</ulink> with a DHCP
-                    DHCP server on one port and DHCP clients on another
+                    server on one port and DHCP clients on another
                    port.</para>
                    <note>
@@ -467,15 +466,15 @@ loc     eth2            -</programlisting>
              role="bold">logmartians[={0|1}]</emphasis></term>
              <listitem>
-                <para>Turn on kernel martian logging (logging of packets with
+                <para>IPv4 only. Turn on kernel martian logging (logging of
-                impossible source addresses. It is strongly suggested that if
+                packets with impossible source addresses. It is strongly
-                you set <emphasis role="bold">routefilter</emphasis> on an
+                suggested that if you set <emphasis
-                interface that you also set <emphasis
+                role="bold">routefilter</emphasis> on an interface that you
-                role="bold">logmartians</emphasis>. Even if you do not specify
+                also set <emphasis role="bold">logmartians</emphasis>. Even if
-                the <option>routefilter</option> option, it is a good idea to
+                you do not specify the <option>routefilter</option> option, it
-                specify <option>logmartians</option> because your distribution
+                is a good idea to specify <option>logmartians</option> because
-                may have enabled route filtering without you knowing
+                your distribution may have enabled route filtering without you
-                it.</para>
+                knowing it.</para>
                <para>Only those interfaces with the
                <option>logmartians</option> option will have their setting
@@ -576,8 +575,8 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">nosmurfs</emphasis></term>
              <listitem>
-                <para>Filter packets for smurfs (packets with a broadcast
+                <para>IPv4 only. Filter packets for smurfs (packets with a
-                address as the source).</para>
+                broadcast address as the source).</para>
                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
@@ -596,9 +595,9 @@ loc     eth2            -</programlisting>
                <itemizedlist>
                  <listitem>
                    <para>a <filename
-                    class="directory">/proc/sys/net/ipv4/conf/</filename>
+                    class="directory">/proc/sys/net/ipv[46]/conf/</filename>
                    entry for the interface cannot be modified (including for
-                    proxy ARP).</para>
+                    proxy ARP or proxy NDP).</para>
                  </listitem>
                  <listitem>
@@ -638,7 +637,7 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
              <listitem>
-                <para>Sets
+                <para>IPv4 only. Sets
                /proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
                Do NOT use this option if you are employing Proxy ARP through
                entries in <ulink
@@ -659,6 +658,24 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>
              <listitem>
                <para>IPv6 only. Sets
                /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
                <para><emphasis role="bold">Note</emphasis>: This option does
                not work with a wild-card <replaceable>interface</replaceable>
                name (e.g., eth0.+) in the INTERFACE column.</para>
                <para>Only those interfaces with the <option>proxyndp</option>
                option will have their setting changed; the value assigned to
                the setting will be the value specified (if any) or 1 if no
                value is given.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">required</emphasis></term>
@@ -700,8 +717,8 @@ loc     eth2            -</programlisting>
              role="bold">routefilter[={0|1|2}]</emphasis></term>
              <listitem>
-                <para>Turn on kernel route filtering for this interface
+                <para>IPv4 only. Turn on kernel route filtering for this
-                (anti-spoofing measure).</para>
+                interface (anti-spoofing measure).</para>
                <para>Only those interfaces with the
                <option>routefilter</option> option will have their setting
@@ -886,10 +903,13 @@ loc     eth2            -</programlisting>
                      role="bold">routefilter</emphasis></member>
                      <member><emphasis
-                      role="bold">sourceroute</emphasis></member>
+                      role="bold">proxyarp</emphasis></member>
                      <member><emphasis
-                      role="bold">proxyndp</emphasis></member>
+                      role="bold">proxyudp</emphasis></member>
                      <member><emphasis
                      role="bold">sourceroute</emphasis></member>
                    </simplelist>
                  </listitem>
                </itemizedlist>
@@ -902,7 +922,9 @@ loc     eth2            -</programlisting>
              <listitem>
                <para>Incoming requests from this interface may be remapped
                via UPNP (upnpd). See <ulink
-                url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
+                url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.
                Supported in IPv4 and in IPv6 in Shorewall 5.1.4 and
                later.</para>
              </listitem>
            </varlistentry>
@@ -916,7 +938,8 @@ loc     eth2            -</programlisting>
                causes Shorewall to detect the default gateway through the
                interface and to accept UDP packets from that gateway. Note
                that, like all aspects of UPnP, this is a security hole so use
-                this option at your own risk.</para>
+                this option at your own risk. Supported in IPv4 and in IPv6 in
                Shorewall 5.1.4 and later.</para>
              </listitem>
            </varlistentry>
@@ -943,7 +966,7 @@ loc     eth2            -</programlisting>
    <variablelist>
      <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
        <listitem>
          <para>Suppose you have eth0 connected to a DSL modem and eth1
@@ -956,7 +979,7 @@ loc     eth2            -</programlisting>
          <para>Your entries for this setup would look like:</para>
-          <programlisting>FORMAT 1
+          <programlisting>?FORMAT 1
 #ZONE   INTERFACE BROADCAST        OPTIONS
 net     eth0      206.191.149.223  dhcp
 loc     eth1      192.168.1.255
@@ -971,7 +994,7 @@ dmz     eth2      192.168.2.255</programlisting>
          <para>The same configuration without specifying broadcast addresses
          is:</para>
-          <programlisting>FORMAT 2
+          <programlisting>?FORMAT 2
 #ZONE   INTERFACE OPTIONS
 net     eth0      dhcp
 loc     eth1      
@@ -986,7 +1009,7 @@ dmz     eth2</programlisting>
          <para>You have a simple dial-in system with no Ethernet
          connections.</para>
-          <programlisting>FORMAT 2
+          <programlisting>?FORMAT 2
 #ZONE   INTERFACE OPTIONS
 net     ppp0      -</programlisting>
        </listitem>
@@ -999,7 +1022,7 @@ net     ppp0      -</programlisting>
          <para>You have a bridge with no IP address and you want to allow
          traffic through the bridge.</para>
-          <programlisting>FORMAT 2
+          <programlisting>?FORMAT 2
 #ZONE   INTERFACE OPTIONS
 -       br0       bridge</programlisting>
        </listitem>
@@ -1011,6 +1034,8 @@ net     ppp0      -</programlisting>
    <title>FILES</title>
    <para>/etc/shorewall/interfaces</para>
    <para>/etc/shorewall6/interfaces</para>
  </refsect1>
  <refsect1>
@@ -1019,13 +1044,6 @@ net     ppp0      -</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-ipsets.xml
+++ b/Shorewall/manpages/shorewall-ipsets.xml
@@ -251,34 +251,44 @@
    <para>/etc/shorewall/accounting</para>
    <para>/etc/shorewall6/accounting</para>
    <para>/etc/shorewall/blrules</para>
    <para>/etc/shorewall6/blrules</para>
    <para>/etc/shorewall/hosts -- <emphasis role="bold">Note:</emphasis>
    Multiple matches enclosed in +[...] may not be used in this file.</para>
    <para>/etc/shorewall6/hosts -- <emphasis role="bold">Note:</emphasis>
    Multiple matches enclosed in +[...] may not be used in this file.</para>
    <para>/etc/shorewall/maclist -- <emphasis role="bold">Note:</emphasis>
    Multiple matches enclosed in +[...] may not be used in this file.</para>
-    <para>/etc/shorewall/masq</para>
+    <para>/etc/shorewall6/maclist -- <emphasis role="bold">Note:</emphasis>
    Multiple matches enclosed in +[...] may not be used in this file.</para>
    <para>/etc/shorewall/rules</para>
    <para>/etc/shorewall6/rules</para>
    <para>/etc/shorewall/secmarks</para>
    <para>/etc/shorewall6/secmarks</para>
    <para>/etc/shorewall/mangle</para>
    <para>/etc/shorewall6/mangle</para>
    <para>/etc/shorewall/snat</para>
    <para>/etc/shorewall6/snat</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-maclist.xml
+++ b/Shorewall/manpages/shorewall-maclist.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/maclist</command>
+      <command>/etc/shorewall[6]/maclist</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -97,6 +97,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/maclist</para>
    <para>/etc/shorewall6/maclist</para>
  </refsect1>
  <refsect1>
@@ -108,14 +110,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -18,31 +18,17 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/mangle</command>
+      <command>/etc/shorewall[6]/mangle</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
-    <para>This file was introduced in Shorewall 4.6.0 and is intended to
+    <para>This file was introduced in Shorewall 4.6.0 and replaces <ulink
    replace <ulink
    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
    file is only processed by the compiler if:</para>
    <orderedlist numeration="loweralpha">
      <listitem>
        <para>No file named 'tcrules' exists on the current CONFIG_PATH (see
        <ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>);
        or</para>
      </listitem>
      <listitem>
        <para>The first file named 'tcrules' found on the CONFIG_PATH contains
        no non-commentary entries.</para>
      </listitem>
    </orderedlist>
    <para>Entries in this file cause packets to be marked as a means of
    classifying them for traffic control or policy routing.</para>
@@ -117,9 +103,7 @@
          SOURCE is $FW, the generated rule is always placed in the OUTPUT
          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
          Additionally, a <replaceable>chain-designator</replaceable> may not
-          be specified in an action body unless the action is declared as
+          be specified in an action body.</para>
          <option>inline</option> in <ulink
          url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -365,8 +349,9 @@ DIVERTHA        -               -               tcp</programlisting>
              <listitem>
                <para>Added in Shorewall 5.0.6 as an alternative to entries in
-                <ulink url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
+                <ulink
-                PROTO is specified, it must be 'tcp' (6). If no PROTO is
+                url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>.
                If a PROTO is specified, it must be 'tcp' (6). If no PROTO is
                supplied, TCP is assumed. This action causes all ECN bits in
                the TCP header to be cleared.</para>
              </listitem>
@@ -915,7 +900,8 @@ Normal-Service       =&gt; 0x00</programlisting>
                Matches packets leaving the firewall through the named
                interface. May not be used in the PREROUTING chain (:P in the
                mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
-                in <ulink url="/manpages/shorewall.conf">shorewall.conf</ulink>
+                in <ulink
                url="/manpages/shorewall.conf">shorewall.conf</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>
@@ -1543,7 +1529,7 @@ Normal-Service       =&gt; 0x00</programlisting>
    <variablelist>
      <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
        <listitem>
          <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
@@ -1572,7 +1558,7 @@ Normal-Service       =&gt; 0x00</programlisting>
      </varlistentry>
      <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
        <listitem>
          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -1584,12 +1570,41 @@ Normal-Service       =&gt; 0x00</programlisting>
       #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
       CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW
-/etc/shorewall/masq:
+/etc/shorewall/snat:
-       #INTERFACE SOURCE         ADDRESS     ...
+       #ACTION          SOURCE              DEST     ...
-       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
+       SNAT(1.1.1.1)    eth0:192.168.1.0/24 - { mark=1:C }
-       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
+       SNAT(1.1.1.3)    eth0:192.168.1.0/24 - { mark=2:C }
-       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
+       SNAT(1.1.1.4)    eth0:192.168.1.0/24 - { mark=3:C }</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 1:</term>
        <listitem>
          <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
          to peer traffic with packet mark 4.</para>
          <para>This is a little more complex than otherwise expected. Since
          the ipp2p module is unable to determine all packets in a connection
          are P2P packets, we mark the entire connection as P2P if any of the
          packets are determined to match.</para>
          <para>We assume packet/connection mark 0 means unclassified.</para>
          <programlisting>       #ACTION    SOURCE    DEST         PROTO   DPORT         SPORT   USER    TEST
       MARK(1):T  ::/0      ::/0         icmp    echo-request
       MARK(1):T  ::/0      ::/0         icmp    echo-reply
       RESTORE:T  ::/0      ::/0         all     -             -       -       0
       CONTINUE:T ::/0      ::/0         all     -             -       -       !0
       MARK(4):T  ::/0      ::/0         ipp2p:all
       SAVE:T     ::/0      ::/0         all     -             -       -       !0</programlisting>
          <para>If a packet hasn't been classified (packet mark is 0), copy
          the connection mark to the packet mark. If the packet mark is set,
          we're done. If the packet is P2P, set the packet mark to 4. If the
          packet mark has been set, save it to the connection mark.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -1599,6 +1614,8 @@ Normal-Service       =&gt; 0x00</programlisting>
    <title>FILES</title>
    <para>/etc/shorewall/mangle</para>
    <para>/etc/shorewall6/mangle</para>
  </refsect1>
  <refsect1>
@@ -1616,14 +1633,6 @@ Normal-Service       =&gt; 0x00</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/masq</command>
+      <command>/etc/shorewall[6]/masq</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -579,7 +579,7 @@
    <variablelist>
      <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
        <listitem>
          <para>You have a simple masquerading setup where eth0 connects to a
@@ -594,7 +594,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
        <listitem>
          <para>You add a router to your local network to connect subnet
@@ -607,7 +607,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 3:</term>
+        <term>IPv4 Example 3:</term>
        <listitem>
          <para>You have an IPSEC tunnel through ipsec0 and you want to
@@ -620,7 +620,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 4:</term>
+        <term>IPv4 Example 4:</term>
        <listitem>
          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
@@ -634,7 +634,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 5:</term>
+        <term>IPv4 Example 5:</term>
        <listitem>
          <para>You want all outgoing SMTP traffic entering the firewall from
@@ -654,7 +654,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 6:</term>
+        <term>IPv4 Example 6:</term>
        <listitem>
          <para>Connections leaving on eth0 and destined to any host defined
@@ -667,7 +667,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 7:</term>
+        <term>IPv4 Example 7:</term>
        <listitem>
          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -689,7 +689,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 8:</term>
+        <term>IPv4 Example 8:</term>
        <listitem>
          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
@@ -716,6 +716,49 @@
 </programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 1:</term>
        <listitem>
          <para>You have a simple 'masquerading' setup where eth0 connects to
          a DSL or cable modem and eth1 connects to your local network with
          subnet 2001:470:b:787::0/64</para>
          <para>Your entry in the file will be:</para>
          <programlisting>        #INTERFACE   SOURCE                  ADDRESS
        eth0         2001:470:b:787::0/64    -</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 2:</term>
        <listitem>
          <para>Your sit1 interface has two public IP addresses:
          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
          iptables statistics match to masquerade outgoing connections evenly
          between these two addresses.</para>
          <programlisting>/etc/shorewall/masq:
       #INTERFACE    SOURCE         ADDRESS 
       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
       sit1          ::/0           2001:470:a:227::2 
 </programlisting>
          <para>If INLINE_MATCHES=Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
          then these rules may be specified as follows:</para>
          <programlisting>/etc/shorewall/masq:
       #INTERFACE    SOURCE         ADDRESS 
       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
       sit1          ::/0           2001:470:a:227::2</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@@ -723,6 +766,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/masq</para>
    <para>/etc/shorewall6/masq</para>
  </refsect1>
  <refsect1>
@@ -731,14 +776,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-modules.xml
+++ b/Shorewall/manpages/shorewall-modules.xml
@@ -18,11 +18,11 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/usr/share/shorewall/modules</command>
+      <command>/usr/share/shorewall[6]/modules</command>
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>/usr/share/shorewall/helpers</command>
+      <command>/usr/share/shorewall[6]/helpers</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -51,7 +51,7 @@
    <para>The <replaceable>modulename</replaceable> names a kernel module
    (without suffix). Shorewall will search for modules based on your
-    MODULESDIR and MODULE_SUFFIX settings in <ulink
+    MODULESDIR setting in <ulink
    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(8). The
    <replaceable>moduleoption</replaceable>s are passed to modprobe (if
    installed) or to insmod.</para>
@@ -82,19 +82,19 @@
    <para>/etc/shorewall/modules</para>
    <para>/etc/shorewall/helpers</para>
    <para>/usr/share/shorewall6/modules</para>
    <para>/usr/share/shorewall6/helpers</para>
    <para>/etc/shorewall6/modules</para>
    <para>/etc/shorewall6/helpers</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-nat.xml
+++ b/Shorewall/manpages/shorewall-nat.xml
@@ -34,6 +34,8 @@
      url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>. Also,
      in many cases, Proxy ARP (<ulink
      url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
      or Proxy-NDP(<ulink
      url="/manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp</ulink>(5))
      is a better solution that one-to-one NAT.</para>
    </warning>
@@ -208,6 +210,8 @@ all		all		REJECT		info
    <title>FILES</title>
    <para>/etc/shorewall/nat</para>
    <para>/etc/shorewall6/nat</para>
  </refsect1>
  <refsect1>
@@ -219,14 +223,6 @@ all		all		REJECT		info
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-nesting.xml
+++ b/Shorewall/manpages/shorewall-nesting.xml
@@ -200,6 +200,16 @@
    <para>/etc/shorewall/policy</para>
    <para>/etc/shorewall/rules</para>
    <para>/etc/shorewall6/zones</para>
    <para>/etc/shorewall6/interfaces</para>
    <para>/etc/shorewall6/hosts</para>
    <para>/etc/shorewall6/policy</para>
    <para>/etc/shorewall6/rules</para>
  </refsect1>
  <refsect1>
--- a/Shorewall/manpages/shorewall-netmap.xml
+++ b/Shorewall/manpages/shorewall-netmap.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/netmap</command>
+      <command>/etc/shorewall[6]/netmap</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -44,8 +44,6 @@
        role="bold">SNAT}</emphasis></term>
        <listitem>
          <para>Must be DNAT or SNAT</para>
          <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
          its destination address rewritten to the corresponding address in
          NET2.</para>
@@ -169,6 +167,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/netmap</para>
    <para>/etc/shorewall6/netmap</para>
  </refsect1>
  <refsect1>
@@ -180,14 +180,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-params.xml
+++ b/Shorewall/manpages/shorewall-params.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/params</command>
+      <command>/etc/shorewall[6]/params</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -107,7 +107,7 @@
    <programlisting>NET_IF=eth0
 NET_BCAST=130.252.100.255
-NET_OPTIONS=routefilter,norfc1918</programlisting>
+NET_OPTIONS=routefilter</programlisting>
    <para>Example <ulink
    url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
@@ -119,13 +119,15 @@ net     $NET_IF         $NET_BCAST      $NET_OPTIONS</programlisting>
    <para>This is the same as if the interfaces file had contained:</para>
    <programlisting>ZONE    INTERFACE       BROADCAST       OPTIONS
-net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
+net     eth0            130.252.100.255 routefilter</programlisting>
  </refsect1>
  <refsect1>
    <title>FILES</title>
    <para>/etc/shorewall/params</para>
    <para>/etc/shorewall6/params</para>
  </refsect1>
  <refsect1>
@@ -134,14 +136,6 @@ net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Variables">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/policy</command>
+      <command>/etc/shorewall[6]/policy</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -33,25 +33,30 @@
      <para>The order of entries in this file is important</para>
      <para>This file determines what to do with a new connection request if
-      we don't get a match from the /etc/shorewall/rules file . For each
+      we don't get a match from the <ulink
-      source/destination pair, the file is processed in order until a match is
+      url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink>(5) or
-      found ("all" will match any source or destination).</para>
+      <ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5)
      files. For each source/destination pair, the file is processed in order
      until a match is found ("all" will match any source or
      destination).</para>
    </important>
    <important>
      <para>Intra-zone policies are pre-defined</para>
-      <para>For $FW and for all of the zones defined in /etc/shorewall/zones,
+      <para>For $FW and for all of the zones defined in <ulink
-      the POLICY for connections from the zone to itself is ACCEPT (with no
+      url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), the
      POLICY for connections from the zone to itself is ACCEPT (with no
      logging or TCP connection rate limiting) but may be overridden by an
      entry in this file. The overriding entry must be explicit (specifying
      the zone name in both SOURCE and DEST) or it must use "all+" (Shorewall
      4.5.17 or later).</para>
-      <para>Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
+      <para>Similarly, if you have IMPLICIT_CONTINUE=Yes in <ulink
-      then the implicit policy to/from any sub-zone is CONTINUE. These
+      url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then the
-      implicit CONTINUE policies may also be overridden by an explicit entry
+      implicit policy to/from any sub-zone is CONTINUE. These implicit
-      in this file.</para>
+      CONTINUE policies may also be overridden by an explicit entry in this
      file.</para>
    </important>
    <para>The columns in the file are as follows (where the column name is
@@ -396,6 +401,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/policy</para>
    <para>/etc/shorewall6/policy</para>
  </refsect1>
  <refsect1>
@@ -404,14 +411,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -82,14 +82,11 @@
          url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
          file to direct packets to this provider.</para>
-          <para>If HIGH_ROUTE_MARKS=Yes in <ulink
+          <para>If PROVIDER_OFFSET is non-zero in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          the value must be a multiple of 256 between 256 and 65280 or their
+          the value must be a mutiple of 2^^PROVIDER_OFFSET. In all cases, the
-          hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
+          number of significant bits may not exceed PROVIDER_OFFSET +
-          of the value being zero). Otherwise, the value must be between 1 and
+          PROVIDER_BITS.</para>
          255. Each provider must be assigned a unique mark value. This column
          may be omitted if you don't use packet marking to direct connections
          to a particular provider.</para>
        </listitem>
      </varlistentry>
@@ -116,9 +113,9 @@
          listed in <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
          In general, that interface should not have the
-          <option>proxyarp</option> option specified unless
+          <option>proxyarp</option> or <option>proxyndp</option> option
-          <option>loose</option> is given in the OPTIONS column of this
+          specified unless <option>loose</option> is given in the OPTIONS
-          entry.</para>
+          column of this entry.</para>
          <para>Where more than one provider is serviced through a single
          interface, the <emphasis>interface</emphasis> must be followed by a
@@ -217,7 +214,14 @@
                BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
                unless the <option>fallback</option>, <option>loose</option>,
                <option>load</option> or <option>tproxy</option> option is
-                specified.</para>
+                specified.I</para>
                <caution>
                  <para>In IPV6, the <option>balance</option> option does not
                  cause balanced default routes to be created; it rather
                  causes a sequence of default routes with different metrics
                  to be created.</para>
                </caution>
              </listitem>
            </varlistentry>
@@ -340,6 +344,14 @@
                <para>Prior to Shorewall 4.4.24, the option is ignored with a
                warning message if USE_DEFAULT_RT=Yes in
                <filename>shorewall.conf</filename>.</para>
                <caution>
                  <para>In IPV6, specifying the <option>fallback</option>
                  option on multiple providers does not cause balanced
                  fallback routes to be created; it rather causes a sequence
                  of fallback routes with different metrics to be
                  created.</para>
                </caution>
              </listitem>
            </varlistentry>
@@ -426,6 +438,14 @@
                  <command>enable</command> and <command>reenable</command>
                  commands can reenable the provider.</para>
                </note>
                <important>
                  <para>RESTORE_DEFAULT_OPTION=Yes in shorewall[6].conf is not
                  recommended when the <option>persistent</option> option is
                  used, as restoring default routes to the main routing table
                  can prevent link status monitors such as foolsm from
                  correctly detecting non-working providers.</para>
                </important>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -461,7 +481,7 @@
    <variablelist>
      <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
        <listitem>
          <para>You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
@@ -473,7 +493,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
        <listitem>
          <para>eth0 connects to ISP 1. The IP address of eth0 is
@@ -491,6 +511,36 @@
        ISP2  2       2    main      eth1      130.252.99.254  track,balance      eth2</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 1:</term>
        <listitem>
          <para>You run squid in your DMZ on IP address 2002:ce7c:92b4:1::2.
          Your DMZ interface is eth2</para>
          <programlisting>        #NAME   NUMBER  MARK DUPLICATE  INTERFACE GATEWAY              OPTIONS
        Squid   1       1    -          eth2      2002:ce7c:92b4:1::2  -</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 2:</term>
        <listitem>
          <para>eth0 connects to ISP 1. The ISP's gateway router has IP
          address 2001:ce7c:92b4:1::2.</para>
          <para>eth1 connects to ISP 2. The ISP's gateway router has IP
          address 2001:d64c:83c9:12::8b.</para>
          <para>eth2 connects to a local network.</para>
          <programlisting>        #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY               OPTIONS    COPY
        ISP1  1       1    main      eth0     2001:ce7c:92b4:1::2   track      eth2
        ISP2  2       2    main      eth1     2001:d64c:83c9:12::8b track      eth2</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@@ -498,6 +548,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/providers</para>
    <para>/etc/shorewall6/providers</para>
  </refsect1>
  <refsect1>
@@ -509,14 +561,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-proxyarp.xml
+++ b/Shorewall/manpages/shorewall-proxyarp.xml
@@ -25,6 +25,8 @@
  <refsect1>
    <title>Description</title>
    <para>IPv4 only.</para>
    <para>This file is used to define Proxy ARP. There is one entry in this
    file for each IP address to be proxied.</para>
@@ -139,14 +141,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-proxyndp.xml
+++ b/Shorewall6/manpages/shorewall6-proxyndp.xml
--- a/Shorewall/manpages/shorewall-routes.xml
+++ b/Shorewall/manpages/shorewall-routes.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/routes</command>
+      <command>/etc/shorewall[6]/routes</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -109,6 +109,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/routes</para>
    <para>/etc/shorewall6/routes</para>
  </refsect1>
  <refsect1>
@@ -117,14 +119,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-rtrules.xml
+++ b/Shorewall/manpages/shorewall-rtrules.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/rtrules</command>
+      <command>/etc/shorewall[6]/rtrules</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -177,7 +177,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
        <listitem>
          <para>You use OpenVPN (routed setup /tunX) in combination with
@@ -199,6 +199,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/rtrules</para>
    <para>/etc/shorewall6/rtrules</para>
  </refsect1>
  <refsect1>
@@ -210,14 +212,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/rules</command>
+      <command>/etc/shorewall[6]/rules</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -54,7 +54,8 @@
        <listitem>
          <para>This section was added in Shorewall 4.4.23. Rules in this
          section are applied, regardless of the connection tracking state of
-          the packet.</para>
+          the packet and are applied before rules in the other
          sections.</para>
        </listitem>
      </varlistentry>
@@ -211,7 +212,8 @@
                role="bold">DNAT</emphasis>[<emphasis
                role="bold">-</emphasis>] or <emphasis
                role="bold">REDIRECT</emphasis>[<emphasis
-                role="bold">-</emphasis>] rules.</para>
+                role="bold">-</emphasis>] rules. Use with IPv6 requires
                Shorewall 4.5.14 or later.</para>
              </listitem>
            </varlistentry>
@@ -232,7 +234,7 @@
                <para>The name of an <emphasis>action</emphasis> declared in
                <ulink
                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
-                or in /usr/share/shorewall/actions.std.</para>
+                or in /usr/share/shorewall[6]/actions.std.</para>
              </listitem>
            </varlistentry>
@@ -286,7 +288,8 @@
              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT,
                ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support
-                in the kernel and iptables.</para>
+                in the kernel and iptables. A_ACCEPT+ with IPv6 requires
                Shorewall 4.5.14 or later.</para>
              </listitem>
            </varlistentry>
@@ -401,7 +404,8 @@
              <listitem>
                <para>Forward the request to another system (and optionally
-                another port).</para>
+                another port). Use with IPv6 requires Shorewall 4.5.14 or
                later.</para>
              </listitem>
            </varlistentry>
@@ -414,7 +418,8 @@
                <para>Like <emphasis role="bold">DNAT</emphasis> but only
                generates the <emphasis role="bold">DNAT</emphasis> iptables
                rule and not the companion <emphasis
-                role="bold">ACCEPT</emphasis> rule.</para>
+                role="bold">ACCEPT</emphasis> rule. Use with IPv6 requires
                Shorewall 4.5.14 or later.</para>
              </listitem>
            </varlistentry>
@@ -496,11 +501,11 @@
              [<replaceable>option</replaceable> ...])</term>
              <listitem>
-                <para>This action allows you to specify an iptables target
+                <para>IPv4 only. This action allows you to specify an iptables
-                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
+                target with options (e.g., 'IPTABLES(MARK --set-xmark
-                the <replaceable>iptables-target</replaceable> is not one
+                0x01/0xff)'. If the <replaceable>iptables-target</replaceable>
-                recognized by Shorewall, the following error message will be
+                is not one recognized by Shorewall, the following error
-                issued:</para>
+                message will be issued:</para>
                <programlisting>    ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>
@@ -521,6 +526,39 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">IP6TABLES</emphasis>({<replaceable>ip6tables-target</replaceable>
              [<replaceable>option</replaceable> ...])</term>
              <listitem>
                <para>IPv6 only. This action allows you to specify an
                ip6tables target with options (e.g., 'IPTABLES(MARK
                --set-xmark 0x01/0xff)'. If the
                <replaceable>ip6tables-target</replaceable> is not one
                recognized by Shorewall, the following error message will be
                issued:</para>
                <programlisting>    ERROR: Unknown target (<replaceable>ip6tables-target</replaceable>)</programlisting>
                <para>This error message may be eliminated by adding
                the<replaceable>
                ip6tables-</replaceable><replaceable>target</replaceable> as a
                builtin action in <ulink
                url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
                <important>
                  <para>If you specify REJECT as the
                  <replaceable>ip6tables-target</replaceable>, the target of
                  the rule will be the i6ptables REJECT target and not
                  Shorewall's builtin 'reject' chain which is used when REJECT
                  (see below) is specified as the
                  <replaceable>target</replaceable> in the ACTION
                  column.</para>
                </important>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">LOG:<replaceable>level</replaceable></emphasis></term>
@@ -673,7 +711,8 @@
                <para>Excludes the connection from any subsequent <emphasis
                role="bold">DNAT</emphasis>[-] or <emphasis
                role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
-                a rule to accept the traffic.</para>
+                a rule to accept the traffic. Use with IPv6 requires Shorewall
                4.5.14 or later.</para>
              </listitem>
            </varlistentry>
@@ -708,7 +747,7 @@
                <para>Beginning with Shorewall 5.0.8, the type of reject may
                be specified in the <replaceable>option</replaceable>
-                paramater. Valid <replaceable>option</replaceable> values
+                paramater. Valid IPv4 <replaceable>option</replaceable> values
                are:</para>
                <simplelist>
@@ -731,6 +770,28 @@
                  option may also be specified as
                  <option>tcp-reset</option>.</member>
                </simplelist>
                <para>Valid IPv6 <replaceable>option</replaceable> values
                are:</para>
                <simplelist>
                  <member><option>icmp6-no-route</option></member>
                  <member><option>no-route</option></member>
                  <member><option>i</option><option>cmp6-adm-prohibited</option></member>
                  <member><option>adm-prohibited</option></member>
                  <member><option>icmp6-addr-unreachable</option></member>
                  <member><option>addr-unreach</option></member>
                  <member><option>icmp6-port-unreachable</option></member>
                  <member><option>tcp-reset</option> (the PROTO column must
                  specify TCP)</member>
                </simplelist>
              </listitem>
            </varlistentry>
@@ -749,7 +810,8 @@
              <listitem>
                <para>Redirect the request to a server running on the
-                firewall.</para>
+                firewall. Use with IPv6 requires Shorewall 4.5.14 or
                later.</para>
              </listitem>
            </varlistentry>
@@ -762,7 +824,8 @@
                <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
                generates the <emphasis role="bold">REDIRECT</emphasis>
                iptables rule and not the companion <emphasis
-                role="bold">ACCEPT</emphasis> rule.</para>
+                role="bold">ACCEPT</emphasis> rule. Use with IPv6 requires
                Shorewall 4.5.14 or later.</para>
              </listitem>
            </varlistentry>
@@ -842,9 +905,9 @@
              role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
              <listitem>
-                <para>Added in Shorewall 4.5.10. Queues matching packets to a
+                <para>IPv4 only. Added in Shorewall 4.5.10. Queues matching
-                back end logging daemon via a netlink socket then continues to
+                packets to a back end logging daemon via a netlink socket then
-                the next rule. See <ulink
+                continues to the next rule. See <ulink
                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
                <para>Similar to<emphasis role="bold">
@@ -889,10 +952,10 @@
            </listitem>
          </itemizedlist>
-          <para>You may also specify <emphasis role="bold">ULOG</emphasis> or
+          <para>You may also specify <emphasis role="bold">ULOG</emphasis>
-          <emphasis role="bold">NFLOG</emphasis> (must be in upper case) as a
+          (IPv4 only) or <emphasis role="bold">NFLOG</emphasis> (must be in
-          log level.This will log to the ULOG or NFLOG target for routing to a
+          upper case) as a log level.This will log to the ULOG or NFLOG target
-          separate log through use of ulogd (<ulink
+          for routing to a separate log through use of ulogd (<ulink
          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
          <para>Actions specifying logging may be followed by a log tag (a
@@ -922,9 +985,9 @@
              <listitem>
                <para>The name of a zone defined in <ulink
-                url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). When
+                url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).
-                only the zone name is specified, the packet source may be any
+                When only the zone name is specified, the packet source may be
-                host in that zone.</para>
+                any host in that zone.</para>
                <para>zone may also be one of the following:</para>
@@ -991,9 +1054,10 @@
                <replaceable>zone</replaceable> in either <ulink
                url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
                or <ulink
-                url="/manpages/shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
+                url="/manpages/shorewall.hosts.html">shorewall-hosts</ulink>(5).
-                packets from hosts in the <replaceable>zone</replaceable> that
+                Only packets from hosts in the <replaceable>zone</replaceable>
-                arrive through the named interface will match the rule.</para>
+                that arrive through the named interface will match the
                rule.</para>
              </listitem>
            </varlistentry>
@@ -1208,6 +1272,49 @@
                of the net zone.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>dmz:[2002:ce7c:2b4:1::2]</term>
              <listitem>
                <para>Host 2002:ce7c:92b4:1::2 in the DMZ</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>net:2001:4d48:ad51:24::/64</term>
              <listitem>
                <para>Subnet 2001:4d48:ad51:24::/64 on the Internet</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]</term>
              <listitem>
                <para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
                local zone.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>loc:~00-A0-C9-15-39-78</term>
              <listitem>
                <para>Host in the local zone with MAC address
                00:A0:C9:15:39:78.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80</term>
              <listitem>
                <para>Subnet 2001:4d48:ad51:24::/64 on the Internet except for
                2001:4d48:ad51:24:6::/80.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@@ -1229,9 +1336,9 @@
              <listitem>
                <para>The name of a zone defined in <ulink
-                url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). When
+                url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).
-                only the zone name is specified, the packet destination may be
+                When only the zone name is specified, the packet destination
-                any host in that zone.</para>
+                may be any host in that zone.</para>
                <para>zone may also be one of the following:</para>
@@ -1298,9 +1405,9 @@
                <replaceable>zone</replaceable> in either <ulink
                url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
                or <ulink
-                url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5). Only
+                url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
-                packets to hosts in the <replaceable>zone</replaceable> that
+                Only packets to hosts in the <replaceable>zone</replaceable>
-                are sent through the named interface will match the
+                that are sent through the named interface will match the
                rule.</para>
              </listitem>
            </varlistentry>
@@ -2082,12 +2189,100 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">HEADERS</emphasis></term>
+        <term><emphasis role="bold">HEADERS -
        [!][any:|exactly:]</emphasis><replaceable>header-list
        </replaceable>(Optional - Added in Shorewall 4.4.15)</term>
        <listitem>
-          <para>Added in Shorewall 4.4.15. Not used in IPv4 configurations. If
+          <para>This column is only used in IPv6. In IPv4, supply "-" in this
-          you with to supply a value for one of the later columns, enter '-'
+          column if you with to place a value in one of the following
-          in this column.</para>
+          columns.</para>
          <para>The <replaceable>header-list</replaceable> consists of a
          comma-separated list of headers from the following list.</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">auth</emphasis>, <emphasis
              role="bold">ah</emphasis>, or <emphasis
              role="bold">51</emphasis></term>
              <listitem>
                <para><firstterm>Authentication Headers</firstterm> extension
                header.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">esp</emphasis>, or <emphasis
              role="bold">50</emphasis></term>
              <listitem>
                <para><firstterm>Encrypted Security Payload</firstterm>
                extension header.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">hop</emphasis>, <emphasis
              role="bold">hop-by-hop</emphasis> or <emphasis
              role="bold">0</emphasis></term>
              <listitem>
                <para>Hop-by-hop options extension header.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">route</emphasis>, <emphasis
              role="bold">ipv6-route</emphasis> or <emphasis
              role="bold">43</emphasis></term>
              <listitem>
                <para>IPv6 Route extension header.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">frag</emphasis>, <emphasis
              role="bold">ipv6-frag</emphasis> or <emphasis
              role="bold">44</emphasis></term>
              <listitem>
                <para>IPv6 fragmentation extension header.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">none</emphasis>, <emphasis
              role="bold">ipv6-nonxt</emphasis> or <emphasis
              role="bold">59</emphasis></term>
              <listitem>
                <para>No next header</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">proto</emphasis>, <emphasis
              role="bold">protocol</emphasis> or <emphasis
              role="bold">255</emphasis></term>
              <listitem>
                <para>Any protocol header.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>If <emphasis role="bold">any:</emphasis> is specified, the
          rule will match if any of the listed headers are present. If
          <emphasis role="bold">exactly:</emphasis> is specified, the will
          match packets that exactly include all specified headers. If neither
          is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
          <para>If <emphasis role="bold">!</emphasis> is entered, the rule
          will match those packets which would not be matched when <emphasis
          role="bold">!</emphasis> is omitted.</para>
        </listitem>
      </varlistentry>
@@ -2413,6 +2608,20 @@
        SECCTX             builtin</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 15:</term>
        <listitem>
          <para>You want to accept SSH connections to your firewall only from
          internet IP addresses 2002:ce7c::92b4:1::2 and
          2002:ce7c::92b4:1::22</para>
          <programlisting>        #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
        ACCEPT   net:&lt;2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22&gt; \
                        $FW              tcp     22</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@@ -2420,6 +2629,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/rules</para>
    <para>/etc/shorewall6/rules</para>
  </refsect1>
  <refsect1>
@@ -2434,14 +2645,6 @@
    <para><ulink
    url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-blrules(5), shorewall-hosts(5),
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-secmarks.xml
+++ b/Shorewall/manpages/shorewall-secmarks.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/secmarks</command>
+      <command>/etc/shorewall[6]/secmarks</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -404,6 +404,8 @@ RESTORE                               I:ER</programlisting>
    <title>FILES</title>
    <para>/etc/shorewall/secmarks</para>
    <para>/etc/shorewall6/secmarks</para>
  </refsect1>
  <refsect1>
@@ -415,14 +417,6 @@ RESTORE                               I:ER</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/snat</command>
+      <command>/etc/shorewall[6]/snat</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -86,7 +86,7 @@
                ADD_SNAT_ALIASES is set to Yes or yes in <ulink
                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                then Shorewall will automatically add this address to the
-                INTERFACE named in the first column.</para>
+                INTERFACE named in the first column (IPv4 only).</para>
                <para>You may also specify a range of up to 256 IP addresses
                if you want the SNAT address to be assigned from that range in
@@ -105,9 +105,7 @@
                role="bold">:random</emphasis>) with <emphasis
                role="bold">:persistent</emphasis>. This is only useful when
                an address range is specified and causes a client to be given
-                the same source/destination IP pair. This feature replaces the
+                the same source/destination IP pair.</para>
                SAME modifier which was removed from Shorewall in version
                4.4.0.</para>
                <para>You may also use the special value
                <option>detect</option> which causes Shorewall to determine
@@ -150,8 +148,8 @@
              <listitem>
                <para>where <replaceable>action</replaceable> is an action
                declared in <ulink
-                url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink> with
+                url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>
-                the <option>nat</option> option. See <ulink
+                with the <option>nat</option> option. See <ulink
                url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
                further information.</para>
              </listitem>
@@ -257,7 +255,8 @@
        <listitem>
          <para>If you wish to restrict this entry to a particular protocol
          then enter the protocol name (from protocols(5)) or number here. See
-          <ulink url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for
+          <ulink
          url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for
          details.</para>
          <para>Beginning with Shorewall 4.5.12, this column can accept a
@@ -599,7 +598,7 @@
    <variablelist>
      <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
        <listitem>
          <para>You have a simple masquerading setup where eth0 connects to a
@@ -614,7 +613,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
        <listitem>
          <para>You add a router to your local network to connect subnet
@@ -628,7 +627,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 3:</term>
+        <term>IPv4 Example 3:</term>
        <listitem>
          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
@@ -642,7 +641,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 4:</term>
+        <term>IPv4 Example 4:</term>
        <listitem>
          <para>You want all outgoing SMTP traffic entering the firewall from
@@ -666,7 +665,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 5:</term>
+        <term>IPv4 Example 5:</term>
        <listitem>
          <para>Connections leaving on eth0 and destined to any host defined
@@ -674,12 +673,12 @@
          address changed to 206.124.146.177.</para>
          <programlisting>        #ACTION                 SOURCE          DEST
-        SNAT(206.124.146.177)   -               eth0+myset[dst]</programlisting>
+        SNAT(206.124.146.177)   -               eth0:+myset[dst]</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term>Example 6:</term>
+        <term>IPv4 Example 6:</term>
        <listitem>
          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -701,19 +700,34 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 7:</term>
+        <term>IPv6 Example 1:</term>
        <listitem>
-          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
+          <para>You have a simple 'masquerading' setup where eth0 connects to
-          70.90.191.123. You want to use the iptables statistics match to
+          a DSL or cable modem and eth1 connects to your local network with
-          masquerade outgoing connections evenly between these two
+          subnet 2001:470:b:787::0/64</para>
-          addresses.</para>
+
          <para>Your entry in the file will be:</para>
          <programlisting>        #ACTION      SOURCE                  DEST
        MASQUERADE   2001:470:b:787::0/64    eth0</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 2:</term>
        <listitem>
          <para>Your sit1 interface has two public IP addresses:
          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
          iptables statistics match to masquerade outgoing connections evenly
          between these two addresses.</para>
          <programlisting>/etc/shorewall/snat:
       #ACTION                      SOURCE     DEST
-       SNAT(70.90.191.121)     -                eth1 { probability=.50 }
+       SNAT(2001:470:a:227::1)      ::/0       sit1              { probability=0.50 }
-       SNAT(70.90.191.123)     -                eth1</programlisting>
+       SNAT(2001:470:a:227::2)      ::/0       sit</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -723,6 +737,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/snat</para>
    <para>/etc/shorewall6/snat</para>
  </refsect1>
  <refsect1>
@@ -731,14 +747,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-stoppedrules.xml
+++ b/Shorewall/manpages/shorewall-stoppedrules.xml
@@ -19,7 +19,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/stoppedrules</command>
+      <command>/etc/shorewall[6]/stoppedrules</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -153,6 +153,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/stoppedrules</para>
    <para>/etc/shorewall6/stoppedrules</para>
  </refsect1>
  <refsect1>
@@ -164,14 +166,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/tcclasses</command>
+      <command>/etc/shorewall[6]/tcclasses</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -763,6 +763,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/tcclasses</para>
    <para>/etc/shorewall6/tcclasses</para>
  </refsect1>
  <refsect1>
@@ -778,14 +780,6 @@
    <para>tc-red(8)</para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcdevices.xml
+++ b/Shorewall/manpages/shorewall-tcdevices.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/tcdevices</command>
+      <command>/etc/shorewall[6]/tcdevices</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -276,6 +276,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/tcdevices</para>
    <para>/etc/shorewall6/tcdevices</para>
  </refsect1>
  <refsect1>
@@ -292,14 +294,6 @@
    <para><ulink
    url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/tcfilters</command>
+      <command>/etc/shorewall[6]/tcfilters</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -89,12 +89,12 @@
          Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
          may be used if your kernel and ip6tables have the <firstterm>Basic
          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          <ulink url="/manpages/shorewall.conf.html">shorewall.conf (5)</ulink>. The
+          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
-          ipset name may optionally be followed by a number or a comma
+          (5)</ulink>. The ipset name may optionally be followed by a number
-          separated list of src and/or dst enclosed in square brackets
+          or a comma separated list of src and/or dst enclosed in square
-          ([...]). See <ulink
+          brackets ([...]). See <ulink
-          url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
+          url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink>
-          details.</para>
+          for details.</para>
        </listitem>
      </varlistentry>
@@ -108,12 +108,12 @@
          Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
          may be used if your kernel and ip6tables have the <firstterm>Basic
          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          <ulink url="/manpages/shorewall.conf.html">shorewall.conf (5)</ulink>. The
+          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
-          ipset name may optionally be followed by a number or a comma
+          (5)</ulink>. The ipset name may optionally be followed by a number
-          separated list of src and/or dst enclosed in square brackets
+          or a comma separated list of src and/or dst enclosed in square
-          ([...]). See <ulink
+          brackets ([...]). See <ulink
-          url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
+          url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink>
-          details.</para>
+          for details.</para>
          <para>You may exclude certain hosts from the set already defined
          through use of an <emphasis>exclusion</emphasis> (see <ulink
@@ -288,7 +288,7 @@
    <variablelist>
      <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
        <listitem>
          <para>Place all 'ping' traffic on interface 1 in class 10. Note that
@@ -310,7 +310,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
        <listitem>
          <para>Add two filters with priority 10 (Shorewall 4.5.8 or
@@ -324,6 +324,22 @@
       1:10      0.0.0.0/0 0.0.0.0/0    icmp    echo-reply      10</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 1:</term>
        <listitem>
          <para>Add two filters with priority 10 (Shorewall 4.5.8 or
          later).</para>
          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DPORT           PRIORITY
       IPV6
       1:10      ::/0      ::/0         icmp    echo-request    10
       1:10      ::/0      ::/0         icmp    echo-reply      10</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@@ -331,6 +347,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/tcfilters</para>
    <para>/etc/shorewall6/tcfilters</para>
  </refsect1>
  <refsect1>
@@ -348,14 +366,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcinterfaces.xml
+++ b/Shorewall/manpages/shorewall-tcinterfaces.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/tcinterfaces</command>
+      <command>/etc/shorewall[6]/tcinterfaces</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -201,7 +201,9 @@
  <refsect1>
    <title>FILES</title>
-    <para>/etc/shorewall/tcinterfaces.</para>
+    <para>/etc/shorewall/tcinterfaces</para>
    <para>/etc/shorewall6/tcinterfaces</para>
  </refsect1>
  <refsect1>
@@ -213,14 +215,6 @@
    <para><ulink
    url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcpri(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcpri.xml
+++ b/Shorewall/manpages/shorewall-tcpri.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/tcpri</command>
+      <command>/etc/shorewall[6]/tcpri</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -148,6 +148,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/tcpri</para>
    <para>/etc/shorewall6/tcpri</para>
  </refsect1>
  <refsect1>
@@ -156,14 +158,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>prio(8), shorewall(8), shorewall-accounting(5),
+    <para>prio(8), shorewall(8)</para>
    shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tunnels.xml
+++ b/Shorewall/manpages/shorewall-tunnels.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/tunnels</command>
+      <command>/etc/shorewall[6]/tunnels</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -173,7 +173,7 @@
    <variablelist>
      <varlistentry>
-        <term>Example 1:</term>
+        <term>IPv4 Example 1:</term>
        <listitem>
          <para>IPSec tunnel.</para>
@@ -187,7 +187,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 2:</term>
+        <term>IPv4 Example 2:</term>
        <listitem>
          <para>Road Warrior (LapTop that may connect from anywhere) where the
@@ -199,7 +199,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 3:</term>
+        <term>IPv4 Example 3:</term>
        <listitem>
          <para>Host 4.33.99.124 is a standalone system connected via an ipsec
@@ -211,7 +211,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 4:</term>
+        <term>IPv4 Example 4:</term>
        <listitem>
          <para>Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The
@@ -225,7 +225,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 5:</term>
+        <term>IPv4 Example 5:</term>
        <listitem>
          <para>You run the Linux PPTP client on your firewall and connect to
@@ -237,7 +237,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 6:</term>
+        <term>IPv4 Example 6:</term>
        <listitem>
          <para>You run a PPTP server on your firewall.</para>
@@ -260,7 +260,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 8:</term>
+        <term>IPv4 Example 8:</term>
        <listitem>
          <para>You have a tunnel that is not one of the supported types. Your
@@ -273,7 +273,7 @@
      </varlistentry>
      <varlistentry>
-        <term>Example 9:</term>
+        <term>IPv4 Example 9:</term>
        <listitem>
          <para>TINC tunnel where the remote gateways are not specified. If
@@ -284,6 +284,83 @@
        tinc             net     0.0.0.0/0</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 1:</term>
        <listitem>
          <para>IPSec tunnel.</para>
          <para>The remote gateway is 2001:cec792b4:1::44. The tunnel does not
          use the AH protocol</para>
          <programlisting>        #TYPE           ZONE    GATEWAY
        ipsec:noah      net     2002:cec792b4:1::44</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 2:</term>
        <listitem>
          <para>Road Warrior (LapTop that may connect from anywhere) where the
          "gw" zone is used to represent the remote LapTop</para>
          <programlisting>        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
        ipsec           net     ::/0                    gw</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 3:</term>
        <listitem>
          <para>Host 2001:cec792b4:1::44 is a standalone system connected via
          an ipsec tunnel to the firewall system. The host is in zone
          gw.</para>
          <programlisting>        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
        ipsec           net     2001:cec792b4:1::44     gw</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 4:</term>
        <listitem>
          <para>OPENVPN tunnel. The remote gateway is 2001:cec792b4:1::44 and
          openvpn uses port 7777.</para>
          <programlisting>        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
        openvpn:7777    net     2001:cec792b4:1::44</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 8:</term>
        <listitem>
          <para>You have a tunnel that is not one of the supported types. Your
          tunnel uses UDP port 4444. The other end of the tunnel is
          2001:cec792b4:1::44.</para>
          <programlisting>        #TYPE            ZONE    GATEWAY                GATEWAY ZONES
        generic:udp:4444 net     2001:cec792b4:1::44</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>IPv6 Example 9:</term>
        <listitem>
          <para>TINC tunnel where the remote gateways are not specified. If
          you wish to specify a list of gateways, you can do so in the GATEWAY
          column.</para>
          <programlisting>        #TYPE            ZONE    GATEWAY          GATEWAY ZONES
        tinc             net     ::/0</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@@ -291,6 +368,8 @@
    <title>FILES</title>
    <para>/etc/shorewall/tunnels</para>
    <para>/etc/shorewall6/tunnels</para>
  </refsect1>
  <refsect1>
@@ -299,14 +378,6 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-vardir.xml
+++ b/Shorewall/manpages/shorewall-vardir.xml
@@ -18,7 +18,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/vardir</command>
+      <command>/etc/shorewall[6]/vardir</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -28,7 +28,8 @@
    <para>This file does not exist by default. You may create the file if you
    want to change the directory used by Shorewall to store state information,
    including compiled firewall scripts. By default, the directory used is
-    <filename>/var/lib/shorewall/</filename>.</para>
+    <filename>/var/lib/shorewall/</filename> for IPv4 and /var/lib/shorewall6/
    for IPv6</para>
    <para>The file contains a single variable assignment:</para>
@@ -50,19 +51,13 @@
    <title>FILES</title>
    <para>/etc/shorewall/vardir</para>
    <para>/etc/shorewall6/vardir</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-zones.xml
+++ b/Shorewall/manpages/shorewall-zones.xml
@@ -128,9 +128,9 @@
          <para>Example:</para>
          <programlisting>#ZONE     TYPE     OPTIONS         IN OPTIONS        OUT OPTIONS
-a         ipv4
+a         ip
-b         ipv4
+b         ip
-c:a,b     ipv4</programlisting>
+c:a,b     ip</programlisting>
          <para>Currently, Shorewall uses this information to reorder the zone
          list so that parent zones appear after their subzones in the list.
@@ -140,8 +140,8 @@ c:a,b     ipv4</programlisting>
          <para>Where an <emphasis role="bold">ipsec</emphasis> zone is
          explicitly included as a child of an <emphasis
-          role="bold">ipv4</emphasis> zone, the ruleset allows CONTINUE
+          role="bold">ip</emphasis> zone, the ruleset allows CONTINUE policies
-          policies (explicit or implicit) to work as expected.</para>
+          (explicit or implicit) to work as expected.</para>
          <para>In the future, Shorewall may make additional use of nesting
          information.</para>
@@ -154,7 +154,7 @@ c:a,b     ipv4</programlisting>
        <listitem>
          <variablelist>
            <varlistentry>
-              <term><emphasis role="bold">ipv4</emphasis></term>
+              <term><emphasis role="bold">ip</emphasis></term>
              <listitem>
                <para>This is the standard Shorewall zone type and is the
@@ -162,17 +162,22 @@ c:a,b     ipv4</programlisting>
                the column. Communication with some zone hosts may be
                encrypted. Encrypted hosts are designated using the 'ipsec'
                option in <ulink
-                url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).</para>
+                url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
                For clarity, this zone type may be specified as
                <option>ipv4</option> in IPv4 configurations and
                <option>ipv6</option> in IPv6 configurations.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">ipsec</emphasis> (or <emphasis
+              <term><emphasis role="bold">ipsec</emphasis></term>
              role="bold">ipsec4</emphasis>)</term>
              <listitem>
                <para>Communication with all zone hosts is encrypted. Your
-                kernel and iptables must include policy match support.</para>
+                kernel and iptables must include policy match support. For
                clarity, this zone type may be specified as
                <option>ipsec4</option> in IPv4 configurations and
                <option>ipsec6</option> in IPv6 configurations.</para>
              </listitem>
            </varlistentry>
@@ -190,12 +195,13 @@ c:a,b     ipv4</programlisting>
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">bport</emphasis> (or <emphasis
+              <term><emphasis role="bold">bport</emphasis></term>
              role="bold">bport4</emphasis>)</term>
              <listitem>
                <para>The zone is associated with one or more ports on a
-                single bridge.</para>
+                single bridge. For clarity, this zone type may be specified as
                <option>bport4</option> in IPv4 configurations and
                <option>bport6</option> in IPv6 configurations.</para>
              </listitem>
            </varlistentry>
@@ -424,6 +430,8 @@ c:a,b     ipv4</programlisting>
    <title>FILES</title>
    <para>/etc/shorewall/zones</para>
    <para>/etc/shorewall6/zones</para>
  </refsect1>
  <refsect1>
@@ -435,13 +443,6 @@ c:a,b     ipv4</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-nesting(8), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -20,15 +20,24 @@
    <cmdsynopsis>
      <command>/etc/shorewall/shorewall.conf</command>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>/etc/shorewall6/shorewall6.conf</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
-    <para>This file sets options that apply to Shorewall as a whole.</para>
+    <para>The IPv4 and IPv6 environments each have their own configuration.
    The IPv4 configuration resides in /etc/shorewall/ while the IPv6
    configuration resides in /etc/shorewall6/.</para>
-    <para>The file consists of Shell comments (lines beginning with '#'),
+    <para>The .conf files set options that apply to Shorewall and Shorewall6
-    blank lines and assignment statements
+    as a whole.</para>
    <para>The .conf files consist of Shell comments (lines beginning with
    '#'), blank lines and assignment statements
    (<emphasis>variable</emphasis>=<emphasis>value</emphasis>). If the
    <emphasis>value</emphasis> contains shell meta characters or white-space,
    then it must be enclosed in quotes. Example:
@@ -65,16 +74,13 @@
    level to choose, 6 (info) is a safe bet. You may specify levels by name or
    by number.</para>
-    <para>If you have built your kernel with ULOG and/or NFLOG target support,
+    <para>If you have built your kernel with ULOG (IPv4 only) and/or NFLOG
-    you may also specify a log level of ULOG and/or NFLOG (must be all caps).
+    target support, you may also specify a log level of ULOG and/or NFLOG
-    Rather than log its messages to syslogd, Shorewall will direct netfilter
+    (must be all caps). Rather than log its messages to syslogd, Shorewall
-    to log the messages via the ULOG or NFLOG target which will send them to a
+    will direct netfilter to log the messages via the ULOG or NFLOG target
-    process called 'ulogd'. ulogd is available with most Linux distributions
+    which will send them to a process called 'ulogd'. ulogd is available with
-    (although it probably isn't installed by default). Ulogd is also available
+    most Linux distributions (although it probably isn't installed by
-    from <ulink
+    default).</para>
    url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>
    and can be configured to log all Shorewall messages to their own log
    file.</para>
    <note>
      <para>If you want to specify parameters to ULOG or NFLOG (e.g.,
@@ -82,7 +88,7 @@
      <para>Example:</para>
-      <programlisting>MACLIST_LOG_LEVEL="NFLOG(1,0,1)"</programlisting>
+      <programlisting>LOG_LEVEL="NFLOG(1,0,1)"</programlisting>
    </note>
    <para>Beginning with Shorewall 5.0.0, the log level may be followed by a
@@ -265,8 +271,9 @@
        <listitem>
          <para>This parameter determines whether Shorewall automatically adds
          the external address(es) in <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5). If the
+          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5), and is
-          variable is set to <emphasis role="bold">Yes</emphasis> or <emphasis
+          only available in IPv4 configurations. If the variable is set to
          <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis> then Shorewall automatically adds these
          aliases. If it is set to <emphasis role="bold">No</emphasis> or
          <emphasis role="bold">no</emphasis>, you must add these aliases
@@ -293,13 +300,14 @@
        <listitem>
          <para>This parameter determines whether Shorewall automatically adds
          the SNAT ADDRESS in <ulink
-          url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5). If
+          url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5), and
-          the variable is set to <emphasis role="bold">Yes</emphasis> or
+          is only available in IPv4 configurations. If the variable is set to
-          <emphasis role="bold">yes</emphasis> then Shorewall automatically
+          <emphasis role="bold">Yes</emphasis> or <emphasis
-          adds these addresses. If it is set to <emphasis
+          role="bold">yes</emphasis> then Shorewall automatically adds these
-          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
+          addresses. If it is set to <emphasis role="bold">No</emphasis> or
-          you must add these addresses yourself using your distribution's
+          <emphasis role="bold">no</emphasis>, you must add these addresses
-          network configuration tools.</para>
+          yourself using your distribution's network configuration
          tools.</para>
          <para>If this variable is not set or is given an empty value
          (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.</para>
@@ -379,10 +387,10 @@
        role="bold">ARPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
        <listitem>
-          <para>Added in Shorewall 4.5.12. This parameter names the arptables
+          <para>Added in Shorewall 4.5.12 and available in IPv4 only. This
-          executable to be used by Shorewall. If not specified or if specified
+          parameter names the arptables executable to be used by Shorewall. If
-          as a null value, then the arptables executable located using the
+          not specified or if specified as a null value, then the arptables
-          PATH option is used.</para>
+          executable located using the PATH option is used.</para>
          <para>Regardless of how the arptables utility is located (specified
          via arptables= or located via PATH), Shorewall uses the
@@ -398,8 +406,9 @@
        <listitem>
          <para>Formerly named AUTO_COMMENT. If set, if there is not a current
          comment when a macro is invoked, the behavior is as if the first
-          line of the macro file was "COMMENT &lt;macro name&gt;". The
+          line of the macro file was "COMMENT &lt;macro name&gt;". If not
-          AUTO_COMMENT option has a default value of 'Yes'.</para>
+          specified, the AUTO_COMMENT option has a default value of
          'Yes'.</para>
        </listitem>
      </varlistentry>
@@ -465,7 +474,7 @@
          command, then the compilation step is skipped and the compiled
          script that executed the last <command>start</command>, <emphasis
          role="bold">reload</emphasis> or <command>restart</command> command
-          is used. The default is AUTOMAKE=No.</para>
+          is used. If not specified, the default is AUTOMAKE=No.</para>
          <para>The setting of the AUTOMAKE option is ignored if the
          <command>start</command>, <emphasis role="bold">reload</emphasis> or
@@ -483,8 +492,8 @@
          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
          determines whether the <option>balance</option> provider option (see
          <ulink
-          url="/manpages/shorewall-providers.html">shorewall-providers(5)</ulink>) is
+          url="/manpages/shorewall-providers.html">shorewall-providers(5)</ulink>)
-          the default. When BALANCE_PROVIDERS=Yes, then the
+          is the default. When BALANCE_PROVIDERS=Yes, then the
          <option>balance</option> option is assumed unless the
          <option>fallback</option>, <option>loose</option>,
          <option>load</option> or <option>tproxy</option> option is
@@ -500,8 +509,8 @@
        <listitem>
          <para>Added in Shorewall-4.6.0. When set to <emphasis
          role="bold">Yes</emphasis>, causes entries in <ulink
-          url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> to
+          url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>
-          generate a basic filter rather than a u32 filter. This setting
+          to generate a basic filter rather than a u32 filter. This setting
          requires the <firstterm>Basic Ematch</firstterm> capability in your
          kernel and iptables.</para>
@@ -624,6 +633,11 @@
          marking defined in <ulink
          url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
          If not specified, CLEAR_TC=Yes is assumed.</para>
          <warning>
            <para>When you specify TC_ENABLED=shared (see below), then you
            should also specify CLEAR_TC=No.</para>
          </warning>
        </listitem>
      </varlistentry>
@@ -662,17 +676,17 @@
        role="bold">CONFIG_PATH</emphasis>=[<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term>
        <listitem>
-          <para>Specifies where configuration files other than shorewall.conf
+          <para>Specifies where configuration files other than
-          may be found. CONFIG_PATH is specifies as a list of directory names
+          shorewall[6].conf may be found. CONFIG_PATH is specifies as a list
-          separated by colons (":"). When looking for a configuration
+          of directory names separated by colons (":"). When looking for a
-          file:</para>
+          configuration file:</para>
          <itemizedlist>
            <listitem>
              <para>If the command is "try" or a "&lt;configuration
              directory&gt;" was specified in the command (e.g.,
-              <command>shorewall check ./gateway</command>) then the directory
+              <command>shorewall [-6] check ./gateway</command>) then the
-              given in the command is searched first.</para>
+              directory given in the command is searched first.</para>
            </listitem>
            <listitem>
@@ -697,8 +711,8 @@
        <listitem>
          <para>Added in Shorewall 4.5.12. When set to 'Yes' (the default),
          DNS names are validated in the compiler and then passed on to the
-          generated script where they are resolved by iptables-restore. This
+          generated script where they are resolved by ip[6]tables-restore.
-          is an advantage if you use AUTOMAKE=Yes and the IP address
+          This is an advantage if you use AUTOMAKE=Yes and the IP address
          associated with the DNS name is subject to change. When
          DEFER_DNS_RESOLUTION=No, DNS names are converted into IP addresses
          by the compiler. This has the advantage that when AUTOMAKE=Yes, the
@@ -715,7 +729,7 @@
        <listitem>
          <para>If set to Yes (the default value), entries in the
-          /etc/shorewall/rtrules files cause an 'ip rule del' command to be
+          /etc/shorewall[6]/rtrules files cause an 'ip rule del' command to be
          generated in addition to an 'ip rule add' command. Setting this
          option to No, causes the 'ip rule del' command to be omitted.</para>
        </listitem>
@@ -726,6 +740,8 @@
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>IPv4 only.</para>
          <para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis>, Shorewall will detect the first IP
          address of the interface to the source zone and will include this
@@ -742,6 +758,8 @@
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>IPv4 only.</para>
          <para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis>, IPv6 traffic to, from and through the
          firewall system is disabled. If set to <emphasis
@@ -761,7 +779,8 @@
            </listitem>
            <listitem>
-              <para>Change DISABLE_IPV6=Yes to DISABLE_IPV6=No</para>
+              <para>Change DISABLE_IPV6=Yes to DISABLE_IPV6=No in
              <filename>/etc/shorewall/shorewall.conf</filename>.</para>
            </listitem>
            <listitem>
@@ -807,20 +826,21 @@
        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          chain-based dynamic blacklisting using <command>shorewall
+          chain-based dynamic blacklisting using <command>shorewall [-6] [-l]
-          drop</command>, <command>shorewall reject</command>,
+          drop</command>, <command>shorewall [-6] [-l] reject</command>,
-          <command>shorewall logdrop</command> and <command>shorewall
+          <command>shorewall logdrop</command> and <command>shorewall [-6]
-          logreject</command> is disabled. Default is <emphasis
+          [-l] logreject</command> is disabled. Default is <emphasis
          role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
          ipset-based dynamic blacklisting using the <command>shorewall
          blacklist</command> command is also supported. The name of the set
          (<replaceable>setname</replaceable>) and the level
          (<replaceable>log_level</replaceable>), if any, at which blacklisted
-          traffic is to be logged may also be specified. The default set name
+          traffic is to be logged may also be specified. The default IPv4 set
-          is SW_DBL4 and the default log level is <option>none</option> (no
+          name is SW_DBL4 and the default IPv6 set name is SW_DBL6. The
-          logging). If <option>ipset-only</option> is given, then chain-based
+          default log level is <option>none</option> (no logging). If
-          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
+          <option>ipset-only</option> is given, then chain-based dynamic
-          had been specified.</para>
+          blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
          specified.</para>
          <para>Possible <replaceable>option</replaceable>s are:</para>
@@ -866,9 +886,9 @@
                <important>
                  <para>Once the dynamic blacklisting ipset has been created,
                  changing this option setting requires a complete restart of
-                  the firewall; <command>shorewall restart</command> if
+                  the firewall; <command>shorewall [-6] restart</command> if
-                  RESTART=restart, otherwise <command>shorewall stop
+                  RESTART=restart, otherwise <command>shorewall [-6] [-l] stop
-                  &amp;&amp; shorewall start</command></para>
+                  &amp;&amp; shorewall [-6] [-l] start</command></para>
                </important>
              </listitem>
            </varlistentry>
@@ -910,13 +930,15 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        <listitem>
          <para>Added in Shorewall 4.4.17. When set to Yes when compiling for
-          use by Shorewall Lite (<command>shorewall load</command>,
+          use by Shorewall Lite (<command>shorewall [-6]
-          <command>shorewall reload </command>or <command>shorewall
+          remote-start</command>, <command>shorewall [-6] remote-reload,
          shorewall [-6] remote-restart </command>or <command>shorewall [-6]
          export</command> commands), the compiler will copy the modules or
          helpers file from the administrative system into the script. When
          set to No or not specified, the compiler will not copy the modules
-          or helpers file from <filename>/usr/share/shorewall</filename> but
+          or helpers file from <filename>/usr/share/shorewall[6]</filename>
-          will copy those found in another location on the CONFIG_PATH.</para>
+          but will copy those found in another location on the
          CONFIG_PATH.</para>
          <para>When compiling for direct use by Shorewall, causes the
          contents of the local module or helpers file to be copied into the
@@ -1114,10 +1136,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
          specified, the specifications on the right are interpreted as if
          INLINE had been specified in the ACTION column. This also applies to
-          <ulink url="/manpages/shorewall-masq.html">shorewall-masq(5)</ulink> and
+          <ulink url="/manpages/shorewall-masq.html">shorewall-masq(5)</ulink>
-          <ulink url="/manpages/shorewall-mangle.html">shorewall-mangle(5</ulink>) which
+          and <ulink
-          also support INLINE. If not specified or if specified as the empty
+          url="/manpages/shorewall-mangle.html">shorewall-mangle(5</ulink>)
-          value, the value 'No' is assumed for backward compatibility.</para>
+          which also support INLINE. If not specified or if specified as the
          empty value, the value 'No' is assumed for backward
          compatibility.</para>
          <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
          set INLINE_MATCHES=Yes in order to be able to specify your own
@@ -1176,9 +1200,13 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">Keep</emphasis>]</term>
        <listitem>
-          <para>This parameter determines whether Shorewall enables or
+          <para>This IPv4 parameter determines whether Shorewall enables or
-          disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward).
+          disables IPv4 Packet Forwarding
-          Possible values are:</para>
+          (<filename>/proc/sys/net/ipv4/ip_forward</filename>). In an IPv6
          configuration, this parameter determines the setting of
          <filename>/proc/sys/net/ipv6/config/all/ip_forwarding</filename>.</para>
          <para>Possible values are:</para>
          <variablelist>
            <varlistentry>
@@ -1210,12 +1238,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
            </varlistentry>
          </variablelist>
          <para/>
          <blockquote>
          <para>If this variable is not set or is given an empty value
          (IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
          </blockquote>
        </listitem>
      </varlistentry>
@@ -1258,6 +1282,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
        <listitem>
          <para>IPv4 only.</para>
          <para>This parameter names the iptables executable to be used by
          Shorewall. If not specified or if specified as a null value, then
          the iptables executable located using the PATH option is
@@ -1270,22 +1296,71 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">IP6TABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
        <listitem>
          <para>IPv6 only.</para>
          <para>This parameter names the ip6tables executable to be used by
          Shorewall6. If not specified or if specified as a null value, then
          the ip6tables executable located using the PATH option is
          used.</para>
          <para>Regardless of how the ip6tables utility is located (specified
          via IP6TABLES= or located via PATH), Shorewall6 uses the
          ip6tables-restore and ip6tables-save utilities from that same
          directory.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
          <para>IPv4:</para>
          <blockquote>
            <para>When set to <option>Yes</option>, this option prevents
-          generated scripts from altering the /etc/iproute2/rt_tables database
+            generated scripts from altering the /etc/iproute2/rt_tables
-          when there are entries in
+            database when there are entries in
            <filename>/etc/shorewall/providers</filename>. If you set this
            option to <option>Yes</option> while Shorewall (Shorewall-lite) is
            running, you should remove the file
            <filename>/var/lib/shorewall/rt_tables</filename>
-          (<filename>/var/lib/shorewall-lite/rt_tables</filename>) before your
+            (<filename>/var/lib/shorewall-lite/rt_tables</filename>) before
-          next <command>stop</command>, <command>refresh</command>,
+            your next <command>stop</command>, <command>refresh</command>,
-          <command>restore</command>, <emphasis role="bold">reload</emphasis>
+            <command>restore</command>, <emphasis
-          or <command>restart</command> command.</para>
+            role="bold">reload</emphasis> or <command>restart</command>
            command.</para>
          </blockquote>
          <para>IPv6:</para>
          <blockquote>
            <para>When set to <option>Yes</option>, this option prevents
            scripts generated by Shorewall6 from altering the
            /etc/iproute2/rt_tables database when there are entries in
            <filename>/etc/shorewall6/providers</filename>. If you set this
            option to <option>Yes</option> while Shorewall6 (Shorewall6-lite)
            is running, you should remove the file
            <filename>/var/lib/shorewall6/rt_tables</filename>
            (<filename>/var/lib/shorewall6-lite/rt_tables</filename>) before
            your next <command>stop</command>, <command>refresh</command>,
            <command>restore</command>, <emphasis
            role="bold">reload</emphasis> or <command>restart</command>
            command.</para>
          </blockquote>
          <important>
            <para>When both IPv4 and IPv6 Shorewall configurations are
            present, KEEP_RT_TABLES=No should be specified in only one of the
            two configurations unless the two provider configurations are
            identical with respect to interface and provider names and
            numbers.</para>
          </important>
          <para>The default is KEEP_RT_TABLES=No.</para>
        </listitem>
@@ -1298,9 +1373,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        <listitem>
          <para>Added in Shorewall 4.4.7. When set to Yes, restricts the set
          of modules loaded by shorewall to those listed in
-          /var/lib/shorewall/helpers and those that are actually used. When
+          <filename>/var/lib/shorewall[6]/helpers</filename> and those that
-          not set, or set to the empty value, LOAD_HELPERS_ONLY=No is
+          are actually used. When not set, or set to the empty value,
-          assumed.</para>
+          LOAD_HELPERS_ONLY=No is assumed.</para>
        </listitem>
      </varlistentry>
@@ -1309,11 +1384,11 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">LOCKFILE</emphasis>=[<emphasis>pathname</emphasis>]</term>
        <listitem>
-          <para>Specifies the name of the Shorewall lock file, used to prevent
+          <para>Specifies the name of the Shorewall[6] lock file, used to
-          simultaneous state-changing commands. If not specified,
+          prevent simultaneous state-changing commands. If not specified,
-          ${VARDIR}/shorewall/lock is assumed (${VARDIR} is normally /var/lib
+          ${VARDIR}/shorewall[6]/lock is assumed (${VARDIR} is normally
-          but can be changed when Shorewall-core is installed -- see the
+          /var/lib but can be changed when Shorewall-core is installed -- see
-          output of <command>shorewall show vardir</command>).</para>
+          the output of <command>shorewall show vardir</command>).</para>
        </listitem>
      </varlistentry>
@@ -1341,6 +1416,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
              <term>ULOG</term>
              <listitem>
                <para>IPv4 only.</para>
                <para>Use ULOG logging to ulogd.</para>
              </listitem>
            </varlistentry>
@@ -1365,8 +1442,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          sample configurations use this as the default log level and changing
          it will change all packet logging done by the configuration. In any
          configuration file (except <ulink
-          url="/manpages/shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
+          url="/manpages/shorewall-params.html">shorewall-params(5)</ulink>),
-          will expand to this value.</para>
+          $LOG_LEVEL will expand to this value.</para>
        </listitem>
      </varlistentry>
@@ -1376,6 +1453,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">No</emphasis>|Keep]</term>
        <listitem>
          <para>IPv4 only.</para>
          <para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis>, sets
          <filename>/proc/sys/net/ipv4/conf/*/log_martians</filename> to 1
@@ -1523,7 +1602,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          <caution>
            <para>Beginning with Shorewall 5.1.0, the default and sample
-            shorewall.conf files set LOGFORMAT="%s %s ". Shorewall log
+            shorewall[6].conf files set LOGFORMAT="%s %s ".</para>
            <para>Regardless of the LOGFORMAT setting, Shorewall IPv4 log
            messages that use this LOGFORMAT can be uniquely identified using
            the following regular expression:</para>
@@ -1531,8 +1612,15 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
              <member>'IN=.* OUT=.* SRC=.*\..* DST='</member>
            </simplelist>
-            <para>To match all Netfilter log messages (Both IPv4 and IPv6),
+            <para>and Shorewall IPv6 log messages can be uniquely identified
-            use:</para>
+            using the following regular expression:</para>
            <simplelist>
              <member>'IN=.* OUT=.* SRC=.*:.* DST='</member>
            </simplelist>
            <para>To match all Netfilter log messages (Both IPv4 and IPv6 and
            regardless of the LOGFORMAT setting), use:</para>
            <simplelist>
              <member>'IN=.* OUT=.* SRC=.* DST='</member>
@@ -1625,7 +1713,7 @@ LOG:info:,bar                        net                    fw</programlisting>
          <para>A_DROP and A_REJECT are audited versions of DROP and REJECT
          respectively and were added in Shorewall 4.4.20. They require
-          AUDIT_TARGET in the kernel and iptables.</para>
+          AUDIT_TARGET in the kernel and ip[6]tables.</para>
        </listitem>
      </varlistentry>
@@ -1668,7 +1756,7 @@ LOG:info:,bar                        net                    fw</programlisting>
          entries in <ulink
          url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5)
          can be improved by setting the MACLIST_TTL variable in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall[6].conf</ulink>(5).</para>
          <para>If your iptables and kernel support the "Recent Match" (see
          the output of "shorewall check" near the top), you can cache the
@@ -1710,6 +1798,8 @@ LOG:info:,bar                        net                    fw</programlisting>
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>IPv4 only.</para>
          <para>This option is included for compatibility with old Shorewall
          configuration. New installs should always have
          MAPOLDACTIONS=No.</para>
@@ -1740,11 +1830,11 @@ LOG:info:,bar                        net                    fw</programlisting>
          PREROUTING chain. This permits you to mark inbound traffic based on
          its destination address when DNAT is in use. To determine if your
          kernel has a FORWARD chain in the mangle table, use the <emphasis
-          role="bold">shorewall show mangle</emphasis> command; if a FORWARD
+          role="bold">shorewall [-6] show mangle</emphasis> command; if a
-          chain is displayed then your kernel will support this option. If
+          FORWARD chain is displayed then your kernel will support this
-          this option is not specified or if it is given the empty value
+          option. If this option is not specified or if it is given the empty
-          (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is
+          value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No
-          assumed.</para>
+          is assumed.</para>
        </listitem>
      </varlistentry>
@@ -1802,18 +1892,6 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">MODULE_SUFFIX=</emphasis>[<emphasis
        role="bold">"</emphasis><emphasis>extension</emphasis> ...<emphasis
        role="bold">"</emphasis>]</term>
        <listitem>
          <para>The value of this option determines the possible file
          extensions of kernel modules. The default value is "ko ko.gz ko.xz o
          o.gz o.xz gz xz".</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
@@ -1826,7 +1904,8 @@ LOG:info:,bar                        net                    fw</programlisting>
          "/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
          where <emphasis role="bold">uname</emphasis> holds the output of
          '<command>uname -r</command>' and <emphasis
-          role="bold">g_family</emphasis> holds '4'.</para>
+          role="bold">g_family</emphasis> holds '4' in IPv4 configurations and
          '6' in IPv6 configurations.</para>
          <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
          causes the listed pathnames to be appended to the default list
@@ -1839,6 +1918,8 @@ LOG:info:,bar                        net                    fw</programlisting>
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>IPv4 only.</para>
          <para>This option will normally be set to 'No' (the default). It
          should be set to 'Yes' under the following circumstances:</para>
@@ -1865,17 +1946,18 @@ LOG:info:,bar                        net                    fw</programlisting>
        <listitem>
          <para>The value of this variable determines the number of seconds
-          that programs will wait for exclusive access to the Shorewall lock
+          that programs will wait for exclusive access to the Shorewall[6]
-          file. After the number of seconds corresponding to the value of this
+          lock file. After the number of seconds corresponding to the value of
-          variable, programs will assume that the last program to hold the
+          this variable, programs will assume that the last program to hold
-          lock died without releasing the lock.</para>
+          the lock died without releasing the lock.</para>
          <para>If not set or set to the empty value, a value of 60 (60
          seconds) is assumed.</para>
          <para>An appropriate value for this parameter would be twice the
          length of time that it takes your firewall system to process a
-          <emphasis role="bold">shorewall restart</emphasis> command.</para>
+          <emphasis role="bold">shorewall [-6] restart</emphasis>
          command.</para>
        </listitem>
      </varlistentry>
@@ -1899,6 +1981,8 @@ LOG:info:,bar                        net                    fw</programlisting>
        role="bold">prohibit</emphasis>]</term>
        <listitem>
          <para>IPv4 only.</para>
          <para>When set to Yes, causes Shorewall to null-route the IPv4
          address ranges reserved by RFC1918. The default value is
          'No'.</para>
@@ -1935,12 +2019,11 @@ LOG:info:,bar                        net                    fw</programlisting>
          <itemizedlist>
            <listitem>
              <para>Optimization category 1 - Traditionally, Shorewall has
-              created rules for the complete matrix of
+              created rules for the complete matrix of host groups defined by
-              host groups defined by the zones, interfaces and hosts
+              the zones, interfaces and hosts files. Any traffic that didn't
-              files. Any traffic that didn't correspond to an element
+              correspond to an element of that matrix was rejected in one of
-              of that matrix was rejected in one of the built-in chains. When
+              the built-in chains. When the matrix is sparse, this results in
-              the matrix is sparse, this results in lots of largely useless
+              lots of largely useless rules.</para>
              rules.</para>
              <para>These extra rules can be eliminated by setting the 1 bit
              in OPTIMIZE.</para>
@@ -2118,8 +2201,9 @@ LOG:info:,bar                        net                    fw</programlisting>
            </listitem>
          </itemizedlist>
-          <para>The default value is zero which disables all
+          <para>In versions prior to 5.1.0, the default value is zero which
-          optimizations.</para>
+          disables all optimizations. Beginning with Shorewall 5.1.0, the
          default value is All which enables all optimizations.</para>
        </listitem>
      </varlistentry>
@@ -2316,7 +2400,7 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
            <listitem>
              <para>if the protocol is UDP (17) then the packet is rejected
-              with an 'port-unreachable' ICMP (ICMP6).</para>
+              with an 'port-unreachable' ICMP.</para>
            </listitem>
            <listitem>
@@ -2324,6 +2408,11 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
              with a 'host-unreachable' ICMP.</para>
            </listitem>
            <listitem>
              <para>if the protocol is ICMP6 (1) then the packet is rejected
              with a 'icmp6-addr-unreachable' ICMP6.</para>
            </listitem>
            <listitem>
              <para>otherwise, the packet is rejected with a 'host-prohibited'
              ICMP.</para>
@@ -2333,11 +2422,12 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
          <para>You can modify this behavior by implementing your own
          <replaceable>action</replaceable> that handles REJECT and specifying
          it's name in this option. The <emphasis role="bold">nolog</emphasis>
-          and <emphasis role="bold">inline</emphasis> options will
+          and <emphasis role="bold">noinline</emphasis> options will
          automatically be assumed for the specified
          <replaceable>action</replaceable>.</para>
-          <para>The following action implements the standard behavior:</para>
+          <para>The following action implements the default reject
          action:</para>
          <programlisting>?format 2
 #TARGET         SOURCE  DEST    PROTO
@@ -2437,10 +2527,10 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Specifies the simple name of a file in /var/lib/shorewall to
          be used as the default restore script in the <emphasis
-          role="bold">shorewall save</emphasis>, <emphasis
+          role="bold">shorewall [-6] save</emphasis>, <emphasis
-          role="bold">shorewall restore</emphasis>, <emphasis
+          role="bold">shorewall [-6] restore</emphasis>, <emphasis
-          role="bold">shorewall forget </emphasis>and <emphasis
+          role="bold">shorewall [-6] forget </emphasis>and <emphasis
-          role="bold">shorewall -f start</emphasis> commands.</para>
+          role="bold">shorewall [6] -f start</emphasis> commands.</para>
        </listitem>
      </varlistentry>
@@ -2449,6 +2539,8 @@ INLINE          -       -       -       ;; -j REJECT
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
          <para>IPv4 only.</para>
          <para>During <emphasis role="bold">shorewall star</emphasis>t, IP
          addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
          ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
@@ -2461,7 +2553,7 @@ INLINE          -       -       -       ;; -j REJECT
          not be deleted. Regardless of the setting of RETAIN_ALIASES,
          addresses added during <emphasis role="bold">shorewall
          start</emphasis> are still deleted at a subsequent <emphasis
-          role="bold">shorewall stop</emphasis>, <emphasis
+          role="bold">shorewall [stop</emphasis>, <emphasis
          role="bold">shorewall reload</emphasis> or <emphasis
          role="bold">shorewall restart</emphasis>.</para>
        </listitem>
@@ -2981,6 +3073,40 @@ INLINE          -       -       -       ;; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">USE_NFLOG_SIZE=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.1.5. The second parameter to the NFLOG
          target specifies how many bytes of the packet to copy to the log; if
          omitted or if supplied as zero, the entire packet is copied. This
          feature has traditionally been implemented using the --nflog-range
          option to the NFLOG iptables target. Unfortuntely, the --nflog-range
          option never worked (the entire packet was always copied). To deal
          with this issue, the Netfilter team:</para>
          <itemizedlist>
            <listitem>
              <para>Added a warning message when --nflog-range is used</para>
            </listitem>
            <listitem>
              <para>Added --nflog-size which works like --nflog-range was
              intended to work.</para>
            </listitem>
          </itemizedlist>
          <para>When USE_NFLOG_SIZE=Yes, Shorewall will attempt to use the new
          --nflog-size feature. If that feature is not available in the
          running kernel and ip[6]tables, an error is raised.</para>
          <para>When USE_NFLOG_SIZE is not supplied, USE_NFLOG_SIZE=No is
          assumed. When USE_NFLOG_SIZE is added by shorewall update, it is
          added with setting No.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">USE_PHYSICAL_NAMES=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -3150,19 +3276,13 @@ INLINE          -       -       -       ;; -j REJECT
    <title>FILES</title>
    <para>/etc/shorewall/shorewall.conf</para>
    <para>/etc/shorewall6/shorewall6.conf</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall(8)</para>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcinterfaces(5),
    shorewall-tcpri(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,7 +38,6 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
 #        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -8,6 +8,7 @@
 Description=Shorewall IPv6 firewall (lite)
 Wants=network-online.target
 After=network-online.target
 After=shorewall-lite.service
 Conflicts=ip6tables.service firewalld.service
 [Service]
--- a/Shorewall6-lite/shorewall6-lite.service.debian
+++ b/Shorewall6-lite/shorewall6-lite.service.debian
@@ -7,6 +7,7 @@
 Description=Shorewall IPv6 firewall (lite)
 Wants=network-online.target
 After=network-online.target
 After=shorewall-lite.service
 Conflicts=ip6tables.service firewalld.service
 [Service]
--- a/Shorewall6/Makefile-lite
+++ b/Shorewall6/Makefile-lite
@@ -1,82 +0,0 @@
 #     Shorewall6 Packet Filtering Firewall Export Directory Makefile - V4.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2006 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 ################################################################################
 # Place this file in each export directory. Modify each copy to set HOST
 # to the name of the remote firewall corresponding to the directory.
 #
 #	To make the 'firewall' script, type "make".
 #
 #	Once the script is compiling correctly, you can install it by
 #	typing "make install".
 #
 ################################################################################
 #                             V A R I A B L E S
 #
 # Files in the export directory on which the firewall script does not depend
 #
 IGNOREFILES =  firewall% Makefile% trace% %~
 #
 # Remote Firewall system
 #
 HOST = gateway
 #
 # Save some typing
 #
 LITEDIR = /var/lib/shorewall6-lite
 #
 # Set this if the remote system has a non-standard modules directory
 #
 MODULESDIR=
 #
 # Default target is the firewall script
 #
 ################################################################################
 #                                T A R G E T S
 #
 all: firewall
 #
 # Only generate the capabilities file if it doesn't already exist
 #
 capabilities:
 	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall6-lite/shorecap > $(LITEDIR)/capabilities"
 	scp root@$(HOST):$(LITEDIR)/capabilities .
 #
 # Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
 # 'filter-out' will be presented with the list of files in this directory rather than "*"
 #
 firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
 	shorewall6 compile -e . firewall
 #
 # Only reload on demand.
 #
 install: firewall
 	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
 	ssh root@$(HOST) "/sbin/shorewall6-lite restart"
 #
 # Save running configuration
 #
 save:
 	ssh root@$(HOST) "/sbin/shorewall6-lite save"
 #
 # Remove generated files
 #
 clean:
 	rm -f capabilities firewall firewall.conf reload
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -190,8 +190,6 @@ MARK_IN_FORWARD_CHAIN=No
 MINIUPNPD=No
 MODULE_SUFFIX="ko ko.xz"
 MUTEX_TIMEOUT=60
 OPTIMIZE=All
@@ -206,6 +204,8 @@ REQUIRE_INTERFACE=Yes
 RESTART=restart
 RESTORE_DEFAULT_ROUTE=Yes
 RESTORE_ROUTEMARKS=Yes
 SAVE_IPSETS=No
@@ -222,6 +222,8 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -191,8 +191,6 @@ MARK_IN_FORWARD_CHAIN=No
 MINIUPNPD=No
 MODULE_SUFFIX="ko ko.xz"
 MUTEX_TIMEOUT=60
 OPTIMIZE=All
@@ -207,6 +205,8 @@ REQUIRE_INTERFACE=No
 RESTART=restart
 RESTORE_DEFAULT_ROUTE=Yes
 RESTORE_ROUTEMARKS=Yes
 SAVE_IPSETS=No
@@ -223,6 +223,8 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -190,8 +190,6 @@ MARK_IN_FORWARD_CHAIN=No
 MINIUPNPD=No
 MODULE_SUFFIX="ko ko.xz"
 MUTEX_TIMEOUT=60
 OPTIMIZE=All
@@ -206,6 +204,8 @@ REQUIRE_INTERFACE=No
 RESTART=restart
 RESTORE_DEFAULT_ROUTE=Yes
 RESTORE_ROUTEMARKS=Yes
 SAVE_IPSETS=No
@@ -222,6 +222,8 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -190,8 +190,6 @@ MARK_IN_FORWARD_CHAIN=No
 MINIUPNPD=No
 MODULE_SUFFIX="ko ko.xz"
 MUTEX_TIMEOUT=60
 OPTIMIZE=All
@@ -206,6 +204,8 @@ REQUIRE_INTERFACE=No
 RESTART=restart
 RESTORE_DEFAULT_ROUTE=Yes
 RESTORE_ROUTEMARKS=Yes
 SAVE_IPSETS=No
@@ -222,6 +222,8 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -21,6 +21,7 @@ BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
 Broadcast    noinline      	# Handles Broadcast/Anycast
 Drop		        	# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
 dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
 dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
@@ -28,6 +29,7 @@ DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED
 FIN	     inline,audit	# Handles ACK,FIN,PSH packets
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 IfEvent      noinline           # Perform an action based on an event
 Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
--- a/Shorewall6/configfiles/disabled
+++ b/Shorewall6/configfiles/disabled
@@ -0,0 +1,12 @@
 #
 # Shorewall6 -- /etc/shorewall6/disabled
 #
 # Add commands below that you want executed when an optional
 # interface is successfully disabled using the 'disable' command
 #
 # When the commands are invoked:
 #
 #  $1 contains the physical name of the interface
 #  $2 contains the logical name of the interface
 #  $3 contains the name of the provider associated with the interface,
      if any
--- a/Shorewall6/configfiles/enabled
+++ b/Shorewall6/configfiles/enabled
@@ -0,0 +1,12 @@
 #
 # Shorewall6 -- /etc/shorewall6/enabled
 #
 # Add commands below that you want executed when an optional
 # interface is successfully enabled using the 'enable' command
 #
 # When the commands are invoked:
 #
 #  $1 contains the physical name of the interface
 #  $2 contains the logical name of the interface
 #  $3 contains the name of the provider associated with the interface,
      if any
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -190,8 +190,6 @@ MARK_IN_FORWARD_CHAIN=No
 MINIUPNPD=No
 MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
 OPTIMIZE=All
@@ -206,6 +204,8 @@ REQUIRE_INTERFACE=No
 RESTART=restart
 RESTORE_DEFAULT_ROUTE=Yes
 RESTORE_ROUTEMARKS=Yes
 SAVE_IPSETS=No
@@ -222,6 +222,8 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall6/manpages/shorewall6-accounting.xml
+++ b/Shorewall6/manpages/shorewall6-accounting.xml
@@ -1,851 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall6-accounting</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
    <refname>accounting</refname>
    <refpurpose>Shorewall6 Accounting file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall6/accounting</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
    <para>Accounting rules exist simply to count packets and bytes in
    categories that you define in this file. You may display these rules and
    their packet and byte counters using the <command>shorewall6 show
    accounting</command> command.</para>
    <para>Beginning with Shorewall 4.4.18, the accounting structure can be
    created with three root chains:</para>
    <itemizedlist>
      <listitem>
        <para><emphasis role="bold">accountin</emphasis>: Rules that are valid
        in the <emphasis role="bold">INPUT</emphasis> chain (may not specify
        an output interface).</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">accountout</emphasis>: Rules that are
        valid in the OUTPUT chain (may not specify an input interface or a MAC
        address).</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">accounting</emphasis>: Other rules.</para>
      </listitem>
    </itemizedlist>
    <para>The new structure is enabled by sectioning the accounting file in a
    manner similar to the <ulink url="/manpages6/shorewall6-rules.html">rules
    file</ulink>. The sections are <emphasis role="bold">INPUT</emphasis>,
    <emphasis role="bold">OUTPUT</emphasis> and <emphasis
    role="bold">FORWARD</emphasis> and must appear in that order (although any
    of them may be omitted). The first non-commentary record in the accounting
    file must be a section header when sectioning is used.</para>
    <warning>
      <para>If sections are not used, the Shorewall rules compiler cannot
      detect certain violations of netfilter restrictions. These violations
      can result in run-time errors such as the following:</para>
      <blockquote>
        <para><emphasis role="bold">ip6tables-restore v1.4.13: Can't use -o
        with INPUT</emphasis></para>
      </blockquote>
    </warning>
    <para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
    added to shorewall.conf and shorewall6.conf. That setting determines the
    Netfilter table (filter or mangle) where the accounting rules are added.
    When ACCOUNTING_TABLE=mangle is specified, the available sections are
    <emphasis role="bold">PREROUTING</emphasis>, <emphasis
    role="bold">INPUT</emphasis>, <emphasis role="bold">OUTPUT</emphasis>,
    <emphasis role="bold">FORWARD</emphasis> and <emphasis
    role="bold">POSTROUTING</emphasis>.</para>
    <para>Section headers have the form:</para>
    <para><option>[?]SECTION</option>
    <replaceable>section-name</replaceable></para>
    <para>The optional "?" was added in Shorewalll 4.6.0 and is preferred.
    Existing configurations may be converted to use this form using the
    <command>shorewall6 update</command> command.</para>
    <para>When sections are enabled:</para>
    <itemizedlist>
      <listitem>
        <para>A jump to a user-defined accounting chain must appear before
        entries that add rules to that chain. This eliminates loops and
        unreferenced chains.</para>
      </listitem>
      <listitem>
        <para>An output interface may not be specified in the <emphasis
        role="bold">PREROUTING</emphasis> and <emphasis
        role="bold">INPUT</emphasis> sections.</para>
      </listitem>
      <listitem>
        <para>In the <emphasis role="bold">OUTPUT</emphasis> and <emphasis
        role="bold">POSTROUTING</emphasis> sections:</para>
        <itemizedlist>
          <listitem>
            <para>An input interface may not be specified</para>
          </listitem>
          <listitem>
            <para>Jumps to a chain defined in the <emphasis
            role="bold">INPUT</emphasis> or <emphasis
            role="bold">PREROUTING</emphasis> sections that specifies an input
            interface are prohibited</para>
          </listitem>
          <listitem>
            <para>MAC addresses may not be used</para>
          </listitem>
          <listitem>
            <para>Jump to a chain defined in the <emphasis
            role="bold">INPUT</emphasis> or <emphasis
            role="bold">PREROUTING</emphasis> section that specifies a MAC
            address are prohibited.</para>
          </listitem>
        </itemizedlist>
      </listitem>
      <listitem>
        <para>The default value of the CHAIN column is:</para>
        <itemizedlist>
          <listitem>
            <para><emphasis role="bold">accountin</emphasis> in the <emphasis
            role="bold">INPUT</emphasis> section</para>
          </listitem>
          <listitem>
            <para><emphasis role="bold">accountout</emphasis> in the <emphasis
            role="bold">OUTPUT</emphasis> section</para>
          </listitem>
          <listitem>
            <para><emphasis role="bold">accountfwd</emphasis> in the <emphasis
            role="bold">FORWARD</emphasis> section</para>
          </listitem>
          <listitem>
            <para><emphasis role="bold">accountpre</emphasis> in the <emphasis
            role="bold">PREROUTING</emphasis> section</para>
          </listitem>
          <listitem>
            <para><emphasis role="bold">accountpost</emphasis> in the
            <emphasis role="bold">POSTROUTING</emphasis> section</para>
          </listitem>
        </itemizedlist>
      </listitem>
      <listitem>
        <para>Traffic addressed to the firewall goes through the rules defined
        in the INPUT section.</para>
      </listitem>
      <listitem>
        <para>Traffic originating on the firewall goes through the rules
        defined in the OUTPUT section.</para>
      </listitem>
      <listitem>
        <para>Traffic being forwarded through the firewall goes through the
        rules from the FORWARD sections.</para>
      </listitem>
    </itemizedlist>
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
    the alternate specification syntax).</para>
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
        role="bold">COUNT</emphasis>|<emphasis
        role="bold">DONE</emphasis>|<emphasis>chain</emphasis>[:<emphasis
        role="bold">{COUNT|JUMP}</emphasis>]|[?]COMMENT
        <replaceable>comment</replaceable>}</term>
        <listitem>
          <para>What to do when a matching packet is found.</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">COUNT</emphasis></term>
              <listitem>
                <para>Simply count the match and continue with the next
                rule</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DONE</emphasis></term>
              <listitem>
                <para>Count the match and don't attempt to match any other
                accounting rules in the chain specified in the <emphasis
                role="bold">CHAIN</emphasis> column.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>chain</emphasis>[<emphasis
              role="bold">:</emphasis><emphasis
              role="bold">COUNT</emphasis>]</term>
              <listitem>
                <para>Where <emphasis>chain</emphasis> is the name of a chain;
                shorewall6 will create the chain automatically if it doesn't
                already exist. If a second chain is mentioned in the CHAIN
                column, then a jump from this second chain to
                <replaceable>chain</replaceable> is created. If no chain is
                named in the CHAIN column, then a jump from the default chain
                to <replaceable>chain</replaceable> is created. If <emphasis
                role="bold">:COUNT</emphasis> is included, a counting rule
                matching this entry will be added to
                <emphasis>chain</emphasis>. The <emphasis>chain</emphasis> may
                not exceed 29 characters in length and may be composed of
                letters, digits, dash ('-') and underscore ('_').</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>chain</emphasis>:JUMP</term>
              <listitem>
                <para>Like the previous option without the <emphasis
                role="bold">:COUNT</emphasis> part.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">INLINE</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.5.16. Allows free form ip6tables
                matches to be specified following a ';'. In the generated
                ip6tables rule(s), the free form matches will follow any
                matches that are generated by the column contents.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFACCT</emphasis>({<replaceable>object</replaceable>[!]}[,...])</term>
              <listitem>
                <para>Added in Shorewall 4.5.7. Provides a form of accounting
                that survives <command>shorewall stop/shorewall</command>
                start and <command>shorewall restart</command>. Requires the
                NFaccnt Match capability in your kernel and iptables.
                <replaceable>object</replaceable> names an nfacct object (see
                man nfaccnt(8)). Multiple rules can specify the same
                <replaceable>object</replaceable>; all packets that match any
                of the rules increment the packet and bytes count of the
                object.</para>
                <para>Prior to Shorewall 4.5.16, only one
                <replaceable>object</replaceable> could be specified.
                Beginning with Shorewall 4.5.16, an arbitrary number of
                objects may be given.</para>
                <para>With Shorewall 4.5.16 or later, an nfacct
                <replaceable>object</replaceable> in the list may optionally
                be followed by <emphasis role="bold">!</emphasis> to indicate
                that the nfacct <replaceable>object</replaceable> will be
                incremented unconditionally for each packet. When <emphasis
                role="bold">!</emphasis> is omitted, the
                <replaceable>object</replaceable> will be incremented only if
                all of the matches in the rule succeed.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">NFLOG</emphasis>[(nflog-parameters)]
              - Added in Shorewall-4.4.20.</term>
              <listitem>
                <para>Causes each matching packet to be sent via the currently
                loaded logging back end (usually nfnetlink_log) where it is
                available to accounting daemons through a netlink
                socket.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">?COMMENT</emphasis></term>
              <listitem>
                <para>The remainder of the line is treated as a comment which
                is attached to subsequent rules until another ?COMMENT line is
                found or until the end of the file is reached. To stop adding
                comments to rules, use a line with only the word
                ?COMMENT.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">CHAIN</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis>chain</emphasis>}</term>
        <listitem>
          <para>The name of a <emphasis>chain</emphasis>. If specified as
          <emphasis role="bold">-</emphasis> the <emphasis
          role="bold">accounting</emphasis> chain is assumed when the file is
          un-sectioned. When the file is sectioned, the default is one of
          accountin, accountout, etc. depending on the section. This is the
          chain where the accounting rule is added. The
          <emphasis>chain</emphasis> will be created if it doesn't already
          exist. The <emphasis>chain</emphasis> may not exceed 29 characters
          in length.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">any</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
        role="bold">:<option>[</option></emphasis><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
        <listitem>
          <para>Packet Source.</para>
          <para>The name of an <replaceable>interface</replaceable>, an
          <replaceable>address</replaceable> (host or net) or an
          <replaceable>interface</replaceable> name followed by ":" and a host
          or net <replaceable>address</replaceable>. An ipset name is also
          accepted as an <replaceable>address</replaceable>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">any</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><option>:[</option><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
        <listitem>
          <para>Packet Destination.</para>
          <para>Format same as <emphasis role="bold">SOURCE</emphasis>
          column.</para>
          <para>This column was formerly labelled DESTINATION.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">any</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
        role="bold">ipp2p</emphasis>[<emphasis
        role="bold">:</emphasis>{<emphasis
        role="bold">udp</emphasis>|<emphasis
        role="bold">all</emphasis>}]}</term>
        <listitem>
          <para>A <emphasis>protocol-name</emphasis> (from protocols(5)), a
          <emphasis>protocol-number</emphasis>, <emphasis
          role="bold">ipp2p</emphasis>, <emphasis
          role="bold">ipp2p:udp</emphasis> or <emphasis
          role="bold">ipp2p:all</emphasis></para>
          <para>Beginning with Shorewall 4.5.12, this column can accept a
          comma-separated list of protocols.</para>
          <para>This column was formerly labelled PROTOCOL.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DPORT</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">any</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
        <listitem>
          <para>Destination Port number. Service name from services(5) or
          <emphasis>port number</emphasis>. May only be specified if the
          protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
          (136).</para>
          <para>You may place a comma-separated list of port names or numbers
          in this column if your kernel and ip6tables include multi-port match
          support.</para>
          <para>If the PROTOCOL is <emphasis role="bold">ipp2p</emphasis> then
          this column must contain an <emphasis>ipp2p-option</emphasis>
          ("ip6tables -m ipp2p --help") without the leading "--". If no option
          is given in this column, <emphasis role="bold">ipp2p</emphasis> is
          assumed.</para>
          <para>This column was formerly labelled DEST PORT(S).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SPORT</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">any</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
        <listitem>
          <para>Service name from services(5) or <emphasis>port
          number</emphasis>. May only be specified if the protocol is TCP (6),
          UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).</para>
          <para>You may place a comma-separated list of port numbers in this
          column if your kernel and ip6tables include multi-port match
          support.</para>
          <para>Beginning with Shorewall 4.5.15, you may place '=' in this
          column, provided that the DPORT column is non-empty. This causes the
          rule to match when either the source port or the destination port in
          a packet matches one of the ports specified in DPORT. Use of '='
          requires multi-port match in your iptables and kernel.</para>
          <para>This column was formerly labelled SOURCE PORT(S).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">USER</emphasis> - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
        <listitem>
          <para>This column may only be non-empty if the <emphasis
          role="bold">CHAIN</emphasis> is <emphasis
          role="bold">OUTPUT</emphasis>.</para>
          <para>When this column is non-empty, the rule applies only if the
          program generating the output is running under the effective
          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
          specified (or is NOT running under that id if "!" is given).</para>
          <para>Examples:</para>
          <variablelist>
            <varlistentry>
              <term>joe</term>
              <listitem>
                <para>program must be run by joe</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>:kids</term>
              <listitem>
                <para>program must be run by a member of the 'kids'
                group</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>!:kids</term>
              <listitem>
                <para>program must not be run by a member of the 'kids'
                group</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>+upnpd</term>
              <listitem>
                <para>#program named upnpd</para>
                <important>
                  <para>The ability to specify a program name was removed from
                  Netfilter in kernel version 2.6.14.</para>
                </important>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>This column was formerly labelled USER/GROUP.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
        role="bold">:C</emphasis>]</term>
        <listitem>
          <para>Defines a test on the existing packet or connection mark. The
          rule will match only if the test returns true.</para>
          <para>If you don't want to define a test but need to specify
          anything in the following columns, place a "-" in this field.</para>
          <variablelist>
            <varlistentry>
              <term>!</term>
              <listitem>
                <para>Inverts the test (not equal)</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>value</emphasis></term>
              <listitem>
                <para>Value of the packet or connection mark.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>mask</emphasis></term>
              <listitem>
                <para>A mask to be applied to the mark before testing.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">:C</emphasis></term>
              <listitem>
                <para>Designates a connection mark. If omitted, the packet
                mark's value is tested.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
        (Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1
        )</emphasis></term>
        <listitem>
          <para>The option-list consists of a comma-separated list of options
          from the following list. Only packets that will be encrypted or have
          been decrypted via an SA that matches these options will have their
          source address changed. May only be specified when sections are
          used.</para>
          <variablelist>
            <varlistentry>
              <term><emphasis
              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
              <listitem>
                <para>where <emphasis>number</emphasis> is specified using
                setkey(8) using the 'unique:<emphasis>number</emphasis> option
                for the SPD level.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
              <listitem>
                <para>where <emphasis>number</emphasis> is the SPI of the SA
                used to encrypt/decrypt packets.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">proto=</emphasis><emphasis
              role="bold">ah</emphasis>|<emphasis
              role="bold">esp</emphasis>|<emphasis
              role="bold">ipcomp</emphasis></term>
              <listitem>
                <para>IPSEC Encapsulation Protocol</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
              <listitem>
                <para>sets the MSS field in TCP packets</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">mode=</emphasis><emphasis
              role="bold">transport</emphasis>|<emphasis
              role="bold">tunnel</emphasis></term>
              <listitem>
                <para>IPSEC mode</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
              <listitem>
                <para>only available with mode=tunnel</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
              <listitem>
                <para>only available with mode=tunnel</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">strict</emphasis></term>
              <listitem>
                <para>Means that packets must match all rules.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">next</emphasis></term>
              <listitem>
                <para>Separates rules; can only be used with strict</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">yes</emphasis> or <emphasis
              role="bold">ipsec</emphasis></term>
              <listitem>
                <para>When used by itself, causes all traffic that will be
                encrypted/encapsulated or has been decrypted/un-encapsulated
                to match the rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">no</emphasis> or <emphasis
              role="bold">none</emphasis></term>
              <listitem>
                <para>When used by itself, causes all traffic that will not be
                encrypted/encapsulated or has been decrypted/un-encapsulated
                to match the rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">in</emphasis></term>
              <listitem>
                <para>May only be used in the FORWARD section and must be the
                first or the only item the list. Indicates that matching
                packets have been decrypted in input.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">out</emphasis></term>
              <listitem>
                <para>May only be used in the FORWARD section and must be the
                first or the only item in the list. Indicates that matching
                packets will be encrypted on output.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>If this column is non-empty and sections are not used,
          then:</para>
          <itemizedlist>
            <listitem>
              <para>A chain NAME appearing in the ACTION column must be a
              chain branched either directly or indirectly from the <emphasis
              role="bold">accipsecin</emphasis> or <emphasis
              role="bold">accipsecout</emphasis> chain.</para>
            </listitem>
            <listitem>
              <para>The CHAIN column must contain either <emphasis
              role="bold">accipsecin</emphasis> or <emphasis
              role="bold">accipsecout</emphasis> or a chain branched either
              directly or indirectly from those chains.</para>
            </listitem>
            <listitem>
              <para>These rules will NOT appear in the <emphasis
              role="bold">accounting</emphasis> chain.</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">HEADERS -
        [!][any:|exactly:]</emphasis><replaceable>header-list
        </replaceable>(Optional - Added in Shorewall 4.4.15)</term>
        <listitem>
          <para>The <replaceable>header-list</replaceable> consists of a
          comma-separated list of headers from the following list.</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">auth</emphasis>, <emphasis
              role="bold">ah</emphasis>, or <emphasis
              role="bold">51</emphasis></term>
              <listitem>
                <para><firstterm>Authentication Headers</firstterm> extension
                header.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">esp</emphasis>, or <emphasis
              role="bold">50</emphasis></term>
              <listitem>
                <para><firstterm>Encrypted Security Payload</firstterm>
                extension header.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">hop</emphasis>, <emphasis
              role="bold">hop-by-hop</emphasis> or <emphasis
              role="bold">0</emphasis></term>
              <listitem>
                <para>Hop-by-hop options extension header.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">route</emphasis>, <emphasis
              role="bold">ipv6-route</emphasis> or <emphasis
              role="bold">41</emphasis></term>
              <listitem>
                <para>IPv6 Route extension header.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">frag</emphasis>, <emphasis
              role="bold">ipv6-frag</emphasis> or <emphasis
              role="bold">44</emphasis></term>
              <listitem>
                <para>IPv6 fragmentation extension header.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">none</emphasis>, <emphasis
              role="bold">ipv6-nonxt</emphasis> or <emphasis
              role="bold">59</emphasis></term>
              <listitem>
                <para>No next header</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">proto</emphasis>, <emphasis
              role="bold">protocol</emphasis> or <emphasis
              role="bold">255</emphasis></term>
              <listitem>
                <para>Any protocol header.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>If <emphasis role="bold">any:</emphasis> is specified, the
          rule will match if any of the listed headers are present. If
          <emphasis role="bold">exactly:</emphasis> is specified, the will
          match packets that exactly include all specified headers. If neither
          is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
          <para>If <emphasis role="bold">!</emphasis> is entered, the rule
          will match those packets which would not be matched when <emphasis
          role="bold">!</emphasis> is omitted.</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>In all of the above columns except <emphasis
    role="bold">ACTION</emphasis> and <emphasis role="bold">CHAIN</emphasis>,
    the values <emphasis role="bold">-</emphasis>, <emphasis
    role="bold">any</emphasis> and <emphasis role="bold">all</emphasis> may be
    used as wildcards. Omitted trailing columns are also treated as
    wildcards.</para>
  </refsect1>
  <refsect1>
    <title>FILES</title>
    <para>/etc/shorewall6/accounting</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
    <para><ulink
    url="/Accounting.html">http://www.shorewall.net/Accounting.html
    </ulink></para>
    <para><ulink
    url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
    <para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
    shorewall6-providers(5), shorewall6-rtrules(5),
    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
    shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -1,260 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall6-actions</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
    <refname>actions</refname>
    <refpurpose>shorewall6 action declaration file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall6/actions</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
    <para>This file allows you to define new ACTIONS for use in rules (see
    <ulink
    url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>). You
    define the ip6tables rules to be performed in an ACTION in
    /etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>
    <para>Columns are:</para>
    <variablelist>
      <varlistentry>
        <term>NAME</term>
        <listitem>
          <para>The name of the action. ACTION names should begin with an
          upper-case letter to distinguish them from Shorewall-generated chain
          names and be composed of letters, digits or numbers. If you intend
          to log from the action then the name must be no longer than 11
          characters in length if you use the standard LOGFORMAT.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>OPTIONS</term>
        <listitem>
          <para>Added in Shorewall 4.5.10. Available options are:</para>
          <variablelist>
            <varlistentry>
              <term><option>audit</option></term>
              <listitem>
                <para>Added in Shorewall 5.0.7. When this option is specified,
                the action is expected to have at least two parameters; the
                first is a target and the second is either 'audit' or omitted.
                If the second is 'audit', then the first must be an auditable
                target (ACCEPT, DROP or REJECT).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>builtin</term>
              <listitem>
                <para>Added in Shorewall 4.5.16. Defines the action as a rule
                target that is supported by your ip6tables but is not directly
                supported by Shorewall. The action may be used as the rule
                target in an INLINE rule in <ulink
                url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
                <para>Beginning with Shorewall 4.6.0, the Netfilter table(s)
                in which the <emphasis role="bold">builtin</emphasis> can be
                used may be specified: <emphasis
                role="bold">filter</emphasis>, <emphasis
                role="bold">nat</emphasis>, <emphasis
                role="bold">mangle</emphasis> and <emphasis
                role="bold">raw</emphasis>. If no table name(s) are given,
                then <emphasis role="bold">filter</emphasis> is assumed. The
                table names follow <emphasis role="bold">builtin</emphasis>
                and are separated by commas; for example, "FOOBAR
                builtin,filter,mangle" would specify FOOBAR as a builtin
                target that can be used in the filter and mangle
                tables.</para>
                <para>Beginning with Shorewall 4.6.4, you may specify the
                <emphasis role="bold">terminating</emphasis> option with
                <emphasis role="bold">builtin</emphasis> to indicate to the
                Shorewall optimizer that the action is terminating (the
                current packet will not be passed to the next rule in the
                chain).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>inline</option></term>
              <listitem>
                <para>Causes the action body (defined in
                action.<replaceable>action-name</replaceable>) to be expanded
                in-line like a macro rather than in its own chain. You can
                list Shorewall Standard Actions in this file to specify the
                <option>inline</option> option.</para>
                <caution>
                  <para>Some of the Shorewall standard actions cannot be used
                  in-line and will generate a warning and the compiler will
                  ignore <option>inline</option> if you try to use them that
                  way:</para>
                  <simplelist>
                    <member>DropSmurfs</member>
                    <member>IfEvent</member>
                    <member>Invalid (Prior to Shorewall 4.5.13)</member>
                    <member>NotSyn (Prior to Shorewall 4.5.13)</member>
                    <member>RST (Prior to Shorewall 4.5.13)</member>
                    <member>TCPFlags</member>
                  </simplelist>
                </caution>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>logjump</option></term>
              <listitem>
                <para>Added in Shorewall 5.0.8. Performs the same function as
                <option>nolog</option> (below), with the addition that the
                jump to the actions chain is logged if a log level is
                specified on the action invocation. For inline actions, this
                option is identical to <option>nolog</option>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>mangle</option></term>
              <listitem>
                <para>Added in Shorewall 5.0.7. Specifies that this action is
                to be used in <ulink
                url="/manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
                rather than <ulink
                url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>nat</option></term>
              <listitem>
                <para>Added in Shorewall 5.0.13. Specifies that this action is
                to be used in <ulink
                url="/manpages6/shorewall6-snat.html">shorewall6-snat(5)</ulink> rather
                than <ulink
                url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>. The
                <option>mangle</option> and <option>nat</option> options are
                mutually exclusive.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>noinline</option></term>
              <listitem>
                <para>Causes any later <option>inline</option> option for the
                same action to be ignored with a warning.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>nolog</option></term>
              <listitem>
                <para>Added in Shorewall 4.5.11. When this option is
                specified, the compiler does not automatically apply the log
                level and/or tag from the invocation of the action to all
                rules inside of the action. Rather, it simply sets the
                $_loglevel and $_logtag shell variables which can be used
                within the action body to apply those logging options only to
                a subset of the rules.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>section</option></term>
              <listitem>
                <para>Added in Shorewall 5.1.1. When specified, this option
                causes the rules file section name and a comma to be prepended
                to the parameters passed to the action (if any). Note that
                this means that the first parameter passed to the action by
                the user is actually the second parameter to the action. If
                the action is invoked out of the blrules file, 'BLACKLIST' is
                used as the section name.</para>
                <para>Given that neither the <filename>snat</filename> nor the
                <filename>mangle</filename> file is sectioned, this parameter
                has no effect when <option>mangle</option> or
                <option>nat</option> is specified.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
              <listitem>
                <para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
                in <filename>actions.std</filename>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>terminating</option></term>
              <listitem>
                <para>Added in Shorewall 4.6.4. When used with
                <option>builtin</option>, indicates that the built-in action
                is termiating (i.e., if the action is jumped to, the next rule
                in the chain is not evaluated).</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>FILES</title>
    <para>/etc/shorewall6/actions</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
    <para><ulink
    url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
    shorewall6-providers(5), shorewall6-rtrules(5),
    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-blrules.xml
+++ b/Shorewall6/manpages/shorewall6-blrules.xml
@@ -1,331 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall6-blrules</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
    <refname>blrules</refname>
    <refpurpose>shorewall6 Blacklist file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall6/blrules</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
    <para>This file is used to perform zone-specific blacklisting and
    whitelisting.</para>
    <para>Rules in this file are applied depending on the setting of
    BLACKLISTNEWONLY in <ulink
    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
    BLACKLISTNEWONLY=No, then they are applied regardless of the connection
    tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
    connections in the NEW and INVALID states.</para>
    <para>The format of rules in this file is the same as the format of rules
    in <ulink
    url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5). The
    difference in the two files lies in the ACTION (first) column.</para>
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">ACTION- {<emphasis
        role="bold">ACCEPT</emphasis>|BLACKLIST|blacklog|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
        role="bold">WHITELIST</emphasis>|<emphasis
        role="bold">LOG</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>|<emphasis
        role="bold">NFQUEUE</emphasis>[<emphasis
        role="bold">(</emphasis><emphasis>queuenumber</emphasis><emphasis
        role="bold">)</emphasis>]<emphasis
        role="bold">|[?]COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
        role="bold">(</emphasis><emphasis>target</emphasis><emphasis
        role="bold">)</emphasis>]}<emphasis
        role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
        role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
        role="bold">!</emphasis></emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>tag</emphasis>]]</emphasis></term>
        <listitem>
          <para>Specifies the action to be taken if the packet matches the
          rule. Must be one of the following.</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">BLACKLIST</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.5.3. This is actually a macro that
                expands as follows:</para>
                <itemizedlist>
                  <listitem>
                    <para>If BLACKLIST_LOGLEVEL is specified in <ulink
                    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
                    then the macro expands to <emphasis
                    role="bold">blacklog</emphasis>.</para>
                  </listitem>
                  <listitem>
                    <para>Otherwise it expands to the action specified for
                    BLACKLIST_DISPOSITION in <ulink
                    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">blacklog</emphasis></term>
              <listitem>
                <para>May only be used if BLACKLIST_LOGLEVEL is specified in
                <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
                </ulink>(5). Logs, audits (if specified) and applies the
                BLACKLIST_DISPOSITION specified in <ulink
                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
                (5).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">ACCEPT|CONTINUE|WHITELIST</emphasis></term>
              <listitem>
                <para>Exempt the packet from the remaining rules in this
                file.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DROP</emphasis></term>
              <listitem>
                <para>Ignore the packet.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>A_DROP and A_DROP!</term>
              <listitem>
                <para>Audited versions of DROP. Requires AUDIT_TARGET support
                in the kernel and ip6tables.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">REJECT</emphasis></term>
              <listitem>
                <para>disallow the packet and return an icmp-unreachable or an
                RST packet.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>A_REJECT</term>
              <listitem>
                <para>Audited versions of REJECT. Require AUDIT_TARGET support
                in the kernel and ip6tables.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">LOG</emphasis></term>
              <listitem>
                <para>Simply log the packet and continue with the next
                rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">QUEUE</emphasis></term>
              <listitem>
                <para>Queue the packet to a user-space application such as
                ftwall (http://p2pwall.sf.net). The application may reinsert
                the packet for further processing.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
              <listitem>
                <para>queues matching packets to a back end logging daemon via
                a netlink socket then continues to the next rule. See <ulink
                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">NFQUEUE</emphasis></term>
              <listitem>
                <para>Queues the packet to a user-space application using the
                nfnetlink_queue mechanism. If a
                <replaceable>queuenumber</replaceable> is not specified, queue
                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">?COMMENT</emphasis></term>
              <listitem>
                <para>the rest of the line will be attached as a comment to
                the Netfilter rule(s) generated by the following entries. The
                comment will appear delimited by "/* ... */" in the output of
                "shorewall6 show &lt;chain&gt;". To stop the comment from
                being attached to further rules, simply include ?COMMENT on a
                line by itself.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>action</emphasis></term>
              <listitem>
                <para>The name of an <emphasis>action</emphasis> declared in
                <ulink
                url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
                or in /usr/share/shorewall6/actions.std.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis>macro</emphasis></term>
              <listitem>
                <para>The name of a macro defined in a file named
                macro.<emphasis>macro</emphasis>. If the macro accepts an
                action parameter (Look at the macro source to see if it has
                PARAM in the TARGET column) then the
                <emphasis>macro</emphasis> name is followed by the
                parenthesized <emphasis>target</emphasis> (<emphasis
                role="bold">ACCEPT</emphasis>, <emphasis
                role="bold">DROP</emphasis>, <emphasis
                role="bold">REJECT</emphasis>, ...) to be substituted for the
                parameter.</para>
                <para>Example: FTP(ACCEPT).</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>The <emphasis role="bold">ACTION</emphasis> may optionally be
          followed by ":" and a syslog log level (e.g, REJECT:info or
          Web(ACCEPT):debug). This causes the packet to be logged at the
          specified level.</para>
          <para>If the <emphasis role="bold">ACTION</emphasis> names an
          <emphasis>action</emphasis> declared in <ulink
          url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
          or in /usr/share/shorewall6/actions.std then:</para>
          <itemizedlist>
            <listitem>
              <para>If the log level is followed by "!' then all rules in the
              action are logged at the log level.</para>
            </listitem>
            <listitem>
              <para>If the log level is not followed by "!" then only those
              rules in the action that do not specify logging are logged at
              the specified level.</para>
            </listitem>
            <listitem>
              <para>The special log level <emphasis
              role="bold">none!</emphasis> suppresses logging by the
              action.</para>
            </listitem>
          </itemizedlist>
          <para>You may also specify <emphasis role="bold">NFLOG</emphasis>
          (must be in upper case) as a log level.This will log to the NFLOG
          target for routing to a separate log through use of ulogd (<ulink
          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
          <para>Actions specifying logging may be followed by a log tag (a
          string of alphanumeric characters) which is appended to the string
          generated by the LOGPREFIX (in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>For the remaining columns, see <ulink
    url="/manpages6/shorewall6-rules.html">shorewall6-rules
    (5)</ulink>.</para>
  </refsect1>
  <refsect1>
    <title>Example</title>
    <variablelist>
      <varlistentry>
        <term>Example 1:</term>
        <listitem>
          <para>Drop Teredo packets from the net.</para>
          <programlisting>DROP          net:[2001::/32]            all</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 2:</term>
        <listitem>
          <para>Don't subject packets from 2001:DB8::/64 to the remaining
          rules in the file.</para>
          <programlisting>WHITELIST     net:[2001:DB8::/64]        all</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>FILES</title>
    <para>/etc/shorewall6/blrules</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
    <para><ulink
    url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
    shorewall6-providers(5), shorewall6-rtrules(5),
    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
    shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Show More
+++ b/Show More