Document issue with optional shared interfaces

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Disallow optional shared providers
2018-07-19 10:08:17 -07:00 · 2018-07-19 09:57:06 -07:00 · 2018-07-17 13:25:26 -07:00 · 2018-07-15 08:57:43 -07:00 · 2018-07-04 08:01:27 -07:00 · 2018-07-03 15:31:14 -07:00
214 changed files with 7223 additions and 4058 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -1,8 +1,8 @@
 #!/bin/bash
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
+#     Shorewall Packet Filtering Firewall configuration program - V5.2
 #
-#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
@@ -109,6 +109,9 @@ if [ -z "$vendor" ]; then
 	    opensuse)
 		vendor=suse
 		;;
 	    alt|basealt|altlinux)
 		vendor=alt
 		;;
 	    *)
 		vendor="$ID"
 		;;
@@ -132,6 +135,8 @@ if [ -z "$vendor" ]; then
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
 		ls -l /sbin/init | fgrep -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
 	    elif [ -f /etc/altlinux-release ] ; then
 		params[HOST]=alt
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
+#     Shorewall Packet Filtering Firewall configuration program - V5.2
 #
 #     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
@@ -74,6 +74,8 @@ unless ( defined $vendor ) {
 	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
 	    my $init = `ls -l /sbin/init`;
 	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
 	} elsif ( $id eq 'alt' || $id eq 'basealt' || $id eq 'altlinux' ) {
 	    $vendor = 'alt';
 	} else {
 	    $vendor = $id;
 	}
@@ -117,6 +119,9 @@ if ( defined $vendor ) {
 	} else {
 	    $rcfilename = 'shorewallrc.debian.sysvinit';
 	}
    } elsif ( -f '/etc/altlinux-release' ){
 	$vendor = 'alt';
 	$rcfilename = 'shorewallrc.alt';
    } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -172,6 +172,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
 		    alt|basealt|altlinux)
 			BUILD=alt
 			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -180,6 +183,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
 	    elif [ -f /etc/altlinux-release ]; then
 		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/slackware-version ] ; then
@@ -238,7 +243,7 @@ case "$HOST" in
    apple)
 	echo "Installing Mac-specific configuration...";
 	;;
-    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
+    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt|alt)
 	;;
    *)
 	fatal_error "Unknown HOST \"$HOST\""
@@ -335,9 +340,8 @@ for f in lib.* ; do
 done
 if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.cli
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
 fi
 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.cli.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.cli
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=50105
+SHOREWALL_CAPVERSION=50200
 if [ -z "$g_basedir" ]; then
    #
@@ -47,6 +47,10 @@ startup_error() {
    exit 1
 }
 only_root() {
    [ "$(id -u)" != 0 ] && fatal_error "The '$COMMAND' command may only be run by root"
 }
 #
 # Display a chain if it exists
 #
@@ -83,6 +87,8 @@ showchain() # $1 = name of chain
 #
 validate_restorefile() # $* = label
 {
    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
    case $RESTOREFILE in
 	*/*)
 	    error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
@@ -411,9 +417,9 @@ resolve_arptables() {
 savesets() {
    local supported
-    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+    supported=$(run_it $g_firewall help | fgrep savesets )
-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
+    [ -n "$supported" ] && run_it $g_firewall savesets ${g_restorepath}-ipsets 
 }
 #
@@ -422,9 +428,9 @@ savesets() {
 savesets1() {
    local supported
-    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+    supported=$(run_it $g_firewall help | fgrep savesets )
-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
+    [ -n "$supported" ] && run_it $g_firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
 }
 #
@@ -435,9 +441,9 @@ do_save() {
    local arptables
    status=0
-    if [ -f ${VARDIR}/firewall ]; then
+    if [ -f $g_firewall ]; then
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    cp -f ${VARDIR}/firewall $g_restorepath
+	    cp -f $g_firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod 700 $g_restorepath
 	    chmod 600 ${g_restorepath}-iptables
@@ -449,7 +455,7 @@ do_save() {
 	    status=1
 	fi
    else
-	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+	echo "   ERROR: $g_firewall does not exist" >&2
 	status=1
    fi
@@ -634,7 +640,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -$g_family -o route list table $table | grep -vF cache | sort_routes
+		ip -6 -o route list table $table | grep -vF cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -647,7 +653,7 @@ show_routing() {
    else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | grep -vF cache | sort_routes
+	    ip -6 -o route list | grep -vF cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
@@ -1137,16 +1143,31 @@ show_a_macro() {
    cat ${directory}/macro.$1
 }
 #
-# Don't dump empty SPD entries
+# Don't dump empty SPD entries or entries from the other address family
 #
-spd_filter()
+spd_filter() {
-{
+    #
-    awk \
+    # af   = Address Family (4 or 6)
-    'BEGIN            { skip=0; }; \
+    # afok = Address Family of entry matches af
-    /^src/            { skip=0; }; \
+    # p    = print the contents of A (entry is not empty)
-    /^src 0.0.0.0\/0/ { skip=1; }; \
+    # i    = Number of lines stored in A
-    /^src ::\/0/      { skip=1; }; \
+    #
-                      { if ( skip == 0 ) print; };'
+    awk -v af=$g_family \
 	'function prnt(A,i,    j) { while ( j < i ) print A[j++]; };\
 \
 	 /^src / { if (p) prnt( A, i );\
 		   afok = 1;\
 		   p	= 0;\
 		   i	= 0;\
 		   if ( af == 4 )\
 		       { if ( /:/ )  afok = 0; }\
 		   else\
 		       { if ( /\./ ) afok = 0; }\
 		 };\
 		 { if ( afok ) A[i++] = $0; };\
 	 /tmpl/	 { p = afok; };\
 \
 	 END	 { if (p) prnt( A, i ); }'
 }
 #
 # Print a heading with leading and trailing black lines
@@ -1159,7 +1180,8 @@ heading() {
 show_ipsec() {
    heading "PFKEY SPD"
-    $IP -s xfrm policy | spd_filter
+    $IP -s -$g_family xfrm policy | spd_filter
    heading "PFKEY SAD"
    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }
@@ -1169,6 +1191,32 @@ show_ipsec_command() {
    show_ipsec
 }
 show_saves_command() {
    local f
    local fn
    local mtime
    echo "$g_product $SHOREWALL_VERSION Saves at $g_hostname - $(date)"
    echo "Saved snapshots are:"
    echo
    for f in ${VARDIR}/*-iptables; do
 	case $f in
 	    *\**)
 	        ;;
 	    *)
 		fn=$(basename $f)
 		fn=${fn%-iptables}
 		mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
 		[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
 		echo "   $mtime ${fn%-iptables}"
 		;;
 	esac
    done
    echo
 }
 #
 # Show Command Executor
 #
@@ -1187,6 +1235,7 @@ show_command() {
    show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
 	if [ -n "$foo" ]; then
 	    macro=$(basename $macro)
 	    macro=${macro#*.}
 	    foo=${foo%.*}
 	    if [ ${#macro} -gt 5 ]; then
@@ -1281,37 +1330,47 @@ show_command() {
    [ -n "$g_debugging" ] && set -x
    COMMAND="$COMMAND $1"
    case "$1" in
 	connections)
 	    only_root
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	tos|mangle)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && too_many_arguments $2
 	    only_root
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
 	    only_root
 	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
@@ -1335,6 +1394,7 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
@@ -1371,33 +1431,50 @@ show_command() {
 	    fi
 	    ;;
 	chain)
 	    only_root
 	    shift
 	    eval show_chain $@ $g_pager
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
        rc)
            shift
 	    [ $# -gt 1 ] && too_many_arguments $2
            if [ -n "$1" -a -d "$1" ]; then
                cat $1/shorewallrc
            elif [ -n "$g_basedir" -a -d "$g_basedir" ]; then
                cat $g_basedir/shorewallrc
            else
                fatal_error "Can not determine the location of the shorewallrc file."
            fi
            ;;
 	policies)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
 	    only_root
 	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1407,6 +1484,7 @@ show_command() {
 	    ;;
 	event)
 	    [ $# -gt 1 ] || too_many_arguments $2
 	    only_root
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
@@ -1414,14 +1492,18 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    setup_dbl
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 	    if chain_exists dynamic; then
@@ -1432,8 +1514,13 @@ show_command() {
 	    ;;
 	ipsec)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    eval show_ipsec_command $g_pager
 	    ;;
 	saves)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    show_saves_command
 	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
@@ -1480,6 +1567,8 @@ show_command() {
 		    ;;
 	    esac
 	    only_root
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
@@ -1797,7 +1886,7 @@ do_dump_command() {
    echo
-    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netstat -tunap; }
    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -1911,41 +2000,6 @@ show_proc() # $1 = name of a file
    [ -f $1 ] && echo "   $1 = $(cat $1)"
 }
 read_yesno_with_timeout() {
    local timeout
    timeout=${1:-60}
    case $timeout in
 	*s)
 	    ;;
 	*m)
 	    timeout=$((${timeout%m} * 60))
 	    ;;
 	*h)
 	    timeout=$((${timeout%h} * 3600))
 	    ;;
    esac
    read -t $timeout yn 2> /dev/null
    if [ $? -eq 2 ]
    then
 	# read doesn't support timeout
 	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
 	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
 	return $?
    else
 	# read supports timeout
 	case "$yn" in
 	    y|Y)
 		return 0
 		;;
 	    *)
 		return 1
 		;;
 	esac
    fi
 }
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2529,15 +2583,21 @@ hits_command() {
    fi
 }
 #
 # Issue an error message and terminate if the firewall isn't started
 #
 require_started() {
    if ! product_is_started; then
 	error_message "ERROR: $g_product is not started"
 	exit 2
    fi
 }
 #
 # 'allow' command executor
 #
 allow_command() {
    [ -n "$g_debugging" ] && set -x
    [ $# -eq 1 ] && missing_argument
    if product_is_started ; then
    local allowed
    local which
    which='-s'
@@ -2545,8 +2605,10 @@ allow_command() {
    range='--src-range'
    local dynexists
-	if [ -n "$g_blacklistipset" ]; then
+    [ -n "$g_debugging" ] && set -x
    [ $# -eq 1 ] && missing_argument
    if [ -n "$g_blacklistipset" ]; then
 	case ${IPSET:=ipset} in
 	    */*)
 		if [ ! -x "$IPSET" ]; then
@@ -2563,6 +2625,7 @@ allow_command() {
    if chain_exists dynamic; then
 	dynexists=Yes
    elif [ -z "$g_blacklistipset" ]; then
 	require_started
 	fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
    fi
@@ -2628,10 +2691,6 @@ allow_command() {
    done
    [ -n "$g_nolock" ] || mutex_off
    else
 	error_message "ERROR: $g_product is not started"
 	exit 2
    fi
 }
 #
@@ -2707,7 +2766,7 @@ determine_capabilities() {
 	g_tool=$(mywhich $tool)
 	if [ -z "$g_tool" ]; then
-	    fatal-error "No executable $tool binary can be found on your PATH"
+	    fatal_error "No executable $tool binary can be found on your PATH"
 	fi
    fi
@@ -2751,7 +2810,6 @@ determine_capabilities() {
    LENGTH_MATCH=
    CLASSIFY_TARGET=
    ENHANCED_REJECT=
    USEPKTTYPE=
    KLUDGEFREE=
    MARK=
    XMARK=
@@ -2770,7 +2828,7 @@ determine_capabilities() {
    GOTO_TARGET=
    LOGMARK_TARGET=
    IPMARK_TARGET=
-    LOG_TARGET=Yes
+    LOG_TARGET=
    ULOG_TARGET=
    NFLOG_TARGET=
    PERSISTENT_SNAT=
@@ -2804,6 +2862,7 @@ determine_capabilities() {
    CPU_FANOUT=
    NETMAP_TARGET=
    NFLOG_SIZE=
    RESTORE_WAIT_OPTION=
    AMANDA_HELPER=
    FTP_HELPER=
@@ -2827,9 +2886,11 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
    fi
    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
    if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	tool="$tool --wait"
+	g_tool="$g_tool --wait"
    fi
    chain=fooX$$
@@ -2844,6 +2905,7 @@ determine_capabilities() {
 		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
 	    qt $g_tool -t nat -L INPUT -n && NAT_INPUT_CHAIN=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
 	    qt $g_tool -t nat -F $chain
 	    qt $g_tool -t nat -X $chain
@@ -3094,7 +3156,6 @@ determine_capabilities() {
 	fi
    fi
    qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
    qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
    qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
    qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
@@ -3135,7 +3196,7 @@ determine_capabilities() {
    qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $g_tool -A $chain -j LOG || LOG_TARGET=
+    qt $g_tool -A $chain -j LOG && LOG_TARGET=Yes
    qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
@@ -3208,7 +3269,6 @@ report_capabilities_unsorted() {
 	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
 	[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
    fi
    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
    report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
    report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
    report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
@@ -3218,8 +3278,8 @@ report_capabilities_unsorted() {
    [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
    report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
    report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
    if [ -n "$IPSET_MATCH" ]; then
    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
    if [ -n "$IPSET_MATCH" ]; then
 	[ -n "$OLD_IPSET_MATCH" ]     && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)"           $OLD_IPSET_MATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Nomatch (IPSET_MATCH_NOMATCH)"   $IPSET_MATCH_NOMATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Counters (IPSET_MATCH_COUNTERS)" $IPSET_MATCH_COUNTERS
@@ -3299,9 +3359,11 @@ report_capabilities_unsorted() {
    if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
 	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
 	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    fi
    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3310,6 +3372,7 @@ report_capabilities_unsorted() {
    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
    report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3322,8 +3385,6 @@ report_capabilities() {
 	report_capabilities_unsorted | sort
    fi
    [ -n "$PKTTYPE" ] || USEPKTTYPE=
 }
 report_capabilities_unsorted1() {
@@ -3340,7 +3401,6 @@ report_capabilities_unsorted1() {
    report_capability1 CONNTRACK_MATCH
    report_capability1 NEW_CONNTRACK_MATCH
    report_capability1 OLD_CONNTRACK_MATCH
    report_capability1 USEPKTTYPE
    report_capability1 POLICY_MATCH
    report_capability1 PHYSDEV_MATCH
    report_capability1 PHYSDEV_BRIDGE
@@ -3417,6 +3477,8 @@ report_capabilities_unsorted1() {
    report_capability1 CPU_FANOUT
    report_capability1 NETMAP_TARGET
    report_capability1 NFLOG_SIZE
    report_capability1 RESTORE_WAIT_OPTION
    report_capability1 NAT_INPUT_CHAIN
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3721,7 +3783,7 @@ ipcalc_command() {
    valid_address $address || fatal_error "Invalid IP address: $address"
    [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
+    [ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM"
    [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
    address=$address/$vlsm
@@ -3759,7 +3821,7 @@ iprange_command() {
 }
 ipdecimal_command() {
-    if [ $# eq 1 ]; then
+    if [ $# -eq 1 ]; then
 	missing_argument
    else
 	[ $# -eq 2 ] || too_many_arguments $3
@@ -3902,7 +3964,7 @@ get_config() {
    ensure_config_path
-    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -4056,15 +4118,15 @@ start_command() {
 	rc=0
 	[ -n "$g_nolock" ] || mutex_on
-	if [ -x ${VARDIR}/firewall ]; then
+	if [ -x $g_firewall ]; then
-	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
 		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
 	    else
-		run_it ${VARDIR}/firewall $g_debugging start
+		run_it $g_firewall $g_debugging start
 	    fi
 	    rc=$?
 	else
-	    error_message "${VARDIR}/firewall is missing or is not executable"
+	    error_message "$g_firewall is missing or is not executable"
 	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
@@ -4193,11 +4255,11 @@ restart_command() {
    [ -n "$g_nolock" ] || mutex_on
-    if [ -x ${VARDIR}/firewall ]; then
+    if [ -x $g_firewall ]; then
-	run_it ${VARDIR}/firewall $g_debugging $COMMAND
+	run_it $g_firewall $g_debugging $COMMAND
 	rc=$?
    else
-	error_message "${VARDIR}/firewall is missing or is not executable"
+	error_message "$g_firewall is missing or is not executable"
 	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
    fi
@@ -4207,10 +4269,10 @@ restart_command() {
 }
 run_command() {
-    if [ -x ${VARDIR}/firewall ] ; then
+    if [ -x $g_firewall ] ; then
-	run_it ${VARDIR}/firewall $g_debugging $@
+	run_it $g_firewall $g_debugging $@
    else
-	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+	fatal_error "$g_firewall does not exist or is not executable"
    fi
 }
@@ -4268,7 +4330,6 @@ usage() # $1 = exit status
    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   reenable <interface>"
    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."
    if [ -n "$g_lite" ]; then
@@ -4278,9 +4339,11 @@ usage() # $1 = exit status
    fi
    if [ -z "$g_lite" ]; then
-	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-getrc [ -T ] [ -c ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
-	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-getcaps [ -T ] [ -R ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
-	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
 	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
 	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
    fi
    echo "   reset [ <chain> ... ]"
@@ -4323,7 +4386,9 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] nfacct"
    echo "   [ show | list | ls ] opens"
    echo "   [ show | list | ls ] policies"
    echo "   [ show | list | ls ] rc"
    echo "   [ show | list | ls ] routing"
    echo "   [ show | list | ls ] saves"
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
@@ -4372,7 +4437,6 @@ shorewall_cli() {
    g_use_verbosity=
    g_debug=
    g_export=
    g_refreshchains=:none:
    g_confess=
    g_update=
    g_annotate=
@@ -4391,6 +4455,7 @@ shorewall_cli() {
    g_nopager=
    g_blacklistipset=
    g_disconnect=
    g_havemutex=
    VERBOSE=
    VERBOSITY=1
@@ -4563,12 +4628,14 @@ shorewall_cli() {
    case "$COMMAND" in
 	start)
 	    only_root
 	    get_config Yes Yes
 	    shift
 	    start_command $@
 	    ;;
 	stop|clear)
 	    [ $# -ne 1 ] && too_many_arguments $2
 	    only_root
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4576,6 +4643,7 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
 	    only_root
 	    get_config
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4584,19 +4652,22 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
 	    only_root
 	    get_config Yes Yes
 	    shift
 	    restart_command $@
 	    ;;
 	disable|enable|reenable)
 	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it ${VARDIR}/firewall $g_debugging $@
+		run_it $g_firewall $g_debugging $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	blacklist)
 	    only_root
 	    get_config Yes
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4605,6 +4676,7 @@ shorewall_cli() {
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
 	    only_root
 	    get_config Yes
 	    run_command $@
 	    ;;
@@ -4614,18 +4686,20 @@ shorewall_cli() {
    	    show_command $@
 	    ;;
 	status)
-	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
+	    only_root
 	    get_config
 	    shift
 	    status_command $@
 	    ;;
 	dump)
 	    only_root
 	    get_config Yes No Yes
    	    shift
    	    dump_command $@
 	    ;;
 	hits)
 	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
 	    only_root
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4636,53 +4710,63 @@ shorewall_cli() {
 	    version_command $@
 	    ;;
 	logwatch)
 	    only_root
 	    get_config Yes Yes Yes
 	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
 	    only_root
 	    get_config
 	    shift
 	    open_close_command $@
 	    ;;
 	allow)
 	    only_root
 	    get_config
 	    allow_command $@
 	    ;;
 	add)
 	    only_root
 	    get_config
 	    shift
 	    add_command $@
 	    ;;
 	delete)
 	    only_root
 	    get_config
 	    shift
 	    delete_command $@
 	    ;;
 	save)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    save_command $@
 	    ;;
 	forget)
 	    only_root
 	    get_config
 	    forget_command $@
 	    ;;
@@ -4699,11 +4783,13 @@ shorewall_cli() {
 	    ipdecimal_command $@
 	    ;;
 	restore)
 	    only_root
 	    get_config
 	    shift
 	    restore_command $@
            ;;
 	call)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
@@ -4741,17 +4827,20 @@ shorewall_cli() {
 	    usage
 	    ;;
 	iptrace)
 	    only_root
 	    get_config
 	    shift
 	    iptrace_command $@
 	    ;;
 	noiptrace)
 	    only_root
 	    get_config
 	    shift
 	    noiptrace_command $@
 	    ;;
 	savesets)
 	    [ $# -eq 1 ] || too_many_arguments $2
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.common
 #
-#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -269,53 +269,48 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
    local modulename
    modulename=$1
    shift
    local moduleoptions
    moduleoptions=$*
    local modulefile
    local suffix
    if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
 		shift
 		for suffix in $MODULE_SUFFIX ; do
 		    for directory in $moduledirectories; do
 			modulefile=$directory/${modulename}.${suffix}
 			if [ -f $modulefile ]; then
 		case $moduleloader in
 		    insmod)
-				    insmod $modulefile $*
+			for directory in $moduledirectories; do
-				    ;;
+			    for modulefile in $directory/${modulename}.*; do
-				*)
+				if [ -f $modulefile ]; then
-				    modprobe $modulename $*
+				    insmod $modulefile $moduleoptions
-				    ;;
+				    return
 			    esac
 			    break 2
 				fi
 			    done
 			done
 			;;
 		    *)
 			modprobe -q $modulename $moduleoptions
 			;;
 		esac
 	    fi
 	fi
    elif ! list_search $modulename $DONT_LOAD $MODULES; then
 	shift
 	for suffix in $MODULE_SUFFIX ; do
 	    for directory in $moduledirectories; do
 		modulefile=$directory/${modulename}.${suffix}
 		if [ -f $modulefile ]; then
 	case $moduleloader in
 	    insmod)
-			    insmod $modulefile $*
+		for directory in $moduledirectories; do
-			    ;;
+		    for modulefile in $directory/${modulename}.*; do
-			*)
+			if [ -f $modulefile ]; then
-			    modprobe $modulename $*
+			    insmod $modulefile $moduleoptions
-			    ;;
+			    return
 		    esac
 		    break 2
 			fi
 		    done
 		done
 		;;
 	    *)
 		modprobe -q $modulename $moduleoptions
 		;;
 	esac
    fi
 }
@@ -338,8 +333,6 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi
    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -394,8 +387,6 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi
    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -763,7 +754,7 @@ mutex_on()
    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
-    if [ $MUTEX_TIMEOUT -gt 0 ]; then
+    if [ -z "$g_havemutex" -a $MUTEX_TIMEOUT -gt 0 ]; then
 	lockd=$(dirname $LOCKFILE)
@@ -771,7 +762,7 @@ mutex_on()
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
@@ -784,11 +775,13 @@ mutex_on()
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
 	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
 	    lock ${lockf}
 	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
 	    chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
@@ -799,10 +792,15 @@ mutex_on()
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
 		g_havemutex="rm -f ${lockf}"
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
 	if [ -n "$g_havemutex" ]; then
 	    trap mutex_off EXIT
 	fi
    fi
 }
@@ -811,7 +809,10 @@ mutex_on()
 #
 mutex_off()
 {
-    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
+    if [ -n "$g_havemutex" ]; then
-    rm -f ${LOCKFILE:=${VARDIR}/lock}
+	eval $g_havemutex
 	g_havemutex=
 	trap '' exit
    fi
 }
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.core
+# Shorewall 5.2 -- /usr/share/shorewall/lib.core
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,7 +24,7 @@
 # generated scripts.
 #
-SHOREWALL_LIBVERSION=50100
+SHOREWALL_LIBVERSION=50108
 #
 # Fatal Error
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -1,6 +1,5 @@
 #
-#
+# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
 # Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -1,6 +1,5 @@
 #
-#
+# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
 # Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -405,20 +405,6 @@
      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>options</arg>
      <arg
      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg><option>-i</option></arg><arg>-<option>D</option>
      <replaceable>directory</replaceable> </arg><arg
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>
@@ -459,6 +445,54 @@
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>options</arg>
      <arg choice="plain"><option>remote-getcaps</option></arg>
      <arg><option>-s</option></arg>
      <arg><option>-R</option></arg>
      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
      <arg><option>-T</option></arg>
      <arg><option>-i</option></arg>
      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>options</arg>
      <arg choice="plain"><option>remote-getrc</option></arg>
      <arg><option>-s</option></arg>
      <arg><option>-c</option></arg>
      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
      <arg><option>-T</option></arg>
      <arg><option>-i</option></arg>
      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
@@ -813,7 +847,7 @@
      <arg choice="req"><option>show | list | ls </option></arg>
-      <arg choice="plain"><option>tc</option></arg>
+      <arg choice="plain"><option>saves</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -1316,7 +1350,7 @@
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
-          role="bold">refresh</emphasis> command if that script exists.</para>
+          role="bold">reload</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>
@@ -1773,63 +1807,6 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
        [-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
        </option><replaceable>directory</replaceable> ] [
        <replaceable>chain</replaceable>... ]</term>
        <listitem>
          <para>Not available with Shorewall[6]-lite.</para>
          <para>All steps performed by <command>restart</command> are
          performed by <command>refresh</command> with the exception that
          <command>refresh</command> only recreates the chains specified in
          the command while <command>restart</command> recreates the entire
          Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
          the static blacklisting chain <emphasis
          role="bold">blacklst</emphasis> is assumed.</para>
          <para>The listed chains are assumed to be in the filter table. You
          can refresh chains in other tables by prefixing the chain name with
          the table name followed by ":" (e.g., nat:net_dnat). Chain names
          which follow are assumed to be in that table until the end of the
          list or until an entry in the list names another table. Built-in
          chains such as FORWARD may not be refreshed.</para>
          <para>The <option>-n</option> option was added in Shorewall 4.5.3
          causes Shorewall to avoid updating the routing table(s).</para>
          <para>The <option>-d</option> option was added in Shorewall 4.5.3
          causes the compiler to run under the Perl debugger.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-D</option> option was added in Shorewall 4.5.3
          and causes Shorewall to look in the given
          <emphasis>directory</emphasis> first for configuration files.</para>
          <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
          <para>The <emphasis role="bold">refresh</emphasis> command has
          slightly different behavior. When no chain name is given to the
          <emphasis role="bold">refresh</emphasis> command, the mangle table
          is refreshed along with the blacklist chain (if any). This allows
          you to modify <filename>/etc/shorewall/tcrules </filename>and
          install the changes using <emphasis
          role="bold">refresh</emphasis>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">reject</emphasis><replaceable>
        address</replaceable></term>
@@ -1941,6 +1918,57 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">remote-getcaps</emphasis>
        [-<option>R</option>] [-<option>r</option>
        <replaceable>root-user-name</replaceable>] [ [ -D ]
        <replaceable>directory</replaceable> ] [
        <replaceable>system</replaceable> ]</term>
        <listitem>
          <para>Added in Shoreall 5.2.0, this command executes <emphasis
          role="bold">shorewall[6]-lite show capabilities -f &gt;
          /var/lib/shorewall[6]-lite/capabilities</emphasis> on the remote
          <replaceable>system</replaceable> via ssh then the generated file is
          copied to <replaceable>directory</replaceable> on the local system.
          If no <replaceable>directory</replaceable> is given, the current
          working directory is assumed.</para>
          <para>if <emphasis role="bold">-R</emphasis> is included, the remote
          shorewallrc file is also copied to
          <replaceable>directory</replaceable>.</para>
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">remote-getrc</emphasis>
        [-<option>c</option>] [-<option>r</option>
        <replaceable>root-user-name</replaceable>] [ [ -D ]
        <replaceable>directory</replaceable> ] [
        <replaceable>system</replaceable> ]</term>
        <listitem>
          <para>Added in Shoreall 5.2.0, this command copies the shorewallrc
          file from the remote <replaceable>system</replaceable> to
          <replaceable>directory</replaceable> on the local system. If no
          <replaceable>directory</replaceable> is given, the current working
          directory is assumed.</para>
          <para>if <emphasis role="bold">-c</emphasis> is included, the remote
          capabilities are also copied to
          <replaceable>directory</replaceable>, as is done by the
          <command>remote-getcaps</command> command.</para>
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">remote-start</emphasis>
        [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
@@ -1992,9 +2020,9 @@
          role="bold">shorewall-lite save</emphasis> via ssh.</para>
          <para>if <emphasis role="bold">-c</emphasis> is included, the
-          command <emphasis role="bold">shorewall-lite show capabilities -f
+          command <emphasis role="bold">shorewall[6]-lite show capabilities -f
-          &gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
+          &gt; /var/lib/shorewall[6]-lite/capabilities</emphasis> is executed
-          ssh then the generated file is copied to
+          via ssh then the generated file is copied to
          <replaceable>directory</replaceable> using scp. This step is
          performed before the configuration is compiled.</para>
@@ -2005,13 +2033,6 @@
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -2430,11 +2451,11 @@
        <replaceable>filename</replaceable> ]</term>
        <listitem>
-          <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
+          <para>Creates a snapshot of the currently running firewall. The
-          The state of the firewall is stored in
+          dynamic blacklist is stored in /var/lib/shorewall/save. The state of
          the firewall is stored in
          /var/lib/shorewall/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall restore</emphasis> and <emphasis
+          <emphasis role="bold">shorewall restore</emphasis> command. If
          role="bold">shorewall -f start</emphasis> commands. If
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
@@ -2737,6 +2758,15 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">rc</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.2.0. Displays the contents of
                $SHAREDIR/shorewall/shorewallrc.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>[-<option>c</option>]<emphasis role="bold">
              routing</emphasis></term>
@@ -2762,6 +2792,20 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>saves</term>
              <listitem>
                <para>Added in Shorewall 5.2.0. Lists snapshots created by the
                <command>save</command> command. Each snapshot is listed with
                the date and time when it was taken. If there is a snapshot
                with the name specified in the RESTOREFILE option in <ulink
                url="shorewall.conf.html">shorewall.conf(5</ulink>), that
                snapshot is listed as the <emphasis>default</emphasis>
                snapshot for the <command>restore</command> command.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>
@@ -2921,7 +2965,7 @@
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
-          role="bold">refresh</emphasis> command if that script exists.</para>
+          role="bold">reload</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>
@@ -3172,29 +3216,38 @@
  <refsect1>
    <title>FILES</title>
-    <para>/etc/shorewall/</para>
+    <para>/etc/shorewall/*</para>
-    <para>/etc/shorewall6/</para>
+    <para>/etc/shorewall6/*</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
-    <para><ulink
+    <simplelist>
-    url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
+      <member><ulink
      url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink>
      - Describes operational aspects of Shorewall.</member>
-    <para>shorewall-accounting(5), shorewall-actions(5),
+      <member><ulink url="shorewall-files.html">shorewall-files(5)</ulink> -
-    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
+      Describes the various configuration files along with features and
-    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
+      conventions common to those files.</member>
-    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
+
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-mangle(5),
+      <member><ulink url="shorewall-names.html">shorewall-names(5)</ulink> -
-    shorewall-masq(5), shorewall-modules(5), shorewall-nat(5),
+      Describes naming of objects within a Shorewall configuration.</member>
-    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
+
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+      <member><ulink
-    shorewall6-proxyndp(5), shorewall-routes(5), shorewall-rtrules(5),
+      url="shorewall-addresses.html">shorewall-addresses(5)</ulink> -
-    shorewall-rtrules(5), shorewall-rules(5), shorewall-secmarks(5),
+      Describes how to specify addresses within a Shorewall
-    shorewall-snat(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+      configuration.</member>
-    shorewall-tcfilters(5), shorewall-tcinterfaces(5), shorewall-tcpri(5),
+
-    shorewall-tunnels(5), shorewall-vardir(5), shorewall-zones(5)</para>
+      <member><ulink
      url="shorewall-exclusion.html">shorewall-exclusion(5)</ulink> -
      Describes how to exclude certain hosts and/or networks from matching a
      rule.</member>
      <member><ulink url="shorewall-nesting.html">shorewall-nesting(5)</ulink>
      - Describes how to nest one Shorewall zone inside another.</member>
    </simplelist>
  </refsect1>
 </refentry>
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -1,8 +1,8 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.0
+#     Shorewall Packet Filtering Firewall Control Program - V5.2
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015 -
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -25,6 +25,10 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
 #
 # Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l
 # options
 #
 PRODUCT=shorewall
 #
--- a/Shorewall-core/shorewallrc.alt
+++ b/Shorewall-core/shorewallrc.alt
@@ -0,0 +1,25 @@
 #
 # ALT/BaseALT/ALTLinux Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=alt
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
 PERLLIBDIR=${SHAREDIR}/perl5            #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.
 INITDIR=${CONFDIR}/rc.d/init.d          #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.alt.sh                  #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
 DEFAULT_PAGER=/usr/bin/less             #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.0 rc file
+# Apple OS X Shorewall 5.2 rc file
 #
 BUILD=apple
 HOST=apple
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.0 rc file
+# Arch Linux Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.0 rc file
+# Cygwin Shorewall 5.2 rc file
 #
 BUILD=cygwin
 HOST=cygwin
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -13,7 +13,7 @@ MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
 INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-zero, annotated configuration files are installed
+ANNOTATED=				#If non-empty, annotated configuration files are installed
 SYSCONFFILE=default.debian.systemd	#Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,5 +1,5 @@
 #
-# Default Shorewall 5.0 rc file
+# Default Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -1,5 +1,5 @@
 #
-# OpenWRT Shorewall 5.0 rc file
+# OpenWRT/LEDE Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.0 rc file
+# RedHat/FedoraShorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat
--- a/Shorewall-core/shorewallrc.sandbox
+++ b/Shorewall-core/shorewallrc.sandbox
@@ -0,0 +1,28 @@
 #
 # Shorewall 5.2 rc file for installing into a Sandbox
 #
 BUILD=                                       # Default is to detect the build system
 HOST=linux
 INSTALLDIR=				     # Set this to the directory where you want Shorewall installed
 PREFIX=${INSTALLDIR}/usr		     # Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share		     # Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share		     # Directory for executable scripts.	
 PERLLIBDIR=${PREFIX}/share/shorewall	     # Directory to install Shorewall Perl module directory	
 CONFDIR=${INSTALLDIR}/etc		     # Directory where subsystem configurations are installed				
 SBINDIR=${INSTALLDIR}/sbin		     # Directory where system administration programs are installed			
 MANDIR=		     			     # Leave empty
 INITDIR=				     # Leave empty				     				
 INITSOURCE=				     # Leave empty
 INITFILE=				     # Leave empty
 AUXINITSOURCE=				     # Leave empty
 AUXINITFILE=				     # Leave empty
 SERVICEDIR=				     # Leave empty
 SERVICEFILE=    			     # Leave empty
 SYSCONFFILE=				     # Leave empty
 SYSCONFDIR=				     # Leave empty			
 SPARSE=					     # Leave empty			
 ANNOTATED=				     # If non-empty, annotated configuration files are installed				
 VARLIB=${INSTALLDIR}/var/lib		     # Directory where product variable data is stored.				
 VARDIR=${VARLIB}/$PRODUCT		     # Directory where product variable data is stored.		
 DEFAULT_PAGER=/usr/bin/less		     # Pager to use if none specified in shorewall[6].conf
 SANDBOX=Yes				     # Indicates SANDBOX installation
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.0 rc file
+# Slackware Shorewall 5.2 rc file
 #
 BUILD=slackware
 HOST=slackware
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.0 rc file
+# SuSE Shorewall 5.2 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse
--- a/Shorewall-core/wait4ifup
+++ b/Shorewall-core/wait4ifup
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall interface helper utility - V4.2
+#     Shorewall interface helper utility - V5.2
 #
 #     (c) 2007,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-init/init.alt.sh
+++ b/Shorewall-init/init.alt.sh
@@ -0,0 +1,150 @@
 #!/bin/sh
 #
 # Shorewall init script
 #
 # chkconfig: - 09 91
 # description: Initialize the shorewall firewall at boot time
 #
 ### BEGIN INIT INFO
 # Provides: shorewall-init
 # Required-Start: $local_fs
 # Required-Stop: $local_fs
 # Default-Start: 3 4 5
 # Default-Stop:  0 1 2 6
 # Short-Description: Initialize the shorewall firewall at boot time
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.
 ### END INIT INFO
 # Do not load RH compatibility interface.
 WITHOUT_RC_COMPAT=1
 # Source function library.
 . /etc/init.d/functions
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 NAME="Shorewall-init firewall"
 PROG="shorewall-init"
 SHOREWALL="$SBINDIR/$PROG"
 LOGGER="logger -i -t $PROG"
 # Get startup options (override default)
 OPTIONS=
 LOCKFILE=/var/lock/subsys/shorewall-init
 # check if shorewall-init is configured or not
 if [ -f "/etc/sysconfig/shorewall-init" ]; then
 	. /etc/sysconfig/shorewall-init
 	if [ -z "$PRODUCTS" ]; then
 		echo "No PRODUCTS configured"
 		exit 6
 	fi
 else
 	echo "/etc/sysconfig/shorewall-init not found"
 	exit 6
 fi
 RETVAL=0
 # set the STATEDIR variable
 setstatedir() {
 	local statedir
 	if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
 		statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
 	fi
 	[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 	if [ -x ${STATEDIR}/firewall ]; then
 		return 0
 	elif [ $PRODUCT = shorewall ]; then
 		${SBINDIR}/shorewall compile
 	elif [ $PRODUCT = shorewall6 ]; then
 		${SBINDIR}/shorewall -6 compile
 	else
 		return 1
 	fi
 }
 start() {
 	local PRODUCT
 	local STATEDIR
 	printf "Initializing \"Shorewall-based firewalls\": "
 	for PRODUCT in $PRODUCTS; do
 		if setstatedir; then
 			$STATEDIR/$PRODUCT/firewall ${OPTIONS} stop 2>&1 | "$LOGGER"
 			RETVAL=$?
 		else
 			RETVAL=6
 			break
 		fi
 	done
 	if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
 		ipset -R < "$SAVE_IPSETS"
 	fi
 	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
 	return $RETVAL
 }
 stop() {
 	local PRODUCT
 	local STATEDIR
 	printf "Clearing \"Shorewall-based firewalls\": "
 	for PRODUCT in $PRODUCTS; do
 		if setstatedir; then
 			${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | "$LOGGER"
 			RETVAL=$?
 		else
 			RETVAL=6
 			break
 		fi
 	done
 	if [ -n "$SAVE_IPSETS" ]; then
 		mkdir -p $(dirname "$SAVE_IPSETS")
 		if ipset -S > "${SAVE_IPSETS}.tmp"; then
 			grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
 		else
 			rm -f "${SAVE_IPSETS}.tmp"
 		fi
 	fi
 	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
 	return $RETVAL
 }
 # See how we were called.
 case "$1" in
 	start)
 	    start
 	    ;;
 	stop)
 	    stop
 	    ;;
 	restart|reload|condrestart|condreload)
 	    # "Not implemented"
 	    ;;
 	condstop)
 	    if [ -e "$LOCKFILE" ]; then
 		stop
 	    fi
 	    ;;
 	status)
 	    status "$PROG"
 	     RETVAL=$?
 	    ;;
 	*)
 	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|condrestart|condstop|status}"
 	    RETVAL=1
 esac
 exit $RETVAL
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -73,12 +73,16 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
    if [ -x ${STATEDIR}/firewall ]; then
        return 0
    else
        if [ $PRODUCT = shorewall ]; then
            ${SBINDIR}/shorewall compile
        elif [ $PRODUCT = shorewall6 ]; then
            ${SBINDIR}/shorewall -6 compile
        else
-	return 0
+            return 1
        fi
    fi
 }
@@ -108,7 +112,6 @@ shorewall_start () {
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
@@ -118,7 +121,6 @@ shorewall_start () {
 	      fi
 	  )
      fi
      fi
  done
  echo "done."
@@ -145,10 +147,8 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
 	  ${STATEDIR}/firewall ${OPTIONS} clear
      fi
      fi
  done
  echo "done."
@@ -159,8 +159,9 @@ shorewall_stop () {
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
      else
 	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
      fi
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,12 +44,14 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
 	return 0
    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 0
+	return 1
    fi
 }
@@ -66,12 +68,15 @@ start () {
    printf "Initializing \"Shorewall-based firewalls\": "
    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
 	ipset -R < "$SAVE_IPSETS"
    fi
    for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?
 	if [ $retval -eq 0 ]; then
 	    if [ -x "${STATEDIR}/firewall" ]; then
 	    ${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
 	    [ $retval -ne 0 ] && break
@@ -79,9 +84,6 @@ start () {
 	    retval=6 #Product not configured
 	    break
 	fi
 	else
 	    break
 	fi
    done
    if [ $retval -eq 0 ]; then
@@ -106,7 +108,6 @@ stop () {
 	retval=$?
 	if [ $retval -eq 0 ]; then
 	    if [ -x "${STATEDIR}/firewall" ]; then
 	    ${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
 	    [ $retval -ne 0 ] && break
@@ -114,12 +115,18 @@ stop () {
 	    retval=6 #Product not configured
 	    break
 	fi
 	else
 	    break
 	fi
    done
    if [ $retval -eq 0 ]; then
 	if [ -n "$SAVE_IPSETS" ]; then
 	    mkdir -p $(dirname "$SAVE_IPSETS")
 	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
 		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
 	    else
 		rm -f "${SAVE_IPSETS}.tmp"
 	    fi
 	fi
 	rm -f $lockfile
 	success
    else
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -1,5 +1,5 @@
 #!/bin/sh /etc/rc.common
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2016           - Matt Darfeuille (matdarf@gmail.com)
@@ -75,12 +75,14 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
 	return 0
    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 0
+	return 1
    fi
 }
@@ -92,17 +94,17 @@ start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 	      ${STATEDIR}/firewall ${OPTIONS} stop
 	  fi
      fi
      fi
  done
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      ipset -R < "$SAVE_IPSETS"
  fi
  return 0
 }
 boot () {
@@ -117,17 +119,19 @@ stop () {
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
 	    ${STATEDIR}/firewall ${OPTIONS} clear
 	fi
 	fi
    done
    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
 	else
 	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
    fi
    return 0
 }
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
@@ -69,10 +69,12 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
 	return 0
    elif [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    else
-	return 0
+	return 1
    fi
 }
@@ -84,12 +86,10 @@ shorewall_start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 	      ${STATEDIR}/firewall ${OPTIONS} stop
 	  fi
      fi
      fi
  done
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
@@ -107,16 +107,16 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
 	  ${STATEDIR}/firewall ${OPTIONS} clear
      fi
      fi
  done
  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
      else
 	  rm -f "${SAVE_IPSETS}.tmp"
      fi
  fi
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -79,12 +79,14 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
 	return 0
    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 0
+	return 6
    fi
 }
@@ -96,12 +98,10 @@ shorewall_start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x $STATEDIR/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
 	  fi
      fi
      fi
  done
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
@@ -117,16 +117,16 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
 	  if [ -x ${STATEDIR}/firewall ]; then
 	  ${STATEDIR}/firewall ${OPTIONS} clear
      fi
      fi
  done
  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
      else
 	  rm -f "${SAVE_IPSETS}.tmp"
      fi
  fi
 }
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -181,6 +181,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
 		    alt|basealt|altlinux)
 			BUILD=alt
 			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -191,6 +194,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
 	    elif [ -f /etc/altlinux-release ]; then
 		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/SuSE-release ]; then
@@ -253,6 +258,9 @@ case "$HOST" in
    openwrt)
 	echo "Installing Openwrt-specific configuration..."
 	;;
    alt)
 	echo "Installing ALT-specific configuration...";
 	;;
    linux)
 	fatal_error "Shorewall-init is not supported on this system"
 	;;
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -1,5 +1,5 @@
 #!/bin/bash
-#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #	(c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
@@ -33,12 +33,12 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
        return 0
    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
 }
@@ -67,7 +67,6 @@ shorewall_start () {
    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
 	    #
 	    # Run in a sub-shell to avoid name collisions
 	    #
@@ -77,7 +76,6 @@ shorewall_start () {
 		fi
 	    )
 	fi
 	fi
    done
    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
@@ -95,16 +93,16 @@ shorewall_stop () {
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    if [ -x ${STATEDIR}/firewall ]; then
 	    ${STATEDIR}/firewall ${OPTIONS} clear
 	fi
 	fi
    done
    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
 	else
 	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
    fi
--- a/Shorewall-lite/init.alt.sh
+++ b/Shorewall-lite/init.alt.sh
@@ -0,0 +1,117 @@
 #!/bin/sh
 #
 # Shorewall-Lite init script
 #
 # chkconfig: - 28 90
 # description: Packet filtering firewall
 #
 ### BEGIN INIT INFO
 # Provides: shorewall-lite
 # Required-Start: $local_fs $remote_fs $syslog $network
 # Should-Start: $time $named
 # Required-Stop:
 # Default-Start: 3 4 5
 # Default-Stop:  0 1 2 6
 # Short-Description: Packet filtering firewall
 # Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
 #              Netfilter (iptables) based firewall
 ### END INIT INFO
 # Do not load RH compatibility interface.
 WITHOUT_RC_COMPAT=1
 # Source function library.
 . /etc/init.d/functions
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 NAME="Shorewall-Lite firewall"
 PROG="shorewall"
 SHOREWALL="$SBINDIR/$PROG -l"
 LOGGER="logger -i -t $PROG"
 # Get startup options (override default)
 OPTIONS=
 SourceIfNotEmpty $SYSCONFDIR/${PROG}-lite
 LOCKFILE="/var/lock/subsys/${PROG}-lite"
 RETVAL=0
 start() {
 	action $"Applying $NAME rules:" "$SHOREWALL" "$OPTIONS" start "$STARTOPTIONS" 2>&1 | "$LOGGER"
 	RETVAL=$?
 	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
 	return $RETVAL
 }
 stop() {
 	action $"Stoping $NAME :" "$SHOREWALL" "$OPTIONS" stop "$STOPOPTIONS" 2>&1 | "$LOGGER"
 	RETVAL=$?
 	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
 	return $RETVAL
 }
 restart() {
 	action $"Restarting $NAME rules: " "$SHOREWALL" "$OPTIONS" restart "$RESTARTOPTIONS" 2>&1 | "$LOGGER"
 	RETVAL=$?
 	return $RETVAL
 }
 reload() {
 	action $"Reloadinging $NAME rules: " "$SHOREWALL" "$OPTIONS" reload "$RELOADOPTIONS" 2>&1 | "$LOGGER"
 	RETVAL=$?
 	return $RETVAL
 }
 clear() {
 	action $"Clearing $NAME rules: " "$SHOREWALL" "$OPTIONS" clear 2>&1 | "$LOGGER"
 	RETVAL=$?
 	return $RETVAL
 }
 # See how we were called.
 case "$1" in
 	start)
 	    start
 	    ;;
 	stop)
 	    stop
 	    ;;
 	restart)
 	    restart
 	    ;;
 	reload)
 	    reload
 	    ;;
 	clear)
 	    clear
 	    ;;
 	condrestart)
 	    if [ -e "$LOCKFILE" ]; then
 		restart
 	    fi
 	    ;;
 	condreload)
 	    if [ -e "$LOCKFILE" ]; then
 		restart
 	    fi
 	    ;;
 	condstop)
 	    if [ -e "$LOCKFILE" ]; then
 		stop
 	    fi
 	    ;;
 	status)
 	    "$SHOREWALL" status
 	     RETVAL=$?
 	    ;;
 	*)
 	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|clear|condrestart|condstop|status}"
 	    RETVAL=1
 esac
 exit $RETVAL
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2015 - Matt Darfeuille - (matdarf@gmail.com)
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-lite/init.suse.sh
+++ b/Shorewall-lite/init.suse.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -190,6 +190,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
 		    alt|basealt|altlinux)
 			BUILD=alt
 			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -198,6 +201,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
 	    elif [ -f /etc/altlinux-release ]; then
 		BUILD=alt
 	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f ${CONFDIR}/SuSE-release ]; then
@@ -266,6 +271,9 @@ case "$HOST" in
    openwrt)
 	echo "Installing OpenWRT-specific configuration..."
 	;;
    alt)
 	echo "Installing ALT-specific configuration...";
 	;;
    linux)
 	;;
    *)
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -1,5 +1,5 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall-lite/lib.base
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,7 +38,6 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
 #        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall/Actions/action.A_AllowICMPs.deprecated
+++ b/Shorewall/Actions/action.A_AllowICMPs.deprecated
@@ -1,9 +0,0 @@
 #
 # Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
 #
 # This action A_ACCEPTs needed ICMP types
 #
 ###############################################################################
 #ACTION		SOURCE		DEST	PROTO		DPORT
 AllowICMPs(A_ACCEPT)
--- a/Shorewall/Actions/action.A_Drop.deprecated
+++ b/Shorewall/Actions/action.A_Drop.deprecated
@@ -1,57 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.A_Drop
 #
 # The audited default DROP common rules
 #
 # This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ?require AUDIT_TARGET
 ?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
 COUNT
 #
 # Special Handling for Auth
 #
 Auth(A_DROP)
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before broadcast Drop.
 #
 A_AllowICMPs	-	-	icmp
 #
 # Don't log broadcasts and multicasts
 #
 dropBcast(audit)
 dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
 dropInvalid(audit)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(A_DROP)
 A_DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 dropNotSyn(audit)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 A_DropDNSrep
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
@@ -1,11 +1,11 @@
 #
-# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
+# Shorewall -- /usr/share/shorewall/action.A_REJECT
 #
 # A_REJECT Action.
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ b/Shorewall/Actions/action.A_Reject.deprecated
@@ -1,54 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.A_Reject
 #
 # The audited default REJECT action common rules
 #
 # This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ?require AUDIT_TARGET
 ?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
 COUNT
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before broadcast Drop.
 #
 A_AllowICMPs	-	-	icmp
 #
 # Drop Broadcasts and multicasts so they don't clutter up the log
 # (these must *not* be rejected).
 #
 dropBcast(audit)
 dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
 dropInvalid(audit)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(A_REJECT)
 A_DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 dropNotSyn(audit)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 A_DropDNSrep
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -13,7 +13,6 @@ DEFAULTS ACCEPT
    @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
 ?else
 ?COMMENT Needed ICMP types (RFC4890)
    @1	-		-	ipv6-icmp	destination-unreachable
    @1	-		-	ipv6-icmp	packet-too-big
    @1	-		-	ipv6-icmp	time-exceeded
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.DNSAmp
+++ b/Shorewall/Actions/action.DNSAmp
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.Drop.deprecated
+++ b/Shorewall/Actions/action.Drop.deprecated
@@ -1,84 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Drop
 #
 # The former default DROP common rules. Use of this action is now deprecated
 #
 # This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # The action accepts six optional parameters:
 #
 # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #     actions.
 # 2 - Action to take with Auth requests. Default is to do nothing special
 #     with them.
 # 3 - Action to take with SMB requests. Default is DROP or A_DROP,
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
 # 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
 ?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
 ?if passed(@1)
    ?if @1 eq 'audit'
 DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
    ?else
        ?error The first parameter to Drop must be 'audit' or '-'
    ?endif
 ?else
 DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
 ?endif
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
 COUNT
 #
 # Special Handling for Auth
 #
 ?if passed(@2)
 Auth(@2)
 ?endif
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before silent broadcast Drop.
 #
 AllowICMPs(@4)	-	-	icmp
 #
 # Don't log broadcasts or multicasts
 #
 Broadcast(DROP,@1)
 Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
 Invalid(DROP,@1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
 DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 DropDNSrep(@5)
--- a/Shorewall/Actions/action.Established
+++ b/Shorewall/Actions/action.Established
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.FIN
+++ b/Shorewall/Actions/action.FIN
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -30,4 +30,4 @@
 DEFAULTS ACCEPT,-
-@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH
+@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN ACK,FIN
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -107,6 +107,11 @@ if ( $command & $REAP_OPT ) {
 $duration .= '--rttl ' if $command & $TTL_OPT;
 if ( ( $targets{$action} || 0 ) & NATRULE ) {
    perl_action_helper( "${action}-", "-m recent --rcheck ${duration}--hitcount $hitcount" );
    $action = 'ACCEPT';
 }
 if ( $command & $RESET_CMD ) {
    require_capability 'MARK_ANYWHERE', '"reset"', 's';
@@ -130,7 +135,7 @@ if ( $command & $RESET_CMD ) {
    #
    # if the event is armed, remove it and perform the action
    #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdst" );
 } elsif ( $command & $UPDATE_CMD ) {
    perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {
--- a/Shorewall/Actions/action.Invalid
+++ b/Shorewall/Actions/action.Invalid
@@ -4,7 +4,7 @@
 # Invalid Action
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.New
+++ b/Shorewall/Actions/action.New
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.NotSyn
+++ b/Shorewall/Actions/action.NotSyn
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.RST
+++ b/Shorewall/Actions/action.RST
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.Reject.deprecated
+++ b/Shorewall/Actions/action.Reject.deprecated
@@ -1,85 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Reject
 #
 # The former default REJECT action common rules. Use of this action is deprecated.
 #
 # This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # The action accepts six optional parameters:
 #
 # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #     actions.
 # 2 - Action to take with Auth requests. Default is to do nothing
 #     special with them.
 # 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
 # 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
 ?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
 ?if passed(@1)
    ?if @1 eq 'audit'
 DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
    ?else
 	?error The first parameter to Reject must be 'audit' or '-'
    ?endif
 ?else
 DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
 ?endif
 #ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
 COUNT
 #
 # Special handling for Auth
 #
 ?if passed(@2)
 Auth(@2)
 ?endif
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before silent broadcast Drop.
 #
 AllowICMPs(@4)	-	-	icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
 Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
 Invalid(DROP,@1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
 DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 DropDNSrep(@5)
--- a/Shorewall/Actions/action.Related
+++ b/Shorewall/Actions/action.Related
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
@@ -41,6 +41,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 if ( ( $targets{$action} || 0 ) & NATRULE ) {
    perl_action_helper( "${action}-", "" );
    $action = 'ACCEPT';
 }
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
 } else {
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
@@ -37,6 +37,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 if ( ( $targets{$action} || 0 ) & NATRULE ) {
    perl_action_helper( "${action}-", "" );
    $action = 'ACCEPT';
 }
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {
--- a/Shorewall/Actions/action.TCPFlags
+++ b/Shorewall/Actions/action.TCPFlags
@@ -26,4 +26,4 @@ $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
-$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
+$tcpflags_action	-	-	;;+ -p 6 --syn --sport 0
--- a/Shorewall/Actions/action.Untracked
+++ b/Shorewall/Actions/action.Untracked
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.allowInvalid
+++ b/Shorewall/Actions/action.allowInvalid
@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.dropInvalid
+++ b/Shorewall/Actions/action.dropInvalid
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Contrib/swping
+++ b/Shorewall/Contrib/swping
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V5.2
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #
--- a/Shorewall/Contrib/swping.init
+++ b/Shorewall/Contrib/swping.init
@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Macros/IPFS-swarm
+++ b/Shorewall/Macros/IPFS-swarm
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
 #
 # This macro handles IPFS data traffic (the connection to IPFS swarm).
 #
 ###############################################################################
 #ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
 PARAM   -       -       tcp     4001
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ b/Shorewall/Macros/macro.SNMPTrap.deprecated
@@ -1,9 +1,9 @@
 #
-# Shorewall - /usr/share/shorewall/macro.SNMPtrap
+# Shorewall -- /usr/share/shorewall/macro.Apcupsd
 #
-# This macro deprecated by SNMPtrap.
+# This macro handles apcupsd traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-SNMPtrap
+PARAM	-	-	tcp	3551
--- a/Shorewall/Macros/macro.FreeIPA
+++ b/Shorewall/Macros/macro.FreeIPA
@@ -0,0 +1,16 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.FreeIPA
 #
 # This macro handles FreeIPA server traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 DNS
 HTTP
 HTTPS
 Kerberos
 Kpasswd
 LDAP
 LDAPS
 NTP
--- a/Shorewall/Macros/macro.IPFS-API
+++ b/Shorewall/Macros/macro.IPFS-API
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.IPFS-API
 #
 # This macro handles IPFS API port (commands for the IPFS daemon).
 #
 ###############################################################################
 #ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
 PARAM   -       -       tcp     5001
--- a/Shorewall/Macros/macro.IPFS-gateway
+++ b/Shorewall/Macros/macro.IPFS-gateway
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.IPFS-gateway
 #
 # This macro handles the IPFS gateway to HTTP.
 #
 ###############################################################################
 #ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
 PARAM   -       -       tcp     8080
--- a/Shorewall/Macros/macro.IPFS-swarm
+++ b/Shorewall/Macros/macro.IPFS-swarm
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
 #
 # This macro handles IPFS data traffic (the connection to IPFS swarm).
 #
 ###############################################################################
 #ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
 PARAM   -       -       tcp     4001
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -11,13 +11,20 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	623		# RMCP
 PARAM	-	-	udp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
-PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
+PARAM	-	-	tcp	5120,5122,5123	# CD,FD,HD (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
-PARAM	-	-	udp	623		# RMCP
+PARAM	-	-	tcp	8889		# WS-MAN
 HTTP
 HTTPS
 SNMP
 SSH						# Serial over Lan
 Telnet
 SNMP
 # TLS/secure ports
 PARAM	-	-	tcp	3520		# Remote Console (Redfish)
 PARAM	-	-	tcp	3669		# Virtual Media (Dell)
 PARAM	-	-	tcp	5124,5126,5127	# CD,FD,HD (AMI)
 PARAM	-	-	tcp	7582		# Remote Console (AMI)
 HTTPS
 SSH						# Serial over Lan
--- a/Shorewall/Macros/macro.Kpasswd
+++ b/Shorewall/Macros/macro.Kpasswd
@@ -0,0 +1,10 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.Kpasswd
 #
 # This macro handles Kerberos "passwd" traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	464
 PARAM	-	-	udp	464
--- a/Shorewall/Macros/macro.RDP
+++ b/Shorewall/Macros/macro.RDP
@@ -6,4 +6,5 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	udp	3389
 PARAM	-	-	tcp	3389
--- a/Shorewall/Macros/macro.RedisSecure
+++ b/Shorewall/Macros/macro.RedisSecure
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.RedisSecure
 #
 # This macro handles Redis Secure (SSL/TLS) traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	6380
--- a/Shorewall/Macros/macro.Rwhois
+++ b/Shorewall/Macros/macro.Rwhois
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.Rwhois
 #
 # This macro handles Remote Who Is (rwhois) traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	4321
--- a/Shorewall/Macros/macro.SSDP
+++ b/Shorewall/Macros/macro.SSDP
@@ -0,0 +1,9 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.SSDP
 #
 # This macro handles SSDP (used by DLNA/UPnP) client traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	udp	1900
--- a/Shorewall/Macros/macro.SSDPserver
+++ b/Shorewall/Macros/macro.SSDPserver
@@ -0,0 +1,10 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.SSDPserver
 #
 # This macro handles SSDP (used by DLNA/UPnP) server bidirectional traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	udp	1900
 PARAM	DEST	SOURCE	udp	-	1900
--- a/Shorewall/Makefile-lite
+++ b/Shorewall/Makefile-lite
@@ -1,82 +0,0 @@
 #     Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2006 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 ################################################################################
 # Place this file in each export directory. Modify each copy to set HOST
 # to the name of the remote firewall corresponding to the directory.
 #
 #	To make the 'firewall' script, type "make".
 #
 #	Once the script is compiling correctly, you can install it by
 #	typing "make install".
 #
 ################################################################################
 #                             V A R I A B L E S
 #
 # Files in the export directory on which the firewall script does not depend
 #
 IGNOREFILES =  firewall% Makefile% trace% %~
 #
 # Remote Firewall system
 #
 HOST = gateway
 #
 # Save some typing
 #
 LITEDIR = /var/lib/shorewall-lite
 #
 # Set this if the remote system has a non-standard modules directory
 #
 MODULESDIR=
 #
 # Default target is the firewall script
 #
 ################################################################################
 #                                T A R G E T S
 #
 all: firewall
 #
 # Only generate the capabilities file if it doesn't already exist
 #
 capabilities:
 	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
 	scp root@$(HOST):$(LITEDIR)/capabilities .
 #
 # Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
 # 'filter-out' will be presented with the list of files in this directory rather than "*"
 #
 firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
 	shorewall compile -e . firewall
 #
 # Only reload on demand.
 #
 install: firewall
 	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
 	ssh root@$(HOST) "/sbin/shorewall-lite restart"
 #
 # Save running configuration
 #
 save:
 	ssh root@$(HOST) "/sbin/shorewall-lite save"
 #
 # Remove generated files
 #
 clean:
 	rm -f capabilities firewall firewall.conf reload
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/ARP.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -195,7 +195,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';
-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;
+    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT_SECTION;
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
    my $prerule = '';
@@ -266,7 +266,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    if ( $source eq 'any' || $source eq 'all' ) {
        $source = ALLIP;
    } else {
-	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
+	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT_SECTION || ! $asection );
    }
    if ( have_bridges && ! $asection ) {
@@ -282,7 +282,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_rules_chain ( 'accountout' ) ,
+			    ensure_chain ( $config{ACCOUNTING_TABLE}, 'accountout' ) ,
 			    OUTPUT_RESTRICT ,
 			    $prerule ,
 			    $rule ,
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.0
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -59,7 +59,7 @@ our $have_arptables;
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
    Shorewall::Chains::initialize ($family, 1, $export );
    Shorewall::Zones::initialize ($family, $_[0]);
    Shorewall::Nat::initialize($family);
@@ -103,13 +103,13 @@ sub generate_script_1( $ ) {
    copy2( $lib, $debug ) if -f $lib;
-    emit <<'EOF';
+    emithd<<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear restored enabled disabled/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -125,7 +125,7 @@ EOF
 	emit '}';
    }
-    emit <<'EOF';
+    emithd <<'EOF';
 ################################################################################
 # End user exit functions
 ################################################################################
@@ -209,6 +209,8 @@ sub generate_script_2() {
    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
    emit ( qq([ -n "\${CONFDIR:=$shorewallrc1{CONFDIR}}" ]) );
    emit ( qq([ -n "\${SHAREDIR:=$shorewallrc1{SHAREDIR}}" ]) );
    emit 'TEMPFILE=';
@@ -266,13 +268,13 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( '' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
    }
    pop_indent;
-    emit "\n}\n"; # End of initialize()
+    emit "}\n"; # End of initialize()
    emit( '' ,
 	  '#' ,
@@ -309,10 +311,9 @@ sub generate_script_2() {
 	    push_indent;
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-
+		verify_required_interfaces(0);
 		set_global_variables(0, 0);
-
+		handle_optional_interfaces;
 		handle_optional_interfaces(0);
 	    }
 	    emit ';;';
@@ -324,19 +325,19 @@ sub generate_script_2() {
 	    push_indent;
 	}
 	verify_required_interfaces(1);
 	set_global_variables(1,1);
 	handle_optional_interfaces;
 	if ( $global_variables & NOT_RESTORE ) {
 	    handle_optional_interfaces(1);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
 	} else {
 	    handle_optional_interfaces(1);
 	}
    } else {
-	emit( 'true' ) unless handle_optional_interfaces(1);
+	verify_required_interfaces(1);
 	emit( 'true' ) unless handle_optional_interfaces;
    }
    pop_indent;
@@ -355,7 +356,7 @@ sub generate_script_2() {
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
 #          than those related to writing to the output script file.
 #
-sub generate_script_3($) {
+sub generate_script_3() {
    if ( $family == F_IPV4 ) {
 	progress_message2 "Creating iptables-restore input...";
@@ -365,7 +366,6 @@ sub generate_script_3($) {
    create_netfilter_load( $test );
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
    create_save_ipsets;
    create_load_ipsets;
@@ -397,16 +397,10 @@ sub generate_script_3($) {
 	emit 'load_kernel_modules Yes';
    }
-    emit '';
+    emit( '' ,
    emit ( 'if [ "$COMMAND" = refresh ]; then' ,
 	   '   run_refresh_exit' ,
 	   'else' ,
 	  'run_init_exit',
-	   'fi',
+	  '' ,
-	   '' );
+	  'load_ipsets' ,
    emit( 'load_ipsets' ,
 	  '' );
    create_nfobjects;
@@ -464,11 +458,6 @@ sub generate_script_3($) {
    dump_proxy_arp;
    emit_unindented '__EOF__';
    emit( '',
 	  'if [ "$COMMAND" != refresh ]; then' );
    push_indent;
    emit 'cat > ${VARDIR}/zones << __EOF__';
    dump_zone_contents;
    emit_unindented '__EOF__';
@@ -481,10 +470,6 @@ sub generate_script_3($) {
    dump_mark_layout;
    emit_unindented '__EOF__';
    pop_indent;
    emit "fi\n";
    emit '> ${VARDIR}/nat';
    add_addresses;
@@ -523,29 +508,12 @@ sub generate_script_3($) {
    my $config_dir = $globals{CONFIGDIR};
-    emit<<"EOF";
+    emithd <<"EOF";
    set_state Started $config_dir
    run_restored_exit
-elif [ \$COMMAND = refresh ]; then
+else
-    chainlist_reload
+    setup_netfilter
 EOF
    push_indent;
    setup_load_distribution;
    setup_forwarding( $family , 0 );
    pop_indent;
    #
    # Use a parameter list rather than 'here documents' to avoid an extra blank line
    #
    emit( '    run_refreshed_exit',
 	  '    do_iptables -N shorewall' );
    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
    emit( "    set_state Started $config_dir",
 	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
 	  'else',
 	  '    setup_netfilter'	);
    push_indent;
    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
@@ -570,7 +538,7 @@ EOF
 	  '    run_started_exit',
 	  "fi\n" );
-    emit<<'EOF';
+    emithd<<'EOF';
 date > ${VARDIR}/restarted
 case $COMMAND in
@@ -580,9 +548,6 @@ case $COMMAND in
    reload)
        mylogger kern.info "$g_product reloaded"
        ;;
    refresh)
        mylogger kern.info "$g_product refreshed"
        ;;
    restore)
        mylogger kern.info "$g_product restored"
        ;;
@@ -617,8 +582,8 @@ sub compile_info_command() {
 #
 sub compiler {
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 , $inline ) =
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
+       ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
    $export         = 0;
    $test           = 0;
@@ -647,7 +612,6 @@ sub compiler {
 		  timestamp     => { store => \$timestamp,     validate => \&validate_boolean   } ,
 		  debug         => { store => \$debug,         validate => \&validate_boolean   } ,
 		  export        => { store => \$export ,       validate => \&validate_boolean   } ,
 		  chains        => { store => \$chains },
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
@@ -655,7 +619,6 @@ sub compiler {
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
 		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -689,9 +652,10 @@ sub compiler {
    set_timestamp( $timestamp );
    set_debug( $debug , $confess );
    #
    #                                      S H O R E W A L L R C ,
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
-    get_configuration( $export , $update , $annotate , $inline );
+    get_configuration( $export , $update , $annotate );
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # now when shorewall.conf has been processed and the capabilities have been determined.
@@ -793,13 +757,10 @@ sub compiler {
 	emit '}'; # End of setup_common_rules()
    }
    disable_script;
    #
    #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
    enable_script;
    #
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
@@ -817,7 +778,7 @@ sub compiler {
    #
    # Setup Masquerade/SNAT
    #
-    setup_snat( $update );
+    setup_snat;
    #
    # Setup Nat
    #
@@ -898,7 +859,7 @@ sub compiler {
 	optimize_level0;
-	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
+	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -920,7 +881,7 @@ sub compiler {
 	#                          N E T F I L T E R   L O A D
 	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
-	generate_script_3( $chains );
+	generate_script_3();
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Config.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Config.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -30,17 +30,97 @@
 #   into those files (emitters) and finalizing those files (renaming
 #   them to their final name and setting their mode appropriately).
 #
 #   A significant portion of this module is dedicated to the preprocessor:
 #
 #	process_compiler_directive() - processes compiler directives
 #
 #	embedded_shell() - handles embedded shell scripting
 #
 #	embedded_perl() - handles embedded perl scripting
 #
 #	read_a_line() - Reads the next configuration file record to
 #			be passed to the function processing the file.
 #
 #	    - Detects compiler directives and passes then to
 #	      process_compiler_directive() for handling.
 #
 #	    - Handles line continuation
 #
 #	    - Invokes a callback when the first (concatinated) non-directive
 #	      record is read from a file.
 #
 #	    - Conditionally expands variables.
 #
 #	    - Conditionally detects embedded Shell and Perl and passes them
 #	      off to embedded_shell() and embedded_perl() respectively.
 #
 #	    - Conditionally detects and handles [?}INCLUDE directives.
 #
 #	    - Conditionally detects and handles ?SECTION directives.
 #	      File processing functions can supply a callback to be
 #	      called during this processing.
 #
 #   File processing routines may need to open a second (third, fourth, ...)
 #   file while processing the main file (macro and/or action files). Two
 #   functions are provided to make that possible:
 #
 #      push_open() - open a file while leaving the current file open.
 #
 #      pop_open() - close the current file, and make the previous
 #		    file (if any) the current one.
 #
 #   Because this module expands variables, it must be aware of action
 #   parameters.
 #
 #	push_action_params() - populates the %actparams hash and
 #			       returns a reference to the previous
 #			       contents of that hash. The caller is
 #			       expected to store those contents locally.
 #
 #	pop_action_params()  - Restores the %actparams hash from
 #			       the reference returned by
 #			       push_action_params().
 #
 #   The following routines are provided for INLINE PERL within
 #   action bodies:
 #
 #	default_action_params() - called to fill in omitted
 #				  arguments when a DEFAULTS
 #				  line is encountered.
 #
 #	get_action_params() - returns an array of arguments.
 #
 #	setup_audit_action() - helper for A_* actions.
 #
 #	get_action_logging() - returns log level and tag
 #			       from the action's invocation.
 #
 #	get_action_chain_name() - returns chain name.
 #
 #	set_action_name_to_caller() - replace chain name
 #				      with that of invoking
 #				      chain for logging purposes.
 #
 #	set_action_disposition() - set the current action
 #				   disposition for logging purposes.
 #
 #	get_action_disposition() - get the current action disposition.
 #
 #	set_action_param() - set the value of an argument.
 #
 package Shorewall::Config;
 use strict;
 use warnings;
 use File::Basename;
 use File::Temp qw/ tempfile tempdir /;
 use File::Glob ':globally';
 use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
 use Digest::SHA qw(sha1_hex);
 use Errno qw(:POSIX);
 our @ISA = qw(Exporter);
 #
@@ -109,6 +189,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 		                       in_hex8
 		                       in_hexp
 				       emit
 				       emithd
 				       emitstd
 				       emit_unindented
 				       save_progress_message
@@ -222,10 +303,10 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       DO_SECTION
 				       NORMAL_READ
 				       OPTIMIZE_MASK
 				       OPTIMIZE_POLICY_MASK
 				       OPTIMIZE_POLICY_MASK2n4
 				       OPTIMIZE_RULESET_MASK
 				       OPTIMIZE_USE_FIRST
 				       OPTIMIZE_ALL
 				     ) , ] ,
 		   protocols => [ qw (
@@ -315,7 +396,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -333,7 +414,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		                    'Old conntrack match syntax',
 		 NEW_CONNTRACK_MATCH =>
 		                    'Extended Connection Tracking Match',
 		 USEPKTTYPE      => 'Packet Type Match',
 		 POLICY_MATCH    => 'Policy Match',
 		 PHYSDEV_MATCH   => 'Physdev Match',
 		 PHYSDEV_BRIDGE  => 'Physdev-is-bridged support',
@@ -385,7 +465,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 TPROXY_TARGET   => 'TPROXY Target',
 		 FLOW_FILTER     => 'Flow Classifier',
 		 FWMARK_RT_MASK  => 'fwmark route mask',
-		 MARK_ANYWHERE   => 'Mark in the filter table',
+		 MARK_ANYWHERE   => 'Mark in the filter and nat tables',
 		 HEADER_MATCH    => 'Header Match',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
@@ -414,7 +494,12 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',
                 NETMAP_TARGET   => 'NETMAP Target',
                 NFLOG_SIZE      => '--nflog-size support',
-
+		 RESTORE_WAIT_OPTION
 				 => 'iptables-restore --wait option',
                 NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
 		 #
 		 # Helpers
 		 #
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -462,9 +547,8 @@ use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
 	       OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
 	       OPTIMIZE_RULESET_MASK   => 0x1C , # Call optimize_ruleset()
               OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
 	       OPTIMIZE_USE_FIRST      => 0x1000 # Always use interface 'first' chains -- undocumented
 	     };
 our %helpers = ( amanda          => UDP,
@@ -480,6 +564,8 @@ our %helpers = ( amanda          => UDP,
 		 tftp            => UDP,
    );
 use constant { INCLUDE_LIMIT     => 20 };
 our %helpers_map;
 our %helpers_names;
@@ -509,8 +595,6 @@ our %config_files = ( #accounting      => 1,
 		      policy	       => 1,
 		      providers	       => 1,
 		      proxyarp	       => 1,
 		      refresh	       => 1,
 		      refreshed	       => 1,
 		      restored	       => 1,
 		      rawnat	       => 1,
 		      route_rules      => 1,
@@ -585,7 +669,6 @@ our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
 our $checkinline;            # The -i option to check/compile/etc.
 our $directive_callback;     # Function to call in compiler_directive
 our $shorewall_dir;          # Shorewall Directory; if non-empty, search here first for files.
@@ -594,6 +677,7 @@ our $debug;                  # Global debugging flag
 our $confess;                # If true, use Carp to report errors with stack trace.
 our $family;                 # Protocol family (4 or 6)
 our $export;                 # True when compiling for export
 our $toolname;               # Name of the tool to use (iptables or iptables6)
 our $toolNAME;               # Tool name in CAPS
 our $product;                # Name of product that will run the generated script
@@ -627,13 +711,13 @@ our %validlevels;            # Valid log levels.
 # Deprecated options with their default values
 #
 our %deprecated = (
-		   LEGACY_RESTART => 'no'
+		   LEGACY_RESTART => 'no' ,
 		  );
 #
 # Deprecated options that are eliminated via update
 #
 our %converted = (
-		  LEGACY_RESTART => 1
+		    LEGACY_RESTART => 1 ,
 		 );
 #
 # Eliminated options
@@ -647,6 +731,9 @@ our %eliminated = ( LOGRATE          => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
                    MODULE_SUFFIX    => 1,
                    MAPOLDACTIONS    => 1,
 		    INLINE_MATCHES   => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -706,8 +793,8 @@ sub add_variables( \% );
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$$) {
+sub initialize( $;$$$) {
-    ( $family, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
+    ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
    if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -751,8 +838,8 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.5-RC1",
+		    VERSION                 => '5.2.0-Beta1',
-		    CAPVERSION              => 50105 ,
+		    CAPVERSION              => 50200 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -796,6 +883,7 @@ sub initialize( $;$$) {
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  LOG_LEVEL => undef,
 	  LOG_ZONE => undef,
 	  #
 	  # Location of Files
 	  #
@@ -847,7 +935,6 @@ sub initialize( $;$$) {
 	  BLACKLIST => undef,
 	  BLACKLISTNEWONLY => undef,
 	  DELAYBLACKLISTLOAD => undef,
 	  MODULE_SUFFIX => undef,
 	  DISABLE_IPV6 => undef,
 	  DYNAMIC_ZONES => undef,
 	  PKTTYPE=> undef,
@@ -855,7 +942,6 @@ sub initialize( $;$$) {
 	  MACLIST_TTL => undef,
 	  SAVE_IPSETS => undef,
 	  SAVE_ARPTABLES => undef,
 	  MAPOLDACTIONS => undef,
 	  FASTACCEPT => undef,
 	  IMPLICIT_CONTINUE => undef,
 	  IPSET_WARNINGS => undef,
@@ -898,7 +984,6 @@ sub initialize( $;$$) {
 	  USE_RT_NAMES => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
 	  BASIC_FILTERS => undef,
 	  WORKAROUNDS => undef ,
 	  LEGACY_RESTART => undef ,
@@ -912,6 +997,7 @@ sub initialize( $;$$) {
 	  BALANCE_PROVIDERS => undef ,
 	  PERL_HASH_SEED => undef ,
 	  USE_NFLOG_SIZE => undef ,
 	  RENAME_COMBINED => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -969,7 +1055,6 @@ sub initialize( $;$$) {
 	       CONNTRACK_MATCH => undef,
 	       NEW_CONNTRACK_MATCH => undef,
 	       OLD_CONNTRACK_MATCH => undef,
 	       USEPKTTYPE => undef,
 	       POLICY_MATCH => undef,
 	       PHYSDEV_MATCH => undef,
 	       PHYSDEV_BRIDGE => undef,
@@ -1007,7 +1092,7 @@ sub initialize( $;$$) {
 	       CONNLIMIT_MATCH => undef,
 	       TIME_MATCH => undef,
 	       GOTO_TARGET => undef,
-	       LOG_TARGET => 1,         # Assume that we have it.
+	       LOG_TARGET => undef,
 	       ULOG_TARGET => undef,
 	       NFLOG_TARGET => undef,
 	       LOGMARK_TARGET => undef,
@@ -1046,6 +1131,8 @@ sub initialize( $;$$) {
 	       CPU_FANOUT => undef,
 	       NETMAP_TARGET => undef,
 	       NFLOG_SIZE => undef,
 	       RESTORE_WAIT_OPTION => undef,
 	       NAT_INPUT_CHAIN => undef,
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1605,6 +1692,7 @@ sub emit {
 		$line =~ s/^\n// if $lastlineblank;
 		$line =~ s/^/$indent/gm if $indent;
 		$line =~ s/        /\t/gm;
 		$line =~ s/[ \t]+\n/\n/gm;
 		print $script "$line\n" if $script;
 		$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
@@ -1625,6 +1713,15 @@ sub emit {
    }
 }
 #
 # Used to emit a 'here documents' string without introducing an unwanted blank line at the end
 #
 sub emithd( $ ) {
    my ( $line ) = @_; #make writable
    chomp $line;
    emit $line;
 }
 #
 # Version of emit() that writes to standard out unconditionally
 #
@@ -1635,6 +1732,7 @@ sub emitstd {
 	    $line =~ s/^\n// if $lastlineblank;
 	    $line =~ s/^/$indent/gm if $indent;
 	    $line =~ s/        /\t/gm;
 	    $line =~ s/[ \t]+\n/\n/gm;
 	    print "$line\n";
 	    $lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
 	} else {
@@ -1990,6 +2088,7 @@ sub find_file($)
    for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
 	$!{ENOENT} || fatal_error "Unable to access $file: " . $!; 
    }
    "$config_path[0]$filename";
@@ -2296,8 +2395,6 @@ sub clear_comment();
 sub split_line2( $$;$$$ ) {
    my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;
    my $inlinematches = $config{INLINE_MATCHES};
    my ( $columns, $pairs, $rest );
    my $currline = $currentline;
@@ -2320,16 +2417,20 @@ sub split_line2( $$;$$$ ) {
 	    fatal_error "Only one set of double semicolons (';;') allowed on a line" if defined $rest;
 	    $currline = $columns;
 	    #
 	    # Remove trailing white space
 	    #
 	    $currline =~ s/\s*$//;
 	    $inline_matches = $pairs;
 	    #
 	    # Don't look for matches below
 	    #
-	    $inline = $inlinematches = '';
+	    $inline = '';
 	}
    }
    #
-    # Next, see if there is a semicolon on the line; what follows will be column/value pairs or raw iptables input
+    # Next, see if there is a single semicolon on the line; what follows will be column/value pairs
    #
    ( $columns, $pairs, $rest ) = split( ';', $currline );
@@ -2338,42 +2439,6 @@ sub split_line2( $$;$$$ ) {
 	# Found it -- be sure there wasn't more than one.
 	#
 	fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
 	if ( $inlinematches ) {
 	    fatal_error "The $description does not support inline matches (INLINE_MATCHES=Yes)" unless $inline;
 	    $inline_matches = $pairs;
 	    if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
 		#
 		# Pairs are enclosed in curly brackets.
 		#
 		$columns = $1;
 		$pairs   = $2;
 	    } else {
 		$pairs = '';
 	    }
 	} elsif ( $inline ) {
 	    #
 	    # This file supports INLINE or IPTABLES
 	    #
 	    if ( $currline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;
 		if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
 		    #
 		    # Pairs are enclosed in curly brackets.
 		    #
 		    $columns = $1;
 		    $pairs   = $2;
 		} else {
 		    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes" if $checkinline;
 		    $pairs = '';
 		}
 	    } 
 	} elsif ( $checkinline ) {
 	    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
 	}
    } elsif ( $currline =~ /^(\s*|.*[^&@%])\{(.*)\}$/ ) {
 	#
 	# Pairs are enclosed in curly brackets.
@@ -2464,6 +2529,10 @@ sub split_rawline2( $$;$$$ ) {
    # Delete trailing comment
    #
    $currentline =~ s/\s*#.*//;
    #
    # Convert ${...} to $...
    #
    $currentline =~ s/\$\{(.*?)\}/\$$1/g;
    my @result = &split_line2( @_ );
@@ -2572,7 +2641,7 @@ sub open_file( $;$$$$ ) {
 	$max_format       = supplied $mf ? $mf : 1;
 	$comments_allowed = supplied $ca ? $ca : 0;
 	$nocomment        = $nc;
-	do_open_file $fname;;
+	do_open_file $fname;
    } else {
 	$ifstack = @ifstack;
 	'';
@@ -3257,7 +3326,7 @@ sub copy1( $ ) {
 			my @line = split / /;
 			fatal_error "Invalid INCLUDE command"    if @line != 2;
-			fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+			fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
 			my $filename = find_file $line[1];
@@ -3467,7 +3536,7 @@ sub read_a_line($);
 sub embedded_shell( $ ) {
    my $multiline = shift;
-    fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+    fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
    my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber );
    $directive_callback->( 'SHELL', $currentline ) if $directive_callback;
@@ -3554,7 +3623,7 @@ sub embedded_perl( $ ) {
    $embedded--;
    if ( $perlscript ) {
-	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+	fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
 	assert( close $perlscript );
@@ -3908,7 +3977,7 @@ sub read_a_line($) {
 		my @line = split ' ', $currentline;
 		fatal_error "Invalid INCLUDE command"    if @line != 2;
-		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
+		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= INCLUDE_LIMIT;
 		my $filename = find_file $line[1];
@@ -4285,7 +4354,7 @@ sub which( $ ) {
 # Load the kernel modules defined in the 'modules' file.
 #
 sub load_kernel_modules( ) {
-    my $moduleloader = which( 'modprobe' ) || ( which 'insmod' );
+    my $moduleloader = which( 'modprobe' ) || which( 'insmod' );
    my $modulesdir = $config{MODULESDIR};
@@ -4318,25 +4387,20 @@ sub load_kernel_modules( ) {
 	close LSMOD;
-	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
+      MODULE:
 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
 	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
-		for my $directory ( @moduledirectories ) {
+		if ( $moduleloader =~ /modprobe$/ ) {
-		    for my $suffix ( @suffixes ) {
+		    system( "modprobe -q $module $arguments" );
 			my $modulefile = "$directory/$module.$suffix";
 			if ( -f $modulefile ) {
 			    if ( $moduleloader eq 'insmod' ) {
 				system ("insmod $modulefile $arguments" );
 			    } else {
 				system( "modprobe $module $arguments" );
 			    }
 		    $loadedmodules{ $module } = 1;
 		} else {
 		    for my $directory ( @moduledirectories ) {
 			for my $modulefile ( <$directory/$module.*> ) {
 			    system ("insmod $modulefile $arguments" );
 			    $loadedmodules{ $module } = 1;
 			    next MODULE;
 			}
 		    }
 		}
@@ -4367,6 +4431,12 @@ sub Nat_Enabled() {
    qt1( "$iptables $iptablesw -t nat -L -n" );
 }
 sub Nat_Input_Chain {
    have_capability( 'NAT_ENABLED' ) || return '';
    qt1( "$iptables $iptablesw -t nat -L INPUT -n" );
 }
 sub Persistent_Snat() {
    have_capability( 'NAT_ENABLED' ) || return '';
@@ -4690,10 +4760,6 @@ sub IPSET_V5() {
    $result;
 }
 sub Usepkttype() {
    qt1( "$iptables $iptablesw -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
 }
 sub Addrtype() {
    qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
 }
@@ -4948,6 +5014,10 @@ sub Cpu_Fanout() {
    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
 }
 sub Restore_Wait_Option() {
    length( `${iptables}-restore --wait < /dev/null 2>&1` ) == 0;
 }
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -5008,6 +5078,7 @@ our %detect_capability =
      MASQUERADE_TGT => \&Masquerade_Tgt,
      MULTIPORT => \&Multiport,
      NAT_ENABLED => \&Nat_Enabled,
      NAT_INPUT_CHAIN => \&Nat_Input_Chain,
      NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
      NETMAP_TARGET => \&Netmap_Target,
      NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
@@ -5028,6 +5099,7 @@ our %detect_capability =
      REALM_MATCH => \&Realm_Match,
      REAP_OPTION => \&Reap_Option,
      RECENT_MATCH => \&Recent_Match,
      RESTORE_WAIT_OPTION => \&Restore_Wait_Option,
      RPFILTER_MATCH => \&RPFilter_Match,
      SANE_HELPER => \&SANE_Helper,
      SANE0_HELPER => \&SANE0_Helper,
@@ -5043,7 +5115,6 @@ our %detect_capability =
      TIME_MATCH => \&Time_Match,
      TPROXY_TARGET => \&Tproxy_Target,
      UDPLITEREDIRECT => \&Udpliteredirect,
      USEPKTTYPE => \&Usepkttype,
      XCONNMARK_MATCH => \&Xconnmark_Match,
      XCONNMARK => \&Xconnmark,
      XMARK => \&Xmark,
@@ -5106,6 +5177,7 @@ sub determine_capabilities() {
 	#
 	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
 	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
 	$capabilities{NAT_INPUT_CHAIN} = detect_capability( 'NAT_INPUT_CHAIN' );
 	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
 	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
@@ -5153,7 +5225,6 @@ sub determine_capabilities() {
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
 	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
 	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
 	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
@@ -5195,6 +5266,8 @@ sub determine_capabilities() {
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
 	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
 	$capabilities{RESTORE_WAIT_OPTION}
 				       = detect_capability( 'RESTORE_WAIT_OPTION' );
 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5243,7 +5316,13 @@ sub ensure_config_path() {
 	fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH};
    }
-    @config_path = split /:/, $config{CONFIG_PATH};
+    my $path = $config{CONFIG_PATH};
    my $chop = ( $path =~ s/^:// );
    @config_path = split /:/, $path;
    shift @config_path if $chop && ( $export || $> != 0 );
    #
    # To accomodate Cygwin-based compilation, we have separate directories for files whose names
@@ -5384,6 +5463,32 @@ sub update_config_file( $ ) {
 	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
    }
    for ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT/ ) {
 	my $policy = $config{ $_ };
 	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
 	    if ( $family == F_IPV4 ) {
 		$policy =~ s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
 	    } else {
 		$policy =~ s/A_(?:Drop|Reject)/AllowICMPS(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
 	    }
 	} elsif ( $policy =~ /\b(?:Drop|Reject)\(\s*audit.*\)/ ) {
 	    if ( $family == F_IPV4 ) {
 		$policy =~ s/(?:Drop|Reject)\(\s*audit.*\)/Broadcast(A_DROP),Multicast(A_DROP)/;
 	    } else {
 		$policy =~ s/(?:Drop|Reject)\(\s*audit.*\)/AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
 	    }
 	} elsif ( $policy =~ /\b(?:Drop|Reject)\b/ ) {
 	    if ( $family == F_IPV4 ) {
 		$policy =~ s/(?:Drop|Reject)/Broadcast(DROP),Multicast(DROP)/;
 	    } else {
 		$policy =~ s/(?:Drop|Reject)/AllowICMPs,Broadcast(DROP),Multicast(DROP)/;
 	    }
 	}
 	$config{$_} = $policy;
    }
    my $fn;
    unless ( -d "$globals{SHAREDIR}/configfiles/" ) {
@@ -5423,7 +5528,13 @@ sub update_config_file( $ ) {
 			#
 			# OPTION='' - use default if 'Yes' or 'No'
 			#
-			$config{$var} = $val = $default if $default eq 'Yes' || $default eq 'No';
+			if ( $default eq 'Yes' || $default eq 'No' ) {
 			    $config{$var} = $val = $default;
 			} elsif ( $var eq 'CONFIG_PATH' ) {
 			    $val =~ s|^/etc/|\${CONFDIR}|;
 			    $val =~ s|:/etc/|:\${CONFDIR}/g|;
 			    $val =~ s|:/usr/share/|:\${SHAREDIR}|g;
 			}
 		    } else {
 			#
 			# Wasn't mentioned in old file - use default value
@@ -5431,7 +5542,6 @@ sub update_config_file( $ ) {
 			$config{$var} = $val = $default;
 		    }
 		}
 		if ( supplied $val ) {
 		    #
@@ -5912,9 +6022,12 @@ sub export_params() {
 }
 #
-# Walk the CONFIG_PATH converting FORMAT and COMMENT lines to compiler directives
+# Walk the CONFIG_PATH converting
 # - FORMAT and COMMENT lines to compiler directives
 # - single semicolons to double semicolons in lines beginning with 'INLINE', IPTABLES or IP6TABLES
 # - Rename macros/actions to their 5.2 counterparts
 #
-sub convert_to_directives() {
+sub convert_to_version_5_2() {
    my $sharedir = $shorewallrc{SHAREDIR};
    #
    # Make a copy of @config_path so that the for-loop below doesn't clobber that list
@@ -5925,7 +6038,7 @@ sub convert_to_directives() {
    my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|;
-    progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives...";
+    progress_message3 "Performing Shorewall 5.2 conversions...";
    for my $dir ( @path ) {
 	unless ( $dir =~ /$dirtest/ ) {
@@ -5936,40 +6049,129 @@ sub convert_to_directives() {
 		opendir( my $dirhandle, $dir ) || fatal_error "Cannot open directory $dir for reading:$!";
-		while ( my $file = readdir( $dirhandle ) ) {
+		while ( my $fname = readdir( $dirhandle ) ) {
-		    unless ( $file eq 'capabilities'       ||
+		    unless ( $fname eq 'capabilities'       ||
-			     $file eq 'params'             ||
+			     $fname eq 'params'             ||
-			     $file =~ /^shorewall6?.conf$/ ||
+			     $fname =~ /^shorewall6?.conf$/ ||
-			     $file =~ /\.bak$/ ) {
+			     $fname =~ /\.bak$/ ) {
-			$file = "$dir/$file";
+			#
 			# File we are interested in
 			#
 			my $fullname = "$dir/$fname";
-			if ( -f $file && -w _ ) {
+			if ( -f $fullname && -w _ ) {
 			    #
 			    # writeable regular file
 			    #
-			    my $result = system << "EOF";
+			    my $v5_2_update = ( $fname eq 'rules'          ||
-			    perl -pi.bak -e '/^\\s*FORMAT\\s+/ && s/FORMAT/?FORMAT/;
+						$fname =~ /^action\./      ||
-                                             /^\\s*SECTION\\s+/ && s/SECTION/?SECTION/;
+						$fname =~ /^macro\./       ||
-                                             if ( /^\\s*COMMENT\\s+/ ) {
+						$fname eq 'snat'           ||
 						$fname eq 'mangle'         ||
 						$fname eq 'conntrack'      ||
 						$fname eq 'accounting'     ||
 						$fname eq 'masq'           ||
 						$fname eq 'policy' );
 			    my $is_policy   = ( $fname eq 'policy' );
 			    my @file;
 			    my ( $ifile, $ofile );
 			    my $omitting = 0;
 			    my $changed;
 			    open $ifile, '<', "$fullname" or fatal_error "Unable to open $fullname: $!";
 			    while ( <$ifile> ) {
 				if ( $omitting ) {
 				    $omitting = 0, next if /\s*\??end\s+(?:perl|shell)/i;
 				} else {
 				    $omitting = 1, next if /\s*\??begin\s+(?:perl|shell)/i;
 				}
 				unless ( $omitting || /^\s*[#?]/ ) {
 				    if ( /^\s*FORMAT\s+/ ) {
 					s/FORMAT/?FORMAT/;
 					$changed = 1;
 				    }
 				    if ( /^\s*SECTION\s+/ ) {
 					s/SECTION/?SECTION/;
 					$changed = 1;
 				    }
 				    if ( /^\s*COMMENT\s+/ ) {
 					s/COMMENT/?COMMENT/;
 					$changed = 1;
 				    } elsif ( /^\\s*COMMENT\\s*\$/ ) {
 					s/COMMENT/?COMMENT/;
-                                             }' $file
+				    }
-EOF
+
-			    if ( $result == 0 ) {
+				    if ( $v5_2_update ) {
-				if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) {
+					if ( /\bA_AllowICMPs\b/ ) {
-				    progress_message3 "   File $file updated - old file renamed ${file}.bak";
+					    s/A_AllowICMPs/AllowICMPs(A_ACCEPT)/;
-				} elsif ( rename "${file}.bak" , $file ) {
+					    $changed = 1;
-				    progress_message "   File $file not updated -- no bare 'COMMENT', 'SECTION' or 'FORMAT' lines found";
+					}
-				    progress_message "   File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found";
+
 					if ( $is_policy ) {
 					    if ( /\bA_(?:Drop|Reject)\b/ ) {
 						if ( $family == F_IPV4 ) {
 						    s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
 						} else {
-				    warning message "Unable to rename ${file}.bak to $file:$!";
+						    s/A_(?:Drop|Reject)/AllowICMPS(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
 						}
 						$changed = 1;
 					    } elsif ( /\b(?:Drop|Reject)\(\s*audit.*\)/ ) {
 						if ( $family == F_IPV4 ) {
 						    s/(?:Drop|Reject)\(\s*audit.*\)/Broadcast(A_DROP),Multicast(A_DROP)/;
 						} else {
 						    s/(?:Drop|Reject)\(\s*audit.*\)/AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
 						}
 						$changed = 1;
 					    } elsif ( /\b(?:Drop|Reject)\b/ ) {
 						if ( $family == F_IPV4 ) {
 						    s/(?:Drop|Reject)/Broadcast(DROP),Multicast(DROP)/;
 						} else {
 						    s/(?:Drop|Reject)/AllowICMPs,Broadcast(DROP),Multicast(DROP)/;
 						}
 						$changed = 1;
 					    }
 					} else {
-				warning_message ("Unable to update file $file" );
+					    unless ( /;;/ ) {
 						if ( /^\s*(?:INLINE|IP6?TABLES)/ ) {
 						    s/;/;;/;
 						    $changed = 1;
 						} elsif ( /^[^#]*;\s*-[mgj]/ ) {
 						    s/;/;;/;
 						    $changed = 1;
 						}
 					    }
 					    if ( /\bSMTPTrap\b/ ) {
 						s/SMTPTrap/SMTPtrap/;
 						$changed = 1;
 					    }
 					}
 				    }
 				}
 				push @file, $_;
 			    }
 			    close $ifile;
 			    if ( $changed ) {
 				fatal_error "Can't rename $fullname to $fullname.bak" unless rename $fullname, "$fullname.bak";
 				open $ofile, '>', "$fullname" or fatal_error "Unable to open $fullname: $!";
 				print $ofile $_ for @file;
 				close $ofile;
 				progress_message3 "   File $fullname updated - old file renamed ${fullname}.bak";
 			    } else {
 				progress_message "   File $file not updated -- no update required";
 			    }
 			} else {
-			    warning_message( "$file skipped (not writeable)" ) unless -d _;
+			    warning_message( "$fullname skipped (not writeable)" ) unless -d _;
 			}
 		    }
 		}
@@ -5986,9 +6188,9 @@ EOF
 # - Read the capabilities file, if any
 # - establish global hashes %params, %config , %globals and %capabilities
 #
-sub get_configuration( $$$$ ) {
+sub get_configuration( $$$ ) {
-    ( my ( $export, $update, $annotate ) , $checkinline ) = @_;
+    my ( $export, $update, $annotate ) = @_;
    $globals{EXPORT} = $export;
@@ -6061,7 +6263,6 @@ sub get_configuration( $$$$ ) {
    #
    # get_capabilities requires that the true settings of these options be established
    #
    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
    if ( ! $export && $> == 0 ) {
@@ -6247,7 +6448,7 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_VERBOSITY} = -1;
    }
-    default_yes_no 'ADD_IP_ALIASES'             , 'Yes';
+    default_yes_no 'ADD_IP_ALIASES'             , $family == F_IPV4 ? 'Yes' : '';
    default_yes_no 'ADD_SNAT_ALIASES'           , '';
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
@@ -6291,7 +6492,6 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
    default_yes_no 'MAPOLDACTIONS'              , 'Yes';
    warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD};
@@ -6347,6 +6547,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'AUTOCOMMENT'                , 'Yes';
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
    default_yes_no 'RENAME_COMBINED'            , 'Yes';
    if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6366,7 +6567,6 @@ sub get_configuration( $$$$ ) {
 	$origin{$_} ||= '';
    }
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
    default_yes_no 'WORKAROUNDS'                , 'Yes';
    default_yes_no 'DOCKER'                     , '';
@@ -6399,11 +6599,14 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'MANGLE_ENABLED'             , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
    default_yes_no 'USE_DEFAULT_RT'             , '';
    default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
-    default_yes_no 'AUTOMAKE'                   , '';
+    default_yes_no 'TRACK_PROVIDERS'            , 'Yes';
    default_yes_no 'TRACK_PROVIDERS'            , '';
    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
    default_yes_no 'USE_NFLOG_SIZE'             , '';
    if ( ( $val = ( $config{AUTOMAKE} || '' ) ) !~ /^[Rr]ecursive$/ ) {
 	default_yes_no( 'AUTOMAKE' , '' ) unless $val && $val =~ /^\d{1,2}$/;
    }
    if ( $config{USE_NFLOG_SIZE} ) {
 	if ( have_capability( 'NFLOG_SIZE' ) ) {
 	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
@@ -6600,6 +6803,13 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_BACKEND} = $val;
    }
    if ( supplied( $val = $config{LOG_ZONE} ) ) {
 	fatal_error "Invalid LOG_ZONE setting ($val)" unless $val =~ /^(src|dst|both)$/i;
 	$config{LOG_ZONE} = lc( $val );
    } else {
 	$config{LOG_ZONE} = 'both';
    }
    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
    default_log_level 'SMURF_LOG_LEVEL',     '';
@@ -6776,7 +6986,7 @@ sub get_configuration( $$$$ ) {
    } else {
 	$val = numeric_value $config{OPTIMIZE};
-	fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ~OPTIMIZE_USE_FIRST ) <= OPTIMIZE_ALL;
+	fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && $val <= OPTIMIZE_ALL;
    }
    require_capability 'XMULTIPORT', 'OPTIMIZE level 16', 's' if $val & 16;
@@ -6833,13 +7043,19 @@ sub get_configuration( $$$$ ) {
 	}
    }
    if ( supplied( $val = $config{MUTEX_TIMEOUT} ) ) {
 	fatal_error "Invalid value ($val) for MUTEX_TIMEOUT" unless $val && $val =~ /^\d+$/;
    } else {
 	$config{MUTEX_TIMEOUT} = 60;
    }
    add_variables %config;
    while ( my ($var, $val ) = each %renamed ) {
 	$variables{$var} = $config{$val};
    }
-    convert_to_directives if $update;
+    convert_to_version_5_2 if $update;
    cleanup_iptables if $sillyname && ! $config{LOAD_HELPERS_ONLY};
 }
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -60,6 +60,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  decompose_net
 		  decompose_net_u32
 		  compare_nets
 		  loopback_address
 		  validate_host
 		  validate_range
 		  ip_range_explicit
@@ -98,12 +99,14 @@ our $resolve_dnsname;
 our $validate_range;
 our $validate_host;
 our $family;
 our $loopback_address;
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       NILIPv4             => '0.0.0.0' ,
 	       NILIPv6             => '::' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
 	       IPv4_LOOPBACK       => '127.0.0.1' ,
 	       IPv6_MULTICAST      => 'ff00::/8' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
 	       IPv6_SITELOCAL      => 'feC0::/10' ,
@@ -370,6 +373,10 @@ sub rfc1918_networks() {
    @rfc1918_networks
 }
 sub loopback_address() {
    $loopback_address;
 }
 #
 # Protocol/port validation
 #
@@ -755,6 +762,7 @@ sub initialize( $ ) {
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
 	$vlsm_width       = VLSMv4;
 	$loopback_address = IPv4_LOOPBACK;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -767,6 +775,7 @@ sub initialize( $ ) {
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
 	$vlsm_width       = VLSMv6;
 	$loopback_address = IPv6_LOOPBACK;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -667,6 +667,7 @@ sub create_docker_rules() {
    my $chainref = $filter_table->{FORWARD};
    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
    if ( my $dockerref = known_interface('docker0') ) {
@@ -717,7 +718,7 @@ sub add_common_rules ( $ ) {
    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
-	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
+	fatal_error( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
    } else {
 	if ( have_capability( 'ADDRTYPE' ) ) {
 	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
@@ -809,7 +810,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -2447,7 +2448,7 @@ sub setup_mss( ) {
    my $clampmss = $config{CLAMPMSS};
    my $option;
    my @match;
-    my $chainref = $filter_table->{FORWARD};
+    my $chainref = $mangle_table->{FORWARD};
    if ( $clampmss ) {
 	if ( "\L$clampmss" eq 'yes' ) {
@@ -2553,9 +2554,6 @@ EOF
 	        reload)
 	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
 	        refresh)
 	            mylogger kern.err "ERROR:$g_product refresh failed"
 	            ;;
                enable)
                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
@@ -2645,7 +2643,6 @@ EOF
        rm -f ${VARDIR}/proxyarp
    fi
 EOF
    } else {
 	emit <<'EOF';
@@ -2659,7 +2656,6 @@ EOF
        rm -f ${VARDIR}/proxyndp
    fi
 EOF
    }
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -37,7 +37,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();
 Exporter::export_ok_tags('rules');
@@ -587,11 +587,11 @@ EOF
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
    my $have_masq_rules;
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );
 	my $have_masq_rules;
 	directive_callback(
 	    sub ()
 	    {
@@ -647,6 +647,8 @@ sub convert_masq() {
 	close $snat, directive_callback( 0 );
    }
    $have_masq_rules;
 }
 #
@@ -941,7 +943,17 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-	    my @servers = validate_address $server, 1;
+
 	    my @servers;
 	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
 		$server = record_runtime_address( $1, $2 );
 		$server =~ s/ $//;
 		@servers = ( $server );
 	    } else {
 		@servers = validate_address $server, 1;
 	    }
 	    $server = join ',', @servers;
 	}
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -60,7 +60,7 @@ our @routemarked_providers;
 our %routemarked_interfaces;
 our @routemarked_interfaces;
 our %provider_interfaces;
-our @load_interfaces;
+our @load_providers;
 our $balancing;
 our $fallback;
@@ -99,7 +99,7 @@ sub initialize( $ ) {
    %routemarked_interfaces = ();
    @routemarked_interfaces = ();
    %provider_interfaces    = ();
-    @load_interfaces        = ();
+    @load_providers         = ();
    $balancing              = 0;
    $balanced_providers     = 0;
    $fallback_providers     = 0;
@@ -161,6 +161,15 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref,  $origin, i => $physical,     mark => "--mark 0/$mask";
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark  $mark/$mask";
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
 		if ( have_ipsec ) {
 		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
 			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
 			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    }
 		}
 		$marked_interfaces{$interface} = 1;
 	    }
@@ -176,16 +185,16 @@ sub setup_route_marking() {
 	add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
    }
-    if ( @load_interfaces ) {
+    if ( @load_providers ) {
 	my $chainref1 = new_chain 'mangle', 'balance';
 	my @match;
 	add_ijump $chainref,               g => $chainref1, mark => "--mark 0/$mask";
 	add_ijump $mangle_table->{OUTPUT}, j => $chainref1, state_imatch( 'NEW,RELATED' ), mark => "--mark 0/$mask";
-	for my $physical ( @load_interfaces ) {
+	for my $provider ( @load_providers ) {
-	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
+	    my $chainref2 = new_chain( 'mangle', load_chain( $provider ) );
 	    set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
@@ -329,22 +338,22 @@ sub balance_default_route( $$$$ ) {
    if ( $first_default_route ) {
 	if ( $balanced_providers == 1 ) {
 	    if ( $gateway ) {
-		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
+		emit qq(DEFAULT_ROUTE="via $gateway dev $interface $realm");
 	    } else {
-		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
+		emit qq(DEFAULT_ROUTE="dev $interface $realm");
 	    }
 	} elsif ( $gateway ) {
-	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="nexthop dev $interface weight $weight $realm");
 	}
 	$first_default_route = 0;
    } else {
 	if ( $gateway ) {
-	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm");
 	}
    }
 }
@@ -359,22 +368,22 @@ sub balance_fallback_route( $$$$ ) {
    if ( $first_fallback_route ) {
 	if ( $fallback_providers == 1 ) {
 	    if ( $gateway ) {
-		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
+		emit qq(FALLBACK_ROUTE="via $gateway dev $interface $realm");
 	    } else {
-		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
+		emit qq(FALLBACK_ROUTE="dev $interface $realm");
 	    }
 	} elsif ( $gateway ) {
-	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="nexthop dev $interface weight $weight $realm");
 	}
 	$first_fallback_route = 0;
    } else {
 	if ( $gateway ) {
-	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm");
 	}
    }
 }
@@ -437,7 +446,7 @@ sub process_a_provider( $ ) {
    fatal_error 'NAME must be specified' if $table eq '-';
    unless ( $pseudo ) {
-	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
+	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[A-Za-z][\w]*$/;
 	my $num = numeric_value $number;
@@ -502,7 +511,7 @@ sub process_a_provider( $ ) {
    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, 1 );
+	$gateway = get_interface_gateway( $interface, undef, $number );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
@@ -512,6 +521,9 @@ sub process_a_provider( $ ) {
 	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	$gateway = $1 if $family == F_IPV6 && $gateway =~ /^\[(.+)\]$/;
 	validate_address $gateway, 0;
 	if ( defined $mac ) {
@@ -602,6 +614,7 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'nohostroute' ) {
 		$hostroute = 0;
 	    } elsif ( $option eq 'persistent' ) {
 		warning_message "When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option may not work as expected" if $config{RESTORE_DEFAULT_ROUTE};
 		$persistent = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
@@ -623,6 +636,7 @@ sub process_a_provider( $ ) {
    }
    fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
    fatal_error "An interface supporting multiple providers may not be optional" if $shared && $optional;
    unless ( $pseudo ) {
 	if ( $local ) {
@@ -688,7 +702,6 @@ sub process_a_provider( $ ) {
 	    $pref = 10000 + $number - 1;
 	}
    }
    unless ( $loose || $pseudo ) {
@@ -767,7 +780,7 @@ sub process_a_provider( $ ) {
 	push @routemarked_providers, $providers{$table};
    }
-    push @load_interfaces, $physical if $load;
+    push @load_providers, $table if $load;
    push @providers, $table;
@@ -847,7 +860,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $id";
+		emit "run_ip route replace default dev $physical table $id";
 	    }
 	}
@@ -863,7 +876,7 @@ sub add_a_provider( $$ ) {
 		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }
-	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
 	    emit( qq(echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
@@ -873,14 +886,16 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( "find_interface_addresses $physical | while read address; do" );
+		emit  ( '',
-		emit  ( "    qt \$IP -$family rule del from \$address" );
+			"find_interface_addresses $physical | while read address; do",
-		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
+			"    qt \$IP -$family rule del from \$address",
 			"    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
 			'done'
 		      );
 	    }
 	}
 	if ( @{$providerref->{persistent_routes}} ) {
 	    emit '';
@@ -891,14 +906,12 @@ sub add_a_provider( $$ ) {
 	    emit '';
 	    emit $_ for @{$providers{$table}->{persistent_rules}};
 	}
 	}
 	pop_indent;
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 	pop_indent;
 	emit( "}\n" );
@@ -924,13 +937,14 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $id";
+		emit "run_ip route replace default dev $physical table $id";
 	    }
 	}
    }
-    emit( "echo $load > \${VARDIR}/${physical}_load",
+    emit( "echo $load > \${VARDIR}/${table}_load",
-	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${physical}_mark" ) if $load;
+	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${table}_mark",
 	  "echo $physical > \${VARDIR}/${table}_interface" ) if $load;
    emit( '',
 	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
@@ -956,7 +970,7 @@ CEOF
 	my $hexmark = in_hex( $mark );
 	my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
-	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $persistent || $config{DELETE_THEN_ADD};
 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
@@ -985,7 +999,7 @@ CEOF
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}
-	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	emit "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm";
    }
    if ( $balance ) {
@@ -997,14 +1011,16 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    emit qq(run_ip route replace default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
-	    emit qq(run_ip route add default table $id dev $physical metric $number);
+	    emit qq(run_ip route replace default table $id dev $physical metric $number);
 	    emit qq(echo "\$IP -$family route del default dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	}
 	emit( 'g_fallback=Yes' ) if $persistent;
 	$metrics = 1;
    }
@@ -1026,12 +1042,13 @@ CEOF
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
 		if ( $persistent ) {
-		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
+		    emit( qq(if ! egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),
 			  qq(    qt \$IP -$family rule del from $address pref 20000),
 			  qq(    run_ip rule add from $address pref 20000 table $id),
 			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
 			  qq(fi) );
 		} else {
-		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		    emit  "qt \$IP -$family rule del from $address" if $persistent || $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 		}
@@ -1082,13 +1099,27 @@ CEOF
 	    $weight = 1;
 	}
-	emit ( "distribute_load $maxload @load_interfaces" ) if $load;
+	emit ( "distribute_load $maxload @load_providers" ) if $load;
 	unless ( $shared ) {
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
-	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled),
 	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
 	    );
 	if ( ! $pseudo && $config{USE_DEFAULT_RT} && $config{RESTORE_DEFAULT_ROUTE} ) {
 	    emit  ( '#',
 		    '# We now have a viable default route in the \'default\' table so delete any default routes in the main table',
 		    '#',
 		    'while qt \$IP -$family route del default table ' . MAIN_TABLE . '; do',
 		    '    true',
 		    'done',
 		    ''
 		);
 	}
 	emit_started_message( '', 2, $pseudo, $table, $number );
 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1215,14 +1246,14 @@ CEOF
 	}
 	emit ( '',
-	       "distribute_load $maxload @load_interfaces" ) if $load;
+	       "distribute_load $maxload @load_providers" ) if $load;
 	if ( $persistent ) {
 	    emit ( '',
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled",
 		   "fi\n",
 		 );
 	}
@@ -1233,7 +1264,9 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
-	emit( "echo 1 > \${VARDIR}/${physical}.status" );
+	emit( "echo 1 > \${VARDIR}/${physical}.status",
 	      $pseudo ? "run_disabled_exit ${physical} ${interface}" : "run_disabled_exit ${physical} ${interface} ${table}"
 	    );
 	if ( $pseudo ) {
 	    emit( "progress_message2 \"Optional Interface $table stopped\"" );
@@ -1339,7 +1372,7 @@ sub add_an_rtrule1( $$$$$ ) {
    $priority = "pref $priority";
-    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $persistent || $config{DELETE_THEN_ADD};
    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
    if ( $persistent ) {
@@ -1437,22 +1470,22 @@ sub add_a_route( ) {
    if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
-	    push @$routes,            qq(run_ip route add $dest via $gateway dev $physical table $id);
+	    push @$routes,            qq(run_ip route replace $dest via $gateway dev $physical table $id);
-	    push @$persistent_routes, qq(run_ip route add $dest via $gateway dev $physical table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway dev $physical table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} elsif ( $null ) {
-	    push @$routes,            qq(run_ip route add $null $dest table $id);
+	    push @$routes,            qq(run_ip route replace $null $dest table $id);
-	    push @$persistent_routes, qq(run_ip route add $null $dest table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route replace $null $dest table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $null $dest table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
-	    push @$routes,            qq(run_ip route add $dest via $gateway table $id);
+	    push @$routes,            qq(run_ip route replace $dest via $gateway table $id);
-	    push @$persistent_routes, qq(run_ip route add $dest via $gateway table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	}
    } else {
 	fatal_error "You must specify a device for this route" unless $physical;
-	push @$routes,            qq(run_ip route add $dest dev $physical table $id);
+	push @$routes,            qq(run_ip route replace $dest dev $physical table $id);
-	push @$persistent_routes, qq(run_ip route add $dest dev $physical table $id) if $persistent;
+	push @$persistent_routes, qq(run_ip route replace $dest dev $physical table $id) if $persistent;
 	push @$routes,             q(echo "$IP ) . qq(-$family route del $dest dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
    }
@@ -1554,7 +1587,7 @@ sub finish_providers() {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
+		    "        while qt \$IP -6 route delete default table $table; do true; done",
 		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
 		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
@@ -1563,7 +1596,8 @@ sub finish_providers() {
 	}
 	if ( $config{USE_DEFAULT_RT} ) {
-	    emit  ( "    while qt \$IP -$family route del default table $main; do",
+	    emit  ( '',
 		    "    while qt \$IP -$family route del default table $main; do",
 		    '        true',
 		    '    done',
 		    ''
@@ -1575,7 +1609,7 @@ sub finish_providers() {
 		'    error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
 	if ( $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit qq(    restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
+	    emit qq(    [ -z "\${FALLBACK_ROUTE}\${g_fallback}" ] && restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
@@ -1583,7 +1617,7 @@ sub finish_providers() {
 	emit(   'fi',
 		'' );
    } else {
-	if ( ( $fallback || @load_interfaces ) && $config{USE_DEFAULT_RT} ) {
+	if ( ( $fallback || @load_providers ) && $config{USE_DEFAULT_RT} ) {
 	    emit  ( q(#),
 		    q(# Delete any default routes in the 'main' table),
 		    q(#),
@@ -1602,7 +1636,7 @@ sub finish_providers() {
 	}
 	emit ( '#',
-	       '# Delete any routes in the \'balance\' table',
+	       '# Delete any default routes with metric 0 in the \'balance\' table',
 	       '#',
 	       "while qt \$IP -$family route del default table $balance; do",
 	       '    true',
@@ -1617,7 +1651,7 @@ sub finish_providers() {
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    while qt \$IP -6 route delete default table $default; do true; done" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}
@@ -1630,7 +1664,10 @@ sub finish_providers() {
 	      'fi',
 	      '' );
    } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( "delete_default_routes $default",
+	emit( '#',
 	      '# No balanced fallback routes - delete any routes with metric 0 from the \'default\' table',
 	      '#',
 	      "delete_default_routes $default",
 	      ''
 	    );
    }
@@ -1675,7 +1712,7 @@ sub process_providers( $ ) {
    }
    if ( $providers ) {
-	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
+	fatal_error q(Either all 'fallback' providers must specify a weight or none of them can specify a weight) if $fallback && $metrics;
 	my $fn = open_file( 'route_rules' );
@@ -1706,7 +1743,7 @@ sub process_providers( $ ) {
    add_a_provider( $providers{$_}, $tcdevices ) for @providers;
-    emit << 'EOF';;
+    emithd << 'EOF';;
 #
 # Enable an optional provider
@@ -1752,12 +1789,11 @@ EOF
    pop_indent;
    pop_indent;
-    emit << 'EOF';;
+    emithd << 'EOF';;
        *)
            startup_error "$g_interface is not an optional provider or interface"
            ;;
    esac
 }
 #
@@ -1861,22 +1897,21 @@ sub setup_providers() {
 	start_providers;
-	setup_null_routing if $config{NULL_ROUTE_RFC1918};
+	setup_null_routing, emit '' if $config{NULL_ROUTE_RFC1918};
 	emit '';
 	if ( @providers ) {
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
 	    emit '';
 	}
 	finish_providers;
 	emit "\nrun_ip route flush cache";
 	pop_indent;
-	emit "fi\n";
+	emit 'fi';
-	setup_route_marking if @routemarked_interfaces || @load_interfaces;
+	setup_route_marking if @routemarked_interfaces || @load_providers;
    } else {
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";
@@ -1885,9 +1920,10 @@ sub setup_providers() {
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
 	    emit '';
 	}
-	emit "\nundo_routing";
+	emit "undo_routing";
 	emit "restore_default_route $config{USE_DEFAULT_RT}";
 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
@@ -1912,9 +1948,8 @@ sub setup_providers() {
 	pop_indent;
-	emit "fi\n";
+	emit 'fi';
    }
 }
 #
@@ -2163,17 +2198,13 @@ sub provider_realm( $ ) {
 }
 #
-# This function is called by the compiler when it is generating the detect_configuration() function.
+# Perform processing related to optional interfaces. Returns true if there are optional interfaces.
-# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
+
 # ..._IS_USABLE interface variables appropriately for the  optional interfaces
 #
-# Returns true if there were required or optional interfaces
+sub handle_optional_interfaces() {
 #
 sub handle_optional_interfaces( $ ) {
    my @interfaces;
    my $wildcards;
    #
    # First do the provider interfacess. Those that are real providers will never have wildcard physical
    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
@@ -2197,10 +2228,6 @@ sub handle_optional_interfaces( $ ) {
    if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
 	verify_required_interfaces( $gencase );
 	emit '' if $gencase;
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
@@ -2343,7 +2370,7 @@ sub handle_optional_interfaces( $ ) {
 	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
-		  '        start|reload|restore|refresh)'
+		  '        start|reload|restore)'
 		);
 	    if ( $family == F_IPV4 ) {
@@ -2364,8 +2391,6 @@ sub handle_optional_interfaces( $ ) {
 	return 1;
    }
    verify_required_interfaces( shift );
 }
 #
@@ -2462,7 +2487,7 @@ sub handle_stickiness( $ ) {
 	}
    }
-    if ( @routemarked_providers || @load_interfaces ) {
+    if ( @routemarked_providers || @load_providers ) {
 	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
 	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
    }
@@ -2470,9 +2495,9 @@ sub handle_stickiness( $ ) {
 sub setup_load_distribution() {
    emit ( '',
-	   "distribute_load $maxload @load_interfaces" ,
+	   "distribute_load $maxload @load_providers" ,
 	   ''
-	 ) if @load_interfaces;
+	 ) if @load_providers;
 }
 1;
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -96,6 +96,7 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
    }
    emit ( "run_ip neigh add proxy $address nud permanent dev $extphy" ,
 	   '' ,
 	   qq(progress_message "   Host $address connected to $interface added to $proto on $extphy"\n) );
    push @proxyarp, "$address $interface $external $haveroute";
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -91,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
    my $disposition = $action;
    my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
+
    my $level = '';
    if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
@@ -138,6 +138,14 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
 	if ( $proto ne '-' ) {
 	    if ( $proto =~ s/:all$// ) {
 		fatal_error '":all" may only be used with TCP' unless resolve_proto( $proto ) == TCP;
 	    } else {
 		$proto = TCP . ':syn' if $proto !~ /:syn/ && resolve_proto( $proto ) == TCP;
 	    }
 	}
 	if ( $option eq 'notrack' ) {
 	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
@@ -199,7 +207,9 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
    expand_rule( $chainref ,
 		 $restriction ,
 		 '',
-		 $rule,
+		 do_proto( $proto, $ports, $sports ) . 
 		 do_user ( $user ) . 
 		 do_condition( $switch , $chainref->{name} ),
 		 $source ,
 		 $dest ,
 		 '' ,
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -225,11 +225,11 @@ sub handle_in_bandwidth( $$$ ) {
    if ( have_capability 'BASIC_FILTER' ) {
 	if ( $in_rate ) {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
-		  "    police mpu 64 drop rate ${in_rate}kbit burst $in_burst\n" );
+		  "    police mpu 64 rate ${in_rate}kbit burst $in_burst drop\n" );
 	} else {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
 		  "    estimator $in_interval $in_decay basic \\",
-		  "    police drop avrate ${in_avrate}kbit\n" );
+		  "    police avrate ${in_avrate}kbit drop\n" );
 	}
    } else {
 	emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,
@@ -1434,7 +1434,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 	    while ( @sportlist ) {
 		my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
-		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask $smask eq 0x$sport \\)";
+		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask 0x$smask eq 0x$sport \\)";
 		$rule .= ' or' if @sportlist;
 	    }
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
@@ -85,8 +85,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
+		$inchainref  = ensure_rules_chain( ${zone}, ${fw} );
-		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+		$outchainref = ensure_rules_chain( ${fw}, ${zone} );
 		unless ( have_ipsec ) {
 		    add_tunnel_rule $inchainref,  p => 50, @$source;
@@ -250,8 +250,8 @@ sub setup_tunnels() {
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );
-	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
+	my $inchainref  = ensure_rules_chain( ${zone}, ${fw}   );
-	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+	my $outchainref = ensure_rules_chain( ${fw},   ${zone} );
 	$gateways = ALLIP if $gateways eq '-';
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Zones.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Zones.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -90,7 +90,6 @@ our @EXPORT = ( qw( NOTHING
 		    interface_is_optional
 		    interface_is_required
 		    find_interfaces_by_option
 		    find_interfaces_by_option1
 		    get_interface_option
 		    get_interface_origin
 		    interface_has_option
@@ -253,6 +252,17 @@ use constant { NO_UPDOWN   => 1,
 our %validinterfaceoptions;
 our %procinterfaceoptions=( accept_ra   => 1,
 			    arp_filter  => 1,
 			    arp_ignore  => 1,
 			    forward     => 1,
 			    logmartians => 1,
 			    proxyarp    => 1,
 			    proxyndp    => 1,
 			    routefilter => 1,
 			    sourceroute => 1,
 			  );
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -317,7 +327,7 @@ sub initialize( $$ ) {
    %mapbase = ();
    %mapbase1 = ();
    $baseseq = 0;
-    $minroot = 0;
+    $minroot = undef;
    $loopback_interface = '';
    %validzoneoptions = ( mss            => NUMERIC,
@@ -339,7 +349,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
-				  dbl         => ENUM_IF_OPTION,
+				  dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -363,9 +373,9 @@ sub initialize( $$ ) {
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
-				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST,
+				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST + IF_OPTION_WILDOK,
 				  unmanaged   => SIMPLE_IF_OPTION,
-				  wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				  wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -390,7 +400,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
-				    dbl         => ENUM_IF_OPTION,
+				    dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -402,18 +412,18 @@ sub initialize( $$ ) {
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
-				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER + IF_OPTION_WILDOK,
 				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => BINARY_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    forward     => BINARY_IF_OPTION,
-				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
+				    physical    => STRING_IF_OPTION + IF_OPTION_HOST + IF_OPTION_WILDOK,
 				    unmanaged   => SIMPLE_IF_OPTION,
 				    upnp        => SIMPLE_IF_OPTION,
 				    upnpclient  => SIMPLE_IF_OPTION,
-				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				    wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -701,6 +711,40 @@ sub haveipseczones() {
    0;
 }
 #
 # Returns 1 if the two interfaces passed are related
 #
 sub interface_match( $$ ) {
    my ( $piface, $ciface ) = @_;
    return 1 if $piface eq $ciface;
    my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface};
    return 1 if $piface eq $cifaceref->{bridge};
    return 1 if $ciface eq $pifaceref->{bridge};
    if ( defined $minroot ) {
 	if ( $piface =~ /\+$/ ) {
 	    my $root    = $pifaceref->{root};
 	    my $rlength = length( $root );
 	    while ( length( $ciface ) >= $rlength ) {
 		return 1 if $ciface eq $root;
 		chop $ciface;
 	    }
 	} elsif ( $ciface =~ /\+$/ ) {
 	    my $root    = $cifaceref->{root};
 	    my $rlength = length( $root );
 	    while ( length( $piface ) >= $rlength ) {
 		return 1 if $piface eq $root;
 		chop $piface;
 	    }
 	}
    }
    0;
 }
 #
 # Report about zones.
 #
@@ -738,7 +782,7 @@ sub zone_report()
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
+				progress_message_nocompress "      $iref->{physical}:[$grouplist]";
 			    }
 			    $printed = 1;
 			}
@@ -747,6 +791,17 @@ sub zone_report()
 	    }
 	}
      PARENT:
 	for my $p ( @{$zoneref->{parents}} ) {
 	    for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) {
 		for my $ci ( keys( %{$zoneref->{interfaces}} ) ) {
 		    next PARENT if interface_match( $pi, $ci );
 		}
 	    }
 	    warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common";
 	}
 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
@@ -1159,15 +1214,16 @@ sub process_interface( $$ ) {
    }
    my $wildcard = 0;
    my $physwild = 0;
    my $root;
    if ( $interface =~ /\+$/ ) {
-	$wildcard = 1;
+	$wildcard = $physwild = 1; # Default physical name is the logical name
 	$root = substr( $interface, 0, -1 );
 	$roots{$root} = $interface;
 	my $len = length $root;
-	if ( $minroot ) {
+	if ( defined $minroot ) {
 	    $minroot = $len if $minroot > $len;
 	} else {
 	    $minroot = $len;
@@ -1213,8 +1269,6 @@ sub process_interface( $$ ) {
 	my %hostoptions = ( dynamic => 0 );
 	for my $option (split_list1 $options, 'option' ) {
 	    next if $option eq '-';
 	    ( $option, my $value ) = split /=/, $option;
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
@@ -1251,7 +1305,6 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
 		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
@@ -1275,7 +1328,6 @@ sub process_interface( $$ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
 		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
@@ -1327,7 +1379,9 @@ sub process_interface( $$ ) {
 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
-		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
+		    $physwild = ( $value =~ /\+$/ );
 		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $physwild;
 		    $physical = $value;
 		} else {
 		    assert(0);
@@ -1355,6 +1409,14 @@ sub process_interface( $$ ) {
 	    $options{ignore} = 0;
 	}
 	for my $option ( keys %options ) {
 	    if ( $root ) {
 		warning_message( "The '$option' option is ignored when used with a wildcard physical name" ) if $physwild && $procinterfaceoptions{$option};
 	    } else {
 		warning_message( "The '$option' option is ignored when used with interface name '+'" ) unless $validinterfaceoptions{$option} & IF_OPTION_WILDOK;
 	    }
 	}
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
@@ -1413,6 +1475,7 @@ sub process_interface( $$ ) {
 						   zones      => {},
 						   origin     => shortlineinfo( '' ),
 						   wildcard   => $wildcard,
 						   physwild   => $physwild, # Currently unused
 					         };
    $interfaces{$physical} = $interfaceref if $physical ne $interface;
@@ -1571,13 +1634,11 @@ sub known_interface($)
    my $iface = $interface;
-    if ( $minroot ) {
+    if ( defined $minroot ) {
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
-	while ( length $iface > $minroot ) {
+	while ( length $iface >= $minroot ) {
 	    chop $iface;
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
@@ -1599,6 +1660,8 @@ sub known_interface($)
 		                              };
 		return $interfaceref;
 	    }
 	    chop $iface;
 	}
    }
@@ -1812,7 +1875,8 @@ sub find_interfaces_by_option( $;$ ) {
    for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};
-	next unless $interfaceref->{root};
+	next unless $interfaceref->{root};                                   # Don't return '+' interface
 	next if $procinterfaceoptions{$option} && $interfaceref->{physwild}; # Ignore /proc options on wildcard interface
 	my $optionsref = $interfaceref->{options};
 	if ( $nonzero ) {
@@ -1827,35 +1891,6 @@ sub find_interfaces_by_option( $;$ ) {
    \@ints;
 }
 #
 # Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
 #
 # - All entries in %interfaces are searched.
 # - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
 #
 sub find_interfaces_by_option1( $ ) {
    my $option = $_[0];
    my @ints = ();
    my $wild = 0;
    for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 	next unless defined $interfaceref->{physical};
 	my $optionsref = $interfaceref->{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
 	    $wild ||= $interfaceref->{wildcard};
 	    push @ints , $interface
 	}
    }
    return unless defined wantarray;
    wantarray ? ( \@ints, $wild ) : \@ints;
 }
 #
 # Return the value of an option for an interface
 #
@@ -1986,6 +2021,7 @@ sub verify_required_interfaces( $ ) {
 	emit( "esac\n" );
 	$returnvalue = 1;
    }
    $interfaces = find_interfaces_by_option( 'required' );
@@ -1995,7 +2031,7 @@ sub verify_required_interfaces( $ ) {
 	if ( $generate_case ) {
 	    emit( 'case "$COMMAND" in' );
 	    push_indent;
-	    emit( 'start|reload|restore|refresh)' );
+	    emit( 'start|reload|restore)' );
 	    push_indent;
 	}
@@ -2031,7 +2067,7 @@ sub verify_required_interfaces( $ ) {
 	    emit( ';;' );
 	    pop_indent;
 	    pop_indent;
-	    emit( 'esac' );
+	    emit( "esac\n" );
 	}
 	$returnvalue = 1;
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -32,7 +32,6 @@
 #         --directory=<directory>     # Directory where configuration resides (default is /etc/shorewall)
 #         --timestamp                 # Timestamp all progress messages
 #         --debug                     # Print stack trace on warnings and fatal error.
 #         --refresh=<chainlist>       # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
@@ -40,7 +39,6 @@
 #         --shorewallrc=<path>        # Path to global shorewallrc file.
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
 #    If the <filename> is omitted, then a 'check' operation is performed.
@@ -64,7 +62,6 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --timestamp ]
    [ --debug ]
    [ --confess ]
    [ --refresh=<chainlist> ]
    [ --log=<filename> ]
    [ --log-verbose={-1|0-2} ]
    [ --test ]
@@ -75,7 +72,6 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --shorewallrc=<pathname> ]
    [ --shorewallrc1=<pathname> ]
    [ --config_path=<path-list> ]
    [ --inline ]
 _EOF_
 exit shift @_;
@@ -90,7 +86,6 @@ my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
 my $confess       = 0;
 my $chains        = ':none:';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;
@@ -102,7 +97,6 @@ my $update        = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
 my $shorewallrc1  = '';
 my $inline        = 0;
 Getopt::Long::Configure ('bundling');
@@ -117,8 +111,6 @@ my $result = GetOptions('h'               => \$help,
 			'timestamp'       => \$timestamp,
 			't'               => \$timestamp,
 		        'debug'           => \$debug,
 			'r=s'             => \$chains,
 			'refresh=s'       => \$chains,
 			'log=s'           => \$log,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
@@ -132,7 +124,6 @@ my $result = GetOptions('h'               => \$help,
 			'annotate'        => \$annotate,
 			'u'               => \$update,
 			'update'          => \$update,
 			'inline'          => \$inline,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -147,7 +138,6 @@ compiler( script          => $ARGV[0] || '',
 	  timestamp       => $timestamp,
 	  debug           => $debug,
 	  export          => $export,
 	  chains          => $chains,
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
@@ -159,5 +149,4 @@ compiler( script          => $ARGV[0] || '',
 	  config_path     => $config_path,
 	  shorewallrc     => $shorewallrc,
 	  shorewallrc1    => $shorewallrc1,
 	  inline          => $inline,
 	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall Packet Filtering Firewall Param File Helper - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Param File Helper - V5.2
 #
 #     (c) 2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -1,4 +1,4 @@
-#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -369,7 +369,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 delete_default_routes() # $1 = table number
 {
    $IP -$g_family route ls table $1 | grep -F default | grep -vF metric | while read route; do
-	qt $IP -$g_family route del $route
+	qt $IP -$g_family route del $route table $1
    done
 } 
@@ -421,7 +421,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 conditionally_flush_conntrack() {
    if [ -n "$g_purge" ]; then
-	if [ -n $(mywhich conntrack) ]; then
+	if [ -n "$(mywhich conntrack)" ]; then
            conntrack -F
 	else
            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
@@ -601,26 +601,29 @@ interface_enabled() {
 }
 distribute_load() {
    local provider
    local interface
-    local currentload # Total load of enabled interfaces
+    local currentload # Total load of enabled providers
-    local load        # Specified load of an enabled interface
+    local load        # Specified load of an enabled provider
-    local mark        # Mark of an enabled interface
+    local mark        # Mark of an enabled provider
-    local totalload   # Total load of all interfaces - usually 1.000000
+    local totalload   # Total load of all providers - usually 1.000000
-    local nload       # Normalized load of an enabled interface
+    local nload       # Normalized load of an enabled provider
    local var         # Interface name to embed in a variable name
    totalload=$1
    shift
    currentload=0
-    for interface in $@; do
+    for provider in $@; do
 	interface=$(cat ${VARDIR}/${provider}_interface)
 	eval ${provider}_interface=$interface
 	if interface_enabled $interface; then
-	    var=$(echo $interface | sed 's/[.-]/_/g')
+	    load=$(cat ${VARDIR}/${provider}_load)
-	    load=$(cat ${VARDIR}/${interface}_load)
+	    eval ${provider}_load=$load
-	    eval ${var}_load=$load
+	    mark=$(cat ${VARDIR}/${provider}_mark)
-	    mark=$(cat ${VARDIR}/${interface}_mark)
+	    eval ${provider}_mark=$mark
 	    eval ${var}_mark=$mark
 	    currentload=$( bc <<EOF
 scale=8
 $currentload + $load
@@ -630,12 +633,13 @@ EOF
    done
    if [ $currentload ]; then
-	for interface in $@; do
+	for provider in $@; do
-	    qt $g_tool -t mangle -F ~$interface
+	    eval interface=\$${provider}_interface
-	    var=$(echo $interface | sed 's/[.-]/_/g')
+	    qt $g_tool -t mangle -F ~$provider
-	    eval load=\$${var}_load
+
-	    eval mark=\$${var}_mark
+	    eval load=\$${provider}_load
 	    eval mark=\$${provider}_mark
 	    if [ -n "$load" ]; then
 		nload=$(bc <<EOF
@@ -651,10 +655,10 @@ EOF
 		case $nload in
 		    .*|0.*)
-			run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $nload -j MARK --set-mark $mark
+			run_iptables -t mangle -A ~$provider -m statistic --mode random --probability $nload -j MARK --set-mark $mark
 			;;
 		    *)
-			run_iptables -t mangle -A ~$interface -j MARK --set-mark $mark
+			run_iptables -t mangle -A ~$provider -j MARK --set-mark $mark
 			;;
 		esac
 	    fi
@@ -675,7 +679,7 @@ interface_is_usable() # $1 = interface
    status=0
    if ! loopback_interface $1; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -899,7 +903,7 @@ detect_dynamic_gateway() { # $1 = interface
 #
 # Detect the gateway through an interface
 #
-detect_gateway() # $1 = interface
+detect_gateway() # $1 = interface $2 = table number
 {
    local interface
    interface=$1
@@ -912,6 +916,8 @@ detect_gateway() # $1 = interface
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
@@ -1063,8 +1069,6 @@ clear_firewall() {
    run_iptables -F
    qt $IPTABLES -t raw -F
    echo 1 > /proc/sys/net/ipv4/ip_forward
    if [ -n "$DISABLE_IPV6" ]; then
 	if [ -x $IP6TABLES ]; then
    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
@@ -1101,7 +1105,7 @@ interface_is_usable() # $1 = interface
    status=0
    if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -1373,8 +1377,6 @@ clear_firewall() {
    run_iptables -F
    qt $IP6TABLES -t raw -F
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    run_clear_exit
    set_state "Cleared"
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -1,5 +1,23 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
 #
 #   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #	Free Software Foundation, either version 2 of the license or, at your
 #	option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 ###############################################################################
 #
 # Give Usage Information
@@ -78,11 +96,13 @@ reload_command() {
    detect_configuration
    define_firewall
    status=$?
    if [ -n "$SUBSYSLOCK" ]; then
 	[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
    fi
-    [ $status -eq 0 ] && progress_message3 "done."
+    if [ $status -eq 0 ]; then
 	[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
 	progress_message3 "done."
    else
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
    fi
 }
 ################################################################################
@@ -127,8 +147,10 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
 g_dockeringress=
 g_dockernetwork=
 g_forcereload=
 g_fallback=
 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
@@ -264,8 +286,10 @@ case "$COMMAND" in
 	    error_message "$g_product is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
-	    $g_tool -Z
+	    for table in raw mangle nat filter; do
-	    $g_tool -t mangle -Z
+		qt $g_tool -t $table -Z
 	    done
 	    date > ${VARDIR}/restarted
 	    status=0
 	    progress_message3 "$g_product Counters Reset"
@@ -349,6 +373,7 @@ case "$COMMAND" in
    clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
 	detect_configuration
 	clear_firewall
 	status=0
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -418,9 +443,12 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
 	    COMMAND=disable
 	    detect_configuration $1
-	    COMMAND=enable  disable_provider $1 Yes
+	    disable_provider $1 Yes
-	    COMMAND=disable enable_provider  $1 Yes
+	    COMMAND=enable
 	    detect_configuration $1
 	    enable_provider  $1 Yes
 	fi
 	mutex_off
 	status=0
--- a/Show More
+++ b/Show More