Update Shorewall 5 Article

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Finish removal of 'refresh command'
2018-04-10 10:00:52 -07:00 · 2018-03-30 15:30:34 -07:00 · 2018-03-28 13:03:49 -07:00 · 2018-03-27 11:38:47 -07:00 · 2018-03-27 11:08:33 -07:00 · 2018-03-27 09:54:32 -07:00
169 changed files with 4500 additions and 3795 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -2,7 +2,7 @@
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
 #
-#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -335,9 +335,8 @@ for f in lib.* ; do
 done

 if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.cli
 fi

 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.cli.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.cli
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=50105
+SHOREWALL_CAPVERSION=50200

 if [ -z "$g_basedir" ]; then
    #
@@ -47,6 +47,10 @@ startup_error() {
    exit 1
 }

+only_root() {
+    [ "$(id -u)" != 0 ] && fatal_error "The '$COMMAND' command may only be run by root"
+}
+
 #
 # Display a chain if it exists
 #
@@ -83,6 +87,8 @@ showchain() # $1 = name of chain
 #
 validate_restorefile() # $* = label
 {
+    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
+
    case $RESTOREFILE in
 	*/*)
 	    error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
@@ -411,9 +417,9 @@ resolve_arptables() {
 savesets() {
    local supported

-    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+    supported=$(run_it $g_firewall help | fgrep savesets )

-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
+    [ -n "$supported" ] && run_it $g_firewall savesets ${g_restorepath}-ipsets 
 }

 #
@@ -422,9 +428,9 @@ savesets() {
 savesets1() {
    local supported

-    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+    supported=$(run_it $g_firewall help | fgrep savesets )

-    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
+    [ -n "$supported" ] && run_it $g_firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
 }

 #
@@ -435,9 +441,9 @@ do_save() {
    local arptables
    status=0

-    if [ -f ${VARDIR}/firewall ]; then
+    if [ -f $g_firewall ]; then
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    cp -f ${VARDIR}/firewall $g_restorepath
+	    cp -f $g_firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod 700 $g_restorepath
 	    chmod 600 ${g_restorepath}-iptables
@@ -449,7 +455,7 @@ do_save() {
 	    status=1
 	fi
    else
-	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+	echo "   ERROR: $g_firewall does not exist" >&2
 	status=1
    fi

@@ -634,7 +640,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -$g_family -o route list table $table | grep -vF cache | sort_routes
+		ip -6 -o route list table $table | grep -vF cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -647,7 +653,7 @@ show_routing() {
    else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | grep -vF cache | sort_routes
+	    ip -6 -o route list | grep -vF cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
@@ -1137,16 +1143,31 @@ show_a_macro() {
    cat ${directory}/macro.$1
 }
 #
-# Don't dump empty SPD entries
+# Don't dump empty SPD entries or entries from the other address family
 #
-spd_filter()
-{
-    awk \
-    'BEGIN            { skip=0; }; \
-    /^src/            { skip=0; }; \
-    /^src 0.0.0.0\/0/ { skip=1; }; \
-    /^src ::\/0/      { skip=1; }; \
-                      { if ( skip == 0 ) print; };'
+spd_filter() {
+    #
+    # af   = Address Family (4 or 6)
+    # afok = Address Family of entry matches af
+    # p    = print the contents of A (entry is not empty)
+    # i    = Number of lines stored in A
+    #
+    awk -v af=$g_family \
+	'function prnt(A,i,    j) { while ( j < i ) print A[j++]; };\
+\
+	 /^src / { if (p) prnt( A, i );\
+		   afok = 1;\
+		   p	= 0;\
+		   i	= 0;\
+		   if ( af == 4 )\
+		       { if ( /:/ )  afok = 0; }\
+		   else\
+		       { if ( /\./ ) afok = 0; }\
+		 };\
+		 { if ( afok ) A[i++] = $0; };\
+	 /tmpl/	 { p = afok; };\
+\
+	 END	 { if (p) prnt( A, i ); }'
 }
 #
 # Print a heading with leading and trailing black lines
@@ -1159,7 +1180,8 @@ heading() {

 show_ipsec() {
    heading "PFKEY SPD"
-    $IP -s xfrm policy | spd_filter
+    $IP -s -$g_family xfrm policy | spd_filter
+
    heading "PFKEY SAD"
    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }
@@ -1169,6 +1191,26 @@ show_ipsec_command() {
    show_ipsec
 }

+show_saves_command() {
+    local f
+    local fn
+    local mtime
+
+    echo "$g_product $SHOREWALL_VERSION Saves at $g_hostname - $(date)"
+    echo "Saved snapshots are:"
+    echo
+
+    for f in ${VARDIR}/*-iptables; do
+	fn=$(basename $f)
+	fn=${fn%-iptables}
+	mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
+	[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
+	echo "   $mtime ${fn%-iptables}"
+    done
+
+    echo
+}
+
 #
 # Show Command Executor
 #
@@ -1187,6 +1229,7 @@ show_command() {
    show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
 	if [ -n "$foo" ]; then
+	    macro=$(basename $macro)
 	    macro=${macro#*.}
 	    foo=${foo%.*}
 	    if [ ${#macro} -gt 5 ]; then
@@ -1281,37 +1324,47 @@ show_command() {

    [ -n "$g_debugging" ] && set -x

+    COMMAND="$COMMAND $1"
+
    case "$1" in
 	connections)
+	    only_root
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	tos|mangle)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && too_many_arguments $2

+	    only_root
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
+	    only_root
 	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
@@ -1335,6 +1388,7 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
@@ -1371,33 +1425,50 @@ show_command() {
 	    fi
 	    ;;
 	chain)
+	    only_root
 	    shift
 	    eval show_chain $@ $g_pager
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
+        rc)
+            shift
+	    [ $# -gt 1 ] && too_many_arguments $2
+            if [ -n "$1" -a -d "$1" ]; then
+                cat $1/shorewallrc
+            elif [ -n "$g_basedir" -a -d "$g_basedir" ]; then
+                cat $g_basedir/shorewallrc
+            else
+                fatal_error "Can not determine the location of the shorewallrc file."
+            fi
+            ;;
 	policies)
+	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
+	    only_root
 	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1407,6 +1478,7 @@ show_command() {
 	    ;;
 	event)
 	    [ $# -gt 1 ] || too_many_arguments $2
+	    only_root
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
@@ -1414,14 +1486,18 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
+	    setup_dbl
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"

 	    if chain_exists dynamic; then
@@ -1432,8 +1508,13 @@ show_command() {
 	    ;;
 	ipsec)
 	    [ $# -gt 1 ] && too_many_arguments $2
+	    only_root
 	    eval show_ipsec_command $g_pager
 	    ;;
+	saves)
+	    [ $# -gt 1 ] && too_many_arguments $2
+	    show_saves_command
+	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
@@ -1480,6 +1561,8 @@ show_command() {
 		    ;;
 	    esac

+	    only_root
+
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
@@ -1797,7 +1880,7 @@ do_dump_command() {

    echo

-    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netstat -tunap; }

    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -1911,41 +1994,6 @@ show_proc() # $1 = name of a file
    [ -f $1 ] && echo "   $1 = $(cat $1)"
 }

-read_yesno_with_timeout() {
-    local timeout
-    timeout=${1:-60}
-
-    case $timeout in
-	*s)
-	    ;;
-	*m)
-	    timeout=$((${timeout%m} * 60))
-	    ;;
-	*h)
-	    timeout=$((${timeout%h} * 3600))
-	    ;;
-    esac
-
-    read -t $timeout yn 2> /dev/null
-    if [ $? -eq 2 ]
-    then
-	# read doesn't support timeout
-	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
-	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
-	return $?
-    else
-	# read supports timeout
-	case "$yn" in
-	    y|Y)
-		return 0
-		;;
-	    *)
-		return 1
-		;;
-	esac
-    fi
-}
-
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2529,109 +2577,114 @@ hits_command() {
    fi
 }

+#
+# Issue an error message and terminate if the firewall isn't started
+#
+require_started() {
+    if ! product_is_started; then
+	error_message "ERROR: $g_product is not started"
+	exit 2
+    fi
+}
+
 #
 # 'allow' command executor
 #
 allow_command() {

+    local allowed
+    local which
+    which='-s'
+    local range
+    range='--src-range'
+    local dynexists
+
    [ -n "$g_debugging" ] && set -x
    [ $# -eq 1 ] && missing_argument

-    if product_is_started ; then
-	local allowed
-	local which
-	which='-s'
-	local range
-	range='--src-range'
-	local dynexists
-
-	if [ -n "$g_blacklistipset" ]; then
-
-	    case ${IPSET:=ipset} in
-		*/*)
-		    if [ ! -x "$IPSET" ]; then
-			fatal_error "IPSET=$IPSET does not exist or is not executable"
-		    fi
-		    ;;
-		*)
-		    IPSET="$(mywhich $IPSET)"
-		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
-		    ;;
-	    esac
-	fi
-
-	if chain_exists dynamic; then
-	    dynexists=Yes
-	elif [ -z "$g_blacklistipset" ]; then
-	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
-	fi
-
-	[ -n "$g_nolock" ] || mutex_on
-
-	while [ $# -gt 1 ]; do
-	    shift
-
-	    allowed=''
-
-	    case $1 in
-		from)
-		    which='-s'
-		    range='--src-range'
-		    continue
-		    ;;
-		to)
-		    which='-d'
-		    range='--dst-range'
-		    continue
-		    ;;
-		*-*)
-		    if [ -n "$g_blacklistipset" ]; then
-			if qt $IPSET -D $g_blacklistipset $1; then
-			    allowed=Yes
-			fi
-		    fi
-
-		    if [ -n "$dynexists" ]; then
-			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
-			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
-			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
-			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
-			then
-			    allowed=Yes
-			fi
-		    fi
-		    ;;
-		*)
-		    if [ -n "$g_blacklistipset" ]; then
-			if qt $IPSET -D $g_blacklistipset $1; then
-			    allowed=Yes
-			fi
-		    fi
-
-		    if [ -n "$dynexists" ]; then
-			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
-			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
-			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
-			    qt $g_tool -D dynamic $which $1 -j logreject
-			then
-			    allowed=Yes
-			fi
-		    fi
-		    ;;
-	    esac
-
-	    if [ -n "$allowed" ]; then
-		progress_message2 "$1 Allowed"
-	    else
-		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
-	    fi
-	done
-
-	[ -n "$g_nolock" ] || mutex_off
-    else
-	error_message "ERROR: $g_product is not started"
-	exit 2
+    if [ -n "$g_blacklistipset" ]; then
+	case ${IPSET:=ipset} in
+	    */*)
+		if [ ! -x "$IPSET" ]; then
+		    fatal_error "IPSET=$IPSET does not exist or is not executable"
+		fi
+		;;
+	    *)
+		IPSET="$(mywhich $IPSET)"
+		[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+		;;
+	esac
    fi
+
+    if chain_exists dynamic; then
+	dynexists=Yes
+    elif [ -z "$g_blacklistipset" ]; then
+	require_started
+	fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
+    fi
+
+    [ -n "$g_nolock" ] || mutex_on
+
+    while [ $# -gt 1 ]; do
+	shift
+
+	allowed=''
+
+	case $1 in
+	    from)
+		which='-s'
+		range='--src-range'
+		continue
+		;;
+	    to)
+		which='-d'
+		range='--dst-range'
+		continue
+		;;
+	    *-*)
+		if [ -n "$g_blacklistipset" ]; then
+		    if qt $IPSET -D $g_blacklistipset $1; then
+			allowed=Yes
+		    fi
+		fi
+
+		if [ -n "$dynexists" ]; then
+		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
+		    then
+			allowed=Yes
+		    fi
+		fi
+		;;
+	    *)
+		if [ -n "$g_blacklistipset" ]; then
+		    if qt $IPSET -D $g_blacklistipset $1; then
+			allowed=Yes
+		    fi
+		fi
+
+		if [ -n "$dynexists" ]; then
+		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
+		        qt $g_tool -D dynamic $which $1 -j DROP      ||\
+			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
+			qt $g_tool -D dynamic $which $1 -j logreject
+		    then
+			allowed=Yes
+		    fi
+		fi
+		;;
+	esac
+
+	if [ -n "$allowed" ]; then
+	    progress_message2 "$1 Allowed"
+	else
+	    error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+	fi
+    done
+
+    [ -n "$g_nolock" ] || mutex_off
 }

 #
@@ -2751,7 +2804,6 @@ determine_capabilities() {
    LENGTH_MATCH=
    CLASSIFY_TARGET=
    ENHANCED_REJECT=
-    USEPKTTYPE=
    KLUDGEFREE=
    MARK=
    XMARK=
@@ -2770,7 +2822,7 @@ determine_capabilities() {
    GOTO_TARGET=
    LOGMARK_TARGET=
    IPMARK_TARGET=
-    LOG_TARGET=Yes
+    LOG_TARGET=
    ULOG_TARGET=
    NFLOG_TARGET=
    PERSISTENT_SNAT=
@@ -2804,6 +2856,7 @@ determine_capabilities() {
    CPU_FANOUT=
    NETMAP_TARGET=
    NFLOG_SIZE=
+    RESTORE_WAIT_OPTION=

    AMANDA_HELPER=
    FTP_HELPER=
@@ -2827,9 +2880,11 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
    fi

+    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
+
    if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	tool="$tool --wait"
+	g_tool="$g_tool --wait"
    fi

    chain=fooX$$
@@ -2844,6 +2899,7 @@ determine_capabilities() {
 		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
+	    qt $g_tool -t nat -L INPUT -n && NAT_INPUT_CHAIN=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
 	    qt $g_tool -t nat -F $chain
 	    qt $g_tool -t nat -X $chain
@@ -3094,7 +3150,6 @@ determine_capabilities() {
 	fi
    fi

-    qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
    qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
    qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
    qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
@@ -3135,7 +3190,7 @@ determine_capabilities() {
    qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $g_tool -A $chain -j LOG || LOG_TARGET=
+    qt $g_tool -A $chain -j LOG && LOG_TARGET=Yes
    qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
@@ -3208,7 +3263,6 @@ report_capabilities_unsorted() {
 	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
 	[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
    fi
-    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
    report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
    report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
    report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
@@ -3218,8 +3272,8 @@ report_capabilities_unsorted() {
    [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
    report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
    report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
+    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
    if [ -n "$IPSET_MATCH" ]; then
-	report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
 	[ -n "$OLD_IPSET_MATCH" ]     && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)"           $OLD_IPSET_MATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Nomatch (IPSET_MATCH_NOMATCH)"   $IPSET_MATCH_NOMATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Counters (IPSET_MATCH_COUNTERS)" $IPSET_MATCH_COUNTERS
@@ -3299,9 +3353,11 @@ report_capabilities_unsorted() {
    if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
+	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
+	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    fi

    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3310,6 +3366,7 @@ report_capabilities_unsorted() {
    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
+    report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN

    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3322,8 +3379,6 @@ report_capabilities() {
 	report_capabilities_unsorted | sort
    fi

-    [ -n "$PKTTYPE" ] || USEPKTTYPE=
-
 }

 report_capabilities_unsorted1() {
@@ -3340,7 +3395,6 @@ report_capabilities_unsorted1() {
    report_capability1 CONNTRACK_MATCH
    report_capability1 NEW_CONNTRACK_MATCH
    report_capability1 OLD_CONNTRACK_MATCH
-    report_capability1 USEPKTTYPE
    report_capability1 POLICY_MATCH
    report_capability1 PHYSDEV_MATCH
    report_capability1 PHYSDEV_BRIDGE
@@ -3417,6 +3471,8 @@ report_capabilities_unsorted1() {
    report_capability1 CPU_FANOUT
    report_capability1 NETMAP_TARGET
    report_capability1 NFLOG_SIZE
+    report_capability1 RESTORE_WAIT_OPTION
+    report_capability1 NAT_INPUT_CHAIN

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3721,7 +3777,7 @@ ipcalc_command() {

    valid_address $address || fatal_error "Invalid IP address: $address"
    [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
+    [ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM"
    [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"

    address=$address/$vlsm
@@ -3902,7 +3958,7 @@ get_config() {

    ensure_config_path

-    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf

    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

@@ -4056,15 +4112,15 @@ start_command() {
 	rc=0
 	[ -n "$g_nolock" ] || mutex_on

-	if [ -x ${VARDIR}/firewall ]; then
-	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
+	if [ -x $g_firewall ]; then
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
 		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
 	    else
-		run_it ${VARDIR}/firewall $g_debugging start
+		run_it $g_firewall $g_debugging start
 	    fi
 	    rc=$?
 	else
-	    error_message "${VARDIR}/firewall is missing or is not executable"
+	    error_message "$g_firewall is missing or is not executable"
 	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
@@ -4193,11 +4249,11 @@ restart_command() {

    [ -n "$g_nolock" ] || mutex_on

-    if [ -x ${VARDIR}/firewall ]; then
-	run_it ${VARDIR}/firewall $g_debugging $COMMAND
+    if [ -x $g_firewall ]; then
+	run_it $g_firewall $g_debugging $COMMAND
 	rc=$?
    else
-	error_message "${VARDIR}/firewall is missing or is not executable"
+	error_message "$g_firewall is missing or is not executable"
 	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
    fi
@@ -4207,10 +4263,10 @@ restart_command() {
 }

 run_command() {
-    if [ -x ${VARDIR}/firewall ] ; then
-	run_it ${VARDIR}/firewall $g_debugging $@
+    if [ -x $g_firewall ] ; then
+	run_it $g_firewall $g_debugging $@
    else
-	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+	fatal_error "$g_firewall does not exist or is not executable"
    fi
 }

@@ -4268,7 +4324,6 @@ usage() # $1 = exit status

    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   reenable <interface>"
-    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."

    if [ -n "$g_lite" ]; then
@@ -4278,9 +4333,11 @@ usage() # $1 = exit status
    fi

    if [ -z "$g_lite" ]; then
-	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-getrc [ -T ] [ -c ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
+	echo "   remote-getcaps [ -T ] [ -R ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
    fi

    echo "   reset [ <chain> ... ]"
@@ -4323,7 +4380,9 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] nfacct"
    echo "   [ show | list | ls ] opens"
    echo "   [ show | list | ls ] policies"
+    echo "   [ show | list | ls ] rc"
    echo "   [ show | list | ls ] routing"
+    echo "   [ show | list | ls ] saves"
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
@@ -4372,7 +4431,6 @@ shorewall_cli() {
    g_use_verbosity=
    g_debug=
    g_export=
-    g_refreshchains=:none:
    g_confess=
    g_update=
    g_annotate=
@@ -4391,6 +4449,7 @@ shorewall_cli() {
    g_nopager=
    g_blacklistipset=
    g_disconnect=
+    g_havemutex=

    VERBOSE=
    VERBOSITY=1
@@ -4563,12 +4622,14 @@ shorewall_cli() {

    case "$COMMAND" in
 	start)
+	    only_root
 	    get_config Yes Yes
 	    shift
 	    start_command $@
 	    ;;
 	stop|clear)
 	    [ $# -ne 1 ] && too_many_arguments $2
+	    only_root
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4576,6 +4637,7 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
+	    only_root
 	    get_config
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4584,19 +4646,22 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
+	    only_root
 	    get_config Yes Yes
 	    shift
 	    restart_command $@
 	    ;;
 	disable|enable|reenable)
+	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it ${VARDIR}/firewall $g_debugging $@
+		run_it $g_firewall $g_debugging $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	blacklist)
+	    only_root
 	    get_config Yes
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4605,6 +4670,7 @@ shorewall_cli() {
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
+	    only_root
 	    get_config Yes
 	    run_command $@
 	    ;;
@@ -4614,18 +4680,20 @@ shorewall_cli() {
    	    show_command $@
 	    ;;
 	status)
-	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
+	    only_root
 	    get_config
 	    shift
 	    status_command $@
 	    ;;
 	dump)
+	    only_root
 	    get_config Yes No Yes
    	    shift
    	    dump_command $@
 	    ;;
 	hits)
 	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
+	    only_root
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4636,53 +4704,63 @@ shorewall_cli() {
 	    version_command $@
 	    ;;
 	logwatch)
+	    only_root
 	    get_config Yes Yes Yes
 	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
+	    only_root
 	    get_config
 	    shift
 	    open_close_command $@
 	    ;;
 	allow)
+	    only_root
 	    get_config
 	    allow_command $@
 	    ;;
 	add)
+	    only_root
 	    get_config
 	    shift
 	    add_command $@
 	    ;;
 	delete)
+	    only_root
 	    get_config
 	    shift
 	    delete_command $@
 	    ;;
 	save)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    save_command $@
 	    ;;
 	forget)
+	    only_root
 	    get_config
 	    forget_command $@
 	    ;;
@@ -4699,11 +4777,13 @@ shorewall_cli() {
 	    ipdecimal_command $@
 	    ;;
 	restore)
+	    only_root
 	    get_config
 	    shift
 	    restore_command $@
            ;;
 	call)
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
@@ -4741,17 +4821,20 @@ shorewall_cli() {
 	    usage
 	    ;;
 	iptrace)
+	    only_root
 	    get_config
 	    shift
 	    iptrace_command $@
 	    ;;
 	noiptrace)
+	    only_root
 	    get_config
 	    shift
 	    noiptrace_command $@
 	    ;;
 	savesets)
 	    [ $# -eq 1 ] || too_many_arguments $2
+	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.common
 #
-#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -269,53 +269,48 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
    local modulename
    modulename=$1
+    shift
+    local moduleoptions
+    moduleoptions=$*
    local modulefile
    local suffix

    if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
-		shift
-
-		for suffix in $MODULE_SUFFIX ; do
-		    for directory in $moduledirectories; do
-			modulefile=$directory/${modulename}.${suffix}
-
-			if [ -f $modulefile ]; then
-			    case $moduleloader in
-				insmod)
-				    insmod $modulefile $*
-				    ;;
-				*)
-				    modprobe $modulename $*
-				    ;;
-			    esac
-			    break 2
-			fi
-		    done
-		done
+		case $moduleloader in
+		    insmod)
+			for directory in $moduledirectories; do
+			    for modulefile in $directory/${modulename}.*; do
+				if [ -f $modulefile ]; then
+				    insmod $modulefile $moduleoptions
+				    return
+				fi
+			    done
+			done
+			;;
+		    *)
+			modprobe -q $modulename $moduleoptions
+			;;
+		esac
 	    fi
 	fi
    elif ! list_search $modulename $DONT_LOAD $MODULES; then
-	shift
-
-	for suffix in $MODULE_SUFFIX ; do
-	    for directory in $moduledirectories; do
-		modulefile=$directory/${modulename}.${suffix}
-
-		if [ -f $modulefile ]; then
-		    case $moduleloader in
-			insmod)
-			    insmod $modulefile $*
-			    ;;
-			*)
-			    modprobe $modulename $*
-			    ;;
-		    esac
-		    break 2
-		fi
-	    done
-	done
+	case $moduleloader in
+	    insmod)
+		for directory in $moduledirectories; do
+		    for modulefile in $directory/${modulename}.*; do
+			if [ -f $modulefile ]; then
+			    insmod $modulefile $moduleoptions
+			    return
+			fi
+		    done
+		done
+		;;
+	    *)
+		modprobe -q $modulename $moduleoptions
+		;;
+	esac
    fi
 }

@@ -338,8 +333,6 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi

-    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
-
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -394,8 +387,6 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi

-    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
-
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -763,7 +754,7 @@ mutex_on()

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

-    if [ $MUTEX_TIMEOUT -gt 0 ]; then
+    if [ -z "$g_havemutex" -a $MUTEX_TIMEOUT -gt 0 ]; then

 	lockd=$(dirname $LOCKFILE)

@@ -771,7 +762,7 @@ mutex_on()

 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
@@ -784,12 +775,14 @@ mutex_on()

 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock ${lockf}
-            chmod u=r ${lockf}
+	    lock ${lockf}
+	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
+	    chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -799,10 +792,15 @@ mutex_on()
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
+		g_havemutex="rm -f ${lockf}"
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
+
+	if [ -n "$g_havemutex" ]; then
+	    trap mutex_off EXIT
+	fi
    fi
 }

@@ -811,7 +809,10 @@ mutex_on()
 #
 mutex_off()
 {
-    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
-    rm -f ${LOCKFILE:=${VARDIR}/lock}
+    if [ -n "$g_havemutex" ]; then
+	eval $g_havemutex
+	g_havemutex=
+	trap '' exit
+    fi
 }

--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.core
+# Shorewall 5.2 -- /usr/share/shorewall/lib.core
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,7 +24,7 @@
 # generated scripts.
 #

-SHOREWALL_LIBVERSION=50100
+SHOREWALL_LIBVERSION=50108

 #
 # Fatal Error
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -1,6 +1,5 @@
 #
-#
-# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -1,6 +1,5 @@
 #
-#
-# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -405,20 +405,6 @@
      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall[6]</command>
-
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
-      <arg>options</arg>
-
-      <arg
-      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg><option>-i</option></arg><arg>-<option>D</option>
-      <replaceable>directory</replaceable> </arg><arg
-      rep="repeat"><replaceable>chain</replaceable></arg></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

@@ -459,6 +445,54 @@
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>options</arg>
+
+      <arg choice="plain"><option>remote-getcaps</option></arg>
+
+      <arg><option>-s</option></arg>
+
+      <arg><option>-R</option></arg>
+
+      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
+
+      <arg><option>-T</option></arg>
+
+      <arg><option>-i</option></arg>
+
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
+
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>options</arg>
+
+      <arg choice="plain"><option>remote-getrc</option></arg>
+
+      <arg><option>-s</option></arg>
+
+      <arg><option>-c</option></arg>
+
+      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
+
+      <arg><option>-T</option></arg>
+
+      <arg><option>-i</option></arg>
+
+      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
+
+      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall[6]</command>

@@ -813,7 +847,7 @@

      <arg choice="req"><option>show | list | ls </option></arg>

-      <arg choice="plain"><option>tc</option></arg>
+      <arg choice="plain"><option>saves</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -1316,7 +1350,7 @@
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
-          role="bold">refresh</emphasis> command if that script exists.</para>
+          role="bold">reload</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -1773,63 +1807,6 @@
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
-        [-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
-        </option><replaceable>directory</replaceable> ] [
-        <replaceable>chain</replaceable>... ]</term>
-
-        <listitem>
-          <para>Not available with Shorewall[6]-lite.</para>
-
-          <para>All steps performed by <command>restart</command> are
-          performed by <command>refresh</command> with the exception that
-          <command>refresh</command> only recreates the chains specified in
-          the command while <command>restart</command> recreates the entire
-          Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
-          the static blacklisting chain <emphasis
-          role="bold">blacklst</emphasis> is assumed.</para>
-
-          <para>The listed chains are assumed to be in the filter table. You
-          can refresh chains in other tables by prefixing the chain name with
-          the table name followed by ":" (e.g., nat:net_dnat). Chain names
-          which follow are assumed to be in that table until the end of the
-          list or until an entry in the list names another table. Built-in
-          chains such as FORWARD may not be refreshed.</para>
-
-          <para>The <option>-n</option> option was added in Shorewall 4.5.3
-          causes Shorewall to avoid updating the routing table(s).</para>
-
-          <para>The <option>-d</option> option was added in Shorewall 4.5.3
-          causes the compiler to run under the Perl debugger.</para>
-
-          <para>The <option>-T</option> option was added in Shorewall 4.5.3
-          and causes a Perl stack trace to be included with each
-          compiler-generated error and warning message.</para>
-
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
-          contains alternative input specifications following a semicolon
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-
-          <para>The <option>-D</option> option was added in Shorewall 4.5.3
-          and causes Shorewall to look in the given
-          <emphasis>directory</emphasis> first for configuration files.</para>
-
-          <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
-
-          <para>The <emphasis role="bold">refresh</emphasis> command has
-          slightly different behavior. When no chain name is given to the
-          <emphasis role="bold">refresh</emphasis> command, the mangle table
-          is refreshed along with the blacklist chain (if any). This allows
-          you to modify <filename>/etc/shorewall/tcrules </filename>and
-          install the changes using <emphasis
-          role="bold">refresh</emphasis>.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">reject</emphasis><replaceable>
        address</replaceable></term>
@@ -1941,6 +1918,57 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">remote-getcaps</emphasis>
+        [-<option>R</option>] [-<option>r</option>
+        <replaceable>root-user-name</replaceable>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
+
+        <listitem>
+          <para>Added in Shoreall 5.2.0, this command executes <emphasis
+          role="bold">shorewall[6]-lite show capabilities -f &gt;
+          /var/lib/shorewall[6]-lite/capabilities</emphasis> on the remote
+          <replaceable>system</replaceable> via ssh then the generated file is
+          copied to <replaceable>directory</replaceable> on the local system.
+          If no <replaceable>directory</replaceable> is given, the current
+          working directory is assumed.</para>
+
+          <para>if <emphasis role="bold">-R</emphasis> is included, the remote
+          shorewallrc file is also copied to
+          <replaceable>directory</replaceable>.</para>
+
+          <para>If <option>-r</option> is included, it specifies that the root
+          user on <replaceable>system</replaceable> is named
+          <replaceable>root-user-name</replaceable> rather than "root".</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">remote-getrc</emphasis>
+        [-<option>c</option>] [-<option>r</option>
+        <replaceable>root-user-name</replaceable>] [ [ -D ]
+        <replaceable>directory</replaceable> ] [
+        <replaceable>system</replaceable> ]</term>
+
+        <listitem>
+          <para>Added in Shoreall 5.2.0, this command copies the shorewallrc
+          file from the remote <replaceable>system</replaceable> to
+          <replaceable>directory</replaceable> on the local system. If no
+          <replaceable>directory</replaceable> is given, the current working
+          directory is assumed.</para>
+
+          <para>if <emphasis role="bold">-c</emphasis> is included, the remote
+          capabilities are also copied to
+          <replaceable>directory</replaceable>, as is done by the
+          <command>remote-getcaps</command> command.</para>
+
+          <para>If <option>-r</option> is included, it specifies that the root
+          user on <replaceable>system</replaceable> is named
+          <replaceable>root-user-name</replaceable> rather than "root".</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">remote-start</emphasis>
        [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
@@ -1992,9 +2020,9 @@
          role="bold">shorewall-lite save</emphasis> via ssh.</para>

          <para>if <emphasis role="bold">-c</emphasis> is included, the
-          command <emphasis role="bold">shorewall-lite show capabilities -f
-          &gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
-          ssh then the generated file is copied to
+          command <emphasis role="bold">shorewall[6]-lite show capabilities -f
+          &gt; /var/lib/shorewall[6]-lite/capabilities</emphasis> is executed
+          via ssh then the generated file is copied to
          <replaceable>directory</replaceable> using scp. This step is
          performed before the configuration is compiled.</para>

@@ -2005,13 +2033,6 @@
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
-
-          <para>The <option>-i</option> option was added in Shorewall 4.6.0
-          and causes a warning message to be issued if the current line
-          contains alternative input specifications following a semicolon
-          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
-          set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

@@ -2430,11 +2451,11 @@
        <replaceable>filename</replaceable> ]</term>

        <listitem>
-          <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
-          The state of the firewall is stored in
+          <para>Creates a snapshot of the currently running firewall. The
+          dynamic blacklist is stored in /var/lib/shorewall/save. The state of
+          the firewall is stored in
          /var/lib/shorewall/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall restore</emphasis> and <emphasis
-          role="bold">shorewall -f start</emphasis> commands. If
+          <emphasis role="bold">shorewall restore</emphasis> command. If
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
@@ -2737,6 +2758,15 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">rc</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.0. Displays the contents of
+                $SHAREDIR/shorewall/shorewallrc.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>[-<option>c</option>]<emphasis role="bold">
              routing</emphasis></term>
@@ -2762,6 +2792,20 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>saves</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.0. Lists snapshots created by the
+                <command>save</command> command. Each snapshot is listed with
+                the date and time when it was taken. If there is a snapshot
+                with the name specified in the RESTOREFILE option in <ulink
+                url="shorewall.conf.html">shorewall.conf(5</ulink>), that
+                snapshot is listed as the <emphasis>default</emphasis>
+                snapshot for the <command>restore</command> command.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>

@@ -2921,7 +2965,7 @@
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
-          role="bold">refresh</emphasis> command if that script exists.</para>
+          role="bold">reload</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -3187,14 +3231,15 @@
    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-mangle(5),
-    shorewall-masq(5), shorewall-modules(5), shorewall-nat(5),
-    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall6-proxyndp(5), shorewall-routes(5), shorewall-rtrules(5),
-    shorewall-rtrules(5), shorewall-rules(5), shorewall-secmarks(5),
-    shorewall-snat(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcfilters(5), shorewall-tcinterfaces(5), shorewall-tcpri(5),
-    shorewall-tunnels(5), shorewall-vardir(5), shorewall-zones(5)</para>
+    shorewall-ipsets(5), shorewall-logging(), shorewall-maclist(5),
+    shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5),
+    shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall6-proxyndp(5), shorewall-routes(5),
+    shorewall-rtrules(5), shorewall-rtrules(5), shorewall-rules(5),
+    shorewall-secmarks(5), shorewall-snat(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5),
+    shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -1,8 +1,8 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.0
+#     Shorewall Packet Filtering Firewall Control Program - V5.1
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015 -
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -25,6 +25,10 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
+#
+# Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l
+# options
+#
 PRODUCT=shorewall

 #
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -13,9 +13,9 @@ MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
 INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+ANNOTATED=				#If non-empty, annotated configuration files are installed
+SYSCONFFILE=default.debian.systemd	#Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
--- a/Shorewall-core/shorewallrc.sandbox
+++ b/Shorewall-core/shorewallrc.sandbox
@@ -0,0 +1,28 @@
+#
+# Shorewall 5.2 rc file for installing into a Sandbox
+#
+BUILD=                                       # Default is to detect the build system
+HOST=linux
+INSTALLDIR=				     # Set this to the directory where you want Shorewall installed
+PREFIX=${INSTALLDIR}/usr		     # Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share		     # Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share		     # Directory for executable scripts.	
+PERLLIBDIR=${PREFIX}/share/shorewall	     # Directory to install Shorewall Perl module directory	
+CONFDIR=${INSTALLDIR}/etc		     # Directory where subsystem configurations are installed				
+SBINDIR=${INSTALLDIR}/sbin		     # Directory where system administration programs are installed			
+MANDIR=		     			     # Leave empty
+INITDIR=				     # Leave empty				     				
+INITSOURCE=				     # Leave empty
+INITFILE=				     # Leave empty
+AUXINITSOURCE=				     # Leave empty
+AUXINITFILE=				     # Leave empty
+SERVICEDIR=				     # Leave empty
+SERVICEFILE=    			     # Leave empty
+SYSCONFFILE=				     # Leave empty
+SYSCONFDIR=				     # Leave empty			
+SPARSE=					     # Leave empty			
+ANNOTATED=				     # If non-empty, annotated configuration files are installed				
+VARLIB=${INSTALLDIR}/var/lib		     # Directory where product variable data is stored.				
+VARDIR=${VARLIB}/$PRODUCT		     # Directory where product variable data is stored.		
+DEFAULT_PAGER=/usr/bin/less		     # Pager to use if none specified in shorewall[6].conf
+SANDBOX=Yes				     # Indicates SANDBOX installation
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -73,12 +73,16 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ -x ${STATEDIR}/firewall ]; then
+        return 0
    else
-	return 0
+        if [ $PRODUCT = shorewall ]; then
+            ${SBINDIR}/shorewall compile
+        elif [ $PRODUCT = shorewall6 ]; then
+            ${SBINDIR}/shorewall -6 compile
+        else
+            return 1
+        fi
    fi
 }

@@ -108,16 +112,14 @@ shorewall_start () {

  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-              #
-	      # Run in a sub-shell to avoid name collisions
-	      #
-	      (
-		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		      ${STATEDIR}/firewall ${OPTIONS} stop
-		  fi
-	      )
-	  fi
+          #
+	  # Run in a sub-shell to avoid name collisions
+	  #
+	  (
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
+	  )
      fi
  done

@@ -145,9 +147,7 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear
      fi
  done

@@ -159,8 +159,9 @@ shorewall_stop () {

      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
      else
+	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
      fi

--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,12 +44,14 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 0
+	return 1
    fi
 }

@@ -66,20 +68,20 @@ start () {

    printf "Initializing \"Shorewall-based firewalls\": "

+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi
+
    for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?

 	if [ $retval -eq 0 ]; then
-	    if [ -x "${STATEDIR}/firewall" ]; then
-		${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
-		retval=${PIPESTATUS[0]}
-		[ $retval -ne 0 ] && break
-	    else
-		retval=6 #Product not configured
-		break
-	    fi
+	    ${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
+	    retval=${PIPESTATUS[0]}
+	    [ $retval -ne 0 ] && break
 	else
+	    retval=6 #Product not configured
 	    break
 	fi
    done
@@ -106,20 +108,25 @@ stop () {
 	retval=$?

 	if [ $retval -eq 0 ]; then
-	    if [ -x "${STATEDIR}/firewall" ]; then
-		${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
-		retval=${PIPESTATUS[0]}
-		[ $retval -ne 0 ] && break
-	    else
-		retval=6 #Product not configured
-		break
-	    fi
+	    ${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
+	    retval=${PIPESTATUS[0]}
+	    [ $retval -ne 0 ] && break
 	else
+	    retval=6 #Product not configured
 	    break
 	fi
    done

    if [ $retval -eq 0 ]; then
+	if [ -n "$SAVE_IPSETS" ]; then
+	    mkdir -p $(dirname "$SAVE_IPSETS")
+	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
+		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	    else
+		rm -f "${SAVE_IPSETS}.tmp"
+	    fi
+	fi
+
 	rm -f $lockfile
 	success
    else
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -75,12 +75,14 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 0
+	return 1
    fi
 }

@@ -92,10 +94,8 @@ start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop
-	      fi
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      ${STATEDIR}/firewall ${OPTIONS} stop
 	  fi
      fi
  done
@@ -103,6 +103,8 @@ start () {
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      ipset -R < "$SAVE_IPSETS"
  fi
+
+  return 0
 }

 boot () {
@@ -117,17 +119,19 @@ stop () {
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    if [ -x ${STATEDIR}/firewall ]; then
-		${STATEDIR}/firewall ${OPTIONS} clear
-	    fi
+	    ${STATEDIR}/firewall ${OPTIONS} clear
 	fi
    done

    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
    fi
+
+    return 0
 }

--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -69,10 +69,12 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    else
-	return 0
+	return 1
    fi
 }

@@ -84,10 +86,8 @@ shorewall_start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop
-	      fi
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      ${STATEDIR}/firewall ${OPTIONS} stop
 	  fi
      fi
  done
@@ -107,16 +107,16 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear
      fi
  done

  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+      else
+	  rm -f "${SAVE_IPSETS}.tmp"
      fi
  fi

--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -79,12 +79,14 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 0
+	return 6
    fi
 }

@@ -96,10 +98,8 @@ shorewall_start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x $STATEDIR/firewall ]; then
-	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
-	      fi
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
 	  fi
      fi
  done
@@ -117,16 +117,16 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear
      fi
  done

  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+      else
+	  rm -f "${SAVE_IPSETS}.tmp"
      fi
  fi
 }
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -33,12 +33,12 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+        return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
-    else
-	return 0
    fi
 }

@@ -67,16 +67,14 @@ shorewall_start () {
    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    if [ -x ${STATEDIR}/firewall ]; then
-		#
-		# Run in a sub-shell to avoid name collisions
-		#
-		(
-		    if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-			${STATEDIR}/firewall ${OPTIONS} stop
-		    fi
-		)
-	    fi
+	    #
+	    # Run in a sub-shell to avoid name collisions
+	    #
+	    (
+		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		    ${STATEDIR}/firewall ${OPTIONS} stop
+		fi
+	    )
 	fi
    done

@@ -95,16 +93,16 @@ shorewall_stop () {
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    if [ -x ${STATEDIR}/firewall ]; then
-		${STATEDIR}/firewall ${OPTIONS} clear
-	    fi
+	    ${STATEDIR}/firewall ${OPTIONS} clear
 	fi
    done

    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
    fi

--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -1,5 +1,5 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
+# Shorewall 5.2 -- /usr/share/shorewall-lite/lib.base
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,7 +38,6 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall/Actions/action.A_AllowICMPs.deprecated
+++ b/Shorewall/Actions/action.A_AllowICMPs.deprecated
@@ -1,9 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
-#
-# This action A_ACCEPTs needed ICMP types
-#
-###############################################################################
-#ACTION		SOURCE		DEST	PROTO		DPORT
-
-AllowICMPs(A_ACCEPT)
--- a/Shorewall/Actions/action.A_Drop.deprecated
+++ b/Shorewall/Actions/action.A_Drop.deprecated
@@ -1,57 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.A_Drop
-#
-# The audited default DROP common rules
-#
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-?require AUDIT_TARGET
-?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
-###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special Handling for Auth
-#
-Auth(A_DROP)
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before broadcast Drop.
-#
-A_AllowICMPs	-	-	icmp
-#
-# Don't log broadcasts and multicasts
-#
-dropBcast(audit)
-dropMcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-dropInvalid(audit)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_DROP)
-A_DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
@@ -1,11 +1,11 @@
 #
-# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
+# Shorewall -- /usr/share/shorewall/action.A_REJECT
 #
 # A_REJECT Action.
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ b/Shorewall/Actions/action.A_Reject.deprecated
@@ -1,54 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.A_Reject
-#
-# The audited default REJECT action common rules
-#
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-?require AUDIT_TARGET
-?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
-###############################################################################
-#ACTION		SOURCE	DEST	PROTO
-#
-# Count packets that come through here
-#
-COUNT
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before broadcast Drop.
-#
-A_AllowICMPs	-	-	icmp
-#
-# Drop Broadcasts and multicasts so they don't clutter up the log
-# (these must *not* be rejected).
-#
-dropBcast(audit)
-dropMcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid(audit)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_REJECT)
-A_DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -13,7 +13,6 @@ DEFAULTS ACCEPT
    @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
 ?else
 ?COMMENT Needed ICMP types (RFC4890)
-
    @1	-		-	ipv6-icmp	destination-unreachable
    @1	-		-	ipv6-icmp	packet-too-big
    @1	-		-	ipv6-icmp	time-exceeded
@@ -38,7 +37,7 @@ DEFAULTS ACCEPT
    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
    @1	-		-	ipv6-icmp	149	# Certificate path advertisement

-# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
    @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
    @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
    @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.DNSAmp
+++ b/Shorewall/Actions/action.DNSAmp
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.Drop.deprecated
+++ b/Shorewall/Actions/action.Drop.deprecated
@@ -1,84 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Drop
-#
-# The former default DROP common rules. Use of this action is now deprecated
-#
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# The action accepts six optional parameters:
-#
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#     actions.
-# 2 - Action to take with Auth requests. Default is to do nothing special
-#     with them.
-# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
-#     depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-#     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
-#     is DROP or A_DROP depending on the first parameter.
-# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
-#     depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
-    ?else
-        ?error The first parameter to Drop must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
-?endif
-
-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special Handling for Auth
-#
-?if passed(@2)
-Auth(@2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before silent broadcast Drop.
-#
-AllowICMPs(@4)	-	-	icmp
-#
-# Don't log broadcasts or multicasts
-#
-Broadcast(DROP,@1)
-Multicast(DROP,@1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-Invalid(DROP,@1)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(@3)
-DropUPnP(@6)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,@1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep(@5)
--- a/Shorewall/Actions/action.Established
+++ b/Shorewall/Actions/action.Established
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.FIN
+++ b/Shorewall/Actions/action.FIN
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -30,4 +30,4 @@

 DEFAULTS ACCEPT,-

-@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH
+@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN ACK,FIN
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -107,6 +107,11 @@ if ( $command & $REAP_OPT ) {

 $duration .= '--rttl ' if $command & $TTL_OPT;

+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "-m recent --rcheck ${duration}--hitcount $hitcount" );
+    $action = 'ACCEPT';
+}
+
 if ( $command & $RESET_CMD ) {
    require_capability 'MARK_ANYWHERE', '"reset"', 's';

--- a/Shorewall/Actions/action.Invalid
+++ b/Shorewall/Actions/action.Invalid
@@ -4,7 +4,7 @@
 # Invalid Action
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.New
+++ b/Shorewall/Actions/action.New
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.NotSyn
+++ b/Shorewall/Actions/action.NotSyn
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.RST
+++ b/Shorewall/Actions/action.RST
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.Reject.deprecated
+++ b/Shorewall/Actions/action.Reject.deprecated
@@ -1,85 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Reject
-#
-# The former default REJECT action common rules. Use of this action is deprecated.
-#
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-#    internet operation are always ACCEPTed.
-#
-# The action accepts six optional parameters:
-#
-# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#     actions.
-# 2 - Action to take with Auth requests. Default is to do nothing
-#     special with them.
-# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-#     depending on the setting of the first parameter.
-# 4 - Action to take with required ICMP packets. Default is ACCEPT or
-#     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late DNS replies (UDP source port 53). Default
-#     is DROP or A_DROP depending on the first parameter.
-# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
-#     depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
-    ?else
-	?error The first parameter to Reject must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
-?endif
-
-#ACTION		SOURCE	DEST	PROTO
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Special handling for Auth
-#
-?if passed(@2)
-Auth(@2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-# For IPv6 connectivity ipv6-icmp broadcasting is required so
-# AllowICMPs must be before silent broadcast Drop.
-#
-AllowICMPs(@4)	-	-	icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-Broadcast(DROP,@1)
-Multicast(DROP,@1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-Invalid(DROP,@1)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(@3)
-DropUPnP(@6)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,@1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep(@5)
--- a/Shorewall/Actions/action.Related
+++ b/Shorewall/Actions/action.Related
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
@@ -41,6 +41,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;

+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "" );
+    $action = 'ACCEPT';
+}
+
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
 } else {
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
@@ -37,6 +37,11 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;

+if ( ( $targets{$action} || 0 ) & NATRULE ) {
+    perl_action_helper( "${action}-", "" );
+    $action = 'ACCEPT';
+}
+
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {
--- a/Shorewall/Actions/action.TCPFlags
+++ b/Shorewall/Actions/action.TCPFlags
@@ -26,4 +26,4 @@ $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
-$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
+$tcpflags_action	-	-	;;+ -p 6 --syn --sport 0
--- a/Shorewall/Actions/action.Untracked
+++ b/Shorewall/Actions/action.Untracked
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.allowInvalid
+++ b/Shorewall/Actions/action.allowInvalid
@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.dropInvalid
+++ b/Shorewall/Actions/action.dropInvalid
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ b/Shorewall/Macros/macro.SNMPTrap.deprecated
@@ -1,9 +1,9 @@
 #
-# Shorewall - /usr/share/shorewall/macro.SNMPtrap
+# Shorewall -- /usr/share/shorewall/macro.Apcupsd
 #
-# This macro deprecated by SNMPtrap.
+# This macro handles apcupsd traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

-SNMPtrap
+PARAM	-	-	tcp	3551
--- a/Shorewall/Macros/macro.FreeIPA
+++ b/Shorewall/Macros/macro.FreeIPA
@@ -0,0 +1,16 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.FreeIPA
+#
+# This macro handles FreeIPA server traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+DNS
+HTTP
+HTTPS
+Kerberos
+Kpasswd
+LDAP
+LDAPS
+NTP
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -11,13 +11,20 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

 PARAM	-	-	tcp	623		# RMCP
+PARAM	-	-	udp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
-PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
+PARAM	-	-	tcp	5120,5122,5123	# CD,FD,HD (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
-PARAM	-	-	udp	623		# RMCP
+PARAM	-	-	tcp	8889		# WS-MAN
 HTTP
-HTTPS
-SNMP
-SSH						# Serial over Lan
 Telnet
+SNMP
+
+# TLS/secure ports
+PARAM	-	-	tcp	3520		# Remote Console (Redfish)
+PARAM	-	-	tcp	3669		# Virtual Media (Dell)
+PARAM	-	-	tcp	5124,5126,5127	# CD,FD,HD (AMI)
+PARAM	-	-	tcp	7582		# Remote Console (AMI)
+HTTPS
+SSH						# Serial over Lan
--- a/Shorewall/Macros/macro.Kpasswd
+++ b/Shorewall/Macros/macro.Kpasswd
@@ -0,0 +1,10 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Kpasswd
+#
+# This macro handles Kerberos "passwd" traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	464
+PARAM	-	-	udp	464
--- a/Shorewall/Macros/macro.RDP
+++ b/Shorewall/Macros/macro.RDP
@@ -6,4 +6,5 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

+PARAM	-	-	udp	3389
 PARAM	-	-	tcp	3389
--- a/Shorewall/Macros/macro.RedisSecure
+++ b/Shorewall/Macros/macro.RedisSecure
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.RedisSecure
+#
+# This macro handles Redis Secure (SSL/TLS) traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	6380
--- a/Shorewall/Macros/macro.Rwhois
+++ b/Shorewall/Macros/macro.Rwhois
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Rwhois
+#
+# This macro handles Remote Who Is (rwhois) traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	4321
--- a/Shorewall/Macros/macro.SSDP
+++ b/Shorewall/Macros/macro.SSDP
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.SSDP
+#
+# This macro handles SSDP (used by DLNA/UPnP) client traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	udp	1900
--- a/Shorewall/Macros/macro.SSDPserver
+++ b/Shorewall/Macros/macro.SSDPserver
@@ -0,0 +1,10 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.SSDPserver
+#
+# This macro handles SSDP (used by DLNA/UPnP) server bidirectional traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	udp	1900
+PARAM	DEST	SOURCE	udp	-	1900
--- a/Shorewall/Makefile-lite
+++ b/Shorewall/Makefile-lite
@@ -1,82 +0,0 @@
-#     Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
-#
-#	Shorewall documentation is available at http://www.shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-################################################################################
-# Place this file in each export directory. Modify each copy to set HOST
-# to the name of the remote firewall corresponding to the directory.
-#
-#	To make the 'firewall' script, type "make".
-#
-#	Once the script is compiling correctly, you can install it by
-#	typing "make install".
-#
-################################################################################
-#                             V A R I A B L E S
-#
-# Files in the export directory on which the firewall script does not depend
-#
-IGNOREFILES =  firewall% Makefile% trace% %~
-#
-# Remote Firewall system
-#
-HOST = gateway
-#
-# Save some typing
-#
-LITEDIR = /var/lib/shorewall-lite
-#
-# Set this if the remote system has a non-standard modules directory
-#
-MODULESDIR=
-#
-# Default target is the firewall script
-#
-################################################################################
-#                                T A R G E T S
-#
-all: firewall
-#
-# Only generate the capabilities file if it doesn't already exist
-#
-capabilities:
-	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
-	scp root@$(HOST):$(LITEDIR)/capabilities .
-#
-# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
-# 'filter-out' will be presented with the list of files in this directory rather than "*"
-#
-firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
-	shorewall compile -e . firewall
-#
-# Only reload on demand.
-#
-install: firewall
-	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
-	ssh root@$(HOST) "/sbin/shorewall-lite restart"
-#
-# Save running configuration
-#
-save:
-	ssh root@$(HOST) "/sbin/shorewall-lite save"
-#
-# Remove generated files
-#
-clean:
-	rm -f capabilities firewall firewall.conf reload
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/ARP.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -282,7 +282,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {

 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_rules_chain ( 'accountout' ) ,
+			    ensure_chain ( $config{ACCOUNTING_TABLE}, 'accountout' ) ,
 			    OUTPUT_RESTRICT ,
 			    $prerule ,
 			    $rule ,
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Chains.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Chains.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -172,6 +172,12 @@ our %EXPORT_TAGS = (
 				       related_chain
 				       invalid_chain
 				       untracked_chain
+				       rules_log
+				       blacklist_log
+				       established_log
+				       related_log
+				       invalid_log
+				       untracked_log
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@@ -335,7 +341,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               logchains    => { <key1> = <chainref1>, ... }
 #                                               references   => { <ref1> => <refs>, <ref2> => <refs>, ... }
 #                                               blacklistsection
-#                                                            => Chain was created by entries in the BLACKLIST section of the rules file
+#                                                            => Chain was created by entries in the blrules file
 #                                               action       => <action tuple that generated this chain>
 #                                               restricted   => Logical OR of restrictions of rules in this chain.
 #                                               restriction  => Restrictions on further rules in this chain.
@@ -361,13 +367,13 @@ our $VERSION = 'MODULEVERSION';
 #
 #       Only 'referenced' chains get written to the iptables-restore input.
 #
-#       'loglevel', 'synparams', 'synchain', 'audit', 'default' abd 'origin' only apply to policy chains.
+#       'loglevel', 'synparams', 'synchain', 'audit', 'default' and 'origin' only apply to policy chains.
 ###########################################################################################################################################
 #
 # For each ordered pair of zones, there may exist a 'canonical rules chain' in the filter table; the name of this chain is formed by
 # joining the names of the zones using the ZONE_SEPARATOR ('2' or '-'). This chain contains the rules that specifically deal with
 # connections from the first zone to the second. These chains will end with the policy rules when EXPAND_POLICIES=Yes and when there is an
-# explicit policy for the order pair. Otherwise, unless the applicable policy is CONTINUE, the chain will terminate with a jump to a
+# explicit policy for the ordered pair. Otherwise, unless the applicable policy is CONTINUE, the chain will terminate with a jump to a
 # wildcard policy chain (all[2-]zone, zone[2-]all, or all[2-]all).
 #
 # Except in the most trivial one-interface configurations, each zone has a "forward chain" which is branched to from the filter table
@@ -397,7 +403,7 @@ our $VERSION = 'MODULEVERSION';
 #      MAC Recent      - <dev>_rec
 #      SNAT            - <dev>_snat
 #      ECN             - <dev>_ecn
-#      FORWARD Options - <dev>_fop
+#      INPUT Options   - <dev>_iop
 #      OUTPUT Options  - <dev>_oop
 #      FORWARD Options - <dev>_fop
 #
@@ -874,6 +880,9 @@ sub validate_port( $$ ) {
    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
 }

+#
+# Port or port-pair separated by ':'. Either port may be omitted in the pair
+#
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
@@ -914,15 +923,15 @@ sub validate_portpair( $$ ) {

 }

+#
+# Port or port-pair separated by '-'. Neither port may be omitted in the pair
+#
 sub validate_portpair1( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;

    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;

-    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
-
    my @ports = split /-/, $portpair, 2;

    my $protonum = resolve_proto( $proto ) || 0;
@@ -1316,14 +1325,14 @@ sub pop_match( $$ ) {

 sub clone_irule( $ );

-sub format_rule( $$;$ ) {
-    my ( $chainref, $rulerefp, $suppresshdr ) = @_;
+sub format_rule( $$ ) {
+    my ( $chainref, $rulerefp ) = @_;

    return $rulerefp->{cmd} if exists $rulerefp->{cmd};

-    my $rule = $suppresshdr ? '' : "-A $chainref->{name}";
+    my $rule = "-A $chainref->{name}";
    #
-    # The code the follows can be destructive of the rule so we clone it
+    # The code that follows can be destructive of the rule so we clone it
    #
    my $ruleref = $rulerefp->{complex} ? clone_irule( $rulerefp ) : $rulerefp;
    my $nfacct  = $rulerefp->{nfacct};
@@ -1345,8 +1354,6 @@ sub format_rule( $$;$ ) {
 	    } else {
 		$rule .= join( '' , ' --', $_, ' ', $value );
 	    }
-
-	    next;
 	} elsif ( $type == EXPENSIVE ) {
 	    #
 	    # Only emit expensive matches now if there are '-m nfacct' or '-m recent' matches in the rule
@@ -1405,13 +1412,15 @@ sub compatible( $$ ) {
    }
    #
    # Don't combine chains where each specifies
-    #    -m policy
+    #    -m policy and the policies are different
    # or when one specifies
    #    -m multiport
    # and the other specifies
    #    --dport or --sport or -m multiport
    #
-    return ! ( $ref1->{policy} && $ref2->{policy} ||
+    my ( $p1, $p2 );
+
+    return ! ( ( ( $p1 = $ref1->{policy} ) && ( $p2 = $ref2->{policy} ) && $p1 ne $p2 ) ||
 	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
 		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
@@ -1929,7 +1938,7 @@ sub delete_reference( $$ ) {

    assert( $toref );

-    delete $toref->{references}{$fromref->{name}} unless --$toref->{references}{$fromref->{name}} > 0;
+    delete $toref->{references}{$fromref->{name}} if --$toref->{references}{$fromref->{name}} <= 0;
 }

 #
@@ -2067,7 +2076,7 @@ sub adjust_reference_counts( $$$ ) {
    my ($toref, $name1, $name2) = @_;

    if ( $toref ) {
-	delete $toref->{references}{$name1} unless --$toref->{references}{$name1} > 0;
+	delete $toref->{references}{$name1} if --$toref->{references}{$name1} <= 0;
 	$toref->{references}{$name2}++;
    }
 }
@@ -2263,6 +2272,56 @@ sub untracked_chain($$) {
    '&' . &rules_chain(@_);
 }

+#
+# Logname for chains between an ordered pair of zones
+#
+sub rules_log( $$ ) {
+    my $logchain = $config{LOG_ZONE};
+
+    if ( $logchain eq 'both' ) {
+	join "$config{ZONE2ZONE}", @_;
+    } elsif ( $logchain eq 'src' ) {
+	$_[0];
+    } else {
+	$_[1];
+    }
+}
+
+#
+# Log name of the blacklist chain between an ordered pair of zones
+#
+sub blacklist_log($$) {
+    &rules_log(@_) . '~';
+}
+
+#
+# Log name of the established chain between an ordered pair of zones
+#
+sub established_log($$) {
+    '^' . &rules_log(@_)
+}
+
+#
+# Log name of the related chain between an ordered pair of zones
+#
+sub related_log($$) {
+    '+' . &rules_log(@_);
+}
+
+#
+# Log name of the invalid chain between an ordered pair of zones
+#
+sub invalid_log($$) {
+    '_' . &rules_log(@_);
+}
+
+#
+# Name of the untracked chain between an ordered pair of zones
+#
+sub untracked_log($$) {
+    '&' . &rules_log(@_);
+}
+
 #
 # Create the base for a chain involving the passed interface -- we make this a function so it will be
 # easy to change the mapping should the need ever arrive.
@@ -2298,8 +2357,6 @@ sub use_forward_chain($$) {

    my $interfaceref = find_interface($interface);
    my $nets = $interfaceref->{nets};
-
-    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
    #
    # Use it if we already have jumps to it
    #
@@ -2374,8 +2431,6 @@ sub use_input_chain($$) {
    my ( $interface, $chainref ) = @_;
    my $interfaceref = find_interface($interface);
    my $nets = $interfaceref->{nets};
-
-    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
    #
    # We must use the interfaces's chain if the interface is associated with multiple Zones
    #
@@ -2455,8 +2510,6 @@ sub use_output_chain($$) {
    my ( $interface, $chainref)  = @_;
    my $interfaceref = find_interface($interface);
    my $nets = $interfaceref->{nets};
-
-    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
    #
    # We must use the interfaces's chain if the interface is associated with multiple Zones
    #
@@ -2588,13 +2641,14 @@ sub reserved_name( $ ) {
 #
 # Create a new chain and return a reference to it.
 #
-sub new_chain($$)
+sub new_chain($$;$)
 {
-    my ($table, $chain) = @_;
+    my ($table, $chain, $logchain) = @_;

    assert( $chain_table{$table} && ! ( $chain_table{$table}{$chain} || $builtin_target{ $chain } ) );

    my $chainref = { name           => $chain,
+		     logname        => $logchain || $chain,
 		     rules          => [],
 		     table          => $table,
 		     loglevel       => '',
@@ -2615,7 +2669,7 @@ sub new_chain($$)
 #
 # Find a chain
 #
-sub find_chain($$) {
+sub find_chain($$;$) {
    my ($table, $chain) = @_;

    assert( $table && $chain && $chain_table{$table} );
@@ -2626,7 +2680,7 @@ sub find_chain($$) {
 #
 # Create a chain if it doesn't exist already
 #
-sub ensure_chain($$)
+sub ensure_chain($$;$)
 {
    &find_chain( @_ ) || &new_chain( @_ );
 }
@@ -3179,6 +3233,8 @@ sub initialize_chain_table($) {
 	    new_builtin_chain 'nat', $chain, 'ACCEPT';
 	}

+	new_builtin_chain 'nat', 'INPUT', 'ACCEPT' if have_capability('NAT_INPUT_CHAIN');
+
 	for my $chain ( qw(PREROUTING INPUT OUTPUT ) ) {
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
@@ -3241,6 +3297,8 @@ sub initialize_chain_table($) {
 	    new_builtin_chain 'nat', $chain, 'ACCEPT';
 	}

+	new_builtin_chain 'nat', 'INPUT', 'ACCEPT' if have_capability('NAT_INPUT_CHAIN');
+
 	for my $chain ( qw(PREROUTING INPUT OUTPUT FORWARD POSTROUTING ) ) {
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
@@ -3266,7 +3324,7 @@ sub initialize_chain_table($) {
 	$mangle_table->{POSTROUTING}{chainnumber}   = POSTROUTING;
    }

-    if ( my $docker = $config{DOCKER} ) {
+    if ( $config{DOCKER} ) {
 	add_commands( $nat_table->{OUTPUT}, '[ -f ${VARDIR}/.nat_OUTPUT ] && cat ${VARDIR}/.nat_OUTPUT >&3' );
 	add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
 	$chainref = new_standard_chain( 'DOCKER' );
@@ -3275,8 +3333,10 @@ sub initialize_chain_table($) {
 	$chainref = new_nat_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
+	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS   ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
    }

@@ -3374,15 +3434,43 @@ sub delete_references( $ ) {
 #
 # Calculate a digest for the passed chain and store it in the {digest} member.
 #
+# First, a lightweight version of format_rule()
+#
+sub irule_to_string( $ ) {
+    my ( $ruleref ) = @_;
+
+    return $ruleref->{cmd} if exists $ruleref->{cmd};
+
+    my $string = '';
+
+    for ( grep ! ( get_opttype( $_, 0 ) & ( CONTROL | TARGET ) ), @{$ruleref->{matches}} ) {
+	my $value = $ruleref->{$_};
+	if ( reftype $value ) {
+	    $string .= "$_=" . join( ',', @$value ) . ' ';
+	} else {
+	    $string .= "$_=$value ";
+	}
+    }
+
+    if ( $ruleref->{target} ) {
+	$string .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
+	$string .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
+    }
+
+    $string .= join( '', ' -m comment --comment "', $ruleref->{comment}, '"' ) if $ruleref->{comment};
+
+    $string;
+}
+
 sub calculate_digest( $ ) {
    my $chainref = shift;
    my $rules = '';

    for ( @{$chainref->{rules}} ) {
 	if ( $rules ) {
-	    $rules .= ' |' . format_rule( $chainref, $_, 1 );
+	    $rules .= ' |' . irule_to_string( $_ );
 	} else {
-	    $rules = format_rule( $chainref, $_, 1 );
+	    $rules = irule_to_string( $_ );
 	}
    }

@@ -3673,7 +3761,7 @@ sub optimize_level4( $$ ) {
 				#
 				delete_chain_and_references( $chainref );
 				$progress = 1;
-			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
+			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
 				#
 				# This case requires a new rule merging algorithm. Ignore this chain from
 				# now on.
@@ -3744,7 +3832,7 @@ sub optimize_level4( $$ ) {
    #
    # In this loop, we look for chains that end in an unconditional jump. The jump is replaced by
    # the target's rules, provided that the target chain is short (< 4 rules) or has only one
-    # reference. This prevents multiple copies of long chains being created.
+    # reference. This prevents multiple copies of long chains from being created.
    #
    $progress = 1;

@@ -3854,7 +3942,10 @@ sub optimize_level8( $$$ ) {
    %renamed = ();

    while ( $progress ) {
-	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} &&
+							   @{$_->{rules}}        &&
+							   ! $_->{builtin},
+							   values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@@ -3874,12 +3965,11 @@ sub optimize_level8( $$$ ) {
 	    # Shift the current $chainref off of @chains1
 	    #
 	    shift @chains1;
-	    #
-	    # Skip empty chains
-	    #
-	    for my $chainref1 ( @chains1 ) {
-		next unless @{$chainref1->{rules}};
-		next if $chainref1->{optflags} & DONT_DELETE;
+
+	    for my $chainref1 (grep ! ( $_->{optflags} & DONT_DELETE ), @chains1 ) {
+		#
+		# Chains identical?
+		#
 		if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		    progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		    $progress = 1;
@@ -3890,7 +3980,7 @@ sub optimize_level8( $$$ ) {
 					'',      # Origin
 					1 );     # Recalculate digests of modified chains

-		    unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
+		    if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
 			#
 			# For simple use of the BLACKLIST section, we can end up with many identical
 			# chains. To distinguish them from other renamed chains, we keep track of
@@ -3900,6 +3990,15 @@ sub optimize_level8( $$$ ) {
 		    }

 		    $combined{ $chainref1->{name} } = $chainref->{name};
+		    #
+		    # While rare, it is possible for a policy chain to be combined with a non-policy chain. So we need to preserve
+		    # the policy attributes in the combined chain
+		    #
+		    if ( $chainref->{policychain} ) {
+			@{$chainref1}{qw(policychain policy)} = @{$chainref}{qw(policychain policy)} unless $chainref1->{policychain};
+		    } elsif ( $chainref1->{policychain} ) {
+			@{$chainref}{qw(policychain policy)} = @{$chainref1}{qw(policychain policy)} unless $chainref->{policychain};
+		    }
 		}
 	    }
 	}
@@ -4300,7 +4399,7 @@ sub get_conntrack( $ ) {
 }

 #
-# Return an array of keys for the passed rule. 'conntrack',  'comment' & origin are omitted;
+# Return an array of keys for the passed rule. 'conntrack',  'comment' & 'origin' are omitted;
 #
 sub get_keys1( $ ) {
    my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
@@ -4464,16 +4563,22 @@ sub valid_tables() {

 sub optimize_ruleset() {

+    my $optimize = $config{OPTIMIZE};
+
    for my $table ( valid_tables ) {

 	my $tableref = $chain_table{$table};
 	my $passes   = 0;
-	my $optimize = $config{OPTIMIZE};

 	$passes = optimize_level4(  $table, $tableref )           if $optimize & 4;
-	$passes = optimize_level8(  $table, $tableref , $passes ) if $optimize & 8;
 	$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16;

+	my $savepasses = $passes;
+
+	$passes = optimize_level8(  $table, $tableref , $passes ) if $optimize & 8;
+
+	$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16 && $passes > $savepasses + 1;
+
 	progress_message "  Table $table Optimized -- Passes = $passes";
 	progress_message '';
    }
@@ -4586,7 +4691,7 @@ sub logchain( $$$$$$ ) {
 	log_irule_limit(
 		       $loglevel ,
 		       $logchainref ,
-		       $chainref->{name} ,
+		       $chainref->{logname} ,
 		       $disposition ,
 		       [] ,
 		       $logtag,
@@ -4771,6 +4876,7 @@ sub do_proto( $$$;$ )
    if ( $proto ne '' ) {

 	my $synonly  = ( $proto =~ s/:(!)?syn$//i );
+	my $all      = ( $proto =~ s/:all$//i );
 	my $notsyn   = $1;
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
@@ -4786,6 +4892,7 @@ sub do_proto( $$$;$ )
 	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
 	    #
 	    unless ( $synonly ) {
+		fatal_error '":all" is only allowed with tcp' if $all && $proto != TCP;
 		$output  = "${invert}-p ${proto} ";
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
@@ -4826,7 +4933,7 @@ sub do_proto( $$$;$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports;
+				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
 				$output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
 			    }
 			}
@@ -4925,6 +5032,8 @@ sub do_proto( $$$;$ )
 	} else {
 	    fatal_error '":syn" is only allowed with tcp' if $synonly;

+	    $proto = $proto . ':all' if $all;
+
 	    if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
 		my $p = $2 ? lc $3 : 'tcp';
 		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
@@ -4981,6 +5090,7 @@ sub do_iproto( $$$ )
    if ( $proto ne '' ) {

 	my $synonly  = ( $proto =~ s/:syn$//i );
+	my $all      = ( $proto =~ s/:all$//i );
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;

@@ -4995,6 +5105,7 @@ sub do_iproto( $$$ )
 	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
 	    #
 	    unless ( $synonly ) {
+		fatal_error '":all" is only allowed with tcp' if $all && $proto != TCP;
 		@output = ( p => "${invert}${proto}" );
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
@@ -5033,7 +5144,7 @@ sub do_iproto( $$$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports;
+				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;

 				if ( $srcndst ) {
 				    push @output, multiport => "${invert}--ports ${ports}";
@@ -5129,6 +5240,8 @@ sub do_iproto( $$$ )
 	} else {
 	    fatal_error '":syn" is only allowed with tcp' if $synonly;

+	    $proto = $proto . ':all' if $all;
+
 	    if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
 		my $p = $2 ? lc $3 : 'tcp';
 		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
@@ -6318,7 +6431,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
    }

-    $net = validate_net $net, 1;
+    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
    $net eq ALLIP ? '' : "-d $net ";
 }

@@ -6399,7 +6512,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
    }

-    $net = validate_net $net, 1;
+    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
    $net eq ALLIP ? () : ( d =>  $net );
 }

@@ -6757,13 +6870,13 @@ sub log_irule_limit( $$$$$$$$@ ) {
 sub log_rule( $$$$ ) {
    my ( $level, $chainref, $disposition, $matches ) = @_;

-    log_rule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGLIMIT}, '', 'add', $matches;
+    log_rule_limit $level, $chainref, $chainref->{logname} , $disposition, $globals{LOGLIMIT}, '', 'add', $matches;
 }

 sub log_irule( $$$;@ ) {
    my ( $level, $chainref, $disposition, @matches ) = @_;

-    log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
+    log_irule_limit $level, $chainref, $chainref->{logname} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
 }

 #
@@ -6984,14 +7097,17 @@ sub interface_address( $ ) {
 #
 sub get_interface_address ( $;$ ) {
    my ( $logical, $provider ) = @_;
-
    my $interface = get_physical( $logical );
    my $variable = interface_address( $interface );
-    my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';

    $global_variables |= ALL_COMMANDS;

-    $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
+    if ( $interface eq loopback_interface ) {
+	$interfaceaddr{$interface} = "$variable=" . loopback_address;
+    } else {
+	my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
+	$interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
+    }

    set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;

@@ -7058,6 +7174,8 @@ sub interface_gateway( $ ) {
 sub get_interface_gateway ( $;$$ ) {
    my ( $logical, $protect, $provider ) = @_;

+    $provider = '' unless defined $provider;
+
    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );
    my $gateway  = get_interface_option( $interface, 'gateway' );
@@ -7071,9 +7189,9 @@ sub get_interface_gateway ( $;$$ ) {
    }

    if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider));
    } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }

@@ -7522,6 +7640,11 @@ sub isolate_dest_interface( $$$$ ) {

 	    $rule .= "-d $variable ";
 	}
+    } elsif ( $dest =~ /^\$/ ) {
+	#
+	# Runtime address variable
+	#
+	$dnets  = $dest;
    } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
@@ -8172,19 +8295,8 @@ sub add_interface_options( $ ) {
 	# Generate a digest for each chain
 	#
 	for my $chainref ( values %input_chains, values %forward_chains ) {
-	    my $digest = '';
-
 	    assert( $chainref );
-
-	    for ( @{$chainref->{rules}} ) {
-		if ( $digest ) {
-		    $digest .= ' |' . format_rule( $chainref, $_, 1 );
-		} else {
-		    $digest = format_rule( $chainref, $_, 1 );
-		}
-	    }
-
-	    $chainref->{digest} = sha1_hex $digest;
+	    calculate_digest( $chainref );
 	}
 	#
 	# Insert jumps to the interface chains into the rules chains
@@ -8445,6 +8557,7 @@ sub save_docker_rules($) {
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
+	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
 	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
 	);

@@ -8460,6 +8573,7 @@ sub save_docker_rules($) {
 	  q(    rm -f ${VARDIR}/.nat_OUTPUT),
 	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
 	  q(    rm -f ${VARDIR}/.filter_FORWARD),
 	  q(fi)
@@ -8471,7 +8585,7 @@ sub save_dynamic_chains() {
    my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';

-    emit ( 'if [ "$COMMAND" = reload -o "$COMMAND" = refresh ]; then' );
+    emit ( 'if [ "$COMMAND" = reload ]; then' );
    push_indent;

    emit( 'if [ -n "$g_counters" ]; then' ,
@@ -8480,7 +8594,7 @@ sub save_dynamic_chains() {
 	);

    if ( have_capability 'IPTABLES_S' ) {
-	emit <<"EOF";
+	emithd <<"EOF";
 if chain_exists 'UPnP -t nat'; then
    $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
 else
@@ -8501,6 +8615,7 @@ fi
 EOF
 	if ( $config{MINIUPNPD} ) {
 	    emit << "EOF";
+
 if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
    $tool -t nat -S MINIUPNPD-POSTROUTING | tail -n +2 > \${VARDIR}/.MINIUPNPD-POSTROUTING
 else
@@ -8509,7 +8624,7 @@ fi
 EOF
 	}
    } else {
-	emit <<"EOF";
+	emithd <<"EOF";
 if chain_exists 'UPnP -t nat'; then
    $utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
 else
@@ -8529,7 +8644,8 @@ else
 fi
 EOF
 	if ( $config{MINIUPNPD} ) {
-	    emit << "EOF";
+	    emithd << "EOF";
+
 if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
    $utility -t nat | grep '^-A MINIUPNPD-POSTROUTING' > \${VARDIR}/.MINIUPNPD-POSTROUTING
 else
@@ -8543,7 +8659,7 @@ EOF
    emit ( 'else' );
    push_indent;

-emit <<"EOF";
+emithd <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
 EOF
@@ -8580,7 +8696,7 @@ sub ensure_ipsets( @ ) {

 	pop_indent;

-	emit( qq(    fi\n) );
+	emit( q(    fi) );

    }

@@ -8756,7 +8872,6 @@ sub create_load_ipsets() {
 		  '        $IPSET flush $set' ,
 		  '        $IPSET destroy $set' ,
 		  "    done" ,
-		  '',
 		);
 	} else {
 	    #
@@ -8768,7 +8883,7 @@ sub create_load_ipsets() {
 		   '    fi' );
 	};

-	emit( '}' );
+	emit( "}\n" );
    }
    #
    # Now generate load_ipsets()
@@ -8835,22 +8950,16 @@ sub create_load_ipsets() {

 	    emit ( 'elif [ "$COMMAND" = reload ]; then' );   ################### Reload Command ####################
 	    ensure_ipsets( @ipsets );
-
-	    emit( 'elif [ "$COMMAND" = refresh ]; then' );   ################### Refresh Command ###################
-	    emit ( '' );
-	    ensure_ipsets( @ipsets );
-	    emit ( '' );
 	};

-	emit ( 'fi' ,
-	       '' );
+	emit ( 'fi' );
    } else {
 	emit 'true';
    }

    pop_indent;

-    emit '}';	    
+    emit "}\n";	    
 }

 #
@@ -8902,9 +9011,15 @@ sub create_netfilter_load( $ ) {
    my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';

    emit( '',
-	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
-	  '    option="--counters"',
-	  '',
+	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then' );
+
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit( '    option="--counters --wait "' . $config{MUTEX_TIMEOUT} );
+    } else {
+	emit( '    option="--counters"' );
+    }
+
+    emit( '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
@@ -8912,7 +9027,11 @@ sub create_netfilter_load( $ ) {

    push_indent;

-    emit 'option=';
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit 'option="--wait "' . $config{MUTEX_TIMEOUT};
+    } else {
+	emit 'option=';
+    }

    save_progress_message "Preparing $utility input...";

@@ -8961,6 +9080,10 @@ sub create_netfilter_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9009,7 +9132,7 @@ sub create_netfilter_load( $ ) {
 	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
 	  'if [ $? != 0 ]; then',
 	  qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
-	  "fi\n"
+	  'fi'
 	);

    pop_indent;
@@ -9065,6 +9188,11 @@ sub preview_netfilter_load() {
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode1 unless $mode == CMD_MODE;
+			print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			print "\n";
+			enter_cat_mode1;
 		    } else {		    
 			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
@@ -9096,156 +9224,6 @@ sub preview_netfilter_load() {
    print "\n";
 }

-#
-# Generate the netfilter input for refreshing a list of chains
-#
-sub create_chainlist_reload($) {
-
-    my $chains = $_[0];
-
-    my @chains;
-
-    unless ( $chains eq ':none:' ) {
-	if ( $chains eq ':refresh:' ) {
-	    $chains = '';
-	} else {
-	    @chains =  split_list $chains, 'chain';
-	}
-
-	unless ( @chains ) {
-	    @chains = qw( blacklst ) if $filter_table->{blacklst};
-	    push @chains, 'blackout' if $filter_table->{blackout};
-
-	    for ( grep $_->{blacklistsection} && $_->{referenced}, values %{$filter_table} ) {
-		push @chains, $_->{name} if $_->{blacklistsection};
-	    }
-
-	    push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-	    $chains = join( ',', @chains ) if @chains;
-	}
-    }
-
-    $mode = NULL_MODE;
-
-    emit(  'chainlist_reload()',
-	   '{'
-	   );
-
-    push_indent;
-
-    if ( @chains ) {
-	my $word = @chains == 1 ? 'chain' : 'chains';
-
-	progress_message2 "Compiling iptables-restore input for $word @chains...";
-	save_progress_message "Preparing iptables-restore input for $word @chains...";
-
-	emit '';
-
-	my $table = 'filter';
-
-	my %chains;
-
-	my %tables;
-
-	for my $chain ( @chains ) {
-	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
-
-	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
-
-	    $chains{$table} = {} unless $chains{$table};
-
-	    if ( $chain ) {
-		my $chainref;
-		fatal_error "No $table chain found with name $chain" unless $chainref = $chain_table{$table}{$chain};
-		fatal_error "Built-in chains may not be refreshed" if $chainref->{builtin};
-
-		if ( $chainseq{$table} && @{$chainref->{rules}} ) {
-		    $tables{$table} = 1;
-		} else {
-		    $chains{$table}{$chain} = $chainref;
-		}
-	    } else {
-		$tables{$table} = 1;
-	    }
-	}
-
-	for $table ( keys %tables ) {
-	    while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) {
-		$chains{$table}{$chain} = $chainref if $chainref->{referenced} && ! $chainref->{builtin};
-	    }
-	}
-
-	emit 'exec 3>${VARDIR}/.iptables-restore-input';
-
-	enter_cat_mode;
-
-	for $table ( qw(raw nat mangle filter) ) {
-	    my $tableref=$chains{$table};
-
-	    next unless $tableref;
-
-	    @chains = sort keys %$tableref;
-
-	    emit_unindented "*$table";
-
-	    for my $chain ( @chains ) {
-		my $chainref = $tableref->{$chain};
-		emit_unindented ":$chainref->{name} - [0:0]";
-	    }
-
-	    for my $chain ( @chains ) {
-		my $chainref = $tableref->{$chain};
-		my @rules = @{$chainref->{rules}};
-		my $name = $chainref->{name};
-
-		@rules = () unless @rules;
-		#
-		# Emit the chain rules
-		#
-		emitr($chainref, $_) for @rules;
-	    }
-	    #
-	    # Commit the changes to the table
-	    #
-	    enter_cat_mode unless $mode == CAT_MODE;
-
-	    emit_unindented 'COMMIT';
-	}
-
-	enter_cmd_mode;
-
-	#
-	# Now generate the actual ip[6]tables-restore command
-	#
-	emit(  'exec 3>&-',
-	       '' );
-
-	if ( $family == F_IPV4 ) {
-	    emit ( 'progress_message2 "Running iptables-restore..."',
-		   '',
-		   'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
-		   'if [ $? != 0 ]; then',
-		   '    fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
-		   "fi\n"
-		 );
-	} else {
-	    emit ( 'progress_message2 "Running ip6tables-restore..."',
-		   '',
-		   'cat ${VARDIR}/.iptables-restore-input | $IP6TABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
-		   'if [ $? != 0 ]; then',
-		   '    fatal_error "ip6tables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
-		   "fi\n"
-		 );
-	}
-    } else {
-	emit('true');
-    }
-
-    pop_indent;
-
-    emit "}\n";
-}
-
 #
 # Generate the netfilter input to stop the firewall
 #
@@ -9302,6 +9280,10 @@ sub create_stop_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
+			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9327,7 +9309,11 @@ sub create_stop_load( $ ) {

    enter_cmd_mode;

-    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
+    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
+	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' --wait ' . $config{MUTEX_TIMEOUT} . '"' );
+    } else {
+	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
+    }

    emit( '',
 	  'progress_message2 "Running $command..."',
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -59,7 +59,7 @@ our $have_arptables;
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
    Shorewall::Chains::initialize ($family, 1, $export );
    Shorewall::Zones::initialize ($family, $_[0]);
    Shorewall::Nat::initialize($family);
@@ -103,13 +103,13 @@ sub generate_script_1( $ ) {

    copy2( $lib, $debug ) if -f $lib;

-    emit <<'EOF';
+    emithd<<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF

-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear restored enabled disabled/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -125,7 +125,7 @@ EOF
 	emit '}';
    }

-    emit <<'EOF';
+    emithd <<'EOF';
 ################################################################################
 # End user exit functions
 ################################################################################
@@ -209,6 +209,8 @@ sub generate_script_2() {
    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
+    emit ( qq([ -n "\${CONFDIR:=$shorewallrc1{CONFDIR}}" ]) );
+    emit ( qq([ -n "\${SHAREDIR:=$shorewallrc1{SHAREDIR}}" ]) );

    emit 'TEMPFILE=';

@@ -266,13 +268,13 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
-	emit( '' );
+	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
    }

    pop_indent;

-    emit "\n}\n"; # End of initialize()
+    emit "}\n"; # End of initialize()

    emit( '' ,
 	  '#' ,
@@ -309,10 +311,9 @@ sub generate_script_2() {
 	    push_indent;

 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-
+		verify_required_interfaces(0);
 		set_global_variables(0, 0);
-
-		handle_optional_interfaces(0);
+		handle_optional_interfaces;
 	    }

 	    emit ';;';
@@ -324,19 +325,19 @@ sub generate_script_2() {
 	    push_indent;
 	}

+	verify_required_interfaces(1);
 	set_global_variables(1,1);
+	handle_optional_interfaces;

 	if ( $global_variables & NOT_RESTORE ) {
-	    handle_optional_interfaces(1);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
-	} else {
-	    handle_optional_interfaces(1);
 	}
    } else {
-	emit( 'true' ) unless handle_optional_interfaces(1);
+	verify_required_interfaces(1);
+	emit( 'true' ) unless handle_optional_interfaces;
    }

    pop_indent;
@@ -355,7 +356,7 @@ sub generate_script_2() {
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
 #          than those related to writing to the output script file.
 #
-sub generate_script_3($) {
+sub generate_script_3() {

    if ( $family == F_IPV4 ) {
 	progress_message2 "Creating iptables-restore input...";
@@ -365,7 +366,6 @@ sub generate_script_3($) {

    create_netfilter_load( $test );
    create_arptables_load( $test ) if $have_arptables;
-    create_chainlist_reload( $_[0] );
    create_save_ipsets;
    create_load_ipsets;

@@ -397,16 +397,10 @@ sub generate_script_3($) {
 	emit 'load_kernel_modules Yes';
    }

-    emit '';
-
-    emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	   '   run_refresh_exit' ,
-	   'else' ,
-	   '    run_init_exit',
-	   'fi',
-	   '' );
-
-    emit( 'load_ipsets' ,
+    emit( '' ,
+	  'run_init_exit',
+	  '' ,
+	  'load_ipsets' ,
 	  '' );

    create_nfobjects;
@@ -464,11 +458,6 @@ sub generate_script_3($) {
    dump_proxy_arp;
    emit_unindented '__EOF__';

-    emit( '',
-	  'if [ "$COMMAND" != refresh ]; then' );
-
-    push_indent;
-
    emit 'cat > ${VARDIR}/zones << __EOF__';
    dump_zone_contents;
    emit_unindented '__EOF__';
@@ -481,10 +470,6 @@ sub generate_script_3($) {
    dump_mark_layout;
    emit_unindented '__EOF__';

-    pop_indent;
-
-    emit "fi\n";
-
    emit '> ${VARDIR}/nat';

    add_addresses;
@@ -523,29 +508,12 @@ sub generate_script_3($) {

    my $config_dir = $globals{CONFIGDIR};

-    emit<<"EOF";
+    emithd <<"EOF";
    set_state Started $config_dir
    run_restored_exit
-elif [ \$COMMAND = refresh ]; then
-    chainlist_reload
+else
+    setup_netfilter
 EOF
-    push_indent;
-    setup_load_distribution;
-    setup_forwarding( $family , 0 );
-    pop_indent;
-    #
-    # Use a parameter list rather than 'here documents' to avoid an extra blank line
-    #
-    emit( '    run_refreshed_exit',
-	  '    do_iptables -N shorewall' );
-
-    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
-
-    emit( "    set_state Started $config_dir",
-	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
-	  'else',
-	  '    setup_netfilter'	);
-
    push_indent;
    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
@@ -570,7 +538,7 @@ EOF
 	  '    run_started_exit',
 	  "fi\n" );

-    emit<<'EOF';
+    emithd<<'EOF';
 date > ${VARDIR}/restarted

 case $COMMAND in
@@ -580,9 +548,6 @@ case $COMMAND in
    reload)
        mylogger kern.info "$g_product reloaded"
        ;;
-    refresh)
-        mylogger kern.info "$g_product refreshed"
-        ;;
    restore)
        mylogger kern.info "$g_product restored"
        ;;
@@ -617,8 +582,8 @@ sub compile_info_command() {
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 , $inline ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 ) =
+       ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );

    $export         = 0;
    $test           = 0;
@@ -647,7 +612,6 @@ sub compiler {
 		  timestamp     => { store => \$timestamp,     validate => \&validate_boolean   } ,
 		  debug         => { store => \$debug,         validate => \&validate_boolean   } ,
 		  export        => { store => \$export ,       validate => \&validate_boolean   } ,
-		  chains        => { store => \$chains },
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
@@ -655,7 +619,6 @@ sub compiler {
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
-		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -689,9 +652,10 @@ sub compiler {
    set_timestamp( $timestamp );
    set_debug( $debug , $confess );
    #
+    #                                      S H O R E W A L L R C ,
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
-    get_configuration( $export , $update , $annotate , $inline );
+    get_configuration( $export , $update , $annotate );
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # now when shorewall.conf has been processed and the capabilities have been determined.
@@ -793,13 +757,10 @@ sub compiler {
 	emit '}'; # End of setup_common_rules()
    }

-    disable_script;
    #
    #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
-    enable_script;
-    #
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
@@ -817,7 +778,7 @@ sub compiler {
    #
    # Setup Masquerade/SNAT
    #
-    setup_snat( $update );
+    setup_snat;
    #
    # Setup Nat
    #
@@ -898,7 +859,7 @@ sub compiler {

 	optimize_level0;

-	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
+	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -920,7 +881,7 @@ sub compiler {
 	#                          N E T F I L T E R   L O A D
 	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
-	generate_script_3( $chains );
+	generate_script_3();
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Config.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Config.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -30,17 +30,97 @@
 #   into those files (emitters) and finalizing those files (renaming
 #   them to their final name and setting their mode appropriately).
 #
+#   A significant portion of this module is dedicated to the preprocessor:
+#
+#	process_compiler_directive() - processes compiler directives
+#
+#	embedded_shell() - handles embedded shell scripting
+#
+#	embedded_perl() - handles embedded perl scripting
+#
+#	read_a_line() - Reads the next configuration file record to
+#			be passed to the function processing the file.
+#
+#	    - Detects compiler directives and passes then to
+#	      process_compiler_directive() for handling.
+#
+#	    - Handles line continuation
+#
+#	    - Invokes a callback when the first (concatinated) non-directive
+#	      record is read from a file.
+#
+#	    - Conditionally expands variables.
+#
+#	    - Conditionally detects embedded Shell and Perl and passes them
+#	      off to embedded_shell() and embedded_perl() respectively.
+#
+#	    - Conditionally detects and handles [?}INCLUDE directives.
+#
+#	    - Conditionally detects and handles ?SECTION directives.
+#	      File processing functions can supply a callback to be
+#	      called during this processing.
+#
+#   File processing routines may need to open a second (third, fourth, ...)
+#   file while processing the main file (macro and/or action files). Two
+#   functions are provided to make that possible:
+#
+#      push_open() - open a file while leaving the current file open.
+#
+#      pop_open() - close the current file, and make the previous
+#		    file (if any) the current one.
+#
+#   Because this module expands variables, it must be aware of action
+#   parameters.
+#
+#	push_action_params() - populates the %actparams hash and
+#			       returns a reference to the previous
+#			       contents of that hash. The caller is
+#			       expected to store those contents locally.
+#
+#	pop_action_params()  - Restores the %actparams hash from
+#			       the reference returned by
+#			       push_action_params().
+#
+#   The following routines are provided for INLINE PERL within
+#   action bodies:
+#
+#	default_action_params() - called to fill in omitted
+#				  arguments when a DEFAULTS
+#				  line is encountered.
+#
+#	get_action_params() - returns an array of arguments.
+#
+#	setup_audit_action() - helper for A_* actions.
+#
+#	get_action_logging() - returns log level and tag
+#			       from the action's invocation.
+#
+#	get_action_chain_name() - returns chain name.
+#
+#	set_action_name_to_caller() - replace chain name
+#				      with that of invoking
+#				      chain for logging purposes.
+#
+#	set_action_disposition() - set the current action
+#				   disposition for logging purposes.
+#
+#	get_action_disposition() - get the current action disposition.
+#
+#	set_action_param() - set the value of an argument.
+#
 package Shorewall::Config;

 use strict;
 use warnings;
 use File::Basename;
 use File::Temp qw/ tempfile tempdir /;
+use File::Glob ':globally';
 use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
 use Digest::SHA qw(sha1_hex);
+use Errno qw(:POSIX);

 our @ISA = qw(Exporter);
 #
@@ -109,6 +189,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 		                       in_hex8
 		                       in_hexp
 				       emit
+				       emithd
 				       emitstd
 				       emit_unindented
 				       save_progress_message
@@ -222,10 +303,10 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
                                       DO_SECTION
 				       NORMAL_READ

+				       OPTIMIZE_MASK
 				       OPTIMIZE_POLICY_MASK
 				       OPTIMIZE_POLICY_MASK2n4
 				       OPTIMIZE_RULESET_MASK
-				       OPTIMIZE_USE_FIRST
 				       OPTIMIZE_ALL
 				     ) , ] ,
 		   protocols => [ qw (
@@ -315,7 +396,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -333,7 +414,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		                    'Old conntrack match syntax',
 		 NEW_CONNTRACK_MATCH =>
 		                    'Extended Connection Tracking Match',
-		 USEPKTTYPE      => 'Packet Type Match',
 		 POLICY_MATCH    => 'Policy Match',
 		 PHYSDEV_MATCH   => 'Physdev Match',
 		 PHYSDEV_BRIDGE  => 'Physdev-is-bridged support',
@@ -414,7 +494,12 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',
                 NETMAP_TARGET   => 'NETMAP Target',
                 NFLOG_SIZE      => '--nflog-size support',
-
+		 RESTORE_WAIT_OPTION
+				 => 'iptables-restore --wait option',
+                 NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
+		 #
+		 # Helpers
+		 #
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -462,9 +547,8 @@ use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
 	       OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
 	       OPTIMIZE_RULESET_MASK   => 0x1C , # Call optimize_ruleset()
+               OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
-
-	       OPTIMIZE_USE_FIRST      => 0x1000 # Always use interface 'first' chains -- undocumented
 	     };

 our %helpers = ( amanda          => UDP,
@@ -478,7 +562,9 @@ our %helpers = ( amanda          => UDP,
 		 sip             => UDP,
 		 snmp            => UDP,
 		 tftp            => UDP,
-	       );
+    );
+
+use constant { INCLUDE_LIMIT     => 20 };

 our %helpers_map;

@@ -509,8 +595,6 @@ our %config_files = ( #accounting      => 1,
 		      policy	       => 1,
 		      providers	       => 1,
 		      proxyarp	       => 1,
-		      refresh	       => 1,
-		      refreshed	       => 1,
 		      restored	       => 1,
 		      rawnat	       => 1,
 		      route_rules      => 1,
@@ -585,7 +669,6 @@ our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
-our $checkinline;            # The -i option to check/compile/etc.
 our $directive_callback;     # Function to call in compiler_directive

 our $shorewall_dir;          # Shorewall Directory; if non-empty, search here first for files.
@@ -594,6 +677,7 @@ our $debug;                  # Global debugging flag
 our $confess;                # If true, use Carp to report errors with stack trace.

 our $family;                 # Protocol family (4 or 6)
+our $export;                 # True when compiling for export
 our $toolname;               # Name of the tool to use (iptables or iptables6)
 our $toolNAME;               # Tool name in CAPS
 our $product;                # Name of product that will run the generated script
@@ -627,13 +711,13 @@ our %validlevels;            # Valid log levels.
 # Deprecated options with their default values
 #
 our %deprecated = (
-		   LEGACY_RESTART => 'no'
+		   LEGACY_RESTART => 'no' ,
 		  );
 #
 # Deprecated options that are eliminated via update
 #
 our %converted = (
-		  LEGACY_RESTART => 1
+		    LEGACY_RESTART => 1 ,
 		 );
 #
 # Eliminated options
@@ -647,6 +731,9 @@ our %eliminated = ( LOGRATE          => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
+                    MODULE_SUFFIX    => 1,
+                    MAPOLDACTIONS    => 1,
+		    INLINE_MATCHES   => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -706,8 +793,8 @@ sub add_variables( \% );
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$$) {
-    ( $family, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
+sub initialize( $;$$$) {
+    ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;

    if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -751,8 +838,8 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.5-RC1",
-		    CAPVERSION              => 50105 ,
+		    VERSION                 => '5.2.0-Beta1',
+		    CAPVERSION              => 50200 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -796,6 +883,7 @@ sub initialize( $;$$) {
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  LOG_LEVEL => undef,
+	  LOG_ZONE => undef,
 	  #
 	  # Location of Files
 	  #
@@ -847,7 +935,6 @@ sub initialize( $;$$) {
 	  BLACKLIST => undef,
 	  BLACKLISTNEWONLY => undef,
 	  DELAYBLACKLISTLOAD => undef,
-	  MODULE_SUFFIX => undef,
 	  DISABLE_IPV6 => undef,
 	  DYNAMIC_ZONES => undef,
 	  PKTTYPE=> undef,
@@ -855,7 +942,6 @@ sub initialize( $;$$) {
 	  MACLIST_TTL => undef,
 	  SAVE_IPSETS => undef,
 	  SAVE_ARPTABLES => undef,
-	  MAPOLDACTIONS => undef,
 	  FASTACCEPT => undef,
 	  IMPLICIT_CONTINUE => undef,
 	  IPSET_WARNINGS => undef,
@@ -898,7 +984,6 @@ sub initialize( $;$$) {
 	  USE_RT_NAMES => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
-	  INLINE_MATCHES => undef,
 	  BASIC_FILTERS => undef,
 	  WORKAROUNDS => undef ,
 	  LEGACY_RESTART => undef ,
@@ -912,6 +997,7 @@ sub initialize( $;$$) {
 	  BALANCE_PROVIDERS => undef ,
 	  PERL_HASH_SEED => undef ,
 	  USE_NFLOG_SIZE => undef ,
+	  RENAME_COMBINED => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -969,7 +1055,6 @@ sub initialize( $;$$) {
 	       CONNTRACK_MATCH => undef,
 	       NEW_CONNTRACK_MATCH => undef,
 	       OLD_CONNTRACK_MATCH => undef,
-	       USEPKTTYPE => undef,
 	       POLICY_MATCH => undef,
 	       PHYSDEV_MATCH => undef,
 	       PHYSDEV_BRIDGE => undef,
@@ -1007,7 +1092,7 @@ sub initialize( $;$$) {
 	       CONNLIMIT_MATCH => undef,
 	       TIME_MATCH => undef,
 	       GOTO_TARGET => undef,
-	       LOG_TARGET => 1,         # Assume that we have it.
+	       LOG_TARGET => undef,
 	       ULOG_TARGET => undef,
 	       NFLOG_TARGET => undef,
 	       LOGMARK_TARGET => undef,
@@ -1046,6 +1131,8 @@ sub initialize( $;$$) {
 	       CPU_FANOUT => undef,
 	       NETMAP_TARGET => undef,
 	       NFLOG_SIZE => undef,
+	       RESTORE_WAIT_OPTION => undef,
+	       NAT_INPUT_CHAIN => undef,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1605,6 +1692,7 @@ sub emit {
 		$line =~ s/^\n// if $lastlineblank;
 		$line =~ s/^/$indent/gm if $indent;
 		$line =~ s/        /\t/gm;
+		$line =~ s/[ \t]+\n/\n/gm;
 		print $script "$line\n" if $script;
 		$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );

@@ -1625,6 +1713,15 @@ sub emit {
    }
 }

+#
+# Used to emit a 'here documents' string without introducing an unwanted blank line at the end
+#
+sub emithd( $ ) {
+    my ( $line ) = @_; #make writable
+    chomp $line;
+    emit $line;
+}
+
 #
 # Version of emit() that writes to standard out unconditionally
 #
@@ -1635,6 +1732,7 @@ sub emitstd {
 	    $line =~ s/^\n// if $lastlineblank;
 	    $line =~ s/^/$indent/gm if $indent;
 	    $line =~ s/        /\t/gm;
+	    $line =~ s/[ \t]+\n/\n/gm;
 	    print "$line\n";
 	    $lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
 	} else {
@@ -1990,6 +2088,7 @@ sub find_file($)
    for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
+	$!{ENOENT} || fatal_error "Unable to access $file: " . $!; 
    }

    "$config_path[0]$filename";
@@ -2296,8 +2395,6 @@ sub clear_comment();
 sub split_line2( $$;$$$ ) {
    my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;

-    my $inlinematches = $config{INLINE_MATCHES};
-
    my ( $columns, $pairs, $rest );

    my $currline = $currentline;
@@ -2320,16 +2417,20 @@ sub split_line2( $$;$$$ ) {
 	    fatal_error "Only one set of double semicolons (';;') allowed on a line" if defined $rest;

 	    $currline = $columns;
+	    #
+	    # Remove trailing white space
+	    #
+	    $currline =~ s/\s*$//;

 	    $inline_matches = $pairs;
 	    #
 	    # Don't look for matches below
 	    #
-	    $inline = $inlinematches = '';
+	    $inline = '';
 	}
    }
    #
-    # Next, see if there is a semicolon on the line; what follows will be column/value pairs or raw iptables input
+    # Next, see if there is a single semicolon on the line; what follows will be column/value pairs
    #
    ( $columns, $pairs, $rest ) = split( ';', $currline );

@@ -2338,42 +2439,6 @@ sub split_line2( $$;$$$ ) {
 	# Found it -- be sure there wasn't more than one.
 	#
 	fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
-
-	if ( $inlinematches ) {
-	    fatal_error "The $description does not support inline matches (INLINE_MATCHES=Yes)" unless $inline;
-
-	    $inline_matches = $pairs;
-
-	    if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
-		#
-		# Pairs are enclosed in curly brackets.
-		#
-		$columns = $1;
-		$pairs   = $2;
-	    } else {
-		$pairs = '';
-	    }
-	} elsif ( $inline ) {
-	    #
-	    # This file supports INLINE or IPTABLES
-	    #
-	    if ( $currline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
-		$inline_matches = $pairs;
-
-		if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
-		    #
-		    # Pairs are enclosed in curly brackets.
-		    #
-		    $columns = $1;
-		    $pairs   = $2;
-		} else {
-		    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes" if $checkinline;
-		    $pairs = '';
-		}
-	    } 
-	} elsif ( $checkinline ) {
-	    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
-	}
    } elsif ( $currline =~ /^(\s*|.*[^&@%])\{(.*)\}$/ ) {
 	#
 	# Pairs are enclosed in curly brackets.
@@ -2572,7 +2637,7 @@ sub open_file( $;$$$$ ) {
 	$max_format       = supplied $mf ? $mf : 1;
 	$comments_allowed = supplied $ca ? $ca : 0;
 	$nocomment        = $nc;
-	do_open_file $fname;;
+	do_open_file $fname;
    } else {
 	$ifstack = @ifstack;
 	'';
@@ -2961,9 +3026,9 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2 || 'chain';
 		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0};
 		      my $val = $actparams{$var} = evaluate_expression ( $expression,
-									$filename,
-									$linenumber,
-									0  );
+									 $filename,
+									 $linenumber,
+									 0  );
 		      $parmsmodified = PARMSMODIFIED;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
@@ -3257,7 +3322,7 @@ sub copy1( $ ) {
 			my @line = split / /;

 			fatal_error "Invalid INCLUDE command"    if @line != 2;
-			fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+			fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;

 			my $filename = find_file $line[1];

@@ -3467,7 +3532,7 @@ sub read_a_line($);
 sub embedded_shell( $ ) {
    my $multiline = shift;

-    fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+    fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
    my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber );

    $directive_callback->( 'SHELL', $currentline ) if $directive_callback;
@@ -3554,7 +3619,7 @@ sub embedded_perl( $ ) {
    $embedded--;

    if ( $perlscript ) {
-	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+	fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;

 	assert( close $perlscript );

@@ -3908,7 +3973,7 @@ sub read_a_line($) {
 		my @line = split ' ', $currentline;

 		fatal_error "Invalid INCLUDE command"    if @line != 2;
-		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
+		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= INCLUDE_LIMIT;

 		my $filename = find_file $line[1];

@@ -4285,7 +4350,7 @@ sub which( $ ) {
 # Load the kernel modules defined in the 'modules' file.
 #
 sub load_kernel_modules( ) {
-    my $moduleloader = which( 'modprobe' ) || ( which 'insmod' );
+    my $moduleloader = which( 'modprobe' ) || which( 'insmod' );

    my $modulesdir = $config{MODULESDIR};

@@ -4318,25 +4383,20 @@ sub load_kernel_modules( ) {

 	close LSMOD;

-	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
-
-	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
-
+      MODULE:
 	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
-		for my $directory ( @moduledirectories ) {
-		    for my $suffix ( @suffixes ) {
-			my $modulefile = "$directory/$module.$suffix";
-			if ( -f $modulefile ) {
-			    if ( $moduleloader eq 'insmod' ) {
-				system ("insmod $modulefile $arguments" );
-			    } else {
-				system( "modprobe $module $arguments" );
-			    }
-
+		if ( $moduleloader =~ /modprobe$/ ) {
+		    system( "modprobe -q $module $arguments" );
+		    $loadedmodules{ $module } = 1;
+		} else {
+		    for my $directory ( @moduledirectories ) {
+			for my $modulefile ( <$directory/$module.*> ) {
+			    system ("insmod $modulefile $arguments" );
 			    $loadedmodules{ $module } = 1;
+			    next MODULE;
 			}
 		    }
 		}
@@ -4367,6 +4427,12 @@ sub Nat_Enabled() {
    qt1( "$iptables $iptablesw -t nat -L -n" );
 }

+sub Nat_Input_Chain {
+    have_capability( 'NAT_ENABLED' ) || return '';
+
+    qt1( "$iptables $iptablesw -t nat -L INPUT -n" );
+}
+
 sub Persistent_Snat() {
    have_capability( 'NAT_ENABLED' ) || return '';

@@ -4690,10 +4756,6 @@ sub IPSET_V5() {
    $result;
 }

-sub Usepkttype() {
-    qt1( "$iptables $iptablesw -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
-}
-
 sub Addrtype() {
    qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
 }
@@ -4948,6 +5010,10 @@ sub Cpu_Fanout() {
    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
 }

+sub Restore_Wait_Option() {
+    length( `${iptables}-restore --wait < /dev/null 2>&1` ) == 0;
+}
+
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -5008,6 +5074,7 @@ our %detect_capability =
      MASQUERADE_TGT => \&Masquerade_Tgt,
      MULTIPORT => \&Multiport,
      NAT_ENABLED => \&Nat_Enabled,
+      NAT_INPUT_CHAIN => \&Nat_Input_Chain,
      NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
      NETMAP_TARGET => \&Netmap_Target,
      NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
@@ -5028,6 +5095,7 @@ our %detect_capability =
      REALM_MATCH => \&Realm_Match,
      REAP_OPTION => \&Reap_Option,
      RECENT_MATCH => \&Recent_Match,
+      RESTORE_WAIT_OPTION => \&Restore_Wait_Option,
      RPFILTER_MATCH => \&RPFilter_Match,
      SANE_HELPER => \&SANE_Helper,
      SANE0_HELPER => \&SANE0_Helper,
@@ -5043,7 +5111,6 @@ our %detect_capability =
      TIME_MATCH => \&Time_Match,
      TPROXY_TARGET => \&Tproxy_Target,
      UDPLITEREDIRECT => \&Udpliteredirect,
-      USEPKTTYPE => \&Usepkttype,
      XCONNMARK_MATCH => \&Xconnmark_Match,
      XCONNMARK => \&Xconnmark,
      XMARK => \&Xmark,
@@ -5106,6 +5173,7 @@ sub determine_capabilities() {
 	#
 	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
 	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
+	$capabilities{NAT_INPUT_CHAIN} = detect_capability( 'NAT_INPUT_CHAIN' );
 	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );

 	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
@@ -5153,7 +5221,6 @@ sub determine_capabilities() {
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
-	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
 	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
 	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
@@ -5195,6 +5262,8 @@ sub determine_capabilities() {
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
 	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
+	$capabilities{RESTORE_WAIT_OPTION}
+				       = detect_capability( 'RESTORE_WAIT_OPTION' );

 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5243,7 +5312,13 @@ sub ensure_config_path() {
 	fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH};
    }

-    @config_path = split /:/, $config{CONFIG_PATH};
+    my $path = $config{CONFIG_PATH};
+
+    my $chop = ( $path =~ s/^:// );
+
+    @config_path = split /:/, $path;
+
+    shift @config_path if $chop && ( $export || $> != 0 );

    #
    # To accomodate Cygwin-based compilation, we have separate directories for files whose names
@@ -5382,7 +5457,33 @@ sub update_config_file( $ ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
    } else {
 	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
-    }	
+    }
+
+    for ( qw/DROP_DEFAULT REJECT_DEFAULT/ ) {
+	my $policy = $config{ $_ };
+
+	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
+	    if ( $family == F_IPV4 ) {
+		$policy =~ s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
+	    } else {
+		$policy =~ s/A_(?:Drop|Reject)/AllowICMPS(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
+	    }
+	} elsif ( $policy =~ /\b(?:Drop|Reject)\(\s*audit.*\)/ ) {
+	    if ( $family == F_IPV4 ) {
+		$policy =~ s/(?:Drop|Reject)\(\s*audit.*\)/Broadcast(A_DROP),Multicast(A_DROP)/;
+	    } else {
+		$policy =~ s/(?:Drop|Reject)\(\s*audit.*\)/AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
+	    }
+	} elsif ( $policy =~ /\b(?:Drop|Reject)\b/ ) {
+	    if ( $family == F_IPV4 ) {
+		$policy =~ s/(?:Drop|Reject)/Broadcast(DROP),Multicast(DROP)/;
+	    } else {
+		$policy =~ s/(?:Drop|Reject)/AllowICMPs,Broadcast(DROP),Multicast(DROP)/;
+	    }
+	}
+
+	$config{$_} = $policy;
+    }

    my $fn;

@@ -5423,7 +5524,13 @@ sub update_config_file( $ ) {
 			#
 			# OPTION='' - use default if 'Yes' or 'No'
 			#
-			$config{$var} = $val = $default if $default eq 'Yes' || $default eq 'No';
+			if ( $default eq 'Yes' || $default eq 'No' ) {
+			    $config{$var} = $val = $default;
+			} elsif ( $var eq 'CONFIG_PATH' ) {
+			    $val =~ s|^/etc/|\${CONFDIR}|;
+			    $val =~ s|:/etc/|:\${CONFDIR}/g|;
+			    $val =~ s|:/usr/share/|:\${SHAREDIR}|g;
+			}
 		    } else {
 			#
 			# Wasn't mentioned in old file - use default value
@@ -5431,7 +5538,6 @@ sub update_config_file( $ ) {
 			$config{$var} = $val = $default;

 		    }
-
 		}
 		if ( supplied $val ) {
 		    #
@@ -5912,9 +6018,12 @@ sub export_params() {
 }

 #
-# Walk the CONFIG_PATH converting FORMAT and COMMENT lines to compiler directives
+# Walk the CONFIG_PATH converting
+# - FORMAT and COMMENT lines to compiler directives
+# - single semicolons to double semicolons in lines beginning with 'INLINE', IPTABLES or IP6TABLES
+# - Rename macros/actions to their 5.2 counterparts
 #
-sub convert_to_directives() {
+sub convert_to_version_5_2() {
    my $sharedir = $shorewallrc{SHAREDIR};
    #
    # Make a copy of @config_path so that the for-loop below doesn't clobber that list
@@ -5925,7 +6034,7 @@ sub convert_to_directives() {

    my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|;

-    progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives...";
+    progress_message3 "Performing Shorewall 5.2 conversions...";

    for my $dir ( @path ) {
 	unless ( $dir =~ /$dirtest/ ) {
@@ -5936,40 +6045,129 @@ sub convert_to_directives() {

 		opendir( my $dirhandle, $dir ) || fatal_error "Cannot open directory $dir for reading:$!";

-		while ( my $file = readdir( $dirhandle ) ) {
-		    unless ( $file eq 'capabilities'       ||
-			     $file eq 'params'             ||
-			     $file =~ /^shorewall6?.conf$/ ||
-			     $file =~ /\.bak$/ ) {
-			$file = "$dir/$file";
-		
-			if ( -f $file && -w _ ) {
+		while ( my $fname = readdir( $dirhandle ) ) {
+		    unless ( $fname eq 'capabilities'       ||
+			     $fname eq 'params'             ||
+			     $fname =~ /^shorewall6?.conf$/ ||
+			     $fname =~ /\.bak$/ ) {
+			#
+			# File we are interested in
+			#
+			my $fullname = "$dir/$fname";
+
+			if ( -f $fullname && -w _ ) {
 			    #
 			    # writeable regular file
 			    #
-			    my $result = system << "EOF";
-			    perl -pi.bak -e '/^\\s*FORMAT\\s+/ && s/FORMAT/?FORMAT/;
-                                             /^\\s*SECTION\\s+/ && s/SECTION/?SECTION/;
-                                             if ( /^\\s*COMMENT\\s+/ ) {
-                                                 s/COMMENT/?COMMENT/;
-                                             } elsif ( /^\\s*COMMENT\\s*\$/ ) {
-                                                 s/COMMENT/?COMMENT/;
-                                             }' $file
-EOF
-			    if ( $result == 0 ) {
-				if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) {
-				    progress_message3 "   File $file updated - old file renamed ${file}.bak";
-				} elsif ( rename "${file}.bak" , $file ) {
-				    progress_message "   File $file not updated -- no bare 'COMMENT', 'SECTION' or 'FORMAT' lines found";
-				    progress_message "   File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found";
+			    my $v5_2_update = ( $fname eq 'rules'          ||
+						$fname =~ /^action\./      ||
+						$fname =~ /^macro\./       ||
+						$fname eq 'snat'           ||
+						$fname eq 'mangle'         ||
+						$fname eq 'conntrack'      ||
+						$fname eq 'accounting'     ||
+						$fname eq 'masq'           ||
+						$fname eq 'policy' );
+			    my $is_policy   = ( $fname eq 'policy' );
+			    my @file;
+			    my ( $ifile, $ofile );
+			    my $omitting = 0;
+			    my $changed;
+
+			    open $ifile, '<', "$fullname" or fatal_error "Unable to open $fullname: $!";
+
+			    while ( <$ifile> ) {
+				if ( $omitting ) {
+				    $omitting = 0, next if /\s*\??end\s+(?:perl|shell)/i;
 				} else {
-				    warning message "Unable to rename ${file}.bak to $file:$!";
+				    $omitting = 1, next if /\s*\??begin\s+(?:perl|shell)/i;
 				}
+
+				unless ( $omitting || /^\s*[#?]/ ) {
+				    if ( /^\s*FORMAT\s+/ ) {
+					s/FORMAT/?FORMAT/;
+					$changed = 1;
+				    }
+
+				    if ( /^\s*SECTION\s+/ ) {
+					s/SECTION/?SECTION/;
+					$changed = 1;
+				    }
+
+				    if ( /^\s*COMMENT\s+/ ) {
+					s/COMMENT/?COMMENT/;
+					$changed = 1;
+				    } elsif ( /^\\s*COMMENT\\s*\$/ ) {
+					s/COMMENT/?COMMENT/;
+				    }
+
+				    if ( $v5_2_update ) {
+					if ( /\bA_AllowICMPs\b/ ) {
+					    s/A_AllowICMPs/AllowICMPs(A_ACCEPT)/;
+					    $changed = 1;
+					}
+
+					if ( $is_policy ) {
+					    if ( /\bA_(?:Drop|Reject)\b/ ) {
+						if ( $family == F_IPV4 ) {
+						    s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
+						} else {
+						    s/A_(?:Drop|Reject)/AllowICMPS(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
+						}
+
+						$changed = 1;
+					    } elsif ( /\b(?:Drop|Reject)\(\s*audit.*\)/ ) {
+						if ( $family == F_IPV4 ) {
+						    s/(?:Drop|Reject)\(\s*audit.*\)/Broadcast(A_DROP),Multicast(A_DROP)/;
+						} else {
+						    s/(?:Drop|Reject)\(\s*audit.*\)/AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
+						}
+
+						$changed = 1;
+					    } elsif ( /\b(?:Drop|Reject)\b/ ) {
+						if ( $family == F_IPV4 ) {
+						    s/(?:Drop|Reject)/Broadcast(DROP),Multicast(DROP)/;
+						} else {
+						    s/(?:Drop|Reject)/AllowICMPs,Broadcast(DROP),Multicast(DROP)/;
+						}
+
+						$changed = 1;
+					    }
+					} else {
+					    unless ( /;;/ ) {
+						if ( /^\s*(?:INLINE|IP6?TABLES)/ ) {
+						    s/;/;;/;
+						    $changed = 1;
+						} elsif ( /^[^#]*;\s*-[mgj]/ ) {
+						    s/;/;;/;
+						    $changed = 1;
+						}
+					    }
+
+					    if ( /\bSMTPTrap\b/ ) {
+						s/SMTPTrap/SMTPtrap/;
+						$changed = 1;
+					    }
+					}
+				    }
+				}
+
+				push @file, $_;
+			    }
+
+			    close $ifile;
+
+			    if ( $changed ) {
+				fatal_error "Can't rename $fullname to $fullname.bak" unless rename $fullname, "$fullname.bak";
+				open $ofile, '>', "$fullname" or fatal_error "Unable to open $fullname: $!";
+				print $ofile $_ for @file;
+				close $ofile;
+				progress_message3 "   File $fullname updated - old file renamed ${fullname}.bak";
 			    } else {
-				warning_message ("Unable to update file $file" );
+				progress_message "   File $file not updated -- no update required";
 			    }
 			} else {
-			    warning_message( "$file skipped (not writeable)" ) unless -d _;
+			    warning_message( "$fullname skipped (not writeable)" ) unless -d _;
 			}
 		    }
 		}
@@ -5986,9 +6184,9 @@ EOF
 # - Read the capabilities file, if any
 # - establish global hashes %params, %config , %globals and %capabilities
 #
-sub get_configuration( $$$$ ) {
+sub get_configuration( $$$ ) {

-    ( my ( $export, $update, $annotate ) , $checkinline ) = @_;
+    my ( $export, $update, $annotate ) = @_;

    $globals{EXPORT} = $export;

@@ -6061,7 +6259,6 @@ sub get_configuration( $$$$ ) {
    #
    # get_capabilities requires that the true settings of these options be established
    #
-    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';

    if ( ! $export && $> == 0 ) {
@@ -6247,7 +6444,7 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_VERBOSITY} = -1;
    }

-    default_yes_no 'ADD_IP_ALIASES'             , 'Yes';
+    default_yes_no 'ADD_IP_ALIASES'             , $family == F_IPV4 ? 'Yes' : '';
    default_yes_no 'ADD_SNAT_ALIASES'           , '';
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
@@ -6291,7 +6488,6 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
-    default_yes_no 'MAPOLDACTIONS'              , 'Yes';

    warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD};

@@ -6347,6 +6543,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'AUTOCOMMENT'                , 'Yes';
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
+    default_yes_no 'RENAME_COMBINED'            , 'Yes';

    if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6366,7 +6563,6 @@ sub get_configuration( $$$$ ) {
 	$origin{$_} ||= '';
    }
 	    
-    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
    default_yes_no 'WORKAROUNDS'                , 'Yes';
    default_yes_no 'DOCKER'                     , '';
@@ -6399,11 +6595,14 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'MANGLE_ENABLED'             , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
    default_yes_no 'USE_DEFAULT_RT'             , '';
    default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
-    default_yes_no 'AUTOMAKE'                   , '';
-    default_yes_no 'TRACK_PROVIDERS'            , '';
+    default_yes_no 'TRACK_PROVIDERS'            , 'Yes';
    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
    default_yes_no 'USE_NFLOG_SIZE'             , '';

+    if ( ( $val = $config{AUTOMAKE} ) !~ /^[Rr]ecursive$/ ) {
+	default_yes_no( 'AUTOMAKE' , '' ) unless $val && $val =~ /^\d{1,2}$/;
+    }
+
    if ( $config{USE_NFLOG_SIZE} ) {
 	if ( have_capability( 'NFLOG_SIZE' ) ) {
 	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
@@ -6600,6 +6799,13 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_BACKEND} = $val;
    }

+    if ( supplied( $val = $config{LOG_ZONE} ) ) {
+	fatal_error "Invalid LOG_ZONE setting ($val)" unless $val =~ /^(src|dst|both)$/i;
+	$config{LOG_ZONE} = lc( $val );
+    } else {
+	$config{LOG_ZONE} = 'both';
+    }
+
    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};

    default_log_level 'SMURF_LOG_LEVEL',     '';
@@ -6776,7 +6982,7 @@ sub get_configuration( $$$$ ) {
    } else {
 	$val = numeric_value $config{OPTIMIZE};

-	fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ~OPTIMIZE_USE_FIRST ) <= OPTIMIZE_ALL;
+	fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && $val <= OPTIMIZE_ALL;
    }

    require_capability 'XMULTIPORT', 'OPTIMIZE level 16', 's' if $val & 16;
@@ -6833,13 +7039,19 @@ sub get_configuration( $$$$ ) {
 	}
    }

+    if ( supplied( $val = $config{MUTEX_TIMEOUT} ) ) {
+	fatal_error "Invalid value ($val) for MUTEX_TIMEOUT" unless $val && $val =~ /^\d+$/;
+    } else {
+	$config{MUTEX_TIMEOUT} = 60;
+    }
+
    add_variables %config;

    while ( my ($var, $val ) = each %renamed ) {
 	$variables{$var} = $config{$val};
    }

-    convert_to_directives if $update;
+    convert_to_version_5_2 if $update;

    cleanup_iptables if $sillyname && ! $config{LOAD_HELPERS_ONLY};
 }
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -60,6 +60,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  decompose_net
 		  decompose_net_u32
 		  compare_nets
+		  loopback_address
 		  validate_host
 		  validate_range
 		  ip_range_explicit
@@ -98,12 +99,14 @@ our $resolve_dnsname;
 our $validate_range;
 our $validate_host;
 our $family;
+our $loopback_address;

 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       NILIPv4             => '0.0.0.0' ,
 	       NILIPv6             => '::' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
+	       IPv4_LOOPBACK       => '127.0.0.1' ,
 	       IPv6_MULTICAST      => 'ff00::/8' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
 	       IPv6_SITELOCAL      => 'feC0::/10' ,
@@ -370,6 +373,10 @@ sub rfc1918_networks() {
    @rfc1918_networks
 }

+sub loopback_address() {
+    $loopback_address;
+}
+
 #
 # Protocol/port validation
 #
@@ -755,6 +762,7 @@ sub initialize( $ ) {
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
 	$vlsm_width       = VLSMv4;
+	$loopback_address = IPv4_LOOPBACK;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -767,6 +775,7 @@ sub initialize( $ ) {
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
 	$vlsm_width       = VLSMv6;
+	$loopback_address = IPv6_LOOPBACK;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -667,6 +667,7 @@ sub create_docker_rules() {

    my $chainref = $filter_table->{FORWARD};

+    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );

    if ( my $dockerref = known_interface('docker0') ) {
@@ -717,7 +718,7 @@ sub add_common_rules ( $ ) {

    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
-	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
+	fatal_error( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
    } else {
 	if ( have_capability( 'ADDRTYPE' ) ) {
 	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
@@ -2447,7 +2448,7 @@ sub setup_mss( ) {
    my $clampmss = $config{CLAMPMSS};
    my $option;
    my @match;
-    my $chainref = $filter_table->{FORWARD};
+    my $chainref = $mangle_table->{FORWARD};

    if ( $clampmss ) {
 	if ( "\L$clampmss" eq 'yes' ) {
@@ -2553,9 +2554,6 @@ EOF
 	        reload)
 	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
-	        refresh)
-	            mylogger kern.err "ERROR:$g_product refresh failed"
-	            ;;
                enable)
                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
@@ -2645,7 +2643,6 @@ EOF

        rm -f ${VARDIR}/proxyarp
    fi
-
 EOF
    } else {
 	emit <<'EOF';
@@ -2659,7 +2656,6 @@ EOF

        rm -f ${VARDIR}/proxyndp
    fi
-
 EOF
    }

--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -37,7 +37,7 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();

 Exporter::export_ok_tags('rules');
@@ -587,11 +587,11 @@ EOF
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
+    my $have_masq_rules;
+
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );

-	my $have_masq_rules;
-
 	directive_callback(
 	    sub ()
 	    {
@@ -647,6 +647,8 @@ sub convert_masq() {

 	close $snat, directive_callback( 0 );
    }
+
+    $have_masq_rules;
 }

 #
@@ -941,7 +943,17 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-	    my @servers = validate_address $server, 1;
+
+	    my @servers;
+
+	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
+		$server = record_runtime_address( $1, $2 );
+		$server =~ s/ $//;
+		@servers = ( $server );
+	    } else {
+		@servers = validate_address $server, 1;
+	    }
+
 	    $server = join ',', @servers;
 	}

--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -125,7 +125,7 @@ sub initialize( $ ) {
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask = in_hex( $globals{PROVIDER_MASK} );
+    my $mask   = in_hex( $globals{PROVIDER_MASK} );
    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';

    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
@@ -161,6 +161,15 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref,  $origin, i => $physical,     mark => "--mark 0/$mask";
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark  $mark/$mask";
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
+
+		if ( have_ipsec ) {
+		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
+			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
+		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
+			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
+		    }
+		}
+
 		$marked_interfaces{$interface} = 1;
 	    }

@@ -329,22 +338,22 @@ sub balance_default_route( $$$$ ) {
    if ( $first_default_route ) {
 	if ( $balanced_providers == 1 ) {
 	    if ( $gateway ) {
-		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
+		emit qq(DEFAULT_ROUTE="via $gateway dev $interface $realm");
 	    } else {
-		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
+		emit qq(DEFAULT_ROUTE="dev $interface $realm");
 	    }
 	} elsif ( $gateway ) {
-	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="nexthop dev $interface weight $weight $realm");
 	}

 	$first_default_route = 0;
    } else {
 	if ( $gateway ) {
-	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm\"";
+	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm");
 	}
    }
 }
@@ -359,22 +368,22 @@ sub balance_fallback_route( $$$$ ) {
    if ( $first_fallback_route ) {
 	if ( $fallback_providers == 1 ) {
 	    if ( $gateway ) {
-		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
+		emit qq(FALLBACK_ROUTE="via $gateway dev $interface $realm");
 	    } else {
-		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
+		emit qq(FALLBACK_ROUTE="dev $interface $realm");
 	    }
 	} elsif ( $gateway ) {
-	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="nexthop dev $interface weight $weight $realm");
 	}

 	$first_fallback_route = 0;
    } else {
 	if ( $gateway ) {
-	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm\"";
+	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm");
 	}
    }
 }
@@ -502,7 +511,7 @@ sub process_a_provider( $ ) {

    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, 1 );
+	$gateway = get_interface_gateway( $interface, undef, $number );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
@@ -512,6 +521,9 @@ sub process_a_provider( $ ) {
 	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
+
+	$gateway = $1 if $family == F_IPV6 && $gateway =~ /^\[(.+)\]$/;
+
 	validate_address $gateway, 0;

 	if ( defined $mac ) {
@@ -602,6 +614,7 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'nohostroute' ) {
 		$hostroute = 0;
 	    } elsif ( $option eq 'persistent' ) {
+		warning_message "When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option may not work as expected" if $config{RESTORE_DEFAULT_ROUTE};
 		$persistent = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
@@ -688,7 +701,6 @@ sub process_a_provider( $ ) {
 	    
 	    $pref = 10000 + $number - 1;
 	}
-
    }

    unless ( $loose || $pseudo ) {
@@ -847,7 +859,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $id";
+		emit "run_ip route replace default dev $physical table $id";
 	    }
 	}

@@ -863,8 +875,8 @@ sub add_a_provider( $$ ) {
 		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }

-	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
-	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
+	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( qq(echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}

 	if ( ! $noautosrc ) {
@@ -873,24 +885,25 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" );
-		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
+		emit  ( '',
+			"find_interface_addresses $physical | while read address; do",
+			"    qt \$IP -$family rule del from \$address",
+			"    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
 			'done'
 		      );
 	    }
+	}

-	    if ( @{$providerref->{persistent_routes}} ) {
-		emit '';
-		emit $_ for @{$providers{$table}->{persistent_routes}};
-	    }
+	if ( @{$providerref->{persistent_routes}} ) {
+	    emit '';
+	    emit $_ for @{$providers{$table}->{persistent_routes}};
+	}

-	    if ( @{$providerref->{persistent_rules}} ) {
-		emit '';
-		emit $_ for @{$providers{$table}->{persistent_rules}};
-	    }
+	if ( @{$providerref->{persistent_rules}} ) {
+	    emit '';
+	    emit $_ for @{$providers{$table}->{persistent_rules}};
 	}

 	pop_indent;
@@ -898,7 +911,6 @@ sub add_a_provider( $$ ) {
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );

-
 	pop_indent;

 	emit( "}\n" );
@@ -924,7 +936,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $id";
+		emit "run_ip route replace default dev $physical table $id";
 	    }
 	}
    }
@@ -956,7 +968,7 @@ CEOF
 	my $hexmark = in_hex( $mark );
 	my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';

-	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $persistent || $config{DELETE_THEN_ADD};

 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
@@ -985,7 +997,7 @@ CEOF
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}

-	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	emit "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm";
    }

    if ( $balance ) {
@@ -997,14 +1009,16 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    emit qq(run_ip route replace default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
-	    emit qq(run_ip route add default table $id dev $physical metric $number);
+	    emit qq(run_ip route replace default table $id dev $physical metric $number);
 	    emit qq(echo "\$IP -$family route del default dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	}

+	emit( 'g_fallback=Yes' ) if $persistent;
+
 	$metrics = 1;
    }

@@ -1026,12 +1040,13 @@ CEOF
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
 		if ( $persistent ) {
-		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
+		    emit( qq(if ! egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),
+			  qq(    qt \$IP -$family rule del from $address pref 20000),
 			  qq(    run_ip rule add from $address pref 20000 table $id),
 			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
 			  qq(fi) );
 		} else {
-		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		    emit  "qt \$IP -$family rule del from $address" if $persistent || $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 		}
@@ -1089,9 +1104,20 @@ CEOF
 	}

 	emit( qq(rm -f \${VARDIR}/${physical}_disabled),
-	      'run_enabled_exit'
+	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
 	    );

+	if ( ! $pseudo && $config{USE_DEFAULT_RT} && $config{RESTORE_DEFAULT_ROUTE} ) {
+	    emit  ( '#',
+		    '# We now have a viable default route in the \'default\' table so delete any default routes in the main table',
+		    '#',
+		    'while qt \$IP -$family route del default table ' . MAIN_TABLE . '; do',
+		    '    true',
+		    'done',
+		    ''
+		);
+	}
+
 	emit_started_message( '', 2, $pseudo, $table, $number );

 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1225,7 +1251,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled",
 		   "fi\n",
 		 );
 	}
@@ -1237,13 +1263,13 @@ CEOF
 	}

 	emit( "echo 1 > \${VARDIR}/${physical}.status",
-	      'run_disabled_exit'
+	      $pseudo ? "run_disabled_exit ${physical} ${interface}" : "run_disabled_exit ${physical} ${interface} ${table}"
 	    );

 	if ( $pseudo ) {
-	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
+	    emit( "progress_message2 \"Optional Interface $table stopped\"" );
 	} else {
-	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	    emit( "progress_message2 \"Provider $table ($number) stopped\"" );
 	}

 	pop_indent;
@@ -1344,7 +1370,7 @@ sub add_an_rtrule1( $$$$$ ) {

    $priority = "pref $priority";

-    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $persistent || $config{DELETE_THEN_ADD};
    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";

    if ( $persistent ) {
@@ -1442,22 +1468,22 @@ sub add_a_route( ) {

    if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
-	    push @$routes,            qq(run_ip route add $dest via $gateway dev $physical table $id);
-	    push @$persistent_routes, qq(run_ip route add $dest via $gateway dev $physical table $id) if $persistent;
+	    push @$routes,            qq(run_ip route replace $dest via $gateway dev $physical table $id);
+	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway dev $physical table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} elsif ( $null ) {
-	    push @$routes,            qq(run_ip route add $null $dest table $id);
-	    push @$persistent_routes, qq(run_ip route add $null $dest table $id) if $persistent;
+	    push @$routes,            qq(run_ip route replace $null $dest table $id);
+	    push @$persistent_routes, qq(run_ip route replace $null $dest table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $null $dest table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
-	    push @$routes,            qq(run_ip route add $dest via $gateway table $id);
-	    push @$persistent_routes, qq(run_ip route add $dest via $gateway table $id) if $persistent;
+	    push @$routes,            qq(run_ip route replace $dest via $gateway table $id);
+	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	}
    } else {
 	fatal_error "You must specify a device for this route" unless $physical;
-	push @$routes,            qq(run_ip route add $dest dev $physical table $id);
-	push @$persistent_routes, qq(run_ip route add $dest dev $physical table $id) if $persistent;
+	push @$routes,            qq(run_ip route replace $dest dev $physical table $id);
+	push @$persistent_routes, qq(run_ip route replace $dest dev $physical table $id) if $persistent;
 	push @$routes,             q(echo "$IP ) . qq(-$family route del $dest dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
    }

@@ -1559,7 +1585,7 @@ sub finish_providers() {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
+		    "        while qt \$IP -6 route delete default table $table; do true; done",
 		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
 		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
@@ -1568,7 +1594,8 @@ sub finish_providers() {
 	}

 	if ( $config{USE_DEFAULT_RT} ) {
-	    emit  ( "    while qt \$IP -$family route del default table $main; do",
+	    emit  ( '',
+		    "    while qt \$IP -$family route del default table $main; do",
 		    '        true',
 		    '    done',
 		    ''
@@ -1580,7 +1607,7 @@ sub finish_providers() {
 		'    error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );

 	if ( $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit qq(    restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
+	    emit qq(    [ -z "\${FALLBACK_ROUTE}\${g_fallback}" ] && restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
@@ -1607,7 +1634,7 @@ sub finish_providers() {
 	}

 	emit ( '#',
-	       '# Delete any routes in the \'balance\' table',
+	       '# Delete any default routes with metric 0 in the \'balance\' table',
 	       '#',
 	       "while qt \$IP -$family route del default table $balance; do",
 	       '    true',
@@ -1622,7 +1649,7 @@ sub finish_providers() {
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    while qt \$IP -6 route delete default table $default; do true; done" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}

@@ -1635,7 +1662,10 @@ sub finish_providers() {
 	      'fi',
 	      '' );
    } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( "delete_default_routes $default",
+	emit( '#',
+	      '# No balanced fallback routes - delete any routes with metric 0 from the \'default\' table',
+	      '#',
+	      "delete_default_routes $default",
 	      ''
 	    );
    }
@@ -1680,7 +1710,7 @@ sub process_providers( $ ) {
    }

    if ( $providers ) {
-	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
+	fatal_error q(Either all 'fallback' providers must specify a weight or none of them can specify a weight) if $fallback && $metrics;

 	my $fn = open_file( 'route_rules' );

@@ -1711,7 +1741,7 @@ sub process_providers( $ ) {

    add_a_provider( $providers{$_}, $tcdevices ) for @providers;

-    emit << 'EOF';;
+    emithd << 'EOF';;

 #
 # Enable an optional provider
@@ -1757,12 +1787,11 @@ EOF
    pop_indent;
    pop_indent;

-    emit << 'EOF';;
+    emithd << 'EOF';;
        *)
            startup_error "$g_interface is not an optional provider or interface"
            ;;
    esac
-
 }

 #
@@ -1866,20 +1895,19 @@ sub setup_providers() {

 	start_providers;

-	setup_null_routing if $config{NULL_ROUTE_RFC1918};
+	setup_null_routing, emit '' if $config{NULL_ROUTE_RFC1918};

-	emit '';
-
-	emit "start_$providers{$_}->{what}_$_" for @providers;
-
-	emit '';
+	if ( @providers ) {
+	    emit "start_$providers{$_}->{what}_$_" for @providers;
+	    emit '';
+	}

 	finish_providers;

 	emit "\nrun_ip route flush cache";

 	pop_indent;
-	emit "fi\n";
+	emit 'fi';

 	setup_route_marking if @routemarked_interfaces || @load_interfaces;
    } else {
@@ -1890,9 +1918,10 @@ sub setup_providers() {
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
+	    emit '';
 	}

-	emit "\nundo_routing";
+	emit "undo_routing";
 	emit "restore_default_route $config{USE_DEFAULT_RT}";

 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
@@ -1917,9 +1946,8 @@ sub setup_providers() {

 	pop_indent;

-	emit "fi\n";
+	emit 'fi';
    }
-
 }

 #
@@ -2168,17 +2196,13 @@ sub provider_realm( $ ) {
 }

 #
-# This function is called by the compiler when it is generating the detect_configuration() function.
-# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
-# ..._IS_USABLE interface variables appropriately for the  optional interfaces
+# Perform processing related to optional interfaces. Returns true if there are optional interfaces.
+
 #
-# Returns true if there were required or optional interfaces
-#
-sub handle_optional_interfaces( $ ) {
+sub handle_optional_interfaces() {

    my @interfaces;
    my $wildcards;
-
    #
    # First do the provider interfacess. Those that are real providers will never have wildcard physical
    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
@@ -2202,10 +2226,6 @@ sub handle_optional_interfaces( $ ) {

    if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
-	my $gencase     = shift;
-
-	verify_required_interfaces( $gencase );
-	emit '' if $gencase;

 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
@@ -2348,7 +2368,7 @@ sub handle_optional_interfaces( $ ) {
 	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
-		  '        start|reload|restore|refresh)'
+		  '        start|reload|restore)'
 		);

 	    if ( $family == F_IPV4 ) {
@@ -2369,8 +2389,6 @@ sub handle_optional_interfaces( $ ) {

 	return 1;
    }
-
-    verify_required_interfaces( shift );
 }

 #
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -96,6 +96,7 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
    }

    emit ( "run_ip neigh add proxy $address nud permanent dev $extphy" ,
+	   '' ,
 	   qq(progress_message "   Host $address connected to $interface added to $proto on $extphy"\n) );

    push @proxyarp, "$address $interface $external $haveroute";
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -91,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {

    my $disposition = $action;
    my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
+
    my $level = '';

    if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
@@ -138,6 +138,14 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {

 	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';

+	if ( $proto ne '-' ) {
+	    if ( $proto =~ s/:all$// ) {
+		fatal_error '":all" may only be used with TCP' unless resolve_proto( $proto ) == TCP;
+	    } else {
+		$proto = TCP . ':syn' if $proto !~ /:syn/ && resolve_proto( $proto ) == TCP;
+	    }
+	}
+
 	if ( $option eq 'notrack' ) {
 	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
@@ -199,7 +207,9 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
    expand_rule( $chainref ,
 		 $restriction ,
 		 '',
-		 $rule,
+		 do_proto( $proto, $ports, $sports ) . 
+		 do_user ( $user ) . 
+		 do_condition( $switch , $chainref->{name} ),
 		 $source ,
 		 $dest ,
 		 '' ,
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -225,11 +225,11 @@ sub handle_in_bandwidth( $$$ ) {
    if ( have_capability 'BASIC_FILTER' ) {
 	if ( $in_rate ) {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
-		  "    police mpu 64 drop rate ${in_rate}kbit burst $in_burst\n" );
+		  "    police mpu 64 rate ${in_rate}kbit burst $in_burst drop\n" );
 	} else {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
 		  "    estimator $in_interval $in_decay basic \\",
-		  "    police drop avrate ${in_avrate}kbit\n" );
+		  "    police avrate ${in_avrate}kbit drop\n" );
 	}
    } else {
 	emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
@@ -85,8 +85,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
-		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+		$inchainref  = ensure_rules_chain( ${zone}, ${fw} );
+		$outchainref = ensure_rules_chain( ${fw}, ${zone} );

 		unless ( have_ipsec ) {
 		    add_tunnel_rule $inchainref,  p => 50, @$source;
@@ -250,8 +250,8 @@ sub setup_tunnels() {

 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );

-	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
-	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+	my $inchainref  = ensure_rules_chain( ${zone}, ${fw}   );
+	my $outchainref = ensure_rules_chain( ${fw},   ${zone} );

 	$gateways = ALLIP if $gateways eq '-';

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Zones.pm
+# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Zones.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -90,9 +90,8 @@ our @EXPORT = ( qw( NOTHING
 		    interface_is_optional
 		    interface_is_required
 		    find_interfaces_by_option
-		    find_interfaces_by_option1
 		    get_interface_option
-                    get_interface_origin
+		    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    interface_zone
@@ -114,31 +113,31 @@ our $VERSION = 'MODULEVERSION';
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
 #     %zones{<zone1> => {name =>       <name>,
-#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
-#                        complex =>    0|1
-#                        super   =>    0|1
-#                        options =>    { in_out  => < policy match string >
-#                                        in      => < policy match string >
-#                                        out     => < policy match string >
-#                                      }
-#                        parents =>    [ <parents> ]      Parents, Children and interfaces are listed by name
-#                        children =>   [ <children> ]
-#                        interfaces => { <interfaces1> => 1, ... }
-#                        bridge =>     <bridge>
-#                        hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
-#                                                                  options => { <option1> => <value1>
-#                                                                               ...
-#                                                                             }
-#                                                                  hosts   => [ <net1> , <net2> , ... ]
-#                                                                  exclusions => [ <net1>, <net2>, ... ]
-#                                                                  origin   => <where defined>
-#                                                                }
-#                                                <interface2> => ...
-#                                              }
-#                                            ]
-#                       }
-#             <zone2> => ...
-#           }
+#			 type =>       <zone type>	 FIREWALL, IP, IPSEC, BPORT;
+#			 complex =>    0|1
+#			 super	 =>    0|1
+#			 options =>    { in_out	 => < policy match string >
+#					 in	 => < policy match string >
+#					 out	 => < policy match string >
+#				       }
+#			 parents =>    [ <parents> ]	  Parents, Children and interfaces are listed by name
+#			 children =>   [ <children> ]
+#			 interfaces => { <interfaces1> => 1, ... }
+#			 bridge =>     <bridge>
+#			 hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
+#								   options => { <option1> => <value1>
+#										...
+#									      }
+#								   hosts   => [ <net1> , <net2> , ... ]
+#								   exclusions => [ <net1>, <net2>, ... ]
+#								   origin   => <where defined>
+#								 }
+#						 <interface2> => ...
+#					       }
+#					     ]
+#			}
+#	      <zone2> => ...
+#	    }
 #
 #     $firewall_zone names the firewall zone.
 #
@@ -160,27 +159,27 @@ our %reservedName = ( all => 1,
 #
 #     @interfaces lists the interface names in the order that they appear in the interfaces file.
 #
-#     %interfaces { <interface1> => { name        => <name of interface>
-#                                     root        => <name without trailing '+'>
-#                                     options     => { port => undef|1
-#                                                    { <option1> } => <val1> ,          #See %validinterfaceoptions
-#                                                      ...
-#                                                    }
-#                                     zone        => <zone name>
-#                                     multizone   => undef|1   #More than one zone interfaces through this interface
-#                                     nets        => <number of nets in interface/hosts records referring to this interface>
-#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
-#                                     ports       => <number of port on this bridge>
-#                                     ipsec       => undef|1 # Has an ipsec host group
-#                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
-#                                     number      => <ordinal position in the interfaces file>
-#                                     physical    => <physical interface name>
-#                                     base        => <shell variable base representing this interface>
-#                                     wildcard    => undef|1 # Wildcard Name
-#                                     zones       => { zone1 => 1, ... }
-#                                     origin      => <where defined>
-#                                   }
-#                 }
+#     %interfaces { <interface1> => { name	  => <name of interface>
+#				      root	  => <name without trailing '+'>
+#				      options	  => { port => undef|1
+#						     { <option1> } => <val1> ,		#See %validinterfaceoptions
+#						       ...
+#						     }
+#				      zone	  => <zone name>
+#				      multizone	  => undef|1   #More than one zone interfaces through this interface
+#				      nets	  => <number of nets in interface/hosts records referring to this interface>
+#				      bridge	  => <bridge name> # Same as ->{name} if not a bridge port.
+#				      ports	  => <number of port on this bridge>
+#				      ipsec	  => undef|1 # Has an ipsec host group
+#				      broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
+#				      number	  => <ordinal position in the interfaces file>
+#				      physical	  => <physical interface name>
+#				      base	  => <shell variable base representing this interface>
+#				      wildcard	  => undef|1 # Wildcard Name
+#				      zones	  => { zone1 => 1, ... }
+#				      origin	  => <where defined>
+#				    }
+#		  }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
@@ -253,6 +252,17 @@ use constant { NO_UPDOWN   => 1,

 our %validinterfaceoptions;

+our %procinterfaceoptions=( accept_ra   => 1,
+			    arp_filter  => 1,
+			    arp_ignore  => 1,
+			    forward     => 1,
+			    logmartians => 1,
+			    proxyarp    => 1,
+			    proxyndp    => 1,
+			    routefilter => 1,
+			    sourceroute => 1,
+			  );
+
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -317,7 +327,7 @@ sub initialize( $$ ) {
    %mapbase = ();
    %mapbase1 = ();
    $baseseq = 0;
-    $minroot = 0;
+    $minroot = undef;
    $loopback_interface = '';

    %validzoneoptions = ( mss            => NUMERIC,
@@ -339,7 +349,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
-				  dbl         => ENUM_IF_OPTION,
+				  dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -363,9 +373,9 @@ sub initialize( $$ ) {
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
-				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST,
+				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST + IF_OPTION_WILDOK,
 				  unmanaged   => SIMPLE_IF_OPTION,
-				  wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				  wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -390,7 +400,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
-				    dbl         => ENUM_IF_OPTION,
+				    dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -402,18 +412,18 @@ sub initialize( $$ ) {
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
-				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER + IF_OPTION_WILDOK,
 				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => BINARY_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    forward     => BINARY_IF_OPTION,
-				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
+				    physical    => STRING_IF_OPTION + IF_OPTION_HOST + IF_OPTION_WILDOK,
 				    unmanaged   => SIMPLE_IF_OPTION,
 				    upnp        => SIMPLE_IF_OPTION,
 				    upnpclient  => SIMPLE_IF_OPTION,
-				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				    wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -701,6 +711,40 @@ sub haveipseczones() {
    0;
 }

+#
+# Returns 1 if the two interfaces passed are related
+#
+sub interface_match( $$ ) {
+    my ( $piface, $ciface ) = @_;
+
+    return 1 if $piface eq $ciface;
+
+    my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface};
+
+    return 1 if $piface eq $cifaceref->{bridge};
+    return 1 if $ciface eq $pifaceref->{bridge};
+
+    if ( defined $minroot ) {
+	if ( $piface =~ /\+$/ ) {
+	    my $root    = $pifaceref->{root};
+	    my $rlength = length( $root );
+	    while ( length( $ciface ) >= $rlength ) {
+		return 1 if $ciface eq $root;
+		chop $ciface;
+	    }
+	} elsif ( $ciface =~ /\+$/ ) {
+	    my $root    = $cifaceref->{root};
+	    my $rlength = length( $root );
+	    while ( length( $piface ) >= $rlength ) {
+		return 1 if $piface eq $root;
+		chop $piface;
+	    }
+	}
+    }
+
+    0;
+}
+
 #
 # Report about zones.
 #
@@ -738,7 +782,7 @@ sub zone_report()
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
+				progress_message_nocompress "      $iref->{physical}:[$grouplist]";
 			    }
 			    $printed = 1;
 			}
@@ -747,6 +791,17 @@ sub zone_report()
 	    }
 	}

+      PARENT:
+	for my $p ( @{$zoneref->{parents}} ) {
+	    for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) {
+		for my $ci ( keys( %{$zoneref->{interfaces}} ) ) {
+		    next PARENT if interface_match( $pi, $ci );
+		}
+	    }
+
+	    warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common";
+	}
+
 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
@@ -1159,15 +1214,16 @@ sub process_interface( $$ ) {
    }

    my $wildcard = 0;
+    my $physwild = 0;
    my $root;

    if ( $interface =~ /\+$/ ) {
-	$wildcard = 1;
+	$wildcard = $physwild = 1; # Default physical name is the logical name
 	$root = substr( $interface, 0, -1 );
 	$roots{$root} = $interface;
 	my $len = length $root;

-	if ( $minroot ) {
+	if ( defined $minroot ) {
 	    $minroot = $len if $minroot > $len;
 	} else {
 	    $minroot = $len;
@@ -1213,8 +1269,6 @@ sub process_interface( $$ ) {
 	my %hostoptions = ( dynamic => 0 );

 	for my $option (split_list1 $options, 'option' ) {
-	    next if $option eq '-';
-
 	    ( $option, my $value ) = split /=/, $option;

 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
@@ -1251,7 +1305,6 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
-		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
@@ -1275,7 +1328,6 @@ sub process_interface( $$ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
-		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
@@ -1327,7 +1379,9 @@ sub process_interface( $$ ) {

 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );

-		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
+		    $physwild = ( $value =~ /\+$/ );
+		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $physwild;
+
 		    $physical = $value;
 		} else {
 		    assert(0);
@@ -1355,6 +1409,14 @@ sub process_interface( $$ ) {
 	    $options{ignore} = 0;
 	}

+	for my $option ( keys %options ) {
+	    if ( $root ) {
+		warning_message( "The '$option' option is ignored when used with a wildcard physical name" ) if $physwild && $procinterfaceoptions{$option};
+	    } else {
+		warning_message( "The '$option' option is ignored when used with interface name '+'" ) unless $validinterfaceoptions{$option} & IF_OPTION_WILDOK;
+	    }
+	}
+
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
@@ -1413,6 +1475,7 @@ sub process_interface( $$ ) {
 						   zones      => {},
 						   origin     => shortlineinfo( '' ),
 						   wildcard   => $wildcard,
+						   physwild   => $physwild, # Currently unused
 					         };

    $interfaces{$physical} = $interfaceref if $physical ne $interface;
@@ -1571,13 +1634,11 @@ sub known_interface($)

    my $iface = $interface;

-    if ( $minroot ) {
+    if ( defined $minroot ) {
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
-	while ( length $iface > $minroot ) {
-	    chop $iface;
-
+	while ( length $iface >= $minroot ) {
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
@@ -1599,6 +1660,8 @@ sub known_interface($)
 		                              };
 		return $interfaceref;
 	    }
+
+	    chop $iface;
 	}
    }

@@ -1812,7 +1875,8 @@ sub find_interfaces_by_option( $;$ ) {
    for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};

-	next unless $interfaceref->{root};
+	next unless $interfaceref->{root};                                   # Don't return '+' interface
+	next if $procinterfaceoptions{$option} && $interfaceref->{physwild}; # Ignore /proc options on wildcard interface

 	my $optionsref = $interfaceref->{options};
 	if ( $nonzero ) {
@@ -1827,35 +1891,6 @@ sub find_interfaces_by_option( $;$ ) {
    \@ints;
 }

-#
-# Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
-#
-# - All entries in %interfaces are searched.
-# - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
-#
-sub find_interfaces_by_option1( $ ) {
-    my $option = $_[0];
-    my @ints = ();
-    my $wild = 0;
-
-    for my $interface ( @interfaces ) {
-	my $interfaceref = $interfaces{$interface};
-
-	next unless defined $interfaceref->{physical};
-
-	my $optionsref = $interfaceref->{options};
-
-	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= $interfaceref->{wildcard};
-	    push @ints , $interface
-	}
-    }
-
-    return unless defined wantarray;
-
-    wantarray ? ( \@ints, $wild ) : \@ints;
-}
-
 #
 # Return the value of an option for an interface
 #
@@ -1986,6 +2021,7 @@ sub verify_required_interfaces( $ ) {

 	emit( "esac\n" );

+	$returnvalue = 1;
    }

    $interfaces = find_interfaces_by_option( 'required' );
@@ -1995,7 +2031,7 @@ sub verify_required_interfaces( $ ) {
 	if ( $generate_case ) {
 	    emit( 'case "$COMMAND" in' );
 	    push_indent;
-	    emit( 'start|reload|restore|refresh)' );
+	    emit( 'start|reload|restore)' );
 	    push_indent;
 	}

@@ -2031,7 +2067,7 @@ sub verify_required_interfaces( $ ) {
 	    emit( ';;' );
 	    pop_indent;
 	    pop_indent;
-	    emit( 'esac' );
+	    emit( "esac\n" );
 	}

 	$returnvalue = 1;
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -32,7 +32,6 @@
 #         --directory=<directory>     # Directory where configuration resides (default is /etc/shorewall)
 #         --timestamp                 # Timestamp all progress messages
 #         --debug                     # Print stack trace on warnings and fatal error.
-#         --refresh=<chainlist>       # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
@@ -40,7 +39,6 @@
 #         --shorewallrc=<path>        # Path to global shorewallrc file.
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
-#         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
 #    If the <filename> is omitted, then a 'check' operation is performed.
@@ -64,7 +62,6 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --timestamp ]
    [ --debug ]
    [ --confess ]
-    [ --refresh=<chainlist> ]
    [ --log=<filename> ]
    [ --log-verbose={-1|0-2} ]
    [ --test ]
@@ -75,7 +72,6 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --shorewallrc=<pathname> ]
    [ --shorewallrc1=<pathname> ]
    [ --config_path=<path-list> ]
-    [ --inline ]
 _EOF_

 exit shift @_;
@@ -90,7 +86,6 @@ my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
 my $confess       = 0;
-my $chains        = ':none:';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;
@@ -102,7 +97,6 @@ my $update        = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
 my $shorewallrc1  = '';
-my $inline        = 0;

 Getopt::Long::Configure ('bundling');

@@ -117,8 +111,6 @@ my $result = GetOptions('h'               => \$help,
 			'timestamp'       => \$timestamp,
 			't'               => \$timestamp,
 		        'debug'           => \$debug,
-			'r=s'             => \$chains,
-			'refresh=s'       => \$chains,
 			'log=s'           => \$log,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
@@ -132,7 +124,6 @@ my $result = GetOptions('h'               => \$help,
 			'annotate'        => \$annotate,
 			'u'               => \$update,
 			'update'          => \$update,
-			'inline'          => \$inline,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -147,7 +138,6 @@ compiler( script          => $ARGV[0] || '',
 	  timestamp       => $timestamp,
 	  debug           => $debug,
 	  export          => $export,
-	  chains          => $chains,
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
@@ -159,5 +149,4 @@ compiler( script          => $ARGV[0] || '',
 	  config_path     => $config_path,
 	  shorewallrc     => $shorewallrc,
 	  shorewallrc1    => $shorewallrc1,
-	  inline          => $inline,
 	);
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -1,4 +1,4 @@
-#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -369,7 +369,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 delete_default_routes() # $1 = table number
 {
    $IP -$g_family route ls table $1 | grep -F default | grep -vF metric | while read route; do
-	qt $IP -$g_family route del $route
+	qt $IP -$g_family route del $route table $1
    done
 } 

@@ -421,7 +421,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 conditionally_flush_conntrack() {

    if [ -n "$g_purge" ]; then
-	if [ -n $(mywhich conntrack) ]; then
+	if [ -n "$(mywhich conntrack)" ]; then
            conntrack -F
 	else
            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
@@ -899,7 +899,7 @@ detect_dynamic_gateway() { # $1 = interface
 #
 # Detect the gateway through an interface
 #
-detect_gateway() # $1 = interface
+detect_gateway() # $1 = interface $2 = table number
 {
    local interface
    interface=$1
@@ -912,6 +912,8 @@ detect_gateway() # $1 = interface
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
+
+    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
@@ -1063,8 +1065,6 @@ clear_firewall() {
    run_iptables -F
    qt $IPTABLES -t raw -F

-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
    if [ -n "$DISABLE_IPV6" ]; then
 	if [ -x $IP6TABLES ]; then
    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
@@ -1373,8 +1373,6 @@ clear_firewall() {
    run_iptables -F
    qt $IP6TABLES -t raw -F

-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
    run_clear_exit

    set_state "Cleared"
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -1,5 +1,23 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
+#
+#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#
+#	This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#	Free Software Foundation, either version 2 of the license or, at your
+#	option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
 ###############################################################################
 #
 # Give Usage Information
@@ -78,11 +96,13 @@ reload_command() {
    detect_configuration
    define_firewall
    status=$?
-    if [ -n "$SUBSYSLOCK" ]; then
- 	[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-    fi

-    [ $status -eq 0 ] && progress_message3 "done."
+    if [ $status -eq 0 ]; then
+	[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+	progress_message3 "done."
+    else
+	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+    fi
 }

 ################################################################################
@@ -127,8 +147,10 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
+g_dockeringress=
 g_dockernetwork=
 g_forcereload=
+g_fallback=

 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=

@@ -264,8 +286,10 @@ case "$COMMAND" in
 	    error_message "$g_product is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
-	    $g_tool -Z
-	    $g_tool -t mangle -Z
+	    for table in raw mangle nat filter; do
+		qt $g_tool -t $table -Z
+	    done
+
 	    date > ${VARDIR}/restarted
 	    status=0
 	    progress_message3 "$g_product Counters Reset"
@@ -349,6 +373,7 @@ case "$COMMAND" in
    clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
+	detect_configuration
 	clear_firewall
 	status=0
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -418,9 +443,12 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
+	    COMMAND=disable
 	    detect_configuration $1
-	    COMMAND=enable  disable_provider $1 Yes
-	    COMMAND=disable enable_provider  $1 Yes
+	    disable_provider $1 Yes
+	    COMMAND=enable
+	    detect_configuration $1
+	    enable_provider  $1 Yes
 	fi
 	mutex_off
 	status=0
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -45,6 +45,8 @@ LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

+LOG_ZONE=Both
+
 LOGALLNEW=

 LOGFILE=/var/log/messages
@@ -77,7 +79,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -183,8 +185,6 @@ IGNOREUNKNOWNVARIABLES=No

 IMPLICIT_CONTINUE=No

-INLINE_MATCHES=Yes
-
 IPSET_WARNINGS=Yes

 IP_FORWARDING=On
@@ -199,14 +199,10 @@ MACLIST_TTL=

 MANGLE_ENABLED=Yes

-MAPOLDACTIONS=No
-
 MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -221,6 +217,8 @@ PERL_HASH_SEED=0

 REJECT_ACTION=

+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=Yes

 RESTART=restart
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,4 +14,4 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
+net     NET_IF          dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=eth0
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -56,6 +56,8 @@ LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

+LOG_ZONE=Both
+
 LOGALLNEW=

 LOGFILE=/var/log/messages
@@ -88,7 +90,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -194,8 +196,6 @@ IGNOREUNKNOWNVARIABLES=No

 IMPLICIT_CONTINUE=No

-INLINE_MATCHES=Yes
-
 IPSET_WARNINGS=Yes

 IP_FORWARDING=Off
@@ -210,14 +210,10 @@ MACLIST_TTL=

 MANGLE_ENABLED=Yes

-MAPOLDACTIONS=No
-
 MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -232,6 +228,8 @@ PERL_HASH_SEED=0

 REJECT_ACTION=

+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No

 RESTART=restart
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,6 +14,6 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
-loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
-dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
+net     NET_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
+dmz     DMZ_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth2
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -53,6 +53,8 @@ LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

+LOG_ZONE=Both
+
 LOGALLNEW=

 LOGFILE=/var/log/messages
@@ -85,7 +87,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -191,8 +193,6 @@ IGNOREUNKNOWNVARIABLES=No

 IMPLICIT_CONTINUE=No

-INLINE_MATCHES=Yes
-
 IPSET_WARNINGS=Yes

 IP_FORWARDING=On
@@ -207,14 +207,10 @@ MACLIST_TTL=

 MANGLE_ENABLED=Yes

-MAPOLDACTIONS=No
-
 MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -229,6 +225,8 @@ PERL_HASH_SEED=0

 REJECT_ACTION=

+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No

 RESTART=restart
--- a/Shorewall/Samples/three-interfaces/snat
+++ b/Shorewall/Samples/three-interfaces/snat
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		eth0
+			192.168.0.0/16		NET_IF
--- a/Shorewall/Samples/three-interfaces/stoppedrules
+++ b/Shorewall/Samples/three-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012-2015 by the Shorewall Team
+# Copyright (C) 2012-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,8 +13,8 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		eth1		-
-ACCEPT		-		eth1
-ACCEPT		eth2		-
-ACCEPT		-		eth2
+ACCEPT		LOC_IF		-
+ACCEPT		-		LOC_IF
+ACCEPT		DMZ_IF		-
+ACCEPT		-		DMZ_IF

--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,5 +14,5 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
-loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
+net     NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -56,6 +56,8 @@ LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

+LOG_ZONE=Both
+
 LOGALLNEW=

 LOGFILE=/var/log/messages
@@ -88,7 +90,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -194,8 +196,6 @@ IGNOREUNKNOWNVARIABLES=No

 IMPLICIT_CONTINUE=No

-INLINE_MATCHES=Yes
-
 IPSET_WARNINGS=Yes

 IP_FORWARDING=On
@@ -210,14 +210,10 @@ MACLIST_TTL=

 MANGLE_ENABLED=Yes

-MAPOLDACTIONS=No
-
 MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No

-MODULE_SUFFIX="ko ko.xz"
-
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -232,6 +228,8 @@ PERL_HASH_SEED=0

 REJECT_ACTION=

+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No

 RESTART=restart
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		eth0
+			192.168.0.0/16		NET_IF
--- a/Shorewall/Samples/two-interfaces/stoppedrules
+++ b/Shorewall/Samples/two-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012-2015 by the Shorewall Team
+# Copyright (C) 2012-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,5 +13,5 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		eth1		-
-ACCEPT		-		eth1
+ACCEPT		LOC_IF		-
+ACCEPT		-		LOC_IF
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,11 +8,8 @@
 #
 ###############################################################################
 #ACTION
-A_AllowICMPs inline		# Audited version of AllowICMPs
-A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
-A_Reject			# Audited Default action for REJECT policy
 AllowICMPs   inline		# Allow Required ICMP packets
 allowBcast   inline		# Silently Allow Broadcast
 allowinUPnP  inline		# Allow UPnP inbound (to firewall) traffic
@@ -21,35 +18,44 @@ allowMcast   inline		# Silently Allow Multicast
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
+?if __ADDRTYPE
+Broadcast    inline,audit	# Handles Broadcast/Anycast
+?else
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
-DNSAmp				# Matches one-question recursive DNS queries
-Drop				# Default Action for DROP policy (deprecated)
+?endif
+DNSAmp	     proto=17		# Matches one-question recursive DNS queries
 dropBcast    inline		# Silently Drop Broadcast
-dropBcasts    inline		# Silently Drop Broadcast
+dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
-dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
-DropDNSrep   inline		# Drops DNS replies
+dropNotSyn   noinline,proto=6	# Silently Drop Non-syn TCP packets
+DropDNSrep   inline,proto=17	# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
-FIN	     inline,audit	# Handles ACK,FIN,PSH packets
+FIN	     inline,audit,\	# Handles ACK,FIN packets
+	     proto=6
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
 Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 	     state=INVALID	#
 Limit	     noinline		# Limit the rate of connections from each individual IP address
+?if __ADDRTYPE
+Multicast    inline,audit	# Handles Multicast
+?else
 Multicast    noinline,audit	# Handles Multicast
+?endif
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
-rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
-Reject				# Default Action for REJECT policy (deprecated)
+NotSyn	     inline,audit,\	# Handles TCP packets which do not have SYN=1 and ACK=0
+	     proto=6
+rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit	# Handle packets with RST set
+RST	     inline,audit,\	# Handle packets with RST set
+	     proto=6
 SetEvent     inline		# Initialize an event
-TCPFlags			# Handle bad flag combinations.
+TCPFlags     proto=6		# Handle bad flag combinations.
 Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
 	     state=UNTRACKED	#
--- a/Shorewall/configfiles/disabled
+++ b/Shorewall/configfiles/disabled
@@ -0,0 +1,12 @@
+#
+# Shorewall -- /etc/shorewall/disabled
+#
+# Add commands below that you want executed when an optional
+# interface is successfully disabled using the 'disable' command
+#
+# When the commands are invoked:
+#
+#  $1 contains the physical name of the interface
+#  $2 contains the logical name of the interface
+#  $3 contains the name of the provider associated with the interface,
+      if any
--- a/Shorewall/configfiles/enabled
+++ b/Shorewall/configfiles/enabled
@@ -0,0 +1,12 @@
+#
+# Shorewall -- /etc/shorewall/enabled
+#
+# Add commands below that you want executed when an optional
+# interface is successfully enabled using the 'enable' command
+#
+# When the commands are invoked:
+#
+#  $1 contains the physical name of the interface
+#  $2 contains the logical name of the interface
+#  $3 contains the name of the provider associated with the interface,
+      if any
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -1,10 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/masq
-#
-# For information about entries in this file, type "man shorewall-masq"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-masq.html
-#
-###################################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -45,6 +45,8 @@ LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

+LOG_ZONE=Both
+
 LOGALLNEW=

 LOGFILE=/var/log/messages
@@ -77,7 +79,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

@@ -183,8 +185,6 @@ IGNOREUNKNOWNVARIABLES=No

 IMPLICIT_CONTINUE=No

-INLINE_MATCHES=No
-
 IPSET_WARNINGS=Yes

 IP_FORWARDING=Keep
@@ -199,14 +199,10 @@ MACLIST_TTL=

 MANGLE_ENABLED=Yes

-MAPOLDACTIONS=No
-
 MARK_IN_FORWARD_CHAIN=No

 MINIUPNPD=No

-MODULE_SUFFIX=ko
-
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -221,6 +217,8 @@ PERL_HASH_SEED=0

 REJECT_ACTION=

+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No

 RESTART=restart
@@ -243,7 +241,7 @@ TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-TRACK_PROVIDERS=No
+TRACK_PROVIDERS=Yes

 TRACK_RULES=No

--- a/Shorewall/configpath
+++ b/Shorewall/configpath
@@ -3,4 +3,4 @@
 #
 # /usr/share/shorewall/configpath
 #
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.cli-std.
+# Shorewall 5.2 -- /usr/share/shorewall/lib.cli-std
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -47,11 +47,10 @@ get_config() {
 	fi
    fi

-    if [ "$(id -u)" -eq 0 ]; then
-	config=$(find_file ${PRODUCT}.conf)
-    else
-	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
+    if [ -n "$g_shorewalldir" ]; then
 	config="$g_shorewalldir/$PRODUCT.conf"
+    else
+	config=$(find_file ${PRODUCT}.conf)
    fi

    if [ -f $config ]; then
@@ -211,30 +210,35 @@ get_config() {
 	LOG_VERBOSITY=-1
    fi

-    if [ -n "$SHOREWALL_SHELL" -a -z "$g_export" ]; then
-	if [ ! -x "$SHOREWALL_SHELL" ]; then
-	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
-	    SHOREWALL_SHELL=/bin/sh
+    if [ -z "${g_export}${g_test}" ]; then
+	if [ -n "$SHOREWALL_SHELL" ]; then
+	    if [ ! -x "$SHOREWALL_SHELL" ]; then
+		echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
+		SHOREWALL_SHELL=/bin/sh
+	    fi
 	fi
-    fi

-    if [ -n "$IP" ]; then
-	case "$IP" in
-	    */*)
-		if [ ! -x "$IP" ] ; then
-		    fatal_error "The program specified in IP ($IP) does not exist or is not executable"
-		fi
-		;;
-	    *)
-		prog="$(mywhich $IP 2> /dev/null)"
-		if [ -z "$prog" ] ; then
-		    fatal_error "Can't find $IP executable"
-		fi
-		IP=$prog
-		;;
-	esac
+	if [ -n "$IP" ]; then
+	    case "$IP" in
+		*/*)
+		    if [ ! -x "$IP" ] ; then
+			fatal_error "The program specified in IP ($IP) does not exist or is not executable"
+		    fi
+		    ;;
+		*)
+		    prog="$(mywhich $IP 2> /dev/null)"
+		    if [ -z "$prog" ] ; then
+			fatal_error "Can't find $IP executable"
+		    fi
+		    IP=$prog
+		    ;;
+	    esac
+	else
+	    IP='ip'
+	fi
    else
-	IP='ip'
+	[ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh
+	[ -n "$IP" ]              || IP='ip'
    fi

    case $VERBOSITY in
@@ -277,10 +281,18 @@ get_config() {

    case $AUTOMAKE in
 	Yes|yes)
+	    AUTOMAKE=1
 	    ;;
 	No|no)
 	    AUTOMAKE=
 	    ;;
+	[1-9])
+	    ;;
+	[1-9][0-9])
+	    ;;
+	[Rr]ecursive)
+	    AUTOMAKE=recursive
+	    ;;
 	*)
 	    if [ -n "$AUTOMAKE" ]; then
 		fatal_error "Invalid AUTOMAKE setting ($AUTOMAKE)"
@@ -337,8 +349,12 @@ get_config() {
 	fi
    fi

-    if [ -n "$DYNAMIC_BLACKLIST" ]; then
-	setup_dbl
+    if [ -n "$DYNAMIC_BLACKLIST" -a "$(id -u)" = 0 ]; then
+	case $COMMAND in
+	    blacklist|allow|drop|logdrop|reject)
+		setup_dbl
+		;;
+	esac
    fi

    if [ -z "$PERL_HASH_SEED" ]; then
@@ -358,6 +374,17 @@ get_config() {
    [ -f $lib ] && . $lib
 }

+#
+# Ensure that the effective UID is 0 or that we are dealing with a private configuration
+#
+ensure_root() {
+    if [ $(id -u) -ne 0 ]; then
+	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
+	    startup_error "Ordinary users may not $COMMAND the default $PRODUCT configuration"
+	fi
+    fi
+}
+
 #
 # Determine if there are config files newer than the passed object
 #
@@ -365,20 +392,35 @@ uptodate() {
    [ -x $1 ] || return 1

    local dir
-    local ifs
+    local busybox
+    local find

-    ifs="$IFS"
-    IFS=':'
+    find=$(mywhich find)

-    for dir in $g_shorewalldir $CONFIG_PATH; do
-	if [ -n "$(find ${dir} -newer $1)" ]; then
-	    IFS="$ifs"
+    [ -n "${find}" ] || return 1
+    [ -h "${find}" ] && busybox=Yes
+
+    for dir in $g_shorewalldir $(split $CONFIG_PATH); do
+	if [ -n "${busybox}" ]; then
+	    #
+	    # Busybox 'find' doesn't support -quit.
+	    #
+	    if [ $AUTOMAKE = recursive ]; then
+		if [ -n "$(${find} ${dir} -newer $1 -print)" ]; then
+		    return 1;
+		fi
+	    elif  [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print)" ]; then
+		return 1;
+	    fi
+	elif [ $AUTOMAKE = recursive ]; then
+	    if [ -n "$(${find} ${dir} -newer $1 -print -quit)" ]; then
+		return 1;
+	    fi
+	elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print -quit)" ]; then
 	    return 1;
 	fi
    done

-    IFS="$ifs"
-
    return 0
 }

@@ -408,11 +450,7 @@ compiler() {

    pc=${LIBEXECDIR}/shorewall/compiler.pl

-    if [ $(id -u) -ne 0 ]; then
-	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then
-	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration"
-	fi
-    fi
+    ensure_root
    #
    # We've now set g_shorewalldir so recalculate CONFIG_PATH
    #
@@ -423,7 +461,7 @@ compiler() {
    get_config Yes

    case $COMMAND in
-	*start|try|refresh|reload|restart|safe-*)
+	*start|try|reload|restart|safe-*)
 	    ;;
 	*)
 	    STARTUP_LOG=
@@ -465,11 +503,9 @@ compiler() {
    [ -n "$g_test" ]           && options="$options --test"
    [ -n "$g_preview" ]        && options="$options --preview"
    [ "$g_debugging" = trace ] && options="$options --debug"
-    [ -n "$g_refreshchains" ]  && options="$options --refresh=$g_refreshchains"
    [ -n "$g_confess" ]        && options="$options --confess"
    [ -n "$g_update" ]         && options="$options --update"
    [ -n "$g_annotate" ]       && options="$options --annotate"
-    [ -n "$g_inline" ]         && options="$options --inline"

    if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -574,10 +610,6 @@ start_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
@@ -619,24 +651,24 @@ start_command() {
    esac

    if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if ! uptodate ${VARDIR}/firewall; then
+	if ! uptodate $g_firewall; then
 	    g_fast=
 	    AUTOMAKE=
 	fi
    fi

    if [ -n "$AUTOMAKE" ]; then
-	[ -n "$nolock" ] || mutex_on
-	run_it ${VARDIR}/firewall $g_debugging start
+	[ -n "$g_nolock" ] || mutex_on
+	run_it $g_firewall $g_debugging start
 	rc=$?
-	[ -n "$nolock" ] || mutex_off
+	[ -n "$g_nolock" ] || mutex_off
    else
 	g_file="${VARDIR}/.start"
-	if compiler $g_debugging $nolock compile "$g_file"; then
-	    [ -n "$nolock" ] || mutex_on
+	if compiler $g_debugging $g_nolock compile "$g_file"; then
+	    [ -n "$g_nolock" ] || mutex_on
 	    run_it ${VARDIR}/.start $g_debugging start
 	    rc=$?
-	    [ -n "$nolock" ] || mutex_off
+	    [ -n "$g_nolock" ] || mutex_off
 	else
 	    rc=$?
 	    mylogger kern.err "ERROR:$g_product start failed"
@@ -688,10 +720,6 @@ compile_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			-)
 			    finished=1
 			    option=
@@ -712,7 +740,7 @@ compile_command() {

    case $# in
 	0)
-	    [ -n "$g_export" ] && g_file=firewall || g_file=${VARDIR}/firewall
+	    [ -n "$g_export" ] && g_file=firewall || g_file=$g_firewall
 	    ;;
 	1)
 	    g_file=$1
@@ -770,6 +798,10 @@ check_command() {
 			    g_profile=Yes
 			    option=${option#p}
 			    ;;
+			t*)
+			    g_test=Yes
+			    option=${option#t}
+			    ;;
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -782,10 +814,6 @@ check_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -822,7 +850,7 @@ check_command() {

    g_doing="Checking"

-    compiler $g_debugging $nolock check
+    compiler $g_debugging $g_nolock check
 }

 #
@@ -854,6 +882,10 @@ update_command() {
 			    g_profile=Yes
 			    option=${option#p}
 			    ;;
+			t*)
+			    g_test=Yes
+			    option=${option#t}
+			    ;;
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -866,16 +898,11 @@ update_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			a*)
 			    g_annotate=Yes
 			    option=${option#a}
 			    ;;
 			A*)
-			    g_inline=Yes
 			    option=${option#A}
 			    ;;
 			*)
@@ -914,7 +941,7 @@ update_command() {

    g_doing="Updating"

-    compiler $g_debugging $nolock check
+    compiler $g_debugging $g_nolock check
 }

 #
@@ -965,7 +992,6 @@ restart_command() {
 			    option=${option#T}
 			    ;;
 			i*)
-			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
@@ -1011,114 +1037,27 @@ restart_command() {
    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"

    if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then
-	uptodate ${VARDIR}/firewall && g_fast=Yes
+	uptodate $g_firewall && g_fast=Yes
    fi

    g_file="${VARDIR}/.${COMMAND}"

    if [ -z "$g_fast" ]; then
-	if compiler $g_debugging $nolock compile "$g_file"; then
-	    [ -n "$nolock" ] || mutex_on
+	if compiler $g_debugging $g_nolock compile "$g_file"; then
+	    [ -n "$g_nolock" ] || mutex_on
 	    run_it ${VARDIR}/.${COMMAND} $g_debugging ${COMMAND}
 	    rc=$?
-	    [ -n "$nolock" ] || mutex_off
+	    [ -n "$g_nolock" ] || mutex_off
 	else
 	    rc=$?
 	    mylogger kern.err "ERROR:$g_product ${COMMAND} failed"
 	fi
    else
-	[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
-	[ -n "$nolock" ] || mutex_on
-	run_it ${VARDIR}/firewall $g_debugging $COMMAND
-	rc=$?
-	[ -n "$nolock" ] || mutex_off
-    fi
-
-    return $rc
-}
-
-#
-# Refresh Command Executor
-#
-refresh_command() {
-    local finished
-    finished=0
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			d*)
-			    g_debug=Yes
-			    option=${option#d}
-			    ;;
-			n*)
-			    g_noroutes=Yes
-			    option=${option#n}
-			    ;;
-			T*)
-			    g_confess=Yes
-			    option=${option#T}
-			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
-			D)
-			    if [ $# -gt 1 ]; then
-				g_shorewalldir="$2"
-				option=
-				shift
-			    else
-				fatal_error "The -D option requires a directory name"
-			    fi
-			    ;;
-			*)
-			    option_error $option
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    if [ $# -gt 0 ]; then
-	g_refreshchains=$1
-	shift
-
-	while [ $# -gt 0 ]; do
-	    g_refreshchains="$g_refreshchains,$1"
-	    shift
-	done
-    else
-	g_refreshchains=:refresh:
-    fi
-
-    product_is_started || fatal_error "$g_product is not running"
-
-    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
-
-    g_file="${VARDIR}/.refresh"
-
-    if compiler $g_debugging $nolock compile "$g_file"; then
-	[ -n "$nolock" ] || mutex_on
-	run_it ${VARDIR}/.refresh $g_debugging refresh
-	rc=$?
-	[ -n "$nolock" ] || mutex_off
-    else
+	[ -x $g_firewall ] || fatal_error "No $g_firewall file found"
+	[ -n "$g_nolock" ] || mutex_on
+	run_it $g_firewall $g_debugging $COMMAND
 	rc=$?
+	[ -n "$g_nolock" ] || mutex_off
    fi

    return $rc
@@ -1246,7 +1185,7 @@ safe_commands() {
 	    ;;
    esac

-    [ -n "$nolock" ] || mutex_on
+    [ -n "$g_nolock" ] || mutex_on

    if run_it ${VARDIR}/.$command $g_debugging $command; then

@@ -1261,7 +1200,7 @@ safe_commands() {
 		run_it ${VARDIR}/.$command clear
 	    fi

-	    [ -n "$nolock" ] || mutex_off
+	    [ -n "$g_nolock" ] || mutex_off

 	    echo "New configuration has been rejected and the old one restored"
 	    exit 2
@@ -1269,7 +1208,7 @@ safe_commands() {

    fi

-    [ -n "$nolock" ] || mutex_off
+    [ -n "$g_nolock" ] || mutex_off
 }

 #
@@ -1359,7 +1298,7 @@ try_command() {

    g_file="${VARDIR}/.$command"

-    if ! compiler $g_debugging $nolock compile "$g_file"; then
+    if ! compiler $g_debugging $g_nolock compile "$g_file"; then
 	status=$?
 	exit $status
    fi
@@ -1379,7 +1318,7 @@ try_command() {
 	    ;;
    esac

-    [ -n "$nolock" ] || mutex_on
+    [ -n "$g_nolock" ] || mutex_on

    if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
 	sleep $timeout
@@ -1391,7 +1330,7 @@ try_command() {
 	fi
    fi

-    [ -n "$nolock" ] || mutex_off
+    [ -n "$g_nolock" ] || mutex_off

    return 0
 }
@@ -1409,10 +1348,165 @@ rcp_command() {
    eval $RCP_COMMAND
 }

+#
+# Remote-{getcaps|getrc} command executer
+#
+remote_capture() # $* = original arguments less the command.
+{
+    local verbose
+    verbose=$(make_verbose)
+    local finished
+    finished=0
+    local system
+    local getrc
+    getrc=
+    local getcaps
+    getcaps=
+    local remote_sw_dir_path
+    remote_sw_dir_path=
+    local root
+    root=root
+    local libexec
+    libexec=${LIBEXECDIR}
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			R*)
+			    getrc=Yes
+			    option=${option#R}
+			    ;;
+			c*)
+			    getcaps=Yes
+			    option=${option#c}
+			    ;;
+			r)
+			    [ $# -gt 1 ] || fatal_error "Missing Root User name"
+			    root=$2
+			    option=
+			    shift
+			    ;;
+			D)
+			    [ $# -gt 1 ] || fatal_error "Missing directory name"
+			    g_shorewalldir=$2
+			    option=
+			    shift
+			    ;;
+			p)
+			    [ $# -gt 1 ] || fatal_error "Missing directory name"
+			    remote_sw_dir_path=$2
+			    option=
+			    shift
+			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
+			*)
+			    option_error $option
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    case $# in
+	0)
+	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
+	    ;;
+	1)
+	    g_shorewalldir="."
+	    system=$1
+	    ;;
+	2)
+	    g_shorewalldir=$1
+	    system=$2
+	    ;;
+	*)
+	    too_many_arguments $3
+	    ;;
+    esac
+
+    [ -f $g_shorewalldir/${PRODUCT}.conf ] || fatal_error "Missing file: $g_shorewalldir/${PRODUCT}.conf."
+
+    g_export=Yes
+
+    ensure_config_path
+
+    get_config No
+
+    g_haveconfig=Yes
+
+    if [ -z "$system" ]; then
+        system=$FIREWALL
+        [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
+    fi
+
+    case $COMMAND in
+        remote-getrc)
+            getrc=Yes
+            ;;
+        remote-getcaps)
+            getcaps=Yes
+            ;;
+    esac
+
+    [ -n "$getcaps" ] && getrc=Yes
+
+    if [ -n "$getrc" -o ! -s $g_shorewalldir/shorewallrc ]; then
+        progress_message2 "Getting RC file on system $system..."
+
+        if [ -n "$remote_sw_dir_path" ]; then
+            if ! rsh_command "/sbin/shorewall-lite show rc $remote_sw_dir_path" > $g_shorewalldir/shorewallrc; then
+                fatal_error "Capturing RC file on system $system failed"
+            fi
+        elif ! rsh_command "/sbin/shorewall-lite show rc" > $g_shorewalldir/shorewallrc; then
+            fatal_error "Capturing RC file on system $system failed"
+        fi
+    fi
+
+    remote_sw_dir_path=
+
+    if [ -n "$getcaps" -o ! -s $g_shorewalldir/capabilities ]; then
+        if [ -f $g_shorewalldir/shorewallrc -a -s $g_shorewalldir/shorewallrc ]; then
+            . $g_shorewalldir/shorewallrc
+            libexec="$LIBEXECDIR"
+
+            [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
+
+            progress_message2 "Getting Capabilities on system $system..."
+
+            if [ $g_family -eq 4 ]; then
+                if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
+                    fatal_error "Capturing capabilities on system $system failed"
+                fi
+            elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
+                fatal_error "Capturing capabilities on system $system failed"
+            fi
+        else
+            fatal_error "$g_shorewalldir/shorewallrc is not present."
+        fi
+    fi
+}
+
 #
 # Remote-{start|reload|restart} command executor
 #
-remote_reload_command() # $* = original arguments less the command.
+remote_commands() # $* = original arguments less the command.
 {
    local verbose
    verbose=$(make_verbose)
@@ -1478,10 +1572,6 @@ remote_reload_command() # $* = original arguments less the command.
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
-			i*)
-			    g_inline=Yes
-			    option=${option#i}
-			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -1527,6 +1617,8 @@ remote_reload_command() # $* = original arguments less the command.
 	litedir="${VARDIR}-lite"
    fi

+    g_export=Yes
+
    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
 	if [ -f $g_shorewalldir/params ]; then
 	    . $g_shorewalldir/params
@@ -1548,7 +1640,7 @@ remote_reload_command() # $* = original arguments less the command.

    if [ -z "$getcaps" ]; then
 	capabilities=$(find_file capabilities)
-	[ -f $capabilities ] || getcaps=Yes
+	[ ! -f $capabilities -o ! -s $capabilities ] && getcaps=Yes
    fi

    if [ -n "$getcaps" ]; then
@@ -1556,18 +1648,16 @@ remote_reload_command() # $* = original arguments less the command.

 	progress_message "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
-	    if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
+	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
 	    fi
-	elif ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
+	elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
 	    fatal_error "Capturing capabilities on system $system failed"
 	fi
    fi

    file=$(resolve_file $g_shorewalldir/firewall)

-    g_export=Yes
-
    program=$sbindir/${PRODUCT}-lite
    #
    # Handle nonstandard remote VARDIR
@@ -1712,11 +1802,11 @@ export_command() # $* = original arguments less the command.
 }

 run_command() {
-    if [ -x ${VARDIR}/firewall ] ; then
-	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
-	run_it ${VARDIR}/firewall $g_debugging $@
+    if [ -x $g_firewall ] ; then
+	uptodate $g_firewall || echo "   WARNING: $g_firewall is not up to date" >&2
+	run_it $g_firewall $g_debugging $@
    else
-	fatal_error "${VARDIR}/firewall does not exist or is not executable"
+	fatal_error "$g_firewall does not exist or is not executable"
    fi
 }

@@ -1727,11 +1817,6 @@ compiler_command() {
 	    shift
 	    compile_command $@
 	    ;;
-	refresh)
-	    get_config Yes Yes
-	    shift
-	    refresh_command $@
-	    ;;
 	check|ck)
 	    shift
 	    check_command $@
@@ -1742,22 +1827,28 @@ compiler_command() {
 	    ;;
 	remote-start|remote-reload|remote-restart)
 	    shift
-	    remote_reload_command $@
+	    remote_commands $@
 	    ;;
 	export)
 	    shift
 	    export_command $@
 	    ;;
 	try)
+	    only_root
 	    get_config Yes
 	    shift
 	    try_command $@
 	    ;;
 	safe-reload|safe-restart|safe-start)
+	    only_root
 	    get_config Yes
 	    shift
 	    safe_commands $@
 	    ;;
+        remote-getrc|remote-getcaps)
+            shift
+            remote_capture $@
+            ;;
 	*)
 	    fatal_error "Invalid command: $COMMAND"
 	    ;;
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -791,11 +791,7 @@
    <title>See ALSO</title>

    <para><ulink
-    url="/Accounting.html">http://www.shorewall.net/Accounting.html
-    </ulink></para>
-
-    <para><ulink
-    url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
+    url="shorewall-logging.htm">shorewall-logging(5)</ulink></para>

    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -191,6 +191,27 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><option>proto</option>=<replaceable>protocol</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.10. Specifies that the action is
+                only usable with the specified
+                <replaceable>protocol</replaceable> (name or number). When the
+                action is invoked with no protocol specified in the PROTO
+                column, or if the action is used as a Policy Action, the named
+                <replaceable>protocol</replaceable> will be assumed. If a
+                protocol is specified in the PROTO column of an invocation,
+                then it must match the named
+                <replaceable>protocol</replaceable>.</para>
+
+                <para>The <option>proto</option> option has no effect if the
+                <option>inline</option> or <option>builtin</option> option is
+                specified. A warning is issued if <option>proto</option> is
+                specified along with <option>builtin</option>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><option>section</option></term>

--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -167,7 +167,7 @@
              <listitem>
                <para>queues matching packets to a back end logging daemon via
                a netlink socket then continues to the next rule. See <ulink
-                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>
              </listitem>
            </varlistentry>

@@ -258,7 +258,7 @@
          <para>You may also specify <emphasis role="bold">NFLOG</emphasis>
          (must be in upper case) as a log level.This will log to the NFLOG
          target for routing to a separate log through use of ulogd (<ulink
-          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
+          url="shorewall-logging.html">shorewall-logging.htm</ulink>).</para>

          <para>Actions specifying logging may be followed by a log tag (a
          string of alphanumeric characters) which is appended to the string
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -84,7 +84,7 @@
        role="bold">CT</emphasis>:<emphasis
        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
        role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new</emphasis><emphasis
-        role="bold">|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IPTABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
+        role="bold">|CT:notrack</emphasis>|DROP|LOG|ULOG(<replaceable>ulog-parameters</replaceable>):NFLOG(<replaceable>nflog-parameters</replaceable>)|IP[6]TABLES(<replaceable>target</replaceable>)}[<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
          <para>This column is only present when FORMAT &gt;= 2. Values other
@@ -272,9 +272,32 @@
              will also be logged at that level.</para>
            </listitem>

+            <listitem>
+              <para><option>IP6TABLES</option>(<replaceable>target</replaceable>)</para>
+
+              <para>IPv6 only.</para>
+
+              <para>Added in Shorewall 4.6.0. Allows you to specify any
+              iptables <replaceable>target</replaceable> with target options
+              (e.g., "IP6TABLES(AUDIT --type drop)"). If the target is not one
+              recognized by Shorewall, the following error message will be
+              issued:</para>
+
+              <simplelist>
+                <member>ERROR: Unknown target
+                (<replaceable>target</replaceable>)</member>
+              </simplelist>
+
+              <para>This error message may be eliminated by adding
+              <replaceable>target</replaceable> as a builtin action in <ulink
+              url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
+            </listitem>
+
            <listitem>
              <para><option>IPTABLES</option>(<replaceable>target</replaceable>)</para>

+              <para>IPv4 only.</para>
+
              <para>Added in Shorewall 4.6.0. Allows you to specify any
              iptables <replaceable>target</replaceable> with target options
              (e.g., "IPTABLES(AUDIT --type drop)"). If the target is not one
@@ -447,7 +470,7 @@

              <listitem>
                <para>This form combines the preceding two and requires that
-                both the incoming interace and source address match.</para>
+                both the incoming interface and source address match.</para>
              </listitem>
            </varlistentry>

@@ -543,7 +566,7 @@

              <listitem>
                <para>This form combines the preceding two and requires that
-                both the outgoing interace and destination address
+                both the outgoing interface and destination address
                match.</para>
              </listitem>
            </varlistentry>
@@ -579,14 +602,23 @@

        <listitem>
          <para>A protocol name from <filename>/etc/protocols</filename> or a
-          protocol number.</para>
+          protocol number. tcp and 6 may be optionally followed by <emphasis
+          role="bold">:syn </emphasis>to match only the SYN packet (first
+          packet in the three-way handshake).</para>

-          <para>Beginning with Shorewall 4.5.12, this column is labeled
-          <emphasis role="bold">PROTOS</emphasis> and can accept a
-          comma-separated list of protocols. Either <emphasis
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols and either <emphasis
          role="bold">proto</emphasis> or <emphasis
          role="bold">protos</emphasis> is accepted in the alternate input
          format.</para>
+
+          <para>Beginning with Shorewall 5.1.11, when <emphasis
+          role="bold">tcp</emphasis> or <emphasis role="bold">6</emphasis> is
+          specified and the ACTION is <emphasis role="bold">CT</emphasis>, the
+          compiler will default to <emphasis role="bold">:syn</emphasis>. If
+          you wish the rule to match packets with any valid combination of TCP
+          flags, you may specify <emphasis role="bold">tcp:all</emphasis> or
+          <emphasis role="bold">6:all</emphasis>.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -104,9 +104,7 @@ loc     eth2            -</programlisting>
          <para>You may use wildcards here by specifying a prefix followed by
          the plus sign ("+"). For example, if you want to make an entry that
          applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
-          ppp1, ppp2, … Please note that the '+' means '<emphasis
-          role="bold">one</emphasis> or more additional characters' so 'ppp'
-          does not match 'ppp+'.</para>
+          ppp1, ppp2, …</para>

          <para>When using Shorewall versions before 4.1.4, care must be
          exercised when using wildcards where there is another zone that uses
@@ -114,7 +112,10 @@ loc     eth2            -</programlisting>
          url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
          for a discussion of this problem.</para>

-          <para>Shorewall allows '+' as an interface name.</para>
+          <para>Shorewall allows '+' as an interface name, but that usage is
+          deprecated. A better approach is to specify
+          '<option>physical</option>=+' in the OPTIONS column (see
+          below).</para>

          <para>There is no need to define the loopback interface (lo) in this
          file.</para>
@@ -195,6 +196,54 @@ loc     eth2            -</programlisting>
          should have no embedded white-space.</para>

          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">accept_ra</emphasis>[={0|1|2}]</term>
+
+              <listitem>
+                <para>IPv6 only; added in Shorewall 4.5.16. Values are:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>0</term>
+
+                    <listitem>
+                      <para>Do not accept Router Advertisements.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>1</term>
+
+                    <listitem>
+                      <para>Accept Route Advertisements if forwarding is
+                      disabled.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>2</term>
+
+                    <listitem>
+                      <para>Overrule forwarding behavior. Accept Route
+                      Advertisements even if forwarding is enabled.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+
+                <para>If the option is specified without a value, then the
+                value 1 is assumed.</para>
+
+                <note>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
+                </note>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>

@@ -211,12 +260,12 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

-                <para/>
-
                <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                </note>
              </listitem>
            </varlistentry>
@@ -245,16 +294,14 @@ loc     eth2            -</programlisting>

                <para>8 - do not reply for all local addresses</para>

-                <para/>
-
                <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                </note>

-                <para/>
-
                <warning>
                  <para>Do not specify <emphasis
                  role="bold">arp_ignore</emphasis> for any interface involved
@@ -432,6 +479,25 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">forward</emphasis>[={0|1}]</term>
+
+              <listitem>
+                <para>IPv6 only Sets the
+                /proc/sys/net/ipv6/conf/interface/forwarding option to the
+                specified value. If no value is supplied, then 1 is
+                assumed.</para>
+
+                <note>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
+                </note>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">ignore[=1]</emphasis></term>

@@ -498,9 +564,11 @@ loc     eth2            -</programlisting>
                <para/>

                <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                </note>

                <blockquote>
@@ -627,7 +695,10 @@ loc     eth2            -</programlisting>

                <para>If the <emphasis>interface</emphasis> name is a wildcard
                name (ends with '+'), then the physical
-                <emphasis>name</emphasis> must also end in '+'.</para>
+                <emphasis>name</emphasis> must also end in '+'. The physical
+                <replaceable>name</replaceable> may end in '+' (or be exactly
+                '+') when the <replaceable>interface</replaceable> name is not
+                a wildcard name.</para>

                <para>If <option>physical</option> is not specified, then it's
                value defaults to the <emphasis>interface</emphasis>
@@ -649,9 +720,13 @@ loc     eth2            -</programlisting>
                url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
                </ulink></para>

-                <para><emphasis role="bold">Note</emphasis>: This option does
-                not work with a wild-card <replaceable>interface</replaceable>
-                name (e.g., eth0.+) in the INTERFACE column.</para>
+                <note>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
+                </note>

                <para>Only those interfaces with the <option>proxyarp</option>
                option will have their setting changed; the value assigned to
@@ -667,9 +742,13 @@ loc     eth2            -</programlisting>
                <para>IPv6 only. Sets
                /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>

-                <para><emphasis role="bold">Note</emphasis>: This option does
-                not work with a wild-card <replaceable>interface</replaceable>
-                name (e.g., eth0.+) in the INTERFACE column.</para>
+                <note>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
+                </note>

                <para>Only those interfaces with the <option>proxyndp</option>
                option will have their setting changed; the value assigned to
@@ -733,9 +812,11 @@ loc     eth2            -</programlisting>
                filtering.</para>

                <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                </note>

                <para>This option can also be enabled globally via the
@@ -844,9 +925,11 @@ loc     eth2            -</programlisting>
                specified (if any) or 1 if no value is given.</para>

                <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                </note>
              </listitem>
            </varlistentry>
--- a/Shorewall/manpages/shorewall-logging.xml
+++ b/Shorewall/manpages/shorewall-logging.xml
@@ -0,0 +1,385 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-logging</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>logging</refname>
+
+    <refpurpose>Shorewall logging</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command><replaceable>action</replaceable>:<replaceable>level</replaceable></command>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>NFLOG(<replaceable>nflog-parameters</replaceable>)</command>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>ULOG(<replaceable>ulog-parameters</replaceable>)</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>The disposition of packets entering a Shorewall firewall is
+    determined by one of a number of Shorewall facilities. Only some of these
+    facilities permit logging.</para>
+
+    <orderedlist>
+      <listitem>
+        <para>The packet is part of an established connection. While the
+        packet can be logged using LOG rules in the ESTABLISHED section of
+        <ulink
+        url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>, that
+        is not recommended because of the large amount of information that may
+        be logged.</para>
+      </listitem>
+
+      <listitem>
+        <para>The packet represents a connection request that is related to an
+        established connection (such as a <ulink url="FTP.html">data
+        connection associated with an FTP control connection</ulink>). These
+        packets may be logged using LOG rules in the RELATED section of <ulink
+        url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
+      </listitem>
+
+      <listitem>
+        <para>The packet is rejected because of an option in <ulink
+        url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) or <ulink
+        url="manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
+        These packets can be logged by setting the appropriate logging-related
+        option in <ulink
+        url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>.</para>
+      </listitem>
+
+      <listitem>
+        <para>The packet matches a rule in <ulink
+        url="manpages/shorewall-rules.html">shorewall-rules</ulink>(5). By
+        including a syslog level (see below) in the ACTION column of a rule
+        (e.g., <quote>ACCEPT<emphasis role="bold">:info</emphasis> net $FW tcp
+        22</quote>), the connection attempt will be logged at that
+        level.</para>
+      </listitem>
+
+      <listitem>
+        <para>The packet doesn't match a rule so it is handled by a policy
+        defined in <ulink
+        url="manpages/shorewall-policy.html">shorewall-policy(5)</ulink>.
+        These may be logged by specifying a syslog level in the LOG LEVEL
+        column of the policy's entry (e.g., <quote>loc net ACCEPT <emphasis
+        role="bold">info</emphasis></quote>).</para>
+      </listitem>
+    </orderedlist>
+  </refsect1>
+
+  <refsect1>
+    <title>Default Logging</title>
+
+    <para>By default, Shorewall directs Netfilter to log using syslog (8).
+    Syslog classifies log messages by a <emphasis>facility</emphasis> and a
+    <emphasis>priority</emphasis> (using the notation
+    <emphasis>facility.priority</emphasis>).</para>
+
+    <para>The facilities defined by syslog are <emphasis>auth, authpriv, cron,
+    daemon, kern, lpr, mail, mark, news, syslog, user, uucp</emphasis> and
+    <emphasis>local0</emphasis> through <emphasis>local7.</emphasis></para>
+
+    <para>Throughout the Shorewall documentation, the term
+    <emphasis>level</emphasis> rather than <emphasis>priority is used,
+    </emphasis>since <emphasis>level</emphasis> is the term used by Netfilter.
+    The syslog documentation uses the term
+    <emphasis>priority</emphasis>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Syslog Levels</title>
+
+    <para>Syslog levels are a method of describing to syslog (8) the
+    importance of a message. A number of Shorewall parameters have a syslog
+    level as their value.</para>
+
+    <para>Valid levels are:</para>
+
+    <simplelist>
+      <member>7 - <emphasis role="bold">debug</emphasis> (Debug-level
+      messages)</member>
+
+      <member>6 - <emphasis role="bold">info</emphasis>
+      (Informational)</member>
+
+      <member>5 - <emphasis role="bold">notice</emphasis> (Normal but
+      significant Condition)</member>
+
+      <member>4 - <emphasis role="bold">warning</emphasis> (Warning
+      Condition)</member>
+
+      <member>3 - <emphasis role="bold">err</emphasis> (Error
+      Condition)</member>
+
+      <member>2 - <emphasis role="bold">crit</emphasis> (Critical
+      Conditions)</member>
+
+      <member>1 - <emphasis role="bold">alert</emphasis> (must be handled
+      immediately)</member>
+
+      <member>0 - <emphasis role="bold">emerg</emphasis> (System is
+      unusable)</member>
+    </simplelist>
+
+    <para>For most Shorewall logging, a level of 6 (info) is appropriate.
+    Shorewall log messages are generated by Netfilter and are logged using the
+    <emphasis>kern</emphasis> facility and the level that you specify. If you
+    are unsure of the level to choose, 6 (info) is a safe bet. You may specify
+    levels by name or by number.</para>
+
+    <para>Beginning with Shorewall 4.5.5, the <replaceable>level</replaceable>
+    name or number may be optionally followed by a comma-separated list of one
+    or more<replaceable> log options</replaceable>. The list is enclosed in
+    parentheses. Log options cause additional information to be included in
+    each log message.</para>
+
+    <para>Valid log options are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ip_options</emphasis></term>
+
+        <listitem>
+          <para>Log messages will include the option settings from the IP
+          header.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">macdecode</emphasis></term>
+
+        <listitem>
+          <para>Decode the MAC address and protocol.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">tcp_sequence</emphasis></term>
+
+        <listitem>
+          <para>Include TCP sequence numbers.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">tcp_options</emphasis></term>
+
+        <listitem>
+          <para>Include options from the TCP header.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">uid</emphasis></term>
+
+        <listitem>
+          <para>Include the UID of the sending program; only valid for packets
+          originating on the firewall itself.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>Example: <emphasis
+    role="bold">info(tcp_options,tcp_sequence)</emphasis></para>
+
+    <para>Syslogd writes log messages to files (typically in <filename
+    class="directory">/var/log/</filename>*) based on their facility and
+    level. The mapping of these facility/level pairs to log files is done in
+    /etc/syslog.conf (5). If you make changes to this file, you must restart
+    syslogd before the changes can take effect.</para>
+
+    <para>Syslog may also write to your system console. See <ulink
+    url="FAQ.htm#faq16">Shorewall FAQ 16</ulink> for ways to avoid having
+    Shorewall messages written to the console.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Configuring a Separate Log for Shorewall Messages (ulogd)</title>
+
+    <para>There are a couple of limitations to syslogd-based logging:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>If you give, for example, kern.info its own log destination then
+        that destination will also receive all kernel messages of levels 5
+        (notice) through 0 (emerg).</para>
+      </listitem>
+
+      <listitem>
+        <para>All kernel.info messages will go to that destination and not
+        just those from Netfilter.</para>
+      </listitem>
+
+      <listitem>
+        <para>Netfilter (Shorewall) messages show up in
+        <command>dmesg</command>.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>If your kernel has NFLOG target support (and most vendor-supplied
+    kernels do), you may also specify a log level of NFLOG (must be all caps).
+    When NFLOG is used, Shorewall will direct Netfilter to log the related
+    messages via the NFLOG target which will send them to a process called
+    <quote>ulogd</quote>. The ulogd program is included in most
+    distributions.</para>
+
+    <note>
+      <para>The NFLOG logging mechanism is <emphasis
+      role="underline">completely separate</emphasis> from syslog. Once you
+      switch to NFLOG, the settings in <filename>/etc/syslog.conf</filename>
+      have absolutely no effect on your Shorewall logging (except for
+      Shorewall status messages which still go to syslog).</para>
+    </note>
+
+    <para>You will need to change all instances of log levels (usually
+    <quote>info</quote>) in your Shorewall configuration files to
+    <quote>NFLOG</quote> - this includes entries in the policy, rules and
+    shorewall.conf files. If you initially installed using Shorewall 5.1.2 or
+    later, you can simply change the setting of LOG_LEVEL in
+    shorewall.conf.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Understanding the Contents of Shorewall Log Messages</title>
+
+    <para>For general information on the contents of Netfilter log messages,
+    see <ulink
+    url="http://logi.cc/en/2010/07/netfilter-log-format/">http://logi.cc/en/2010/07/netfilter-log-format/</ulink>.</para>
+
+    <para>For Shorewall-specific information, see <ulink
+    url="/FAQ.htm#faq17">FAQ #17</ulink>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Customizing the Content of Shorewall Log Messages</title>
+
+    <para>In a Shorewall logging rule, the log level can be followed by a
+    <firstterm>log tag</firstterm> as in "DROP:NFLOG:junk". The generated log
+    message will include "<emphasis>chain-name</emphasis> junk DROP".</para>
+
+    <para>By setting the LOGTAGONLY option to Yes in <ulink
+    url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
+    url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
+    disposition ('DROP' in the above example) will be omitted. Consider the
+    following rule:</para>
+
+    <programlisting>#ACTION                                    SOURCE          DEST           PROTO
+REJECT(icmp-proto-unreachable):notice:IPv6 loc             net            41      # who's using IPv6 tunneling</programlisting>
+
+    <para>This rule generates the following warning at compile time:</para>
+
+    <simplelist>
+      <member>WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp-p "
+      /etc/shorewall/rules (line 212)</member>
+    </simplelist>
+
+    <para>and produces the rather ugly prefix "Shorewall:IPv6:REJECT(icmp-p
+    ".</para>
+
+    <para>Now consider this similar rule:</para>
+
+    <programlisting>#ACTION                                              SOURCE          DEST           PROTO
+REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net            41      # who's using IPv6 tunneling</programlisting>
+
+    <para>With LOGTAGONLY=Yes, no warning is generated and the prefix becomes
+    "Shorewall:IPv6:tunneling:"</para>
+
+    <para>See the <ulink url="shorewall.conf.html">shorewall[6].conf man
+    page</ulink> for further information about how LOGTAGONLY=Yes can be
+    used.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Log Backends</title>
+
+    <para>Netfilter logging allows configuration of multiple backends. Logging
+    backends provide the The low-level forward of log messages. There are
+    currently three backends:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>LOG (ipt_LOG and ip6t_LOG).</term>
+
+        <listitem>
+          <para>Normal kernel-based logging to a syslog daemon.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>ULOG (ipt_ULOG)</term>
+
+        <listitem>
+          <para>ULOG logging as described ablve. Only available for
+          IPv4.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>netlink (nfnetlink_log)</term>
+
+        <listitem>
+          <para>The logging backend behind NFLOG, defined above.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>The currently-available and currently-selected IPv4 and IPv6
+    backends are shown in /proc/sys/net/netfilter/nf_log:</para>
+
+    <programlisting>cat /proc/net/netfilter/nf_log
+ 0 NONE (nfnetlink_log)
+ 1 NONE (nfnetlink_log)
+ 2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
+ 3 NONE (nfnetlink_log)
+ 4 NONE (nfnetlink_log)
+ 5 NONE (nfnetlink_log)
+ 6 NONE (nfnetlink_log)
+ 7 NONE (nfnetlink_log)
+ 8 NONE (nfnetlink_log)
+ 9 NONE (nfnetlink_log)
+10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
+11 NONE (nfnetlink_log)
+12 NONE (nfnetlink_log)</programlisting>
+
+    <para>The magic numbers (0-12) are Linux address family numbers (AF_INET
+    is 2 and AF_INET6 is 10).</para>
+
+    <para>The name immediately following the number is the currently-selected
+    backend, and the ones in parentheses are the ones that are available. You
+    can change the currently selected backend by echoing it's name into
+    /proc/net/netfilter/nf_log.<replaceable>number</replaceable>.</para>
+
+    <para>Example - change the IPv4 backend to LOG:</para>
+
+    <programlisting>sysctl net.netfilter.nf_log.2=ipt_LOG</programlisting>
+
+    <para>Beginning with Shorewall 4.6.4, you can configure the backend using
+    the LOG_BACKEND option in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
+    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+
+    <para><ulink
+    url="/shorewall_logging.htm">http://www.shorewall.net/shorewall_logging.html</ulink></para>
+  </refsect1>
+</refentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -374,7 +374,8 @@ DIVERTHA        -               -               tcp</programlisting>

              <listitem>
                <para>Allows you to place your own ip[6]tables matches at the
-                end of the line following a semicolon (";"). If an
+                end of the line following a semicolon (";") (deprecated) or
+                two semicolons (";;") (preferred since Shoreall 5.0.0). If an
                <replaceable>action</replaceable> is specified, the compiler
                proceeds as if that <replaceable>action</replaceable> had been
                specified in this column. If no action is specified, then you
@@ -391,22 +392,10 @@ DIVERTHA        -               -               tcp</programlisting>

                <programlisting>2:P                   eth0              -         tcp 22
 INLINE(MARK(2)):P     eth0              -         tcp 22
-INLINE(MARK(2)):P     eth0              -                 ; -p tcp
-INLINE                eth0              -         tcp 22  ; -j MARK --set-mark 2
-INLINE                eth0              -                 ; -p tcp -j MARK --set-mark 2
+INLINE(MARK(2)):P     eth0              -                 ;; -p tcp
+INLINE                eth0              -         tcp 22  ;; -j MARK --set-mark 2
+INLINE                eth0              -                 ;; -p tcp -j MARK --set-mark 2
 </programlisting>
-
-                <para>If INLINE_MATCHES=Yes in <ulink
-                url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
-                then the third rule above can be specified as follows:</para>
-
-                <programlisting>MARK(2):P             eth0              -                 ; -p tcp</programlisting>
-
-                <para>Beginning with Shorewall 5.0.0, the rule may also be
-                written this way, irrespective of the setting of
-                INLINE_MATCHES:</para>
-
-                <programlisting>MARK(2):P             eth0              -                 ;; -p tcp</programlisting>
              </listitem>
            </varlistentry>

@@ -518,12 +507,39 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">IP6TABLES({<replaceable>target</replaceable>
+              [<replaceable>option</replaceable> ...])</emphasis></term>
+
+              <listitem>
+                <para>IPv6 only.</para>
+
+                <para>This action allows you to specify an iptables target
+                with options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'.
+                If the target is not one recognized by Shorewall, the
+                following error message will be issued:</para>
+
+                <simplelist>
+                  <member>ERROR: Unknown target
+                  (<replaceable>target</replaceable>)</member>
+                </simplelist>
+
+                <para>This error message may be eliminated by adding the
+                <replaceable>target</replaceable> as a builtin action in
+                <ulink
+                url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">IPTABLES({<replaceable>target</replaceable>
              [<replaceable>option</replaceable> ...])</emphasis></term>

              <listitem>
+                <para>IPv4 only.</para>
+
                <para>This action allows you to specify an iptables target
                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
                the target is not one recognized by Shorewall, the following
@@ -674,6 +690,43 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">TCPMSS</emphasis>([<replaceable>mss</replaceable>[,<replaceable>ipsec</replaceable>]])</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.9. This target only applies to
+                TCP traffic and alters the MSS value in SYN packets. It may be
+                used in the FORWARD and POSTROUTING chains; the default is
+                FORWARD.</para>
+
+                <para>The <replaceable>mss</replaceable> parameter may be
+                either <option>pmtu</option> or an integer in the range
+                500:65533. The value <option>pmtu</option> automatically
+                clamps the MSS value to (path_MTU - 40 for IPv4; -60 for
+                IPv6). This may not function as desired where asymmetric
+                routes with differing path MTU exist — the kernel uses the
+                path MTU which it would use to send packets from itself to the
+                source and destination IP addresses. Prior to Linux 2.6.25,
+                only the path MTU to the destination IP address was considered
+                by this option; subsequent kernels also consider the path MTU
+                to the source IP address. If an integer is given, the MSS
+                option is set to the specified value. If the MSS of the packet
+                is already lower than <replaceable>mss</replaceable>, it will
+                not be increased (from Linux 2.6.25 onwards) to avoid more
+                problems with hosts relying on a proper MSS. If
+                <replaceable>mss</replaceable> is omitted,
+                <option>pmtu</option> is assumed.</para>
+
+                <para>The <replaceable>ipsec</replaceable> parameter
+                determines whether the rule applies to IPSEC traffic
+                (<option>ipsec</option> is passed), non-IPSEC traffic
+                (<option>none</option> is passed) or both
+                (<option>all</option> is passed). If omitted,
+                <option>all</option> is assumed.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</term>
@@ -710,7 +763,7 @@ Normal-Service       =&gt; 0x00</programlisting>

            <varlistentry>
              <term><emphasis
-              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])</term>
+              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>[,<replaceable>address</replaceable>]])</term>

              <listitem>
                <para>Transparently redirects a packet without altering the IP
--- a/Show More
+++ b/Show More