Correct multiple fallback providers

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Don't generate multihop routes unnecessarily
2017-06-23 07:55:17 -07:00 · 2017-06-18 09:30:51 -07:00 · 2017-06-12 07:44:34 -07:00 · 2017-06-09 08:49:17 -07:00
130 changed files with 17905 additions and 3151 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -190,7 +190,7 @@ for p in ${!params[@]}; do
 done

 echo '#'                                                                 > shorewallrc
-echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc
+echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
 echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc

--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -173,12 +173,7 @@ my $outfile;

 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";

-if ( $ENV{SOURCE_DATE_EPOCH} ) {
-    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date  --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`;
-} else {
-    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
-}
-
+printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
 print $outfile "# rc file: $rcfilename\n#\n";

 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=50106
+SHOREWALL_CAPVERSION=50100

 if [ -z "$g_basedir" ]; then
    #
@@ -2803,8 +2803,6 @@ determine_capabilities() {
    WAIT_OPTION=
    CPU_FANOUT=
    NETMAP_TARGET=
-    NFLOG_SIZE=
-    RESTORE_WAIT_OPTION=

    AMANDA_HELPER=
    FTP_HELPER=
@@ -2828,11 +2826,9 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
    fi

-    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
-
    if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	g_tool="$g_tool --wait"
+	tool="$tool --wait"
    fi

    chain=fooX$$
@@ -3140,13 +3136,10 @@ determine_capabilities() {
    qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
    qt $g_tool -A $chain -j LOG || LOG_TARGET=
    qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
+    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
    qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
-    if qt $g_tool -A $chain -j NFLOG; then
-	NFLOG_TARGET=Yes
-	qt $g_tool -A $chain -j NFLOG --nflog-size 64 && NFLOG_SIZE=Yes
-    fi

    if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -3302,11 +3295,9 @@ report_capabilities_unsorted() {
    if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
-	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
-	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    fi

    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3314,7 +3305,6 @@ report_capabilities_unsorted() {
    report_capability "CT Target (CT_TARGET)" $CT_TARGET
    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
-    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE

    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3421,8 +3411,6 @@ report_capabilities_unsorted1() {
    report_capability1 WAIT_OPTION
    report_capability1 CPU_FANOUT
    report_capability1 NETMAP_TARGET
-    report_capability1 NFLOG_SIZE
-    report_capability1 RESTORE_WAIT_OPTION

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -269,48 +269,53 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
    local modulename
    modulename=$1
-    shift
-    local moduleoptions
-    moduleoptions=$*
    local modulefile
    local suffix

    if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
-		case $moduleloader in
-		    insmod)
-			for directory in $moduledirectories; do
-			    for modulefile in $directory/${modulename}.*; do
-				if [ -f $modulefile ]; then
-				    insmod $modulefile $moduleoptions
-				    return
-				fi
-			    done
-			done
-			;;
-		    *)
-			modprobe -q $modulename $moduleoptions
-			;;
-		esac
-	    fi
-	fi
-    elif ! list_search $modulename $DONT_LOAD $MODULES; then
-	case $moduleloader in
-	    insmod)
-		for directory in $moduledirectories; do
-		    for modulefile in $directory/${modulename}.*; do
+		shift
+
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}
+
 			if [ -f $modulefile ]; then
-			    insmod $modulefile $moduleoptions
-			    return
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
 			fi
 		    done
 		done
-		;;
-	    *)
-		modprobe -q $modulename $moduleoptions
-		;;
-	esac
+	    fi
+	fi
+    elif ! list_search $modulename $DONT_LOAD $MODULES; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
    fi
 }

@@ -333,6 +338,8 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi

+    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
+
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -387,6 +394,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi

+    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
+
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -3173,8 +3173,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/</para>
-
-    <para>/etc/shorewall6/</para>
  </refsect1>

  <refsect1>
@@ -3184,17 +3182,13 @@
    url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>

    <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
-    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-mangle(5),
-    shorewall-masq(5), shorewall-modules(5), shorewall-nat(5),
-    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall6-proxyndp(5), shorewall-routes(5), shorewall-rtrules(5),
-    shorewall-rtrules(5), shorewall-rules(5), shorewall-secmarks(5),
-    shorewall-snat(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcfilters(5), shorewall-tcinterfaces(5), shorewall-tcpri(5),
-    shorewall-tunnels(5), shorewall-vardir(5), shorewall-zones(5)</para>
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,6 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
+#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall/Actions/action.FIN
+++ b/Shorewall/Actions/action.FIN
@@ -1,33 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.FIN
-#
-# FIN Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# FIN[([<action>])]
-#
-# Default action is ACCEPT
-#
-###############################################################################
-
-DEFAULTS ACCEPT,-
-
-@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH
--- a/Shorewall/Actions/action.dropBcasts
+++ b/Shorewall/Actions/action.dropBcasts
@@ -1,39 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropBcasts
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropBcasts[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Broadcast(A_DROP)
-    ?else
-	?error "Invalid argument (@1) to dropBcasts"
-    ?endif
-?else
-    Broadcast(DROP)
-?endif
-
--- a/Shorewall/Macros/macro.RDP
+++ b/Shorewall/Macros/macro.RDP
@@ -6,5 +6,4 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

-PARAM	-	-	udp	3389
 PARAM	-	-	tcp	3389
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -195,7 +195,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';

-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT_SECTION;
+    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;

    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
    my $prerule = '';
@@ -266,7 +266,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    if ( $source eq 'any' || $source eq 'all' ) {
        $source = ALLIP;
    } else {
-	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT_SECTION || ! $asection );
+	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
    }

    if ( have_bridges && ! $asection ) {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -32,7 +32,6 @@ require Exporter;
 use Scalar::Util 'reftype';
 use Digest::SHA qw(sha1_hex);
 use File::Basename;
-use Socket;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
@@ -138,12 +137,6 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE

-				       validate_port
-				       validate_portpair
-				       validate_portpair1
-				       validate_port_list
-				       expand_port_range
-
 				       PREROUTING
 				       INPUT
 				       FORWARD
@@ -516,7 +509,6 @@ our $idiotcount1;
 our $hashlimitset;
 our $global_variables;
 our %address_variables;
-our %port_variables;
 our $ipset_rules;

 #
@@ -792,7 +784,6 @@ sub initialize( $$$ ) {
    %interfaceacasts    = ();
    %interfacegateways  = ();
    %address_variables  = ();
-    %port_variables     = ();

    $global_variables   = 0;
    $idiotcount         = 0;
@@ -828,211 +819,6 @@ sub initialize( $$$ ) {
    #
 }

-sub record_runtime_port( $ ) {
-    my ( $variable ) = @_;
-
-    if ( $variable =~ /^{([a-zA-Z_]\w*)}$/ ) {
-	fatal_error "Variable %variable is already used as an address variable" if $address_variables{$1};
-	$port_variables{$1} = 1;
-    } else {
-	fatal_error( "Invalid port variable (%$variable)" );
-    }
-
-    "\$$variable";
-}
-
-################################################################################
-# Functions moved from IPAddrs.pm in 5.1.5				       #
-################################################################################
-
-sub validate_port( $$ ) {
-    my ($proto, $port) = @_;
-
-    my $value;
-
-    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
-	$value = numeric_value $port;
-
-	if ( defined $value ) {
-	    if ( $value && $value <= 65535 ) {
-		return $value;
-	    } else {
-		$value = undef;
-	    }
-	}
-    } elsif ( $port =~ /^%(.*)/ ) {
-	$value = record_runtime_port( $1 );
-    } else {
-	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
-	$value = getservbyname( $port, $proto );
-    }
-
-    return $value if defined $value;
-
-    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
-
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
-}
-
-sub validate_portpair( $$ ) {
-    my ($proto, $portpair) = @_;
-    my $what;
-    my $pair = $portpair;
-    #
-    # Accept '-' as a port-range separator
-    #
-    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
-
-    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
-
-    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
-    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
-
-    my @ports = split /:/, $pair, 2;
-
-    my $protonum = resolve_proto( $proto ) || 0;
-
-    $_ = validate_port( $protonum, $_) for grep $_, @ports;
-
-    if ( @ports == 2 ) {
-	$what = 'port range';
-
-	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
-	    fatal_error "Invalid port range ($_[1])" unless $ports[0] < $ports[1];
-	}
-    } else {
-	$what = 'port';
-    }
-
-    fatal_error "Using a $what ( $_[1] ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP     ||
-			       $protonum == UDP     ||
-			       $protonum == UDPLITE ||
-			       $protonum == SCTP    ||
-			       $protonum == DCCP );
-    join ':', @ports;
-
-}
-
-sub validate_portpair1( $$ ) {
-    my ($proto, $portpair) = @_;
-    my $what;
-
-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
-
-    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
-
-    my @ports = split /-/, $portpair, 2;
-
-    my $protonum = resolve_proto( $proto ) || 0;
-
-    $_ = validate_port( $protonum, $_) for grep $_, @ports;
-
-    if ( @ports == 2 ) {
-	$what = 'port range';
-
-	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
-	    fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
-	}
-    } else {
-	$what = 'port';
-	fatal_error 'Invalid port number (0)' unless $portpair;
-    }
-
-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP  ||
-			       $protonum == UDP  ||
-			       $protonum == SCTP ||
-			       $protonum == DCCP );
-    join '-', @ports;
-
-}
-
-sub validate_port_list( $$ ) {
-    my $result = '';
-    my ( $proto, $list ) = @_;
-    my @list   = split_list( $list, 'port' );
-
-    if ( @list > 1 && $list =~ /[:-]/ ) {
-	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
-    }
-
-    $proto = proto_name $proto;
-
-    for ( @list ) {
-	my $value = validate_portpair( $proto , $_ );
-	$result = $result ? join ',', $result, $value : $value;
-    }
-
-    $result;
-}
-
-#
-# Expands a port range into a minimal list of ( port, mask ) pairs.
-# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
-#
-# Example:
-#
-#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
-#       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
-#
-sub expand_port_range( $$ ) {
-    my ( $proto, $range ) = @_;
-
-    if ( $range =~ /^(.*):(.*)$/ ) {
-	my ( $first, $last ) = ( $1, $2);
-	my @result;
-
-	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
-	#
-	# Supply missing first/last port number
-	#
-	$first = 0     if $first eq '';
-	$last  = 65535 if $last eq '';
-	#
-	# Validate the ports
-	#
-	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
-
-	$last++; #Increment last address for limit testing.
-	#
-	# Break the range into groups:
-	#
-	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
-	#      - Otherwise, find the largest power of two P that divides the first address such that
-	#        the remaining range has less than or equal to P ports. The next group is
-	#        ( <first> , ~( P-1 ) ).
-	#
-	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
-	    my $mask = 0xffff;         #Mask for current ports in group.
-	    my $y    = 2;              #Next power of two to test
-	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
-
-	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
-		$mask <<= 1;
-		$z  = $y;
-		$y <<= 1;
-	    }
-	    #
-	    #
-	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
-	    $first += $z;
-	}
-
-	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
-
-	@result;
-
-    } else {
-	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
-    }
-}
-
-################################################################################
-# End functions moved from IPAddrs.pm in 5.1.5				       #
-################################################################################
-
 #
 # Functions to manipulate cmdlevel
 #
@@ -1345,6 +1131,8 @@ sub format_rule( $$;$ ) {
 	    } else {
 		$rule .= join( '' , ' --', $_, ' ', $value );
 	    }
+
+	    next;
 	} elsif ( $type == EXPENSIVE ) {
 	    #
 	    # Only emit expensive matches now if there are '-m nfacct' or '-m recent' matches in the rule
@@ -1927,7 +1715,7 @@ sub delete_reference( $$ ) {

    assert( $toref );

-    delete $toref->{references}{$fromref->{name}} if --$toref->{references}{$fromref->{name}} <= 0;
+    delete $toref->{references}{$fromref->{name}} unless --$toref->{references}{$fromref->{name}} > 0;
 }

 #
@@ -2065,7 +1853,7 @@ sub adjust_reference_counts( $$$ ) {
    my ($toref, $name1, $name2) = @_;

    if ( $toref ) {
-	delete $toref->{references}{$name1} if --$toref->{references}{$name1} <= 0;
+	delete $toref->{references}{$name1} unless --$toref->{references}{$name1} > 0;
 	$toref->{references}{$name2}++;
    }
 }
@@ -3898,15 +3686,6 @@ sub optimize_level8( $$$ ) {
 		    }

 		    $combined{ $chainref1->{name} } = $chainref->{name};
-		    #
-		    # While rare, it is possible for a policy chain to be combined with a non-policy chain. So we need to preserve
-		    # the policy attributes in the combined chain
-		    #
-		    if ( $chainref->{policychain} ) {
-			@{$chainref1}{qw(policychain policy)} = @{$chainref}{qw(policychain policy)} unless $chainref1->{policychain};
-		    } elsif ( $chainref1->{policychain} ) {
-			@{$chainref}{qw(policychain policy)} = @{$chainref1}{qw(policychain policy)} unless $chainref->{policychain};
-		    }
 		}
 	    }
 	}
@@ -4833,7 +4612,7 @@ sub do_proto( $$$;$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
+				$ports   = validate_portpair $pname , $ports;
 				$output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
 			    }
 			}
@@ -5040,7 +4819,7 @@ sub do_iproto( $$$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
+				$ports   = validate_portpair $pname , $ports;

 				if ( $srcndst ) {
 				    push @output, multiport => "${invert}--ports ${ports}";
@@ -5979,7 +5758,6 @@ sub record_runtime_address( $$;$$ ) {

    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
-	fatal_error "Variable %variable is already used as a port variable" if $port_variables{$1};
 	$address_variables{$1} = $addrtype;
 	return '$' . "$1 ";
    }
@@ -6325,7 +6103,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
    }

-    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
+    $net = validate_net $net, 1;
    $net eq ALLIP ? '' : "-d $net ";
 }

@@ -6406,7 +6184,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
    }

-    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
+    $net = validate_net $net, 1;
    $net eq ALLIP ? () : ( d =>  $net );
 }

@@ -7065,8 +6843,6 @@ sub interface_gateway( $ ) {
 sub get_interface_gateway ( $;$$ ) {
    my ( $logical, $protect, $provider ) = @_;

-    $provider = '' unless defined $provider;
-
    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );
    my $gateway  = get_interface_option( $interface, 'gateway' );
@@ -7080,9 +6856,9 @@ sub get_interface_gateway ( $;$$ ) {
    }

    if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }

@@ -7269,19 +7045,6 @@ sub verify_address_variables() {
 	      qq(    startup_error "Invalid value ($address) for address variable $variable"),
 	      qq(fi\n) );
    }
-
-    for my $variable( keys %port_variables ) {
-	my $port = "\$$variable";
-	my $type = $port_variables{$variable};
-
-	emit( qq(if [ -z "$port" ]; then) ,
-	      qq(    $variable=255) ,
-	      qq(elif qt \$g_tool -A INPUT -p 6 --dport $port; then) ,
-	      qq(    qt \$g_tool -D INPUT -p 6 --dport $variable) ,
-	      qq(else) ,
-	      qq(    startup_error "Invalid valid ($port) for port variable $variable") ,
-	      qq(fi\n) );
-    }
 }

 #
@@ -7531,11 +7294,6 @@ sub isolate_dest_interface( $$$$ ) {

 	    $rule .= "-d $variable ";
 	}
-    } elsif ( $dest =~ /^\$/ ) {
-	#
-	# Runtime address variable
-	#
-	$dnets  = $dest;
    } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
@@ -8916,15 +8674,9 @@ sub create_netfilter_load( $ ) {
    my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';

    emit( '',
-	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then' );
-
-    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
-	emit( '    option="--counters --wait "' . $config{MUTEX_TIMEOUT} );
-    } else {
-	emit( '    option="--counters"' );
-    }
-
-    emit( '',
+	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
+	  '    option="--counters"',
+	  '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
@@ -8932,11 +8684,7 @@ sub create_netfilter_load( $ ) {

    push_indent;

-    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
-	emit 'option="--wait "' . $config{MUTEX_TIMEOUT};
-    } else {
-	emit 'option=';
-    }
+    emit 'option=';

    save_progress_message "Preparing $utility input...";

@@ -9351,11 +9099,7 @@ sub create_stop_load( $ ) {

    enter_cmd_mode;

-    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
-	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' --wait ' . $config{MUTEX_TIMEOUT} . '"' );
-    } else {
-	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
-    }
+    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );

    emit( '',
 	  'progress_message2 "Running $command..."',
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -109,7 +109,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF

-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -209,8 +209,6 @@ sub generate_script_2() {
    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
-    emit ( qq([ -n "\${CONFDIR:=$shorewallrc1{CONFDIR}}" ]) );
-    emit ( qq([ -n "\${SHAREDIR:=$shorewallrc1{SHAREDIR}}" ]) );

    emit 'TEMPFILE=';

--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -36,7 +36,6 @@ use strict;
 use warnings;
 use File::Basename;
 use File::Temp qw/ tempfile tempdir /;
-use File::Glob ':globally';
 use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
@@ -316,7 +315,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -414,9 +413,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                 WAIT_OPTION     => 'iptables --wait option',
                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',
                 NETMAP_TARGET   => 'NETMAP Target',
-                 NFLOG_SIZE      => '--nflog-size support',
-		 RESTORE_WAIT_OPTION
-				 => 'iptables-restore --wait option',
+
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -491,55 +488,53 @@ our %helpers_aliases;
 our %helpers_enabled;

 our %config_files = ( #accounting      => 1,
-		      actions	       => 1,
-		      blacklist	       => 1,
-		      clear	       => 1,
-		      conntrack	       => 1,
-		      ecn	       => 1,
-		      findgw	       => 1,
-		      hosts	       => 1,
-		      init	       => 1,
-		      initdone	       => 1,
+		      actions          => 1,
+		      blacklist        => 1,
+		      clear            => 1,
+		      conntrack        => 1,
+		      ecn              => 1,
+		      findgw           => 1,
+		      hosts            => 1,
+		      init             => 1,
+		      initdone         => 1,
 		      interfaces       => 1,
-		      isusable	       => 1,
-		      maclist	       => 1,
-		      mangle	       => 1,
-		      masq	       => 1,
-		      nat	       => 1,
-		      netmap	       => 1,
-		      params	       => 1,
-		      policy	       => 1,
-		      providers	       => 1,
-		      proxyarp	       => 1,
-		      refresh	       => 1,
-		      refreshed	       => 1,
-		      restored	       => 1,
-		      rawnat	       => 1,
+		      isusable         => 1,
+		      maclist          => 1,
+		      masq             => 1,
+		      nat              => 1,
+		      netmap           => 1,
+		      params           => 1,
+		      policy           => 1,
+		      providers        => 1,
+		      proxyarp         => 1,
+		      refresh          => 1,
+		      refreshed        => 1,
+		      restored         => 1,
+		      rawnat           => 1,
 		      route_rules      => 1,
-		      routes	       => 1,
+		      routes           => 1,
 		      routestopped     => 1,
-		      rtrules	       => 1,
-		      rules	       => 1,
-		      scfilter	       => 1,
-		      secmarks	       => 1,
-		      snat	       => 1,
-		      start	       => 1,
-		      started	       => 1,
-		      stop	       => 1,
-		      stopped	       => 1,
+		      rtrules          => 1,
+		      rules            => 1,
+		      scfilter         => 1,
+		      secmarks         => 1,
+		      start            => 1,
+		      started          => 1,
+		      stop             => 1,
+		      stopped          => 1,
 		      stoppedrules     => 1,
-		      tcclasses	       => 1,
-		      tcclear	       => 1,
-		      tcdevices	       => 1,
-		      tcfilters	       => 1,
+		      tcclasses        => 1,
+		      tcclear          => 1,
+		      tcdevices        => 1,
+		      tcfilters        => 1,
 		      tcinterfaces     => 1,
-		      tcpri	       => 1,
-		      tcrules	       => 1,
-		      tos	       => 1,
-		      tunnels	       => 1,
-		      zones	       => 1 );
+		      tcpri            => 1,
+		      tcrules          => 1,
+		      tos              => 1,
+		      tunnels          => 1,
+		      zones            => 1 );
 #
-# Options that involve the AUDIT target
+# Options that involve the the AUDIT target
 #
 our @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
 #
@@ -649,7 +644,6 @@ our %eliminated = ( LOGRATE          => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
-                    MODULE_SUFFIX    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -754,8 +748,8 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.5-RC1",
-		    CAPVERSION              => 50106 ,
+		    VERSION                 => "5.1.4-Beta1",
+		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -850,6 +844,7 @@ sub initialize( $;$$) {
 	  BLACKLIST => undef,
 	  BLACKLISTNEWONLY => undef,
 	  DELAYBLACKLISTLOAD => undef,
+	  MODULE_SUFFIX => undef,
 	  DISABLE_IPV6 => undef,
 	  DYNAMIC_ZONES => undef,
 	  PKTTYPE=> undef,
@@ -913,7 +908,6 @@ sub initialize( $;$$) {
 	  FIREWALL => undef ,
 	  BALANCE_PROVIDERS => undef ,
 	  PERL_HASH_SEED => undef ,
-	  USE_NFLOG_SIZE => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1047,8 +1041,6 @@ sub initialize( $;$$) {
 	       WAIT_OPTION => undef,
 	       CPU_FANOUT => undef,
 	       NETMAP_TARGET => undef,
-	       NFLOG_SIZE => undef,
-	       RESTORE_WAIT_OPTION => undef,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1174,7 +1166,7 @@ sub initialize( $;$$) {
    #
    # Process the global shorewallrc file
    #
-    #   Note: The build script calls this function passing only the protocol family
+    #   Note: The build file executes this function passing only the protocol family
    #
    process_shorewallrc( $shorewallrc,
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
@@ -1225,9 +1217,10 @@ sub compiletime() {
 # Create 'currentlineinfo'
 #
 sub currentlineinfo() {
+    my $linenumber = $currentlinenumber || 1;
+
    if ( $currentfilename ) {
-	my $linenumber = $currentlinenumber || 1;
-	my $lineinfo   = " $currentfilename ";
+	my $lineinfo = " $currentfilename ";
 	
 	if ( $linenumber eq 'EOF' ) {
 	    $lineinfo .= '(EOF)'
@@ -2347,7 +2340,7 @@ sub split_line2( $$;$$$ ) {

 	    $inline_matches = $pairs;

-	    if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
+	    if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
 		#
 		# Pairs are enclosed in curly brackets.
 		#
@@ -2363,7 +2356,7 @@ sub split_line2( $$;$$$ ) {
 	    if ( $currline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;

-		if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
+		if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
 		    #
 		    # Pairs are enclosed in curly brackets.
 		    #
@@ -2377,7 +2370,7 @@ sub split_line2( $$;$$$ ) {
 	} elsif ( $checkinline ) {
 	    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
 	}
-    } elsif ( $currline =~ /^(\s*|.*[^&@%])\{(.*)\}$/ ) {
+    } elsif ( $currline =~ /^(\s*|.*[^&@%]){(.*)}$/ ) {
 	#
 	# Pairs are enclosed in curly brackets.
 	#
@@ -4052,7 +4045,7 @@ sub make_mask( $ ) {
    0xffffffff >> ( 32 - $_[0] );
 }

-my @suffixes;
+my @suffixes = qw(group range threshold nlgroup cprange qthreshold);

 #
 # Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate"
@@ -4321,20 +4314,25 @@ sub load_kernel_modules( ) {

 	close LSMOD;

-      MODULE:
+	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
+
+	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
+
 	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
-		if ( $moduleloader eq 'modprobe' ) {
-		    system( "modprobe -q $module $arguments" );
-		    $loadedmodules{ $module } = 1;
-		} else {
-		    for my $directory ( @moduledirectories ) {
-			for my $modulefile ( <$directory/$module.*> ) {
-			    system ("insmod $modulefile $arguments" );
+		for my $directory ( @moduledirectories ) {
+		    for my $suffix ( @suffixes ) {
+			my $modulefile = "$directory/$module.$suffix";
+			if ( -f $modulefile ) {
+			    if ( $moduleloader eq 'insmod' ) {
+				system ("insmod $modulefile $arguments" );
+			    } else {
+				system( "modprobe $module $arguments" );
+			    }
+
 			    $loadedmodules{ $module } = 1;
-			    next MODULE;
 			}
 		    }
 		}
@@ -4819,10 +4817,6 @@ sub NFLog_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -j NFLOG" );
 }

-sub NFLog_Size() {
-    have_capability( 'NFLOG_TARGET' ) && qt1( "$iptables $iptablesw -A $sillyname -j NFLOG --nflog-size 64" );
-}
-
 sub Logmark_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -j LOGMARK" );
 }
@@ -4946,10 +4940,6 @@ sub Cpu_Fanout() {
    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
 }

-sub Restore_Wait_Option() {
-    length( `${iptables}-restore --wait < /dev/null 2>&1` ) == 0;
-}
-
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -5002,7 +4992,6 @@ our %detect_capability =
      LOG_TARGET => \&Log_Target,
      ULOG_TARGET => \&Ulog_Target,
      NFLOG_TARGET => \&NFLog_Target,
-      NFLOG_SIZE => \&NFLog_Size,
      MANGLE_ENABLED => \&Mangle_Enabled,
      MANGLE_FORWARD => \&Mangle_Forward,
      MARK => \&Mark,
@@ -5030,7 +5019,6 @@ our %detect_capability =
      REALM_MATCH => \&Realm_Match,
      REAP_OPTION => \&Reap_Option,
      RECENT_MATCH => \&Recent_Match,
-      RESTORE_WAIT_OPTION => \&Restore_Wait_Option,
      RPFILTER_MATCH => \&RPFilter_Match,
      SANE_HELPER => \&SANE_Helper,
      SANE0_HELPER => \&SANE0_Helper,
@@ -5197,9 +5185,6 @@ sub determine_capabilities() {
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
-	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
-	$capabilities{RESTORE_WAIT_OPTION}
-				       = detect_capability( 'RESTORE_WAIT_OPTION' );

 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5377,11 +5362,11 @@ sub update_config_file( $ ) {
 	update_default( 'BALANCE_PROVIDERS', 'Yes' );
    }

-    update_default( 'EXPORTMODULES',         'No' );
-    update_default( 'RESTART',               'reload' );
-    update_default( 'PAGER',                 $shorewallrc1{DEFAULT_PAGER} );
-    update_default( 'LOGFORMAT',             'Shorewall:%s:%s:' );
-    update_default( 'LOGLIMIT',              '' );
+    update_default( 'EXPORTMODULES',     'No' );
+    update_default( 'RESTART',           'reload' );
+    update_default( 'PAGER',             $shorewallrc1{DEFAULT_PAGER} );
+    update_default( 'LOGFORMAT',         'Shorewall:%s:%s:' );
+    update_default( 'LOGLIMIT',          '' );

    if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
@@ -6066,6 +6051,7 @@ sub get_configuration( $$$$ ) {
    #
    # get_capabilities requires that the true settings of these options be established
    #
+    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';

    if ( ! $export && $> == 0 ) {
@@ -6406,17 +6392,6 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'AUTOMAKE'                   , '';
    default_yes_no 'TRACK_PROVIDERS'            , '';
    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
-    default_yes_no 'USE_NFLOG_SIZE'             , '';
-
-    if ( $config{USE_NFLOG_SIZE} ) {
-	if ( have_capability( 'NFLOG_SIZE' ) ) {
-	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
-	} else {
-	    fatal_error "USE_NFLOG_SIZE=Yes, but the --nflog-size capabiity is not present";
-	}
-    } else {
-	@suffixes = qw(group range threshold nlgroup cprange qthreshold);
-    }

    unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6837,12 +6812,6 @@ sub get_configuration( $$$$ ) {
 	}
    }

-    if ( supplied( $val = $config{MUTEX_TIMEOUT} ) ) {
-	fatal_error "Invalid value ($val) for MUTEX_TIMEOUT" unless $val && $val =~ /^\d+$/;
-    } else {
-	$config{MUTEX_TIMEOUT} = 60;
-    }
-
    add_variables %config;

    while ( my ($var, $val ) = each %renamed ) {
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -63,6 +63,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  validate_host
 		  validate_range
 		  ip_range_explicit
+		  expand_port_range
 		  allipv4
 		  allipv6
 		  allip
@@ -73,6 +74,10 @@ our @EXPORT = ( qw( ALLIPv4
 		  resolve_proto
 		  resolve_dnsname
 		  proto_name
+		  validate_port
+		  validate_portpair
+		  validate_portpair1
+		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
 		 ) );
@@ -406,6 +411,114 @@ sub proto_name( $ ) {
    $proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto
 }

+sub validate_port( $$ ) {
+    my ($proto, $port) = @_;
+
+    my $value;
+
+    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
+	$port = numeric_value $port;
+	return $port if defined $port && $port && $port <= 65535;
+    } else {
+	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
+	$value = getservbyname( $port, $proto );
+    }
+
+    return $value if defined $value;
+
+    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
+
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+}
+
+sub validate_portpair( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
+
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
+
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
+
+    my @ports = split /:/, $pair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP     ||
+			       $protonum == UDP     ||
+			       $protonum == UDPLITE ||
+			       $protonum == SCTP    ||
+			       $protonum == DCCP );
+    join ':', @ports;
+
+}
+
+sub validate_portpair1( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
+
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+
+    my @ports = split /-/, $portpair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
+	fatal_error 'Invalid port number (0)' unless $portpair;
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP  ||
+			       $protonum == UDP  ||
+			       $protonum == SCTP ||
+			       $protonum == DCCP );
+    join '-', @ports;
+
+}
+
+sub validate_port_list( $$ ) {
+    my $result = '';
+    my ( $proto, $list ) = @_;
+    my @list   = split_list( $list, 'port' );
+
+    if ( @list > 1 && $list =~ /[:-]/ ) {
+	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
+    }
+
+    $proto = proto_name $proto;
+
+    for ( @list ) {
+	my $value = validate_portpair( $proto , $_ );
+	$result = $result ? join ',', $result, $value : $value;
+    }
+
+    $result;
+}
+
 my %icmp_types = ( any                          => 'any',
 		   'echo-reply'                 => 0,
 		   'destination-unreachable'    => 3,
@@ -459,6 +572,67 @@ sub validate_icmp( $ ) {
    fatal_error "Invalid ICMP Type ($type)"
 }

+#
+# Expands a port range into a minimal list of ( port, mask ) pairs.
+# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
+#
+# Example:
+#
+#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
+#       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
+#
+sub expand_port_range( $$ ) {
+    my ( $proto, $range ) = @_;
+
+    if ( $range =~ /^(.*):(.*)$/ ) {
+	my ( $first, $last ) = ( $1, $2);
+	my @result;
+
+	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
+	#
+	# Supply missing first/last port number
+	#
+	$first = 0     if $first eq '';
+	$last  = 65535 if $last eq '';
+	#
+	# Validate the ports
+	#
+	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
+
+	$last++; #Increment last address for limit testing.
+	#
+	# Break the range into groups:
+	#
+	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
+	#      - Otherwise, find the largest power of two P that divides the first address such that
+	#        the remaining range has less than or equal to P ports. The next group is
+	#        ( <first> , ~( P-1 ) ).
+	#
+	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
+	    my $mask = 0xffff;         #Mask for current ports in group.
+	    my $y    = 2;              #Next power of two to test
+	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
+
+	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
+		$mask <<= 1;
+		$z  = $y;
+		$y <<= 1;
+	    }
+	    #
+	    #
+	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
+	    $first += $z;
+	}
+
+	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
+
+	@result;
+
+    } else {
+	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
+    }
+}
+
 sub valid_6address( $ ) {
    my $address = $_[0];

--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -941,17 +941,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-
-	    my @servers;
-
-	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
-		$server = record_runtime_address( $1, $2 );
-		$server =~ s/ $//;
-		@servers = ( $server );
-	    } else {
-		@servers = validate_address $server, 1;
-	    }
-
+	    my @servers = validate_address $server, 1;
 	    $server = join ',', @servers;
 	}

--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -502,7 +502,7 @@ sub process_a_provider( $ ) {

    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, $number );
+	$gateway = get_interface_gateway( $interface, undef, 1 );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
@@ -1088,10 +1088,7 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}

-	emit( qq(rm -f \${VARDIR}/${physical}_disabled),
-	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
-	    );
-
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );

 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1236,9 +1233,7 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}

-	emit( "echo 1 > \${VARDIR}/${physical}.status",
-	      $pseudo ? "run_disabled_exit ${physical} ${interface}" : "run_disabled_exit ${physical} ${interface} ${table}"
-	    );
+	emit( "echo 1 > \${VARDIR}/${physical}.status" );

 	if ( $pseudo ) {
 	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -5642,23 +5642,15 @@ sub process_snat( )
 sub setup_snat( $ ) # Convert masq->snat if true
 {
    my $fn;
-    my $have_masq;

-    if ( $_[0] ) {
-	convert_masq();
-    } elsif ( $fn = open_file( 'masq', 1, 1 ) ) {
+    convert_masq() if $_[0];
+
+    if ( $fn = open_file( 'masq', 1, 1 ) ) {
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
-	process_one_masq(0), $have_masq = 1 while read_a_line( NORMAL_READ );
-    }
-
-    unless ( $have_masq ) {
-	#
-	# Masq file empty or didn't exist
-	#
-	if ( $fn = open_file( 'snat', 1, 1 ) ) {
-	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
-	    process_snat while read_a_line( NORMAL_READ );
-	}
+	process_one_masq(0) while read_a_line( NORMAL_READ );
+    } elsif ( $fn = open_file( 'snat', 1, 1 ) ) {
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
+	process_snat while read_a_line( NORMAL_READ );
    }
 }

--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1434,7 +1434,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {

 	    while ( @sportlist ) {
 		my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
-		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask 0x$smask eq 0x$sport \\)";
+		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask $smask eq 0x$sport \\)";
 		$rule .= ' or' if @sportlist;
 	    }

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -92,7 +92,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_interfaces_by_option
 		    find_interfaces_by_option1
 		    get_interface_option
-		    get_interface_origin
+                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    interface_zone
@@ -114,31 +114,31 @@ our $VERSION = 'MODULEVERSION';
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
 #     %zones{<zone1> => {name =>       <name>,
-#			 type =>       <zone type>	 FIREWALL, IP, IPSEC, BPORT;
-#			 complex =>    0|1
-#			 super	 =>    0|1
-#			 options =>    { in_out	 => < policy match string >
-#					 in	 => < policy match string >
-#					 out	 => < policy match string >
-#				       }
-#			 parents =>    [ <parents> ]	  Parents, Children and interfaces are listed by name
-#			 children =>   [ <children> ]
-#			 interfaces => { <interfaces1> => 1, ... }
-#			 bridge =>     <bridge>
-#			 hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
-#								   options => { <option1> => <value1>
-#										...
-#									      }
-#								   hosts   => [ <net1> , <net2> , ... ]
-#								   exclusions => [ <net1>, <net2>, ... ]
-#								   origin   => <where defined>
-#								 }
-#						 <interface2> => ...
-#					       }
-#					     ]
-#			}
-#	      <zone2> => ...
-#	    }
+#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#                        complex =>    0|1
+#                        super   =>    0|1
+#                        options =>    { in_out  => < policy match string >
+#                                        in      => < policy match string >
+#                                        out     => < policy match string >
+#                                      }
+#                        parents =>    [ <parents> ]      Parents, Children and interfaces are listed by name
+#                        children =>   [ <children> ]
+#                        interfaces => { <interfaces1> => 1, ... }
+#                        bridge =>     <bridge>
+#                        hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
+#                                                                  options => { <option1> => <value1>
+#                                                                               ...
+#                                                                             }
+#                                                                  hosts   => [ <net1> , <net2> , ... ]
+#                                                                  exclusions => [ <net1>, <net2>, ... ]
+#                                                                  origin   => <where defined>
+#                                                                }
+#                                                <interface2> => ...
+#                                              }
+#                                            ]
+#                       }
+#             <zone2> => ...
+#           }
 #
 #     $firewall_zone names the firewall zone.
 #
@@ -160,27 +160,27 @@ our %reservedName = ( all => 1,
 #
 #     @interfaces lists the interface names in the order that they appear in the interfaces file.
 #
-#     %interfaces { <interface1> => { name	  => <name of interface>
-#				      root	  => <name without trailing '+'>
-#				      options	  => { port => undef|1
-#						     { <option1> } => <val1> ,		#See %validinterfaceoptions
-#						       ...
-#						     }
-#				      zone	  => <zone name>
-#				      multizone	  => undef|1   #More than one zone interfaces through this interface
-#				      nets	  => <number of nets in interface/hosts records referring to this interface>
-#				      bridge	  => <bridge name> # Same as ->{name} if not a bridge port.
-#				      ports	  => <number of port on this bridge>
-#				      ipsec	  => undef|1 # Has an ipsec host group
-#				      broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
-#				      number	  => <ordinal position in the interfaces file>
-#				      physical	  => <physical interface name>
-#				      base	  => <shell variable base representing this interface>
-#				      wildcard	  => undef|1 # Wildcard Name
-#				      zones	  => { zone1 => 1, ... }
-#				      origin	  => <where defined>
-#				    }
-#		  }
+#     %interfaces { <interface1> => { name        => <name of interface>
+#                                     root        => <name without trailing '+'>
+#                                     options     => { port => undef|1
+#                                                    { <option1> } => <val1> ,          #See %validinterfaceoptions
+#                                                      ...
+#                                                    }
+#                                     zone        => <zone name>
+#                                     multizone   => undef|1   #More than one zone interfaces through this interface
+#                                     nets        => <number of nets in interface/hosts records referring to this interface>
+#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
+#                                     ports       => <number of port on this bridge>
+#                                     ipsec       => undef|1 # Has an ipsec host group
+#                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
+#                                     number      => <ordinal position in the interfaces file>
+#                                     physical    => <physical interface name>
+#                                     base        => <shell variable base representing this interface>
+#                                     wildcard    => undef|1 # Wildcard Name
+#                                     zones       => { zone1 => 1, ... }
+#                                     origin      => <where defined>
+#                                   }
+#                 }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
@@ -701,40 +701,6 @@ sub haveipseczones() {
    0;
 }

-#
-# Returns 1 if the two interfaces passed are related
-#
-sub interface_match( $$ ) {
-    my ( $piface, $ciface ) = @_;
-
-    return 1 if $piface eq $ciface;
-
-    my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface};
-
-    return 1 if $piface eq $cifaceref->{bridge};
-    return 1 if $ciface eq $pifaceref->{bridge};
-
-    if ( $minroot ) {
-	if ( $piface =~ /\+$/ ) {
-	    my $root    = $pifaceref->{root};
-	    my $rlength = length( $root );
-	    while ( length( $ciface ) >= $rlength ) {
-		return 1 if $ciface eq $root;
-		chop $ciface;
-	    }
-	} elsif ( $ciface =~ /\+$/ ) {
-	    my $root    = $cifaceref->{root};
-	    my $rlength = length( $root );
-	    while ( length( $piface ) >= $rlength ) {
-		return 1 if $piface eq $root;
-		chop $piface;
-	    }
-	}
-    }
-
-    0;
-}
-
 #
 # Report about zones.
 #
@@ -772,7 +738,7 @@ sub zone_report()
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:[$grouplist]";
+				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
 			    }
 			    $printed = 1;
 			}
@@ -781,17 +747,6 @@ sub zone_report()
 	    }
 	}

-      PARENT:
-	for my $p ( @{$zoneref->{parents}} ) {
-	    for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) {
-		for my $ci ( keys( %{$zoneref->{interfaces}} ) ) {
-		    next PARENT if interface_match( $pi, $ci );
-		}
-	    }
-
-	    warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common";
-	}
-
 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
@@ -1620,7 +1575,9 @@ sub known_interface($)
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
-	while ( length $iface >= $minroot ) {
+	while ( length $iface > $minroot ) {
+	    chop $iface;
+
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
@@ -1642,8 +1599,6 @@ sub known_interface($)
 		                              };
 		return $interfaceref;
 	    }
-
-	    chop $iface;
 	}
    }

--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -421,7 +421,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 conditionally_flush_conntrack() {

    if [ -n "$g_purge" ]; then
-	if [ -n "$(mywhich conntrack)" ]; then
+	if [ -n $(mywhich conntrack) ]; then
            conntrack -F
 	else
            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
@@ -899,7 +899,7 @@ detect_dynamic_gateway() { # $1 = interface
 #
 # Detect the gateway through an interface
 #
-detect_gateway() # $1 = interface $2 = table number
+detect_gateway() # $1 = interface
 {
    local interface
    interface=$1
@@ -912,8 +912,6 @@ detect_gateway() # $1 = interface $2 = table number
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
-
-    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -205,6 +205,8 @@ MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No

+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -247,8 +249,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -216,6 +216,8 @@ MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No

+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -258,8 +260,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -213,6 +213,8 @@ MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No

+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -255,8 +257,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -216,6 +216,8 @@ MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No

+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -258,8 +260,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -25,7 +25,6 @@ Broadcast    noinline,audit	# Handles Broadcast/Anycast
 DNSAmp				# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
-dropBcasts    inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
 dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
@@ -33,7 +32,6 @@ DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
-FIN	     inline,audit	# Handles ACK,FIN,PSH packets
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
--- a/Shorewall/configfiles/disabled
+++ b/Shorewall/configfiles/disabled
@@ -1,12 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/disabled
-#
-# Add commands below that you want executed when an optional
-# interface is successfully disabled using the 'disable' command
-#
-# When the commands are invoked:
-#
-#  $1 contains the physical name of the interface
-#  $2 contains the logical name of the interface
-#  $3 contains the name of the provider associated with the interface,
-      if any
--- a/Shorewall/configfiles/enabled
+++ b/Shorewall/configfiles/enabled
@@ -1,12 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/enabled
-#
-# Add commands below that you want executed when an optional
-# interface is successfully enabled using the 'enable' command
-#
-# When the commands are invoked:
-#
-#  $1 contains the physical name of the interface
-#  $2 contains the logical name of the interface
-#  $3 contains the name of the provider associated with the interface,
-      if any
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -205,6 +205,8 @@ MARK_IN_FORWARD_CHAIN=No

 MINIUPNPD=No

+MODULE_SUFFIX=ko
+
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -247,8 +249,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -492,11 +492,8 @@ fi
 #
 # Install the config file
 #
-run_install $OWNERSHIP -m 0644 $PRODUCT.conf            ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
-
-if [ $PRODUCT = shorewall ]; then
-    run_install $OWNERSHIP -m 0644 shorewall.conf.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
-fi
+run_install $OWNERSHIP -m 0644 $PRODUCT.conf           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+run_install $OWNERSHIP -m 0644 $PRODUCT.conf.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/

 if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
    run_install $OWNERSHIP -m 0600 ${PRODUCT}.conf${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
@@ -616,14 +613,8 @@ run_install $OWNERSHIP -m 0644 params.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/c
 if [ -f ${DESTDIR}${CONFDIR}/$PRODUCT/params ]; then
    chmod 0644 ${DESTDIR}${CONFDIR}/$PRODUCT/params
 else
-    case "$SPARSE" in
-	[Vv]ery)
-	;;
-	*)
-	    run_install $OWNERSHIP -m 0600 params${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/params
-	    echo "Parameter file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/params"
-	    ;;
-    esac
+    run_install $OWNERSHIP -m 0600 params${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/params
+    echo "Parameter file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/params"
 fi

 if [ $PRODUCT = shorewall ]; then
@@ -699,16 +690,10 @@ fi
 run_install $OWNERSHIP -m 0644 conntrack           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 run_install $OWNERSHIP -m 0644 conntrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles

-case "$SPARSE" in
-    [Vv]ery)
-    ;;
-    *)
-	if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
-	    run_install $OWNERSHIP -m 0600 conntrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack
-	    echo "Conntrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack"
-	fi
-	;;
-esac
+if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
+    run_install $OWNERSHIP -m 0600 conntrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack
+    echo "Conntrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack"
+fi

 #
 # Install the Mangle file
@@ -1162,39 +1147,13 @@ if [ -n "$MANDIR" ]; then

 cd manpages

-if [ $PRODUCT = shorewall ]; then
-    [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
+[ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man5 0755

-    for f in *.5; do
-	gzip -9c $f > $f.gz
-	run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
-    done
-fi
-
-if [ $PRODUCT = shorewall6 ]; then
-    make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
-
-    rm -f ${DESTDIR}${MANDIR}/man5/shorewall6*
-
-    for f in \
-	shorewall-accounting.5  shorewall-ipsets.5   shorewall-providers.5     shorewall-tcclasses.5     \
-	shorewall-actions.5     shorewall-maclist.5                            shorewall-tcdevices.5     \
-	                        shorewall-mangle.5   shorewall-proxyndp.5      shorewall-tcfilters.5     \
-	shorewall-blacklist.5   shorewall-masq.5     shorewall-routes.5        shorewall-tcinterfaces.5  \
-	shorewall-blrules.5     shorewall-modules.5  shorewall-routestopped.5  shorewall-tcpri.5         \
-	shorewall-conntrack.5   shorewall-nat.5      shorewall-rtrules.5       shorewall-tcrules.5       \
-                                shorewall-nesting.5  shorewall-rules.5         shorewall-tos.5           \
-	shorewall-exclusion.5   shorewall-netmap.5   shorewall-secmarks.5      shorewall-tunnels.5       \
-	shorewall-hosts.5       shorewall-params.5   shorewall-snat.5          shorewall-vardir.5        \
-	shorewall-interfaces.5  shorewall-policy.5   shorewall-stoppedrules.5  shorewall-zones.5
-    do
-	f6=shorewall6-${f#*-}
-	echo ".so man5/$f" > ${DESTDIR}${MANDIR}/man5/$f6
-    done
-
-    echo ".so man5/shorewall.conf.5" > ${DESTDIR}${MANDIR}/man5/shorewall6.conf.5
-fi
+for f in *.5; do
+    gzip -9c $f > $f.gz
+    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
+    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
+done

 [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755

--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -1556,10 +1556,10 @@ remote_reload_command() # $* = original arguments less the command.

 	progress_message "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
-	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
+	    if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
 	    fi
-	elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
+	elif ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
 	    fatal_error "Capturing capabilities on system $system failed"
 	fi
    fi
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/accounting</command>
+      <command>/etc/shorewall/accounting</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -783,8 +783,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/accounting</para>
-
-    <para>/etc/shorewall6/accounting</para>
  </refsect1>

  <refsect1>
@@ -800,6 +798,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/actions</command>
+      <command>/etc/shorewall/actions</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -148,8 +148,8 @@
              <listitem>
                <para>Added in Shorewall 5.0.7. Specifies that this action is
                to be used in <ulink
-                url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
-                rather than <ulink
+                url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
+                than <ulink
                url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
              </listitem>
            </varlistentry>
@@ -160,11 +160,11 @@
              <listitem>
                <para>Added in Shorewall 5.0.13. Specifies that this action is
                to be used in <ulink
-                url="/manpages/shorewall-snat.html">shorewall-snat(5)</ulink>
-                rather than <ulink
-                url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.
-                The <option>mangle</option> and <option>nat</option> options
-                are mutually exclusive.</para>
+                url="/manpages/shorewall-snat.html">shorewall-snat(5)</ulink> rather
+                than <ulink
+                url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>. The
+                <option>mangle</option> and <option>nat</option> options are
+                mutually exclusive.</para>
              </listitem>
            </varlistentry>

@@ -206,7 +206,7 @@
                <para>Given that neither the <filename>snat</filename> nor the
                <filename>mangle</filename> file is sectioned, this parameter
                has no effect when <option>mangle</option> or
-                <option>nat</option> is specified.</para>
+                <option>nat</option> is specified. </para>
              </listitem>
            </varlistentry>

@@ -239,8 +239,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/actions</para>
-
-    <para>/etc/shorewall6/actions</para>
  </refsect1>

  <refsect1>
@@ -249,6 +247,14 @@
    <para><ulink
    url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-arprules.xml
+++ b/Shorewall/manpages/shorewall-arprules.xml
@@ -25,8 +25,6 @@
  <refsect1>
    <title>Description</title>

-    <para>IPv4 only.</para>
-
    <para>This file was added in Shorewall 4.5.12 and is used to describe
    low-level rules managed by arptables (8). These rules only affect Address
    Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and
@@ -379,10 +377,4 @@ SNAT:10.1.10.11        -                       eth1:10.1.10.0/24   1</programlis

    <para>/etc/shorewall/arprules</para>
  </refsect1>
-
-  <refsect1>
-    <title>See ALSO</title>
-
-    <para>shorewall(8)</para>
-  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/blrules</command>
+      <command>/etc/shorewall/blrules</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -27,9 +27,12 @@

    <para>This file is used to perform blacklisting and whitelisting.</para>

-    <para>Rules in this file are applied depending on the setting of BLACKLIST
-    in <ulink
-    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+    <para>Rules in this file are applied depending on the setting of
+    BLACKLISTNEWONLY in <ulink
+    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If
+    BLACKLISTNEWONLY=No, then they are applied regardless of the connection
+    tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
+    connections in the NEW and INVALID states.</para>

    <para>The format of rules in this file is the same as the format of rules
    in <ulink url="/manpages/shorewall-rules.html">shorewall-rules
@@ -115,10 +118,10 @@
            </varlistentry>

            <varlistentry>
-              <term>A_DROP</term>
+              <term>A_DROP and A_DROP!</term>

              <listitem>
-                <para>Audited version of DROP. Requires AUDIT_TARGET support
+                <para>Audited versions of DROP. Requires AUDIT_TARGET support
                in the kernel and ip6tables.</para>
              </listitem>
            </varlistentry>
@@ -273,11 +276,11 @@
  </refsect1>

  <refsect1>
-    <title>Examples</title>
+    <title>Example</title>

    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>

        <listitem>
          <para>Drop Teredo packets from the net.</para>
@@ -287,28 +290,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 2:</term>
-
-        <listitem>
-          <para>Don't subject packets from 2001:DB8::/64 to the remaining
-          rules in the file.</para>
-
-          <programlisting>WHITELIST     net:[2001:DB8::/64]        all</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 1:</term>
-
-        <listitem>
-          <para>Drop Teredo packets from the net.</para>
-
-          <programlisting>DROP          net:[2001::/32]            all</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 2:</term>
+        <term>Example 2:</term>

        <listitem>
          <para>Don't subject packets from 2001:DB8::/64 to the remaining
@@ -324,8 +306,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/blrules</para>
-
-    <para>/etc/shorewall6/blrules</para>
  </refsect1>

  <refsect1>
@@ -337,6 +317,12 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/conntrack</command>
+      <command>/etc/shorewall/conntrack</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -35,7 +35,7 @@
    <emphasis role="bold">conntrack</emphasis>.</para>

    <para>The file supports three different column layouts: FORMAT 1, FORMAT
-    2, and FORMAT 3 with FORMAT 1 being the default. The three differ as
+    2, and FORMAT 3, FORMAT 1 being the default. The three differ as
    follows:</para>

    <itemizedlist>
@@ -311,9 +311,9 @@
            <listitem>
              <para><option>ULOG</option></para>

-              <para>IPv4 only. Added in Shoreawll 4.6.0. Queues the packet to
-              a backend logging daemon using the ULOG netfilter target with
-              the specified <replaceable>ulog-parameters</replaceable>.</para>
+              <para>Added in Shoreawll 4.6.0. Queues the packet to a backend
+              logging daemon using the ULOG netfilter target with the
+              specified <replaceable>ulog-parameters</replaceable>.</para>
            </listitem>
          </itemizedlist>

@@ -689,57 +689,31 @@
  <refsect1>
    <title>EXAMPLE</title>

-    <para>IPv4 Example 1:</para>
+    <para>Example 1:</para>

    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>

-    <para>IPv4 Example 2 (Shorewall 4.5.10 or later):</para>
+    <para>Example 2 (Shorewall 4.5.10 or later):</para>

    <para>Drop traffic to/from all zones to IP address 1.2.3.4</para>

-    <programlisting>?FORMAT 2
+    <programlisting>FORMAT 2
 #ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
 DROP                          all-:1.2.3.4       -
 DROP                          all                1.2.3.4</programlisting>

-    <para>or<programlisting>?FORMAT 3
+    <para>or<programlisting>FORMAT 3
 #ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
 DROP:P                        1.2.3.4            -
 DROP:PO                       -                  1.2.3.4
 </programlisting></para>
-
-    <para>IPv6 Example 1:</para>
-
-    <para>Use the FTP helper for TCP port 21 connections from the firewall
-    itself.</para>
-
-    <programlisting>FORMAT 2
-#ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
-CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
-
-    <para>IPv6 Example 2 (Shorewall 4.5.10 or later):</para>
-
-    <para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
-
-    <programlisting>FORMAT 2
-#ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
-DROP                          all-:2001:1.2.3::4 -
-DROP                          all                2001:1.2.3::4
-</programlisting>
-
-    <para>or<programlisting>FORMAT 3
-#ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
-DROP:P                        2001:1.2.3::4      -
-DROP:PO                       -                  2001:1.2.3::4</programlisting></para>
  </refsect1>

  <refsect1>
    <title>FILES</title>

    <para>/etc/shorewall/conntrack</para>
-
-    <para>/etc/shorewall6/conntrack</para>
  </refsect1>

  <refsect1>
@@ -748,6 +722,14 @@ DROP:PO                       -                  2001:1.2.3::4</programlisting><
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-ecn.xml
+++ b/Shorewall/manpages/shorewall-ecn.xml
@@ -25,12 +25,8 @@
  <refsect1>
    <title>Description</title>

-    <para>IPv4 only.</para>
-
    <para>Use this file to list the destinations for which you want to disable
-    ECN (Explicit Congestion Notification). Use of this file is deprecated in
-    favor of ECN rules in <ulink
-    url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(8).</para>
+    ECN (Explicit Congestion Notification).</para>

    <para>The columns in the file are as follows.</para>

@@ -69,6 +65,14 @@
  <refsect1>
    <title>See ALSO</title>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-exclusion.xml
+++ b/Shorewall/manpages/shorewall-exclusion.xml
@@ -49,10 +49,9 @@

    <para>Beginning in Shorewall 4.4.13, the second form of exclusion is
    allowed after <emphasis role="bold">all</emphasis> and <emphasis
-    role="bold">any</emphasis> in the SOURCE and DEST columns of <ulink
-    url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5). It allows
-    you to omit arbitrary zones from the list generated by those key
-    words.</para>
+    role="bold">any</emphasis> in the SOURCE and DEST columns of
+    /etc/shorewall/rules. It allows you to omit arbitrary zones from the list
+    generated by those key words.</para>

    <warning>
      <para>If you omit a sub-zone and there is an explicit or explicit
@@ -118,7 +117,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>

    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1 - All IPv4 addresses except 192.168.3.4</term>
+        <term>Example 1 - All IPv4 addresses except 192.168.3.4</term>

        <listitem>
          <para>!192.168.3.4</para>
@@ -126,8 +125,8 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 2 - All IPv4 addresses except the network
-        192.168.1.0/24 and the host 10.2.3.4</term>
+        <term>Example 2 - All IPv4 addresses except the network 192.168.1.0/24
+        and the host 10.2.3.4</term>

        <listitem>
          <para>!192.168.1.0/24,10.1.3.4</para>
@@ -135,7 +134,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 3 - All IPv4 addresses except the range
+        <term>Example 3 - All IPv4 addresses except the range
        192.168.1.3-192.168.1.12 and the network 10.0.0.0/8</term>

        <listitem>
@@ -144,8 +143,8 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 4 - The network 192.168.1.0/24 except hosts
-        192.168.1.3 and 192.168.1.9</term>
+        <term>Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3
+        and 192.168.1.9</term>

        <listitem>
          <para>192.168.1.0/24!192.168.1.3,192.168.1.9</para>
@@ -177,6 +176,14 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
  <refsect1>
    <title>See ALSO</title>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-hosts.xml
+++ b/Shorewall/manpages/shorewall-hosts.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/hosts</command>
+      <command>/etc/shorewall/hosts</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -270,8 +270,6 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
    <title>FILES</title>

    <para>/etc/shorewall/hosts</para>
-
-    <para>/etc/shorewall6/hosts</para>
  </refsect1>

  <refsect1>
@@ -280,6 +278,14 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-init.xml
+++ b/Shorewall/manpages/shorewall-init.xml
@@ -165,6 +165,14 @@
  <refsect1>
    <title>See ALSO</title>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/interfaces</command>
+      <command>/etc/shorewall/interfaces</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -104,7 +104,9 @@ loc     eth2            -</programlisting>
          <para>You may use wildcards here by specifying a prefix followed by
          the plus sign ("+"). For example, if you want to make an entry that
          applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
-          ppp1, ppp2, …</para>
+          ppp1, ppp2, … Please note that the '+' means '<emphasis
+          role="bold">one</emphasis> or more additional characters' so 'ppp'
+          does not match 'ppp+'.</para>

          <para>When using Shorewall versions before 4.1.4, care must be
          exercised when using wildcards where there is another zone that uses
@@ -197,12 +199,11 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>

              <listitem>
-                <para>IPv4 only. If specified, this interface will only
-                respond to ARP who-has requests for IP addresses configured on
-                the interface. If not specified, the interface can respond to
-                ARP who-has requests for IP addresses on any of the firewall's
-                interface. The interface must be up when Shorewall is
-                started.</para>
+                <para>If specified, this interface will only respond to ARP
+                who-has requests for IP addresses configured on the interface.
+                If not specified, the interface can respond to ARP who-has
+                requests for IP addresses on any of the firewall's interface.
+                The interface must be up when Shorewall is started.</para>

                <para>Only those interfaces with the
                <option>arp_filter</option> option will have their setting
@@ -224,8 +225,8 @@ loc     eth2            -</programlisting>
              role="bold">arp_ignore</emphasis>[=<emphasis>number</emphasis>]</term>

              <listitem>
-                <para>IPv4 only. If specified, this interface will respond to
-                arp requests based on the value of <emphasis>number</emphasis>
+                <para>If specified, this interface will respond to arp
+                requests based on the value of <emphasis>number</emphasis>
                (defaults to 1).</para>

                <para>1 - reply only if the target IP address is local address
@@ -410,8 +411,8 @@ loc     eth2            -</programlisting>

                  <listitem>
                    <para>the interface is a <ulink
-                    url="/SimpleBridge.html">simple bridge</ulink> with a DHCP
-                    server on one port and DHCP clients on another
+                    url="/SimpleBridge.html">simple bridge</ulink> with a
+                    DHCP server on one port and DHCP clients on another
                    port.</para>

                    <note>
@@ -466,15 +467,15 @@ loc     eth2            -</programlisting>
              role="bold">logmartians[={0|1}]</emphasis></term>

              <listitem>
-                <para>IPv4 only. Turn on kernel martian logging (logging of
-                packets with impossible source addresses. It is strongly
-                suggested that if you set <emphasis
-                role="bold">routefilter</emphasis> on an interface that you
-                also set <emphasis role="bold">logmartians</emphasis>. Even if
-                you do not specify the <option>routefilter</option> option, it
-                is a good idea to specify <option>logmartians</option> because
-                your distribution may have enabled route filtering without you
-                knowing it.</para>
+                <para>Turn on kernel martian logging (logging of packets with
+                impossible source addresses. It is strongly suggested that if
+                you set <emphasis role="bold">routefilter</emphasis> on an
+                interface that you also set <emphasis
+                role="bold">logmartians</emphasis>. Even if you do not specify
+                the <option>routefilter</option> option, it is a good idea to
+                specify <option>logmartians</option> because your distribution
+                may have enabled route filtering without you knowing
+                it.</para>

                <para>Only those interfaces with the
                <option>logmartians</option> option will have their setting
@@ -575,8 +576,8 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">nosmurfs</emphasis></term>

              <listitem>
-                <para>IPv4 only. Filter packets for smurfs (packets with a
-                broadcast address as the source).</para>
+                <para>Filter packets for smurfs (packets with a broadcast
+                address as the source).</para>

                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
@@ -595,9 +596,9 @@ loc     eth2            -</programlisting>
                <itemizedlist>
                  <listitem>
                    <para>a <filename
-                    class="directory">/proc/sys/net/ipv[46]/conf/</filename>
+                    class="directory">/proc/sys/net/ipv4/conf/</filename>
                    entry for the interface cannot be modified (including for
-                    proxy ARP or proxy NDP).</para>
+                    proxy ARP).</para>
                  </listitem>

                  <listitem>
@@ -637,7 +638,7 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>

              <listitem>
-                <para>IPv4 only. Sets
+                <para>Sets
                /proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
                Do NOT use this option if you are employing Proxy ARP through
                entries in <ulink
@@ -658,24 +659,6 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>
-
-              <listitem>
-                <para>IPv6 only. Sets
-                /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
-
-                <para><emphasis role="bold">Note</emphasis>: This option does
-                not work with a wild-card <replaceable>interface</replaceable>
-                name (e.g., eth0.+) in the INTERFACE column.</para>
-
-                <para>Only those interfaces with the <option>proxyndp</option>
-                option will have their setting changed; the value assigned to
-                the setting will be the value specified (if any) or 1 if no
-                value is given.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">required</emphasis></term>

@@ -717,8 +700,8 @@ loc     eth2            -</programlisting>
              role="bold">routefilter[={0|1|2}]</emphasis></term>

              <listitem>
-                <para>IPv4 only. Turn on kernel route filtering for this
-                interface (anti-spoofing measure).</para>
+                <para>Turn on kernel route filtering for this interface
+                (anti-spoofing measure).</para>

                <para>Only those interfaces with the
                <option>routefilter</option> option will have their setting
@@ -902,14 +885,11 @@ loc     eth2            -</programlisting>
                      <member><emphasis
                      role="bold">routefilter</emphasis></member>

-                      <member><emphasis
-                      role="bold">proxyarp</emphasis></member>
-
-                      <member><emphasis
-                      role="bold">proxyudp</emphasis></member>
-
                      <member><emphasis
                      role="bold">sourceroute</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">proxyndp</emphasis></member>
                    </simplelist>
                  </listitem>
                </itemizedlist>
@@ -922,9 +902,7 @@ loc     eth2            -</programlisting>
              <listitem>
                <para>Incoming requests from this interface may be remapped
                via UPNP (upnpd). See <ulink
-                url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.
-                Supported in IPv4 and in IPv6 in Shorewall 5.1.4 and
-                later.</para>
+                url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
              </listitem>
            </varlistentry>

@@ -938,8 +916,7 @@ loc     eth2            -</programlisting>
                causes Shorewall to detect the default gateway through the
                interface and to accept UDP packets from that gateway. Note
                that, like all aspects of UPnP, this is a security hole so use
-                this option at your own risk. Supported in IPv4 and in IPv6 in
-                Shorewall 5.1.4 and later.</para>
+                this option at your own risk.</para>
              </listitem>
            </varlistentry>

@@ -966,7 +943,7 @@ loc     eth2            -</programlisting>

    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>

        <listitem>
          <para>Suppose you have eth0 connected to a DSL modem and eth1
@@ -979,7 +956,7 @@ loc     eth2            -</programlisting>

          <para>Your entries for this setup would look like:</para>

-          <programlisting>?FORMAT 1
+          <programlisting>FORMAT 1
 #ZONE   INTERFACE BROADCAST        OPTIONS
 net     eth0      206.191.149.223  dhcp
 loc     eth1      192.168.1.255
@@ -994,7 +971,7 @@ dmz     eth2      192.168.2.255</programlisting>
          <para>The same configuration without specifying broadcast addresses
          is:</para>

-          <programlisting>?FORMAT 2
+          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
 net     eth0      dhcp
 loc     eth1      
@@ -1009,7 +986,7 @@ dmz     eth2</programlisting>
          <para>You have a simple dial-in system with no Ethernet
          connections.</para>

-          <programlisting>?FORMAT 2
+          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
 net     ppp0      -</programlisting>
        </listitem>
@@ -1022,7 +999,7 @@ net     ppp0      -</programlisting>
          <para>You have a bridge with no IP address and you want to allow
          traffic through the bridge.</para>

-          <programlisting>?FORMAT 2
+          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
 -       br0       bridge</programlisting>
        </listitem>
@@ -1034,8 +1011,6 @@ net     ppp0      -</programlisting>
    <title>FILES</title>

    <para>/etc/shorewall/interfaces</para>
-
-    <para>/etc/shorewall6/interfaces</para>
  </refsect1>

  <refsect1>
@@ -1044,6 +1019,13 @@ net     ppp0      -</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
+    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-ipsets.xml
+++ b/Shorewall/manpages/shorewall-ipsets.xml
@@ -251,44 +251,34 @@

    <para>/etc/shorewall/accounting</para>

-    <para>/etc/shorewall6/accounting</para>
-
    <para>/etc/shorewall/blrules</para>

-    <para>/etc/shorewall6/blrules</para>
-
    <para>/etc/shorewall/hosts -- <emphasis role="bold">Note:</emphasis>
    Multiple matches enclosed in +[...] may not be used in this file.</para>

-    <para>/etc/shorewall6/hosts -- <emphasis role="bold">Note:</emphasis>
-    Multiple matches enclosed in +[...] may not be used in this file.</para>
-
    <para>/etc/shorewall/maclist -- <emphasis role="bold">Note:</emphasis>
    Multiple matches enclosed in +[...] may not be used in this file.</para>

-    <para>/etc/shorewall6/maclist -- <emphasis role="bold">Note:</emphasis>
-    Multiple matches enclosed in +[...] may not be used in this file.</para>
+    <para>/etc/shorewall/masq</para>

    <para>/etc/shorewall/rules</para>

-    <para>/etc/shorewall6/rules</para>
-
    <para>/etc/shorewall/secmarks</para>

-    <para>/etc/shorewall6/secmarks</para>
-
    <para>/etc/shorewall/mangle</para>
-
-    <para>/etc/shorewall6/mangle</para>
-
-    <para>/etc/shorewall/snat</para>
-
-    <para>/etc/shorewall6/snat</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-maclist.xml
+++ b/Shorewall/manpages/shorewall-maclist.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/maclist</command>
+      <command>/etc/shorewall/maclist</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -97,8 +97,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/maclist</para>
-
-    <para>/etc/shorewall6/maclist</para>
  </refsect1>

  <refsect1>
@@ -110,6 +108,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -18,17 +18,31 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/mangle</command>
+      <command>/etc/shorewall/mangle</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

-    <para>This file was introduced in Shorewall 4.6.0 and replaces <ulink
+    <para>This file was introduced in Shorewall 4.6.0 and is intended to
+    replace <ulink
    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
    file is only processed by the compiler if:</para>

+    <orderedlist numeration="loweralpha">
+      <listitem>
+        <para>No file named 'tcrules' exists on the current CONFIG_PATH (see
+        <ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>);
+        or</para>
+      </listitem>
+
+      <listitem>
+        <para>The first file named 'tcrules' found on the CONFIG_PATH contains
+        no non-commentary entries.</para>
+      </listitem>
+    </orderedlist>
+
    <para>Entries in this file cause packets to be marked as a means of
    classifying them for traffic control or policy routing.</para>

@@ -103,7 +117,9 @@
          SOURCE is $FW, the generated rule is always placed in the OUTPUT
          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
          Additionally, a <replaceable>chain-designator</replaceable> may not
-          be specified in an action body.</para>
+          be specified in an action body unless the action is declared as
+          <option>inline</option> in <ulink
+          url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>

          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -349,9 +365,8 @@ DIVERTHA        -               -               tcp</programlisting>

              <listitem>
                <para>Added in Shorewall 5.0.6 as an alternative to entries in
-                <ulink
-                url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>.
-                If a PROTO is specified, it must be 'tcp' (6). If no PROTO is
+                <ulink url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
+                PROTO is specified, it must be 'tcp' (6). If no PROTO is
                supplied, TCP is assumed. This action causes all ECN bits in
                the TCP header to be cleared.</para>
              </listitem>
@@ -900,8 +915,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                Matches packets leaving the firewall through the named
                interface. May not be used in the PREROUTING chain (:P in the
                mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
-                in <ulink
-                url="/manpages/shorewall.conf">shorewall.conf</ulink>
+                in <ulink url="/manpages/shorewall.conf">shorewall.conf</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>
@@ -1529,7 +1543,7 @@ Normal-Service       =&gt; 0x00</programlisting>

    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>

        <listitem>
          <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
@@ -1558,7 +1572,7 @@ Normal-Service       =&gt; 0x00</programlisting>
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 2:</term>
+        <term>Example 2:</term>

        <listitem>
          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -1570,41 +1584,12 @@ Normal-Service       =&gt; 0x00</programlisting>
       #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
       CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW

-/etc/shorewall/snat:
+/etc/shorewall/masq:

-       #ACTION          SOURCE              DEST     ...
-       SNAT(1.1.1.1)    eth0:192.168.1.0/24 - { mark=1:C }
-       SNAT(1.1.1.3)    eth0:192.168.1.0/24 - { mark=2:C }
-       SNAT(1.1.1.4)    eth0:192.168.1.0/24 - { mark=3:C }</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 1:</term>
-
-        <listitem>
-          <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
-          to peer traffic with packet mark 4.</para>
-
-          <para>This is a little more complex than otherwise expected. Since
-          the ipp2p module is unable to determine all packets in a connection
-          are P2P packets, we mark the entire connection as P2P if any of the
-          packets are determined to match.</para>
-
-          <para>We assume packet/connection mark 0 means unclassified.</para>
-
-          <programlisting>       #ACTION    SOURCE    DEST         PROTO   DPORT         SPORT   USER    TEST
-       MARK(1):T  ::/0      ::/0         icmp    echo-request
-       MARK(1):T  ::/0      ::/0         icmp    echo-reply
-       RESTORE:T  ::/0      ::/0         all     -             -       -       0
-       CONTINUE:T ::/0      ::/0         all     -             -       -       !0
-       MARK(4):T  ::/0      ::/0         ipp2p:all
-       SAVE:T     ::/0      ::/0         all     -             -       -       !0</programlisting>
-
-          <para>If a packet hasn't been classified (packet mark is 0), copy
-          the connection mark to the packet mark. If the packet mark is set,
-          we're done. If the packet is P2P, set the packet mark to 4. If the
-          packet mark has been set, save it to the connection mark.</para>
+       #INTERFACE SOURCE         ADDRESS     ...
+       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
+       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
+       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -1614,8 +1599,6 @@ Normal-Service       =&gt; 0x00</programlisting>
    <title>FILES</title>

    <para>/etc/shorewall/mangle</para>
-
-    <para>/etc/shorewall6/mangle</para>
  </refsect1>

  <refsect1>
@@ -1633,6 +1616,14 @@ Normal-Service       =&gt; 0x00</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/masq</command>
+      <command>/etc/shorewall/masq</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -579,7 +579,7 @@

    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>

        <listitem>
          <para>You have a simple masquerading setup where eth0 connects to a
@@ -594,7 +594,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 2:</term>
+        <term>Example 2:</term>

        <listitem>
          <para>You add a router to your local network to connect subnet
@@ -607,7 +607,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 3:</term>
+        <term>Example 3:</term>

        <listitem>
          <para>You have an IPSEC tunnel through ipsec0 and you want to
@@ -620,7 +620,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 4:</term>
+        <term>Example 4:</term>

        <listitem>
          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
@@ -634,7 +634,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 5:</term>
+        <term>Example 5:</term>

        <listitem>
          <para>You want all outgoing SMTP traffic entering the firewall from
@@ -654,7 +654,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 6:</term>
+        <term>Example 6:</term>

        <listitem>
          <para>Connections leaving on eth0 and destined to any host defined
@@ -667,7 +667,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 7:</term>
+        <term>Example 7:</term>

        <listitem>
          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -689,7 +689,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 8:</term>
+        <term>Example 8:</term>

        <listitem>
          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
@@ -716,49 +716,6 @@
 </programlisting>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 1:</term>
-
-        <listitem>
-          <para>You have a simple 'masquerading' setup where eth0 connects to
-          a DSL or cable modem and eth1 connects to your local network with
-          subnet 2001:470:b:787::0/64</para>
-
-          <para>Your entry in the file will be:</para>
-
-          <programlisting>        #INTERFACE   SOURCE                  ADDRESS
-        eth0         2001:470:b:787::0/64    -</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 2:</term>
-
-        <listitem>
-          <para>Your sit1 interface has two public IP addresses:
-          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
-          iptables statistics match to masquerade outgoing connections evenly
-          between these two addresses.</para>
-
-          <programlisting>/etc/shorewall/masq:
-
-       #INTERFACE    SOURCE         ADDRESS 
-       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          ::/0           2001:470:a:227::2 
-</programlisting>
-
-          <para>If INLINE_MATCHES=Yes in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
-          then these rules may be specified as follows:</para>
-
-          <programlisting>/etc/shorewall/masq:
-
-       #INTERFACE    SOURCE         ADDRESS 
-       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          ::/0           2001:470:a:227::2</programlisting>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

@@ -766,8 +723,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/masq</para>
-
-    <para>/etc/shorewall6/masq</para>
  </refsect1>

  <refsect1>
@@ -776,6 +731,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
+    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-modules.xml
+++ b/Shorewall/manpages/shorewall-modules.xml
@@ -18,11 +18,11 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/usr/share/shorewall[6]/modules</command>
+      <command>/usr/share/shorewall/modules</command>
    </cmdsynopsis>

    <cmdsynopsis>
-      <command>/usr/share/shorewall[6]/helpers</command>
+      <command>/usr/share/shorewall/helpers</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -51,7 +51,7 @@

    <para>The <replaceable>modulename</replaceable> names a kernel module
    (without suffix). Shorewall will search for modules based on your
-    MODULESDIR setting in <ulink
+    MODULESDIR and MODULE_SUFFIX settings in <ulink
    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(8). The
    <replaceable>moduleoption</replaceable>s are passed to modprobe (if
    installed) or to insmod.</para>
@@ -82,19 +82,19 @@
    <para>/etc/shorewall/modules</para>

    <para>/etc/shorewall/helpers</para>
-
-    <para>/usr/share/shorewall6/modules</para>
-
-    <para>/usr/share/shorewall6/helpers</para>
-
-    <para>/etc/shorewall6/modules</para>
-
-    <para>/etc/shorewall6/helpers</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-nat.xml
+++ b/Shorewall/manpages/shorewall-nat.xml
@@ -34,8 +34,6 @@
      url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>. Also,
      in many cases, Proxy ARP (<ulink
      url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
-      or Proxy-NDP(<ulink
-      url="/manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp</ulink>(5))
      is a better solution that one-to-one NAT.</para>
    </warning>

@@ -210,8 +208,6 @@ all		all		REJECT		info
    <title>FILES</title>

    <para>/etc/shorewall/nat</para>
-
-    <para>/etc/shorewall6/nat</para>
  </refsect1>

  <refsect1>
@@ -223,6 +219,14 @@ all		all		REJECT		info
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-nesting.xml
+++ b/Shorewall/manpages/shorewall-nesting.xml
@@ -200,16 +200,6 @@
    <para>/etc/shorewall/policy</para>

    <para>/etc/shorewall/rules</para>
-
-    <para>/etc/shorewall6/zones</para>
-
-    <para>/etc/shorewall6/interfaces</para>
-
-    <para>/etc/shorewall6/hosts</para>
-
-    <para>/etc/shorewall6/policy</para>
-
-    <para>/etc/shorewall6/rules</para>
  </refsect1>

  <refsect1>
--- a/Shorewall/manpages/shorewall-netmap.xml
+++ b/Shorewall/manpages/shorewall-netmap.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/netmap</command>
+      <command>/etc/shorewall/netmap</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -44,6 +44,8 @@
        role="bold">SNAT}</emphasis></term>

        <listitem>
+          <para>Must be DNAT or SNAT</para>
+
          <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
          its destination address rewritten to the corresponding address in
          NET2.</para>
@@ -167,8 +169,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/netmap</para>
-
-    <para>/etc/shorewall6/netmap</para>
  </refsect1>

  <refsect1>
@@ -180,6 +180,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-params.xml
+++ b/Shorewall/manpages/shorewall-params.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/params</command>
+      <command>/etc/shorewall/params</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -107,7 +107,7 @@

    <programlisting>NET_IF=eth0
 NET_BCAST=130.252.100.255
-NET_OPTIONS=routefilter</programlisting>
+NET_OPTIONS=routefilter,norfc1918</programlisting>

    <para>Example <ulink
    url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
@@ -119,15 +119,13 @@ net     $NET_IF         $NET_BCAST      $NET_OPTIONS</programlisting>
    <para>This is the same as if the interfaces file had contained:</para>

    <programlisting>ZONE    INTERFACE       BROADCAST       OPTIONS
-net     eth0            130.252.100.255 routefilter</programlisting>
+net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
  </refsect1>

  <refsect1>
    <title>FILES</title>

    <para>/etc/shorewall/params</para>
-
-    <para>/etc/shorewall6/params</para>
  </refsect1>

  <refsect1>
@@ -136,6 +134,14 @@ net     eth0            130.252.100.255 routefilter</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Variables">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/policy</command>
+      <command>/etc/shorewall/policy</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -33,30 +33,25 @@
      <para>The order of entries in this file is important</para>

      <para>This file determines what to do with a new connection request if
-      we don't get a match from the <ulink
-      url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink>(5) or
-      <ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5)
-      files. For each source/destination pair, the file is processed in order
-      until a match is found ("all" will match any source or
-      destination).</para>
+      we don't get a match from the /etc/shorewall/rules file . For each
+      source/destination pair, the file is processed in order until a match is
+      found ("all" will match any source or destination).</para>
    </important>

    <important>
      <para>Intra-zone policies are pre-defined</para>

-      <para>For $FW and for all of the zones defined in <ulink
-      url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), the
-      POLICY for connections from the zone to itself is ACCEPT (with no
+      <para>For $FW and for all of the zones defined in /etc/shorewall/zones,
+      the POLICY for connections from the zone to itself is ACCEPT (with no
      logging or TCP connection rate limiting) but may be overridden by an
      entry in this file. The overriding entry must be explicit (specifying
      the zone name in both SOURCE and DEST) or it must use "all+" (Shorewall
      4.5.17 or later).</para>

-      <para>Similarly, if you have IMPLICIT_CONTINUE=Yes in <ulink
-      url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then the
-      implicit policy to/from any sub-zone is CONTINUE. These implicit
-      CONTINUE policies may also be overridden by an explicit entry in this
-      file.</para>
+      <para>Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
+      then the implicit policy to/from any sub-zone is CONTINUE. These
+      implicit CONTINUE policies may also be overridden by an explicit entry
+      in this file.</para>
    </important>

    <para>The columns in the file are as follows (where the column name is
@@ -401,8 +396,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/policy</para>
-
-    <para>/etc/shorewall6/policy</para>
  </refsect1>

  <refsect1>
@@ -411,6 +404,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -82,11 +82,14 @@
          url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
          file to direct packets to this provider.</para>

-          <para>If PROVIDER_OFFSET is non-zero in <ulink
+          <para>If HIGH_ROUTE_MARKS=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          the value must be a mutiple of 2^^PROVIDER_OFFSET. In all cases, the
-          number of significant bits may not exceed PROVIDER_OFFSET +
-          PROVIDER_BITS.</para>
+          the value must be a multiple of 256 between 256 and 65280 or their
+          hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
+          of the value being zero). Otherwise, the value must be between 1 and
+          255. Each provider must be assigned a unique mark value. This column
+          may be omitted if you don't use packet marking to direct connections
+          to a particular provider.</para>
        </listitem>
      </varlistentry>

@@ -113,9 +116,9 @@
          listed in <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
          In general, that interface should not have the
-          <option>proxyarp</option> or <option>proxyndp</option> option
-          specified unless <option>loose</option> is given in the OPTIONS
-          column of this entry.</para>
+          <option>proxyarp</option> option specified unless
+          <option>loose</option> is given in the OPTIONS column of this
+          entry.</para>

          <para>Where more than one provider is serviced through a single
          interface, the <emphasis>interface</emphasis> must be followed by a
@@ -214,14 +217,7 @@
                BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
                unless the <option>fallback</option>, <option>loose</option>,
                <option>load</option> or <option>tproxy</option> option is
-                specified.I</para>
-
-                <caution>
-                  <para>In IPV6, the <option>balance</option> option does not
-                  cause balanced default routes to be created; it rather
-                  causes a sequence of default routes with different metrics
-                  to be created. </para>
-                </caution>
+                specified.</para>
              </listitem>
            </varlistentry>

@@ -344,14 +340,6 @@
                <para>Prior to Shorewall 4.4.24, the option is ignored with a
                warning message if USE_DEFAULT_RT=Yes in
                <filename>shorewall.conf</filename>.</para>
-
-                <caution>
-                  <para>In IPV6, specifying the <option>fallback</option>
-                  option on multiple providers does not cause balanced
-                  fallback routes to be created; it rather causes a sequence
-                  of fallback routes with different metrics to be
-                  created.</para>
-                </caution>
              </listitem>
            </varlistentry>

@@ -473,7 +461,7 @@

    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>

        <listitem>
          <para>You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
@@ -485,7 +473,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 2:</term>
+        <term>Example 2:</term>

        <listitem>
          <para>eth0 connects to ISP 1. The IP address of eth0 is
@@ -503,36 +491,6 @@
        ISP2  2       2    main      eth1      130.252.99.254  track,balance      eth2</programlisting>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 1:</term>
-
-        <listitem>
-          <para>You run squid in your DMZ on IP address 2002:ce7c:92b4:1::2.
-          Your DMZ interface is eth2</para>
-
-          <programlisting>        #NAME   NUMBER  MARK DUPLICATE  INTERFACE GATEWAY              OPTIONS
-        Squid   1       1    -          eth2      2002:ce7c:92b4:1::2  -</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 2:</term>
-
-        <listitem>
-          <para>eth0 connects to ISP 1. The ISP's gateway router has IP
-          address 2001:ce7c:92b4:1::2.</para>
-
-          <para>eth1 connects to ISP 2. The ISP's gateway router has IP
-          address 2001:d64c:83c9:12::8b.</para>
-
-          <para>eth2 connects to a local network.</para>
-
-          <programlisting>        #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY               OPTIONS    COPY
-        ISP1  1       1    main      eth0     2001:ce7c:92b4:1::2   track      eth2
-        ISP2  2       2    main      eth1     2001:d64c:83c9:12::8b track      eth2</programlisting>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

@@ -540,8 +498,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/providers</para>
-
-    <para>/etc/shorewall6/providers</para>
  </refsect1>

  <refsect1>
@@ -553,6 +509,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-proxyarp.xml
+++ b/Shorewall/manpages/shorewall-proxyarp.xml
@@ -25,8 +25,6 @@
  <refsect1>
    <title>Description</title>

-    <para>IPv4 only.</para>
-
    <para>This file is used to define Proxy ARP. There is one entry in this
    file for each IP address to be proxied.</para>

@@ -141,6 +139,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-routes.xml
+++ b/Shorewall/manpages/shorewall-routes.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/routes</command>
+      <command>/etc/shorewall/routes</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -109,8 +109,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/routes</para>
-
-    <para>/etc/shorewall6/routes</para>
  </refsect1>

  <refsect1>
@@ -119,6 +117,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-rtrules.xml
+++ b/Shorewall/manpages/shorewall-rtrules.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/rtrules</command>
+      <command>/etc/shorewall/rtrules</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -177,7 +177,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 2:</term>
+        <term>Example 2:</term>

        <listitem>
          <para>You use OpenVPN (routed setup /tunX) in combination with
@@ -199,8 +199,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/rtrules</para>
-
-    <para>/etc/shorewall6/rtrules</para>
  </refsect1>

  <refsect1>
@@ -212,6 +210,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/rules</command>
+      <command>/etc/shorewall/rules</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -54,8 +54,7 @@
        <listitem>
          <para>This section was added in Shorewall 4.4.23. Rules in this
          section are applied, regardless of the connection tracking state of
-          the packet and are applied before rules in the other
-          sections.</para>
+          the packet.</para>
        </listitem>
      </varlistentry>

@@ -212,8 +211,7 @@
                role="bold">DNAT</emphasis>[<emphasis
                role="bold">-</emphasis>] or <emphasis
                role="bold">REDIRECT</emphasis>[<emphasis
-                role="bold">-</emphasis>] rules. Use with IPv6 requires
-                Shorewall 4.5.14 or later.</para>
+                role="bold">-</emphasis>] rules.</para>
              </listitem>
            </varlistentry>

@@ -234,7 +232,7 @@
                <para>The name of an <emphasis>action</emphasis> declared in
                <ulink
                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
-                or in /usr/share/shorewall[6]/actions.std.</para>
+                or in /usr/share/shorewall/actions.std.</para>
              </listitem>
            </varlistentry>

@@ -288,8 +286,7 @@
              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT,
                ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support
-                in the kernel and iptables. A_ACCEPT+ with IPv6 requires
-                Shorewall 4.5.14 or later.</para>
+                in the kernel and iptables.</para>
              </listitem>
            </varlistentry>

@@ -404,8 +401,7 @@

              <listitem>
                <para>Forward the request to another system (and optionally
-                another port). Use with IPv6 requires Shorewall 4.5.14 or
-                later.</para>
+                another port).</para>
              </listitem>
            </varlistentry>

@@ -418,8 +414,7 @@
                <para>Like <emphasis role="bold">DNAT</emphasis> but only
                generates the <emphasis role="bold">DNAT</emphasis> iptables
                rule and not the companion <emphasis
-                role="bold">ACCEPT</emphasis> rule. Use with IPv6 requires
-                Shorewall 4.5.14 or later.</para>
+                role="bold">ACCEPT</emphasis> rule.</para>
              </listitem>
            </varlistentry>

@@ -501,11 +496,11 @@
              [<replaceable>option</replaceable> ...])</term>

              <listitem>
-                <para>IPv4 only. This action allows you to specify an iptables
-                target with options (e.g., 'IPTABLES(MARK --set-xmark
-                0x01/0xff)'. If the <replaceable>iptables-target</replaceable>
-                is not one recognized by Shorewall, the following error
-                message will be issued:</para>
+                <para>This action allows you to specify an iptables target
+                with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
+                the <replaceable>iptables-target</replaceable> is not one
+                recognized by Shorewall, the following error message will be
+                issued:</para>

                <programlisting>    ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>

@@ -526,39 +521,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis
-              role="bold">IP6TABLES</emphasis>({<replaceable>ip6tables-target</replaceable>
-              [<replaceable>option</replaceable> ...])</term>
-
-              <listitem>
-                <para>IPv6 only. This action allows you to specify an
-                ip6tables target with options (e.g., 'IPTABLES(MARK
-                --set-xmark 0x01/0xff)'. If the
-                <replaceable>ip6tables-target</replaceable> is not one
-                recognized by Shorewall, the following error message will be
-                issued:</para>
-
-                <programlisting>    ERROR: Unknown target (<replaceable>ip6tables-target</replaceable>)</programlisting>
-
-                <para>This error message may be eliminated by adding
-                the<replaceable>
-                ip6tables-</replaceable><replaceable>target</replaceable> as a
-                builtin action in <ulink
-                url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
-
-                <important>
-                  <para>If you specify REJECT as the
-                  <replaceable>ip6tables-target</replaceable>, the target of
-                  the rule will be the i6ptables REJECT target and not
-                  Shorewall's builtin 'reject' chain which is used when REJECT
-                  (see below) is specified as the
-                  <replaceable>target</replaceable> in the ACTION
-                  column.</para>
-                </important>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis
              role="bold">LOG:<replaceable>level</replaceable></emphasis></term>
@@ -711,8 +673,7 @@
                <para>Excludes the connection from any subsequent <emphasis
                role="bold">DNAT</emphasis>[-] or <emphasis
                role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
-                a rule to accept the traffic. Use with IPv6 requires Shorewall
-                4.5.14 or later.</para>
+                a rule to accept the traffic.</para>
              </listitem>
            </varlistentry>

@@ -747,7 +708,7 @@

                <para>Beginning with Shorewall 5.0.8, the type of reject may
                be specified in the <replaceable>option</replaceable>
-                paramater. Valid IPv4 <replaceable>option</replaceable> values
+                paramater. Valid <replaceable>option</replaceable> values
                are:</para>

                <simplelist>
@@ -770,28 +731,6 @@
                  option may also be specified as
                  <option>tcp-reset</option>.</member>
                </simplelist>
-
-                <para>Valid IPv6 <replaceable>option</replaceable> values
-                are:</para>
-
-                <simplelist>
-                  <member><option>icmp6-no-route</option></member>
-
-                  <member><option>no-route</option></member>
-
-                  <member><option>i</option><option>cmp6-adm-prohibited</option></member>
-
-                  <member><option>adm-prohibited</option></member>
-
-                  <member><option>icmp6-addr-unreachable</option></member>
-
-                  <member><option>addr-unreach</option></member>
-
-                  <member><option>icmp6-port-unreachable</option></member>
-
-                  <member><option>tcp-reset</option> (the PROTO column must
-                  specify TCP)</member>
-                </simplelist>
              </listitem>
            </varlistentry>

@@ -810,8 +749,7 @@

              <listitem>
                <para>Redirect the request to a server running on the
-                firewall. Use with IPv6 requires Shorewall 4.5.14 or
-                later.</para>
+                firewall.</para>
              </listitem>
            </varlistentry>

@@ -824,8 +762,7 @@
                <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
                generates the <emphasis role="bold">REDIRECT</emphasis>
                iptables rule and not the companion <emphasis
-                role="bold">ACCEPT</emphasis> rule. Use with IPv6 requires
-                Shorewall 4.5.14 or later.</para>
+                role="bold">ACCEPT</emphasis> rule.</para>
              </listitem>
            </varlistentry>

@@ -905,9 +842,9 @@
              role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>

              <listitem>
-                <para>IPv4 only. Added in Shorewall 4.5.10. Queues matching
-                packets to a back end logging daemon via a netlink socket then
-                continues to the next rule. See <ulink
+                <para>Added in Shorewall 4.5.10. Queues matching packets to a
+                back end logging daemon via a netlink socket then continues to
+                the next rule. See <ulink
                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>

                <para>Similar to<emphasis role="bold">
@@ -952,10 +889,10 @@
            </listitem>
          </itemizedlist>

-          <para>You may also specify <emphasis role="bold">ULOG</emphasis>
-          (IPv4 only) or <emphasis role="bold">NFLOG</emphasis> (must be in
-          upper case) as a log level.This will log to the ULOG or NFLOG target
-          for routing to a separate log through use of ulogd (<ulink
+          <para>You may also specify <emphasis role="bold">ULOG</emphasis> or
+          <emphasis role="bold">NFLOG</emphasis> (must be in upper case) as a
+          log level.This will log to the ULOG or NFLOG target for routing to a
+          separate log through use of ulogd (<ulink
          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>

          <para>Actions specifying logging may be followed by a log tag (a
@@ -985,9 +922,9 @@

              <listitem>
                <para>The name of a zone defined in <ulink
-                url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).
-                When only the zone name is specified, the packet source may be
-                any host in that zone.</para>
+                url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). When
+                only the zone name is specified, the packet source may be any
+                host in that zone.</para>

                <para>zone may also be one of the following:</para>

@@ -1054,10 +991,9 @@
                <replaceable>zone</replaceable> in either <ulink
                url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
                or <ulink
-                url="/manpages/shorewall.hosts.html">shorewall-hosts</ulink>(5).
-                Only packets from hosts in the <replaceable>zone</replaceable>
-                that arrive through the named interface will match the
-                rule.</para>
+                url="/manpages/shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
+                packets from hosts in the <replaceable>zone</replaceable> that
+                arrive through the named interface will match the rule.</para>
              </listitem>
            </varlistentry>

@@ -1272,49 +1208,6 @@
                of the net zone.</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term>dmz:[2002:ce7c:2b4:1::2]</term>
-
-              <listitem>
-                <para>Host 2002:ce7c:92b4:1::2 in the DMZ</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:2001:4d48:ad51:24::/64</term>
-
-              <listitem>
-                <para>Subnet 2001:4d48:ad51:24::/64 on the Internet</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]</term>
-
-              <listitem>
-                <para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
-                local zone.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>loc:~00-A0-C9-15-39-78</term>
-
-              <listitem>
-                <para>Host in the local zone with MAC address
-                00:A0:C9:15:39:78.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80</term>
-
-              <listitem>
-                <para>Subnet 2001:4d48:ad51:24::/64 on the Internet except for
-                2001:4d48:ad51:24:6::/80.</para>
-              </listitem>
-            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@@ -1336,9 +1229,9 @@

              <listitem>
                <para>The name of a zone defined in <ulink
-                url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).
-                When only the zone name is specified, the packet destination
-                may be any host in that zone.</para>
+                url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). When
+                only the zone name is specified, the packet destination may be
+                any host in that zone.</para>

                <para>zone may also be one of the following:</para>

@@ -1405,9 +1298,9 @@
                <replaceable>zone</replaceable> in either <ulink
                url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
                or <ulink
-                url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
-                Only packets to hosts in the <replaceable>zone</replaceable>
-                that are sent through the named interface will match the
+                url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5). Only
+                packets to hosts in the <replaceable>zone</replaceable> that
+                are sent through the named interface will match the
                rule.</para>
              </listitem>
            </varlistentry>
@@ -2189,100 +2082,12 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">HEADERS -
-        [!][any:|exactly:]</emphasis><replaceable>header-list
-        </replaceable>(Optional - Added in Shorewall 4.4.15)</term>
+        <term><emphasis role="bold">HEADERS</emphasis></term>

        <listitem>
-          <para>This column is only used in IPv6. In IPv4, supply "-" in this
-          column if you with to place a value in one of the following
-          columns.</para>
-
-          <para>The <replaceable>header-list</replaceable> consists of a
-          comma-separated list of headers from the following list.</para>
-
-          <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">auth</emphasis>, <emphasis
-              role="bold">ah</emphasis>, or <emphasis
-              role="bold">51</emphasis></term>
-
-              <listitem>
-                <para><firstterm>Authentication Headers</firstterm> extension
-                header.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">esp</emphasis>, or <emphasis
-              role="bold">50</emphasis></term>
-
-              <listitem>
-                <para><firstterm>Encrypted Security Payload</firstterm>
-                extension header.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">hop</emphasis>, <emphasis
-              role="bold">hop-by-hop</emphasis> or <emphasis
-              role="bold">0</emphasis></term>
-
-              <listitem>
-                <para>Hop-by-hop options extension header.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">route</emphasis>, <emphasis
-              role="bold">ipv6-route</emphasis> or <emphasis
-              role="bold">43</emphasis></term>
-
-              <listitem>
-                <para>IPv6 Route extension header.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">frag</emphasis>, <emphasis
-              role="bold">ipv6-frag</emphasis> or <emphasis
-              role="bold">44</emphasis></term>
-
-              <listitem>
-                <para>IPv6 fragmentation extension header.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">none</emphasis>, <emphasis
-              role="bold">ipv6-nonxt</emphasis> or <emphasis
-              role="bold">59</emphasis></term>
-
-              <listitem>
-                <para>No next header</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">proto</emphasis>, <emphasis
-              role="bold">protocol</emphasis> or <emphasis
-              role="bold">255</emphasis></term>
-
-              <listitem>
-                <para>Any protocol header.</para>
-              </listitem>
-            </varlistentry>
-          </variablelist>
-
-          <para>If <emphasis role="bold">any:</emphasis> is specified, the
-          rule will match if any of the listed headers are present. If
-          <emphasis role="bold">exactly:</emphasis> is specified, the will
-          match packets that exactly include all specified headers. If neither
-          is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
-
-          <para>If <emphasis role="bold">!</emphasis> is entered, the rule
-          will match those packets which would not be matched when <emphasis
-          role="bold">!</emphasis> is omitted.</para>
+          <para>Added in Shorewall 4.4.15. Not used in IPv4 configurations. If
+          you with to supply a value for one of the later columns, enter '-'
+          in this column.</para>
        </listitem>
      </varlistentry>

@@ -2608,20 +2413,6 @@
        SECCTX             builtin</programlisting>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term>Example 15:</term>
-
-        <listitem>
-          <para>You want to accept SSH connections to your firewall only from
-          internet IP addresses 2002:ce7c::92b4:1::2 and
-          2002:ce7c::92b4:1::22</para>
-
-          <programlisting>        #ACTION  SOURCE DEST            PROTO   DPORT   SPORT   ORIGDEST
-        ACCEPT   net:&lt;2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22&gt; \
-                        $FW              tcp     22</programlisting>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

@@ -2629,8 +2420,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/rules</para>
-
-    <para>/etc/shorewall6/rules</para>
  </refsect1>

  <refsect1>
@@ -2645,6 +2434,14 @@
    <para><ulink
    url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-blrules(5), shorewall-hosts(5),
+    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-secmarks.xml
+++ b/Shorewall/manpages/shorewall-secmarks.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/secmarks</command>
+      <command>/etc/shorewall/secmarks</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -229,7 +229,7 @@
        role="bold">all}[,...]</emphasis></term>

        <listitem>
-          <para>See <ulink
+          <para> See <ulink
          url="shorewall-rules.html">shorewall-rules(5)</ulink> for
          details.</para>

@@ -404,8 +404,6 @@ RESTORE                               I:ER</programlisting>
    <title>FILES</title>

    <para>/etc/shorewall/secmarks</para>
-
-    <para>/etc/shorewall6/secmarks</para>
  </refsect1>

  <refsect1>
@@ -417,6 +415,14 @@ RESTORE                               I:ER</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/snat</command>
+      <command>/etc/shorewall/snat</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -86,7 +86,7 @@
                ADD_SNAT_ALIASES is set to Yes or yes in <ulink
                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                then Shorewall will automatically add this address to the
-                INTERFACE named in the first column (IPv4 only).</para>
+                INTERFACE named in the first column.</para>

                <para>You may also specify a range of up to 256 IP addresses
                if you want the SNAT address to be assigned from that range in
@@ -105,7 +105,9 @@
                role="bold">:random</emphasis>) with <emphasis
                role="bold">:persistent</emphasis>. This is only useful when
                an address range is specified and causes a client to be given
-                the same source/destination IP pair.</para>
+                the same source/destination IP pair. This feature replaces the
+                SAME modifier which was removed from Shorewall in version
+                4.4.0.</para>

                <para>You may also use the special value
                <option>detect</option> which causes Shorewall to determine
@@ -148,8 +150,8 @@
              <listitem>
                <para>where <replaceable>action</replaceable> is an action
                declared in <ulink
-                url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>
-                with the <option>nat</option> option. See <ulink
+                url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink> with
+                the <option>nat</option> option. See <ulink
                url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
                further information.</para>
              </listitem>
@@ -255,8 +257,7 @@
        <listitem>
          <para>If you wish to restrict this entry to a particular protocol
          then enter the protocol name (from protocols(5)) or number here. See
-          <ulink
-          url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for
+          <ulink url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for
          details.</para>

          <para>Beginning with Shorewall 4.5.12, this column can accept a
@@ -598,7 +599,7 @@

    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>

        <listitem>
          <para>You have a simple masquerading setup where eth0 connects to a
@@ -613,7 +614,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 2:</term>
+        <term>Example 2:</term>

        <listitem>
          <para>You add a router to your local network to connect subnet
@@ -627,7 +628,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 3:</term>
+        <term>Example 3:</term>

        <listitem>
          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
@@ -641,7 +642,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 4:</term>
+        <term>Example 4:</term>

        <listitem>
          <para>You want all outgoing SMTP traffic entering the firewall from
@@ -665,7 +666,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 5:</term>
+        <term>Example 5:</term>

        <listitem>
          <para>Connections leaving on eth0 and destined to any host defined
@@ -678,7 +679,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 6:</term>
+        <term>Example 6:</term>

        <listitem>
          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -700,34 +701,19 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv6 Example 1:</term>
+        <term>Example 7:</term>

        <listitem>
-          <para>You have a simple 'masquerading' setup where eth0 connects to
-          a DSL or cable modem and eth1 connects to your local network with
-          subnet 2001:470:b:787::0/64</para>
-
-          <para>Your entry in the file will be:</para>
-
-          <programlisting>        #ACTION      SOURCE                  DEST
-        MASQUERADE   2001:470:b:787::0/64    eth0</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 2:</term>
-
-        <listitem>
-          <para>Your sit1 interface has two public IP addresses:
-          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
-          iptables statistics match to masquerade outgoing connections evenly
-          between these two addresses.</para>
+          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
+          70.90.191.123. You want to use the iptables statistics match to
+          masquerade outgoing connections evenly between these two
+          addresses.</para>

          <programlisting>/etc/shorewall/snat:

-       #ACTION                      SOURCE     DEST
-       SNAT(2001:470:a:227::1)      ::/0       sit1              { probability=0.50 }
-       SNAT(2001:470:a:227::2)      ::/0       sit</programlisting>
+       #ACTION                 SOURCE           DEST
+       SNAT(70.90.191.121)     -                eth1 { probability=.50 }
+       SNAT(70.90.191.123)     -                eth1</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -737,8 +723,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/snat</para>
-
-    <para>/etc/shorewall6/snat</para>
  </refsect1>

  <refsect1>
@@ -747,6 +731,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
+    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-stoppedrules.xml
+++ b/Shorewall/manpages/shorewall-stoppedrules.xml
@@ -19,7 +19,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/stoppedrules</command>
+      <command>/etc/shorewall/stoppedrules</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -153,8 +153,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/stoppedrules</para>
-
-    <para>/etc/shorewall6/stoppedrules</para>
  </refsect1>

  <refsect1>
@@ -166,6 +164,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/tcclasses</command>
+      <command>/etc/shorewall/tcclasses</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -763,8 +763,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/tcclasses</para>
-
-    <para>/etc/shorewall6/tcclasses</para>
  </refsect1>

  <refsect1>
@@ -780,6 +778,14 @@

    <para>tc-red(8)</para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcdevices.xml
+++ b/Shorewall/manpages/shorewall-tcdevices.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/tcdevices</command>
+      <command>/etc/shorewall/tcdevices</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -276,8 +276,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/tcdevices</para>
-
-    <para>/etc/shorewall6/tcdevices</para>
  </refsect1>

  <refsect1>
@@ -294,6 +292,14 @@
    <para><ulink
    url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/tcfilters</command>
+      <command>/etc/shorewall/tcfilters</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -89,12 +89,12 @@
          Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
          may be used if your kernel and ip6tables have the <firstterm>Basic
          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
-          (5)</ulink>. The ipset name may optionally be followed by a number
-          or a comma separated list of src and/or dst enclosed in square
-          brackets ([...]). See <ulink
-          url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink>
-          for details.</para>
+          <ulink url="/manpages/shorewall.conf.html">shorewall.conf (5)</ulink>. The
+          ipset name may optionally be followed by a number or a comma
+          separated list of src and/or dst enclosed in square brackets
+          ([...]). See <ulink
+          url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
+          details.</para>
        </listitem>
      </varlistentry>

@@ -108,12 +108,12 @@
          Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
          may be used if your kernel and ip6tables have the <firstterm>Basic
          Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
-          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
-          (5)</ulink>. The ipset name may optionally be followed by a number
-          or a comma separated list of src and/or dst enclosed in square
-          brackets ([...]). See <ulink
-          url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink>
-          for details.</para>
+          <ulink url="/manpages/shorewall.conf.html">shorewall.conf (5)</ulink>. The
+          ipset name may optionally be followed by a number or a comma
+          separated list of src and/or dst enclosed in square brackets
+          ([...]). See <ulink
+          url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
+          details.</para>

          <para>You may exclude certain hosts from the set already defined
          through use of an <emphasis>exclusion</emphasis> (see <ulink
@@ -288,7 +288,7 @@

    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>

        <listitem>
          <para>Place all 'ping' traffic on interface 1 in class 10. Note that
@@ -310,7 +310,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 2:</term>
+        <term>Example 2:</term>

        <listitem>
          <para>Add two filters with priority 10 (Shorewall 4.5.8 or
@@ -324,22 +324,6 @@
       1:10      0.0.0.0/0 0.0.0.0/0    icmp    echo-reply      10</programlisting>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 1:</term>
-
-        <listitem>
-          <para>Add two filters with priority 10 (Shorewall 4.5.8 or
-          later).</para>
-
-          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DPORT           PRIORITY
-
-       IPV6
-
-       1:10      ::/0      ::/0         icmp    echo-request    10
-       1:10      ::/0      ::/0         icmp    echo-reply      10</programlisting>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

@@ -347,8 +331,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/tcfilters</para>
-
-    <para>/etc/shorewall6/tcfilters</para>
  </refsect1>

  <refsect1>
@@ -366,6 +348,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcinterfaces.xml
+++ b/Shorewall/manpages/shorewall-tcinterfaces.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/tcinterfaces</command>
+      <command>/etc/shorewall/tcinterfaces</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -201,9 +201,7 @@
  <refsect1>
    <title>FILES</title>

-    <para>/etc/shorewall/tcinterfaces</para>
-
-    <para>/etc/shorewall6/tcinterfaces</para>
+    <para>/etc/shorewall/tcinterfaces.</para>
  </refsect1>

  <refsect1>
@@ -215,6 +213,14 @@
    <para><ulink
    url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcpri(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcpri.xml
+++ b/Shorewall/manpages/shorewall-tcpri.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/tcpri</command>
+      <command>/etc/shorewall/tcpri</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -148,8 +148,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/tcpri</para>
-
-    <para>/etc/shorewall6/tcpri</para>
  </refsect1>

  <refsect1>
@@ -158,6 +156,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>prio(8), shorewall(8)</para>
+    <para>prio(8), shorewall(8), shorewall-accounting(5),
+    shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
+    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tunnels.xml
+++ b/Shorewall/manpages/shorewall-tunnels.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/tunnels</command>
+      <command>/etc/shorewall/tunnels</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -173,7 +173,7 @@

    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>

        <listitem>
          <para>IPSec tunnel.</para>
@@ -187,7 +187,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 2:</term>
+        <term>Example 2:</term>

        <listitem>
          <para>Road Warrior (LapTop that may connect from anywhere) where the
@@ -199,7 +199,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 3:</term>
+        <term>Example 3:</term>

        <listitem>
          <para>Host 4.33.99.124 is a standalone system connected via an ipsec
@@ -211,7 +211,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 4:</term>
+        <term>Example 4:</term>

        <listitem>
          <para>Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The
@@ -225,7 +225,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 5:</term>
+        <term>Example 5:</term>

        <listitem>
          <para>You run the Linux PPTP client on your firewall and connect to
@@ -237,7 +237,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 6:</term>
+        <term>Example 6:</term>

        <listitem>
          <para>You run a PPTP server on your firewall.</para>
@@ -260,7 +260,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 8:</term>
+        <term>Example 8:</term>

        <listitem>
          <para>You have a tunnel that is not one of the supported types. Your
@@ -273,7 +273,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 9:</term>
+        <term>Example 9:</term>

        <listitem>
          <para>TINC tunnel where the remote gateways are not specified. If
@@ -284,83 +284,6 @@
        tinc             net     0.0.0.0/0</programlisting>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 1:</term>
-
-        <listitem>
-          <para>IPSec tunnel.</para>
-
-          <para>The remote gateway is 2001:cec792b4:1::44. The tunnel does not
-          use the AH protocol</para>
-
-          <programlisting>        #TYPE           ZONE    GATEWAY
-        ipsec:noah      net     2002:cec792b4:1::44</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 2:</term>
-
-        <listitem>
-          <para>Road Warrior (LapTop that may connect from anywhere) where the
-          "gw" zone is used to represent the remote LapTop</para>
-
-          <programlisting>        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
-        ipsec           net     ::/0                    gw</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 3:</term>
-
-        <listitem>
-          <para>Host 2001:cec792b4:1::44 is a standalone system connected via
-          an ipsec tunnel to the firewall system. The host is in zone
-          gw.</para>
-
-          <programlisting>        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
-        ipsec           net     2001:cec792b4:1::44     gw</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 4:</term>
-
-        <listitem>
-          <para>OPENVPN tunnel. The remote gateway is 2001:cec792b4:1::44 and
-          openvpn uses port 7777.</para>
-
-          <programlisting>        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
-        openvpn:7777    net     2001:cec792b4:1::44</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 8:</term>
-
-        <listitem>
-          <para>You have a tunnel that is not one of the supported types. Your
-          tunnel uses UDP port 4444. The other end of the tunnel is
-          2001:cec792b4:1::44.</para>
-
-          <programlisting>        #TYPE            ZONE    GATEWAY                GATEWAY ZONES
-        generic:udp:4444 net     2001:cec792b4:1::44</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 9:</term>
-
-        <listitem>
-          <para>TINC tunnel where the remote gateways are not specified. If
-          you wish to specify a list of gateways, you can do so in the GATEWAY
-          column.</para>
-
-          <programlisting>        #TYPE            ZONE    GATEWAY          GATEWAY ZONES
-        tinc             net     ::/0</programlisting>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

@@ -368,8 +291,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/tunnels</para>
-
-    <para>/etc/shorewall6/tunnels</para>
  </refsect1>

  <refsect1>
@@ -378,6 +299,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-vardir.xml
+++ b/Shorewall/manpages/shorewall-vardir.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/vardir</command>
+      <command>/etc/shorewall/vardir</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -28,8 +28,7 @@
    <para>This file does not exist by default. You may create the file if you
    want to change the directory used by Shorewall to store state information,
    including compiled firewall scripts. By default, the directory used is
-    <filename>/var/lib/shorewall/</filename> for IPv4 and /var/lib/shorewall6/
-    for IPv6</para>
+    <filename>/var/lib/shorewall/</filename>.</para>

    <para>The file contains a single variable assignment:</para>

@@ -51,13 +50,19 @@
    <title>FILES</title>

    <para>/etc/shorewall/vardir</para>
-
-    <para>/etc/shorewall6/vardir</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-zones.xml
+++ b/Shorewall/manpages/shorewall-zones.xml
@@ -128,9 +128,9 @@
          <para>Example:</para>

          <programlisting>#ZONE     TYPE     OPTIONS         IN OPTIONS        OUT OPTIONS
-a         ip
-b         ip
-c:a,b     ip</programlisting>
+a         ipv4
+b         ipv4
+c:a,b     ipv4</programlisting>

          <para>Currently, Shorewall uses this information to reorder the zone
          list so that parent zones appear after their subzones in the list.
@@ -140,8 +140,8 @@ c:a,b     ip</programlisting>

          <para>Where an <emphasis role="bold">ipsec</emphasis> zone is
          explicitly included as a child of an <emphasis
-          role="bold">ip</emphasis> zone, the ruleset allows CONTINUE policies
-          (explicit or implicit) to work as expected.</para>
+          role="bold">ipv4</emphasis> zone, the ruleset allows CONTINUE
+          policies (explicit or implicit) to work as expected.</para>

          <para>In the future, Shorewall may make additional use of nesting
          information.</para>
@@ -154,7 +154,7 @@ c:a,b     ip</programlisting>
        <listitem>
          <variablelist>
            <varlistentry>
-              <term><emphasis role="bold">ip</emphasis></term>
+              <term><emphasis role="bold">ipv4</emphasis></term>

              <listitem>
                <para>This is the standard Shorewall zone type and is the
@@ -162,22 +162,17 @@ c:a,b     ip</programlisting>
                the column. Communication with some zone hosts may be
                encrypted. Encrypted hosts are designated using the 'ipsec'
                option in <ulink
-                url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
-                For clarity, this zone type may be specified as
-                <option>ipv4</option> in IPv4 configurations and
-                <option>ipv6</option> in IPv6 configurations.</para>
+                url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">ipsec</emphasis></term>
+              <term><emphasis role="bold">ipsec</emphasis> (or <emphasis
+              role="bold">ipsec4</emphasis>)</term>

              <listitem>
                <para>Communication with all zone hosts is encrypted. Your
-                kernel and iptables must include policy match support. For
-                clarity, this zone type may be specified as
-                <option>ipsec4</option> in IPv4 configurations and
-                <option>ipsec6</option> in IPv6 configurations.</para>
+                kernel and iptables must include policy match support.</para>
              </listitem>
            </varlistentry>

@@ -195,13 +190,12 @@ c:a,b     ip</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">bport</emphasis></term>
+              <term><emphasis role="bold">bport</emphasis> (or <emphasis
+              role="bold">bport4</emphasis>)</term>

              <listitem>
                <para>The zone is associated with one or more ports on a
-                single bridge. For clarity, this zone type may be specified as
-                <option>bport4</option> in IPv4 configurations and
-                <option>bport6</option> in IPv6 configurations.</para>
+                single bridge.</para>
              </listitem>
            </varlistentry>

@@ -430,8 +424,6 @@ c:a,b     ip</programlisting>
    <title>FILES</title>

    <para>/etc/shorewall/zones</para>
-
-    <para>/etc/shorewall6/zones</para>
  </refsect1>

  <refsect1>
@@ -443,6 +435,13 @@ c:a,b     ip</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-nesting(8), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -20,24 +20,15 @@
    <cmdsynopsis>
      <command>/etc/shorewall/shorewall.conf</command>
    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>/etc/shorewall6/shorewall6.conf</command>
-    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

-    <para>The IPv4 and IPv6 environments each have their own configuration.
-    The IPv4 configuration resides in /etc/shorewall/ while the IPv6
-    configuration resides in /etc/shorewall6/.</para>
+    <para>This file sets options that apply to Shorewall as a whole.</para>

-    <para>The .conf files set options that apply to Shorewall and Shorewall6
-    as a whole.</para>
-
-    <para>The .conf files consist of Shell comments (lines beginning with
-    '#'), blank lines and assignment statements
+    <para>The file consists of Shell comments (lines beginning with '#'),
+    blank lines and assignment statements
    (<emphasis>variable</emphasis>=<emphasis>value</emphasis>). If the
    <emphasis>value</emphasis> contains shell meta characters or white-space,
    then it must be enclosed in quotes. Example:
@@ -74,13 +65,16 @@
    level to choose, 6 (info) is a safe bet. You may specify levels by name or
    by number.</para>

-    <para>If you have built your kernel with ULOG (IPv4 only) and/or NFLOG
-    target support, you may also specify a log level of ULOG and/or NFLOG
-    (must be all caps). Rather than log its messages to syslogd, Shorewall
-    will direct netfilter to log the messages via the ULOG or NFLOG target
-    which will send them to a process called 'ulogd'. ulogd is available with
-    most Linux distributions (although it probably isn't installed by
-    default).</para>
+    <para>If you have built your kernel with ULOG and/or NFLOG target support,
+    you may also specify a log level of ULOG and/or NFLOG (must be all caps).
+    Rather than log its messages to syslogd, Shorewall will direct netfilter
+    to log the messages via the ULOG or NFLOG target which will send them to a
+    process called 'ulogd'. ulogd is available with most Linux distributions
+    (although it probably isn't installed by default). Ulogd is also available
+    from <ulink
+    url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>
+    and can be configured to log all Shorewall messages to their own log
+    file.</para>

    <note>
      <para>If you want to specify parameters to ULOG or NFLOG (e.g.,
@@ -88,7 +82,7 @@

      <para>Example:</para>

-      <programlisting>LOG_LEVEL="NFLOG(1,0,1)"</programlisting>
+      <programlisting>MACLIST_LOG_LEVEL="NFLOG(1,0,1)"</programlisting>
    </note>

    <para>Beginning with Shorewall 5.0.0, the log level may be followed by a
@@ -271,9 +265,8 @@
        <listitem>
          <para>This parameter determines whether Shorewall automatically adds
          the external address(es) in <ulink
-          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5), and is
-          only available in IPv4 configurations. If the variable is set to
-          <emphasis role="bold">Yes</emphasis> or <emphasis
+          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5). If the
+          variable is set to <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis> then Shorewall automatically adds these
          aliases. If it is set to <emphasis role="bold">No</emphasis> or
          <emphasis role="bold">no</emphasis>, you must add these aliases
@@ -300,14 +293,13 @@
        <listitem>
          <para>This parameter determines whether Shorewall automatically adds
          the SNAT ADDRESS in <ulink
-          url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5), and
-          is only available in IPv4 configurations. If the variable is set to
-          <emphasis role="bold">Yes</emphasis> or <emphasis
-          role="bold">yes</emphasis> then Shorewall automatically adds these
-          addresses. If it is set to <emphasis role="bold">No</emphasis> or
-          <emphasis role="bold">no</emphasis>, you must add these addresses
-          yourself using your distribution's network configuration
-          tools.</para>
+          url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5). If
+          the variable is set to <emphasis role="bold">Yes</emphasis> or
+          <emphasis role="bold">yes</emphasis> then Shorewall automatically
+          adds these addresses. If it is set to <emphasis
+          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
+          you must add these addresses yourself using your distribution's
+          network configuration tools.</para>

          <para>If this variable is not set or is given an empty value
          (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.</para>
@@ -387,10 +379,10 @@
        role="bold">ARPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>

        <listitem>
-          <para>Added in Shorewall 4.5.12 and available in IPv4 only. This
-          parameter names the arptables executable to be used by Shorewall. If
-          not specified or if specified as a null value, then the arptables
-          executable located using the PATH option is used.</para>
+          <para>Added in Shorewall 4.5.12. This parameter names the arptables
+          executable to be used by Shorewall. If not specified or if specified
+          as a null value, then the arptables executable located using the
+          PATH option is used.</para>

          <para>Regardless of how the arptables utility is located (specified
          via arptables= or located via PATH), Shorewall uses the
@@ -406,9 +398,8 @@
        <listitem>
          <para>Formerly named AUTO_COMMENT. If set, if there is not a current
          comment when a macro is invoked, the behavior is as if the first
-          line of the macro file was "COMMENT &lt;macro name&gt;". If not
-          specified, the AUTO_COMMENT option has a default value of
-          'Yes'.</para>
+          line of the macro file was "COMMENT &lt;macro name&gt;". The
+          AUTO_COMMENT option has a default value of 'Yes'.</para>
        </listitem>
      </varlistentry>

@@ -474,7 +465,7 @@
          command, then the compilation step is skipped and the compiled
          script that executed the last <command>start</command>, <emphasis
          role="bold">reload</emphasis> or <command>restart</command> command
-          is used. If not specified, the default is AUTOMAKE=No.</para>
+          is used. The default is AUTOMAKE=No.</para>

          <para>The setting of the AUTOMAKE option is ignored if the
          <command>start</command>, <emphasis role="bold">reload</emphasis> or
@@ -492,8 +483,8 @@
          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
          determines whether the <option>balance</option> provider option (see
          <ulink
-          url="/manpages/shorewall-providers.html">shorewall-providers(5)</ulink>)
-          is the default. When BALANCE_PROVIDERS=Yes, then the
+          url="/manpages/shorewall-providers.html">shorewall-providers(5)</ulink>) is
+          the default. When BALANCE_PROVIDERS=Yes, then the
          <option>balance</option> option is assumed unless the
          <option>fallback</option>, <option>loose</option>,
          <option>load</option> or <option>tproxy</option> option is
@@ -509,8 +500,8 @@
        <listitem>
          <para>Added in Shorewall-4.6.0. When set to <emphasis
          role="bold">Yes</emphasis>, causes entries in <ulink
-          url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>
-          to generate a basic filter rather than a u32 filter. This setting
+          url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> to
+          generate a basic filter rather than a u32 filter. This setting
          requires the <firstterm>Basic Ematch</firstterm> capability in your
          kernel and iptables.</para>

@@ -633,11 +624,6 @@
          marking defined in <ulink
          url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
          If not specified, CLEAR_TC=Yes is assumed.</para>
-
-          <warning>
-            <para>When you specify TC_ENABLED=shared (see below), then you
-            should also specify CLEAR_TC=No.</para>
-          </warning>
        </listitem>
      </varlistentry>

@@ -676,17 +662,17 @@
        role="bold">CONFIG_PATH</emphasis>=[<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term>

        <listitem>
-          <para>Specifies where configuration files other than
-          shorewall[6].conf may be found. CONFIG_PATH is specifies as a list
-          of directory names separated by colons (":"). When looking for a
-          configuration file:</para>
+          <para>Specifies where configuration files other than shorewall.conf
+          may be found. CONFIG_PATH is specifies as a list of directory names
+          separated by colons (":"). When looking for a configuration
+          file:</para>

          <itemizedlist>
            <listitem>
              <para>If the command is "try" or a "&lt;configuration
              directory&gt;" was specified in the command (e.g.,
-              <command>shorewall [-6] check ./gateway</command>) then the
-              directory given in the command is searched first.</para>
+              <command>shorewall check ./gateway</command>) then the directory
+              given in the command is searched first.</para>
            </listitem>

            <listitem>
@@ -711,8 +697,8 @@
        <listitem>
          <para>Added in Shorewall 4.5.12. When set to 'Yes' (the default),
          DNS names are validated in the compiler and then passed on to the
-          generated script where they are resolved by ip[6]tables-restore.
-          This is an advantage if you use AUTOMAKE=Yes and the IP address
+          generated script where they are resolved by iptables-restore. This
+          is an advantage if you use AUTOMAKE=Yes and the IP address
          associated with the DNS name is subject to change. When
          DEFER_DNS_RESOLUTION=No, DNS names are converted into IP addresses
          by the compiler. This has the advantage that when AUTOMAKE=Yes, the
@@ -729,7 +715,7 @@

        <listitem>
          <para>If set to Yes (the default value), entries in the
-          /etc/shorewall[6]/rtrules files cause an 'ip rule del' command to be
+          /etc/shorewall/rtrules files cause an 'ip rule del' command to be
          generated in addition to an 'ip rule add' command. Setting this
          option to No, causes the 'ip rule del' command to be omitted.</para>
        </listitem>
@@ -740,8 +726,6 @@
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

        <listitem>
-          <para>IPv4 only.</para>
-
          <para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis>, Shorewall will detect the first IP
          address of the interface to the source zone and will include this
@@ -758,8 +742,6 @@
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

        <listitem>
-          <para>IPv4 only.</para>
-
          <para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis>, IPv6 traffic to, from and through the
          firewall system is disabled. If set to <emphasis
@@ -779,8 +761,7 @@
            </listitem>

            <listitem>
-              <para>Change DISABLE_IPV6=Yes to DISABLE_IPV6=No in
-              <filename>/etc/shorewall/shorewall.conf</filename>.</para>
+              <para>Change DISABLE_IPV6=Yes to DISABLE_IPV6=No</para>
            </listitem>

            <listitem>
@@ -826,21 +807,20 @@
        <listitem>
          <para>Added in Shorewall 4.4.7. When set to <emphasis
          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
-          chain-based dynamic blacklisting using <command>shorewall [-6] [-l]
-          drop</command>, <command>shorewall [-6] [-l] reject</command>,
-          <command>shorewall logdrop</command> and <command>shorewall [-6]
-          [-l] logreject</command> is disabled. Default is <emphasis
+          chain-based dynamic blacklisting using <command>shorewall
+          drop</command>, <command>shorewall reject</command>,
+          <command>shorewall logdrop</command> and <command>shorewall
+          logreject</command> is disabled. Default is <emphasis
          role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
          ipset-based dynamic blacklisting using the <command>shorewall
          blacklist</command> command is also supported. The name of the set
          (<replaceable>setname</replaceable>) and the level
          (<replaceable>log_level</replaceable>), if any, at which blacklisted
-          traffic is to be logged may also be specified. The default IPv4 set
-          name is SW_DBL4 and the default IPv6 set name is SW_DBL6. The
-          default log level is <option>none</option> (no logging). If
-          <option>ipset-only</option> is given, then chain-based dynamic
-          blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
-          specified.</para>
+          traffic is to be logged may also be specified. The default set name
+          is SW_DBL4 and the default log level is <option>none</option> (no
+          logging). If <option>ipset-only</option> is given, then chain-based
+          dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
+          had been specified.</para>

          <para>Possible <replaceable>option</replaceable>s are:</para>

@@ -886,9 +866,9 @@
                <important>
                  <para>Once the dynamic blacklisting ipset has been created,
                  changing this option setting requires a complete restart of
-                  the firewall; <command>shorewall [-6] restart</command> if
-                  RESTART=restart, otherwise <command>shorewall [-6] [-l] stop
-                  &amp;&amp; shorewall [-6] [-l] start</command></para>
+                  the firewall; <command>shorewall restart</command> if
+                  RESTART=restart, otherwise <command>shorewall stop
+                  &amp;&amp; shorewall start</command></para>
                </important>
              </listitem>
            </varlistentry>
@@ -930,15 +910,13 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

        <listitem>
          <para>Added in Shorewall 4.4.17. When set to Yes when compiling for
-          use by Shorewall Lite (<command>shorewall [-6]
-          remote-start</command>, <command>shorewall [-6] remote-reload,
-          shorewall [-6] remote-restart </command>or <command>shorewall [-6]
+          use by Shorewall Lite (<command>shorewall load</command>,
+          <command>shorewall reload </command>or <command>shorewall
          export</command> commands), the compiler will copy the modules or
          helpers file from the administrative system into the script. When
          set to No or not specified, the compiler will not copy the modules
-          or helpers file from <filename>/usr/share/shorewall[6]</filename>
-          but will copy those found in another location on the
-          CONFIG_PATH.</para>
+          or helpers file from <filename>/usr/share/shorewall</filename> but
+          will copy those found in another location on the CONFIG_PATH.</para>

          <para>When compiling for direct use by Shorewall, causes the
          contents of the local module or helpers file to be copied into the
@@ -1136,12 +1114,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
          specified, the specifications on the right are interpreted as if
          INLINE had been specified in the ACTION column. This also applies to
-          <ulink url="/manpages/shorewall-masq.html">shorewall-masq(5)</ulink>
-          and <ulink
-          url="/manpages/shorewall-mangle.html">shorewall-mangle(5</ulink>)
-          which also support INLINE. If not specified or if specified as the
-          empty value, the value 'No' is assumed for backward
-          compatibility.</para>
+          <ulink url="/manpages/shorewall-masq.html">shorewall-masq(5)</ulink> and
+          <ulink url="/manpages/shorewall-mangle.html">shorewall-mangle(5</ulink>) which
+          also support INLINE. If not specified or if specified as the empty
+          value, the value 'No' is assumed for backward compatibility.</para>

          <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
          set INLINE_MATCHES=Yes in order to be able to specify your own
@@ -1200,13 +1176,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">Keep</emphasis>]</term>

        <listitem>
-          <para>This IPv4 parameter determines whether Shorewall enables or
-          disables IPv4 Packet Forwarding
-          (<filename>/proc/sys/net/ipv4/ip_forward</filename>). In an IPv6
-          configuration, this parameter determines the setting of
-          <filename>/proc/sys/net/ipv6/config/all/ip_forwarding</filename>.</para>
-
-          <para>Possible values are:</para>
+          <para>This parameter determines whether Shorewall enables or
+          disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward).
+          Possible values are:</para>

          <variablelist>
            <varlistentry>
@@ -1238,8 +1210,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
            </varlistentry>
          </variablelist>

-          <para>If this variable is not set or is given an empty value
-          (IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
+          <para/>
+
+          <blockquote>
+            <para>If this variable is not set or is given an empty value
+            (IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
+          </blockquote>
        </listitem>
      </varlistentry>

@@ -1282,8 +1258,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>

        <listitem>
-          <para>IPv4 only.</para>
-
          <para>This parameter names the iptables executable to be used by
          Shorewall. If not specified or if specified as a null value, then
          the iptables executable located using the PATH option is
@@ -1296,71 +1270,22 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis
-        role="bold">IP6TABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
-
-        <listitem>
-          <para>IPv6 only.</para>
-
-          <para>This parameter names the ip6tables executable to be used by
-          Shorewall6. If not specified or if specified as a null value, then
-          the ip6tables executable located using the PATH option is
-          used.</para>
-
-          <para>Regardless of how the ip6tables utility is located (specified
-          via IP6TABLES= or located via PATH), Shorewall6 uses the
-          ip6tables-restore and ip6tables-save utilities from that same
-          directory.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

        <listitem>
-          <para>IPv4:</para>
-
-          <blockquote>
-            <para>When set to <option>Yes</option>, this option prevents
-            generated scripts from altering the /etc/iproute2/rt_tables
-            database when there are entries in
-            <filename>/etc/shorewall/providers</filename>. If you set this
-            option to <option>Yes</option> while Shorewall (Shorewall-lite) is
-            running, you should remove the file
-            <filename>/var/lib/shorewall/rt_tables</filename>
-            (<filename>/var/lib/shorewall-lite/rt_tables</filename>) before
-            your next <command>stop</command>, <command>refresh</command>,
-            <command>restore</command>, <emphasis
-            role="bold">reload</emphasis> or <command>restart</command>
-            command.</para>
-          </blockquote>
-
-          <para>IPv6:</para>
-
-          <blockquote>
-            <para>When set to <option>Yes</option>, this option prevents
-            scripts generated by Shorewall6 from altering the
-            /etc/iproute2/rt_tables database when there are entries in
-            <filename>/etc/shorewall6/providers</filename>. If you set this
-            option to <option>Yes</option> while Shorewall6 (Shorewall6-lite)
-            is running, you should remove the file
-            <filename>/var/lib/shorewall6/rt_tables</filename>
-            (<filename>/var/lib/shorewall6-lite/rt_tables</filename>) before
-            your next <command>stop</command>, <command>refresh</command>,
-            <command>restore</command>, <emphasis
-            role="bold">reload</emphasis> or <command>restart</command>
-            command.</para>
-          </blockquote>
-
-          <important>
-            <para>When both IPv4 and IPv6 Shorewall configurations are
-            present, KEEP_RT_TABLES=No should be specified in only one of the
-            two configurations unless the two provider configurations are
-            identical with respect to interface and provider names and
-            numbers.</para>
-          </important>
+          <para>When set to <option>Yes</option>, this option prevents
+          generated scripts from altering the /etc/iproute2/rt_tables database
+          when there are entries in
+          <filename>/etc/shorewall/providers</filename>. If you set this
+          option to <option>Yes</option> while Shorewall (Shorewall-lite) is
+          running, you should remove the file
+          <filename>/var/lib/shorewall/rt_tables</filename>
+          (<filename>/var/lib/shorewall-lite/rt_tables</filename>) before your
+          next <command>stop</command>, <command>refresh</command>,
+          <command>restore</command>, <emphasis role="bold">reload</emphasis>
+          or <command>restart</command> command.</para>

          <para>The default is KEEP_RT_TABLES=No.</para>
        </listitem>
@@ -1373,9 +1298,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        <listitem>
          <para>Added in Shorewall 4.4.7. When set to Yes, restricts the set
          of modules loaded by shorewall to those listed in
-          <filename>/var/lib/shorewall[6]/helpers</filename> and those that
-          are actually used. When not set, or set to the empty value,
-          LOAD_HELPERS_ONLY=No is assumed.</para>
+          /var/lib/shorewall/helpers and those that are actually used. When
+          not set, or set to the empty value, LOAD_HELPERS_ONLY=No is
+          assumed.</para>
        </listitem>
      </varlistentry>

@@ -1384,11 +1309,11 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">LOCKFILE</emphasis>=[<emphasis>pathname</emphasis>]</term>

        <listitem>
-          <para>Specifies the name of the Shorewall[6] lock file, used to
-          prevent simultaneous state-changing commands. If not specified,
-          ${VARDIR}/shorewall[6]/lock is assumed (${VARDIR} is normally
-          /var/lib but can be changed when Shorewall-core is installed -- see
-          the output of <command>shorewall show vardir</command>).</para>
+          <para>Specifies the name of the Shorewall lock file, used to prevent
+          simultaneous state-changing commands. If not specified,
+          ${VARDIR}/shorewall/lock is assumed (${VARDIR} is normally /var/lib
+          but can be changed when Shorewall-core is installed -- see the
+          output of <command>shorewall show vardir</command>).</para>
        </listitem>
      </varlistentry>

@@ -1416,8 +1341,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
              <term>ULOG</term>

              <listitem>
-                <para>IPv4 only.</para>
-
                <para>Use ULOG logging to ulogd.</para>
              </listitem>
            </varlistentry>
@@ -1442,8 +1365,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          sample configurations use this as the default log level and changing
          it will change all packet logging done by the configuration. In any
          configuration file (except <ulink
-          url="/manpages/shorewall-params.html">shorewall-params(5)</ulink>),
-          $LOG_LEVEL will expand to this value.</para>
+          url="/manpages/shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
+          will expand to this value.</para>
        </listitem>
      </varlistentry>

@@ -1453,8 +1376,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        role="bold">No</emphasis>|Keep]</term>

        <listitem>
-          <para>IPv4 only.</para>
-
          <para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis>, sets
          <filename>/proc/sys/net/ipv4/conf/*/log_martians</filename> to 1
@@ -1602,9 +1523,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

          <caution>
            <para>Beginning with Shorewall 5.1.0, the default and sample
-            shorewall[6].conf files set LOGFORMAT="%s %s ".</para>
-
-            <para>Regardless of the LOGFORMAT setting, Shorewall IPv4 log
+            shorewall.conf files set LOGFORMAT="%s %s ". Shorewall log
            messages that use this LOGFORMAT can be uniquely identified using
            the following regular expression:</para>

@@ -1612,15 +1531,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
              <member>'IN=.* OUT=.* SRC=.*\..* DST='</member>
            </simplelist>

-            <para>and Shorewall IPv6 log messages can be uniquely identified
-            using the following regular expression:</para>
-
-            <simplelist>
-              <member>'IN=.* OUT=.* SRC=.*:.* DST='</member>
-            </simplelist>
-
-            <para>To match all Netfilter log messages (Both IPv4 and IPv6 and
-            regardless of the LOGFORMAT setting), use:</para>
+            <para>To match all Netfilter log messages (Both IPv4 and IPv6),
+            use:</para>

            <simplelist>
              <member>'IN=.* OUT=.* SRC=.* DST='</member>
@@ -1713,7 +1625,7 @@ LOG:info:,bar                        net                    fw</programlisting>

          <para>A_DROP and A_REJECT are audited versions of DROP and REJECT
          respectively and were added in Shorewall 4.4.20. They require
-          AUDIT_TARGET in the kernel and ip[6]tables.</para>
+          AUDIT_TARGET in the kernel and iptables.</para>
        </listitem>
      </varlistentry>

@@ -1756,7 +1668,7 @@ LOG:info:,bar                        net                    fw</programlisting>
          entries in <ulink
          url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5)
          can be improved by setting the MACLIST_TTL variable in <ulink
-          url="/manpages/shorewall.conf.html">shorewall[6].conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>

          <para>If your iptables and kernel support the "Recent Match" (see
          the output of "shorewall check" near the top), you can cache the
@@ -1798,8 +1710,6 @@ LOG:info:,bar                        net                    fw</programlisting>
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

        <listitem>
-          <para>IPv4 only.</para>
-
          <para>This option is included for compatibility with old Shorewall
          configuration. New installs should always have
          MAPOLDACTIONS=No.</para>
@@ -1830,11 +1740,11 @@ LOG:info:,bar                        net                    fw</programlisting>
          PREROUTING chain. This permits you to mark inbound traffic based on
          its destination address when DNAT is in use. To determine if your
          kernel has a FORWARD chain in the mangle table, use the <emphasis
-          role="bold">shorewall [-6] show mangle</emphasis> command; if a
-          FORWARD chain is displayed then your kernel will support this
-          option. If this option is not specified or if it is given the empty
-          value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No
-          is assumed.</para>
+          role="bold">shorewall show mangle</emphasis> command; if a FORWARD
+          chain is displayed then your kernel will support this option. If
+          this option is not specified or if it is given the empty value
+          (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is
+          assumed.</para>
        </listitem>
      </varlistentry>

@@ -1892,6 +1802,18 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">MODULE_SUFFIX=</emphasis>[<emphasis
+        role="bold">"</emphasis><emphasis>extension</emphasis> ...<emphasis
+        role="bold">"</emphasis>]</term>
+
+        <listitem>
+          <para>The value of this option determines the possible file
+          extensions of kernel modules. The default value is "ko ko.gz ko.xz o
+          o.gz o.xz gz xz".</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
@@ -1904,8 +1826,7 @@ LOG:info:,bar                        net                    fw</programlisting>
          "/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
          where <emphasis role="bold">uname</emphasis> holds the output of
          '<command>uname -r</command>' and <emphasis
-          role="bold">g_family</emphasis> holds '4' in IPv4 configurations and
-          '6' in IPv6 configurations.</para>
+          role="bold">g_family</emphasis> holds '4'.</para>

          <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
          causes the listed pathnames to be appended to the default list
@@ -1918,8 +1839,6 @@ LOG:info:,bar                        net                    fw</programlisting>
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

        <listitem>
-          <para>IPv4 only.</para>
-
          <para>This option will normally be set to 'No' (the default). It
          should be set to 'Yes' under the following circumstances:</para>

@@ -1946,18 +1865,17 @@ LOG:info:,bar                        net                    fw</programlisting>

        <listitem>
          <para>The value of this variable determines the number of seconds
-          that programs will wait for exclusive access to the Shorewall[6]
-          lock file. After the number of seconds corresponding to the value of
-          this variable, programs will assume that the last program to hold
-          the lock died without releasing the lock.</para>
+          that programs will wait for exclusive access to the Shorewall lock
+          file. After the number of seconds corresponding to the value of this
+          variable, programs will assume that the last program to hold the
+          lock died without releasing the lock.</para>

          <para>If not set or set to the empty value, a value of 60 (60
          seconds) is assumed.</para>

          <para>An appropriate value for this parameter would be twice the
          length of time that it takes your firewall system to process a
-          <emphasis role="bold">shorewall [-6] restart</emphasis>
-          command.</para>
+          <emphasis role="bold">shorewall restart</emphasis> command.</para>
        </listitem>
      </varlistentry>

@@ -1981,8 +1899,6 @@ LOG:info:,bar                        net                    fw</programlisting>
        role="bold">prohibit</emphasis>]</term>

        <listitem>
-          <para>IPv4 only.</para>
-
          <para>When set to Yes, causes Shorewall to null-route the IPv4
          address ranges reserved by RFC1918. The default value is
          'No'.</para>
@@ -2019,11 +1935,12 @@ LOG:info:,bar                        net                    fw</programlisting>
          <itemizedlist>
            <listitem>
              <para>Optimization category 1 - Traditionally, Shorewall has
-              created rules for the complete matrix of host groups defined by
-              the zones, interfaces and hosts files. Any traffic that didn't
-              correspond to an element of that matrix was rejected in one of
-              the built-in chains. When the matrix is sparse, this results in
-              lots of largely useless rules.</para>
+              created rules for the complete matrix of
+              host groups defined by the zones, interfaces and hosts
+              files. Any traffic that didn't correspond to an element
+              of that matrix was rejected in one of the built-in chains. When
+              the matrix is sparse, this results in lots of largely useless
+              rules.</para>

              <para>These extra rules can be eliminated by setting the 1 bit
              in OPTIMIZE.</para>
@@ -2201,9 +2118,8 @@ LOG:info:,bar                        net                    fw</programlisting>
            </listitem>
          </itemizedlist>

-          <para>In versions prior to 5.1.0, the default value is zero which
-          disables all optimizations. Beginning with Shorewall 5.1.0, the
-          default value is All which enables all optimizations.</para>
+          <para>The default value is zero which disables all
+          optimizations.</para>
        </listitem>
      </varlistentry>

@@ -2400,7 +2316,7 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>

            <listitem>
              <para>if the protocol is UDP (17) then the packet is rejected
-              with an 'port-unreachable' ICMP.</para>
+              with an 'port-unreachable' ICMP (ICMP6).</para>
            </listitem>

            <listitem>
@@ -2408,11 +2324,6 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
              with a 'host-unreachable' ICMP.</para>
            </listitem>

-            <listitem>
-              <para>if the protocol is ICMP6 (1) then the packet is rejected
-              with a 'icmp6-addr-unreachable' ICMP6.</para>
-            </listitem>
-
            <listitem>
              <para>otherwise, the packet is rejected with a 'host-prohibited'
              ICMP.</para>
@@ -2422,12 +2333,11 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
          <para>You can modify this behavior by implementing your own
          <replaceable>action</replaceable> that handles REJECT and specifying
          it's name in this option. The <emphasis role="bold">nolog</emphasis>
-          and <emphasis role="bold">noinline</emphasis> options will
+          and <emphasis role="bold">inline</emphasis> options will
          automatically be assumed for the specified
          <replaceable>action</replaceable>.</para>

-          <para>The following action implements the default reject
-          action:</para>
+          <para>The following action implements the standard behavior:</para>

          <programlisting>?format 2
 #TARGET         SOURCE  DEST    PROTO
@@ -2527,10 +2437,10 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Specifies the simple name of a file in /var/lib/shorewall to
          be used as the default restore script in the <emphasis
-          role="bold">shorewall [-6] save</emphasis>, <emphasis
-          role="bold">shorewall [-6] restore</emphasis>, <emphasis
-          role="bold">shorewall [-6] forget </emphasis>and <emphasis
-          role="bold">shorewall [6] -f start</emphasis> commands.</para>
+          role="bold">shorewall save</emphasis>, <emphasis
+          role="bold">shorewall restore</emphasis>, <emphasis
+          role="bold">shorewall forget </emphasis>and <emphasis
+          role="bold">shorewall -f start</emphasis> commands.</para>
        </listitem>
      </varlistentry>

@@ -2539,8 +2449,6 @@ INLINE          -       -       -       ;; -j REJECT
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

        <listitem>
-          <para>IPv4 only.</para>
-
          <para>During <emphasis role="bold">shorewall star</emphasis>t, IP
          addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
          ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
@@ -2553,7 +2461,7 @@ INLINE          -       -       -       ;; -j REJECT
          not be deleted. Regardless of the setting of RETAIN_ALIASES,
          addresses added during <emphasis role="bold">shorewall
          start</emphasis> are still deleted at a subsequent <emphasis
-          role="bold">shorewall [stop</emphasis>, <emphasis
+          role="bold">shorewall stop</emphasis>, <emphasis
          role="bold">shorewall reload</emphasis> or <emphasis
          role="bold">shorewall restart</emphasis>.</para>
        </listitem>
@@ -3073,40 +2981,6 @@ INLINE          -       -       -       ;; -j REJECT
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">USE_NFLOG_SIZE=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.1.5. The second parameter to the NFLOG
-          target specifies how many bytes of the packet to copy to the log; if
-          omitted or if supplied as zero, the entire packet is copied. This
-          feature has traditionally been implemented using the --nflog-range
-          option to the NFLOG iptables target. Unfortuntely, the --nflog-range
-          option never worked (the entire packet was always copied). To deal
-          with this issue, the Netfilter team:</para>
-
-          <itemizedlist>
-            <listitem>
-              <para>Added a warning message when --nflog-range is used</para>
-            </listitem>
-
-            <listitem>
-              <para>Added --nflog-size which works like --nflog-range was
-              intended to work.</para>
-            </listitem>
-          </itemizedlist>
-
-          <para>When USE_NFLOG_SIZE=Yes, Shorewall will attempt to use the new
-          --nflog-size feature. If that feature is not available in the
-          running kernel and ip[6]tables, an error is raised.</para>
-
-          <para>When USE_NFLOG_SIZE is not supplied, USE_NFLOG_SIZE=No is
-          assumed. When USE_NFLOG_SIZE is added by shorewall update, it is
-          added with setting No.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">USE_PHYSICAL_NAMES=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -3276,13 +3150,19 @@ INLINE          -       -       -       ;; -j REJECT
    <title>FILES</title>

    <para>/etc/shorewall/shorewall.conf</para>
-
-    <para>/etc/shorewall6/shorewall6.conf</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcinterfaces(5),
+    shorewall-tcpri(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,6 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
+#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -8,7 +8,6 @@
 Description=Shorewall IPv6 firewall (lite)
 Wants=network-online.target
 After=network-online.target
-After=shorewall-lite.service
 Conflicts=ip6tables.service firewalld.service

 [Service]
--- a/Shorewall6-lite/shorewall6-lite.service.debian
+++ b/Shorewall6-lite/shorewall6-lite.service.debian
@@ -7,7 +7,6 @@
 Description=Shorewall IPv6 firewall (lite)
 Wants=network-online.target
 After=network-online.target
-After=shorewall-lite.service
 Conflicts=ip6tables.service firewalld.service

 [Service]
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -190,6 +190,8 @@ MARK_IN_FORWARD_CHAIN=No

 MINIUPNPD=No

+MODULE_SUFFIX="ko ko.xz"
+
 MUTEX_TIMEOUT=60

 OPTIMIZE=All
@@ -204,8 +206,6 @@ REQUIRE_INTERFACE=Yes

 RESTART=restart

-RESTORE_DEFAULT_ROUTE=Yes
-
 RESTORE_ROUTEMARKS=Yes

 SAVE_IPSETS=No
@@ -222,8 +222,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -191,6 +191,8 @@ MARK_IN_FORWARD_CHAIN=No

 MINIUPNPD=No

+MODULE_SUFFIX="ko ko.xz"
+
 MUTEX_TIMEOUT=60

 OPTIMIZE=All
@@ -205,8 +207,6 @@ REQUIRE_INTERFACE=No

 RESTART=restart

-RESTORE_DEFAULT_ROUTE=Yes
-
 RESTORE_ROUTEMARKS=Yes

 SAVE_IPSETS=No
@@ -223,8 +223,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -190,6 +190,8 @@ MARK_IN_FORWARD_CHAIN=No

 MINIUPNPD=No

+MODULE_SUFFIX="ko ko.xz"
+
 MUTEX_TIMEOUT=60

 OPTIMIZE=All
@@ -204,8 +206,6 @@ REQUIRE_INTERFACE=No

 RESTART=restart

-RESTORE_DEFAULT_ROUTE=Yes
-
 RESTORE_ROUTEMARKS=Yes

 SAVE_IPSETS=No
@@ -222,8 +222,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -190,6 +190,8 @@ MARK_IN_FORWARD_CHAIN=No

 MINIUPNPD=No

+MODULE_SUFFIX="ko ko.xz"
+
 MUTEX_TIMEOUT=60

 OPTIMIZE=All
@@ -204,8 +206,6 @@ REQUIRE_INTERFACE=No

 RESTART=restart

-RESTORE_DEFAULT_ROUTE=Yes
-
 RESTORE_ROUTEMARKS=Yes

 SAVE_IPSETS=No
@@ -222,8 +222,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -21,7 +21,6 @@ BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
 Broadcast    noinline      	# Handles Broadcast/Anycast
 Drop		        	# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
-dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
 dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
@@ -29,7 +28,6 @@ DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED
-FIN	     inline,audit	# Handles ACK,FIN,PSH packets
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 IfEvent      noinline           # Perform an action based on an event
 Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
--- a/Shorewall6/configfiles/disabled
+++ b/Shorewall6/configfiles/disabled
@@ -1,12 +0,0 @@
-#
-# Shorewall6 -- /etc/shorewall6/disabled
-#
-# Add commands below that you want executed when an optional
-# interface is successfully disabled using the 'disable' command
-#
-# When the commands are invoked:
-#
-#  $1 contains the physical name of the interface
-#  $2 contains the logical name of the interface
-#  $3 contains the name of the provider associated with the interface,
-      if any
--- a/Shorewall6/configfiles/enabled
+++ b/Shorewall6/configfiles/enabled
@@ -1,12 +0,0 @@
-#
-# Shorewall6 -- /etc/shorewall6/enabled
-#
-# Add commands below that you want executed when an optional
-# interface is successfully enabled using the 'enable' command
-#
-# When the commands are invoked:
-#
-#  $1 contains the physical name of the interface
-#  $2 contains the logical name of the interface
-#  $3 contains the name of the provider associated with the interface,
-      if any
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -190,6 +190,8 @@ MARK_IN_FORWARD_CHAIN=No

 MINIUPNPD=No

+MODULE_SUFFIX=ko
+
 MUTEX_TIMEOUT=60

 OPTIMIZE=All
@@ -204,8 +206,6 @@ REQUIRE_INTERFACE=No

 RESTART=restart

-RESTORE_DEFAULT_ROUTE=Yes
-
 RESTORE_ROUTEMARKS=Yes

 SAVE_IPSETS=No
@@ -222,8 +222,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall6/manpages/shorewall6-accounting.xml
+++ b/Shorewall6/manpages/shorewall6-accounting.xml
@@ -0,0 +1,851 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-accounting</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>accounting</refname>
+
+    <refpurpose>Shorewall6 Accounting file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/accounting</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>Accounting rules exist simply to count packets and bytes in
+    categories that you define in this file. You may display these rules and
+    their packet and byte counters using the <command>shorewall6 show
+    accounting</command> command.</para>
+
+    <para>Beginning with Shorewall 4.4.18, the accounting structure can be
+    created with three root chains:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para><emphasis role="bold">accountin</emphasis>: Rules that are valid
+        in the <emphasis role="bold">INPUT</emphasis> chain (may not specify
+        an output interface).</para>
+      </listitem>
+
+      <listitem>
+        <para><emphasis role="bold">accountout</emphasis>: Rules that are
+        valid in the OUTPUT chain (may not specify an input interface or a MAC
+        address).</para>
+      </listitem>
+
+      <listitem>
+        <para><emphasis role="bold">accounting</emphasis>: Other rules.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>The new structure is enabled by sectioning the accounting file in a
+    manner similar to the <ulink url="/manpages6/shorewall6-rules.html">rules
+    file</ulink>. The sections are <emphasis role="bold">INPUT</emphasis>,
+    <emphasis role="bold">OUTPUT</emphasis> and <emphasis
+    role="bold">FORWARD</emphasis> and must appear in that order (although any
+    of them may be omitted). The first non-commentary record in the accounting
+    file must be a section header when sectioning is used.</para>
+
+    <warning>
+      <para>If sections are not used, the Shorewall rules compiler cannot
+      detect certain violations of netfilter restrictions. These violations
+      can result in run-time errors such as the following:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">ip6tables-restore v1.4.13: Can't use -o
+        with INPUT</emphasis></para>
+      </blockquote>
+    </warning>
+
+    <para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
+    added to shorewall.conf and shorewall6.conf. That setting determines the
+    Netfilter table (filter or mangle) where the accounting rules are added.
+    When ACCOUNTING_TABLE=mangle is specified, the available sections are
+    <emphasis role="bold">PREROUTING</emphasis>, <emphasis
+    role="bold">INPUT</emphasis>, <emphasis role="bold">OUTPUT</emphasis>,
+    <emphasis role="bold">FORWARD</emphasis> and <emphasis
+    role="bold">POSTROUTING</emphasis>.</para>
+
+    <para>Section headers have the form:</para>
+
+    <para><option>[?]SECTION</option>
+    <replaceable>section-name</replaceable></para>
+
+    <para>The optional "?" was added in Shorewalll 4.6.0 and is preferred.
+    Existing configurations may be converted to use this form using the
+    <command>shorewall6 update</command> command.</para>
+
+    <para>When sections are enabled:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>A jump to a user-defined accounting chain must appear before
+        entries that add rules to that chain. This eliminates loops and
+        unreferenced chains.</para>
+      </listitem>
+
+      <listitem>
+        <para>An output interface may not be specified in the <emphasis
+        role="bold">PREROUTING</emphasis> and <emphasis
+        role="bold">INPUT</emphasis> sections.</para>
+      </listitem>
+
+      <listitem>
+        <para>In the <emphasis role="bold">OUTPUT</emphasis> and <emphasis
+        role="bold">POSTROUTING</emphasis> sections:</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>An input interface may not be specified</para>
+          </listitem>
+
+          <listitem>
+            <para>Jumps to a chain defined in the <emphasis
+            role="bold">INPUT</emphasis> or <emphasis
+            role="bold">PREROUTING</emphasis> sections that specifies an input
+            interface are prohibited</para>
+          </listitem>
+
+          <listitem>
+            <para>MAC addresses may not be used</para>
+          </listitem>
+
+          <listitem>
+            <para>Jump to a chain defined in the <emphasis
+            role="bold">INPUT</emphasis> or <emphasis
+            role="bold">PREROUTING</emphasis> section that specifies a MAC
+            address are prohibited.</para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+
+      <listitem>
+        <para>The default value of the CHAIN column is:</para>
+
+        <itemizedlist>
+          <listitem>
+            <para><emphasis role="bold">accountin</emphasis> in the <emphasis
+            role="bold">INPUT</emphasis> section</para>
+          </listitem>
+
+          <listitem>
+            <para><emphasis role="bold">accountout</emphasis> in the <emphasis
+            role="bold">OUTPUT</emphasis> section</para>
+          </listitem>
+
+          <listitem>
+            <para><emphasis role="bold">accountfwd</emphasis> in the <emphasis
+            role="bold">FORWARD</emphasis> section</para>
+          </listitem>
+
+          <listitem>
+            <para><emphasis role="bold">accountpre</emphasis> in the <emphasis
+            role="bold">PREROUTING</emphasis> section</para>
+          </listitem>
+
+          <listitem>
+            <para><emphasis role="bold">accountpost</emphasis> in the
+            <emphasis role="bold">POSTROUTING</emphasis> section</para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+
+      <listitem>
+        <para>Traffic addressed to the firewall goes through the rules defined
+        in the INPUT section.</para>
+      </listitem>
+
+      <listitem>
+        <para>Traffic originating on the firewall goes through the rules
+        defined in the OUTPUT section.</para>
+      </listitem>
+
+      <listitem>
+        <para>Traffic being forwarded through the firewall goes through the
+        rules from the FORWARD sections.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
+        role="bold">COUNT</emphasis>|<emphasis
+        role="bold">DONE</emphasis>|<emphasis>chain</emphasis>[:<emphasis
+        role="bold">{COUNT|JUMP}</emphasis>]|[?]COMMENT
+        <replaceable>comment</replaceable>}</term>
+
+        <listitem>
+          <para>What to do when a matching packet is found.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">COUNT</emphasis></term>
+
+              <listitem>
+                <para>Simply count the match and continue with the next
+                rule</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DONE</emphasis></term>
+
+              <listitem>
+                <para>Count the match and don't attempt to match any other
+                accounting rules in the chain specified in the <emphasis
+                role="bold">CHAIN</emphasis> column.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>chain</emphasis>[<emphasis
+              role="bold">:</emphasis><emphasis
+              role="bold">COUNT</emphasis>]</term>
+
+              <listitem>
+                <para>Where <emphasis>chain</emphasis> is the name of a chain;
+                shorewall6 will create the chain automatically if it doesn't
+                already exist. If a second chain is mentioned in the CHAIN
+                column, then a jump from this second chain to
+                <replaceable>chain</replaceable> is created. If no chain is
+                named in the CHAIN column, then a jump from the default chain
+                to <replaceable>chain</replaceable> is created. If <emphasis
+                role="bold">:COUNT</emphasis> is included, a counting rule
+                matching this entry will be added to
+                <emphasis>chain</emphasis>. The <emphasis>chain</emphasis> may
+                not exceed 29 characters in length and may be composed of
+                letters, digits, dash ('-') and underscore ('_').</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>chain</emphasis>:JUMP</term>
+
+              <listitem>
+                <para>Like the previous option without the <emphasis
+                role="bold">:COUNT</emphasis> part.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">INLINE</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.16. Allows free form ip6tables
+                matches to be specified following a ';'. In the generated
+                ip6tables rule(s), the free form matches will follow any
+                matches that are generated by the column contents.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">NFACCT</emphasis>({<replaceable>object</replaceable>[!]}[,...])</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.7. Provides a form of accounting
+                that survives <command>shorewall stop/shorewall</command>
+                start and <command>shorewall restart</command>. Requires the
+                NFaccnt Match capability in your kernel and iptables.
+                <replaceable>object</replaceable> names an nfacct object (see
+                man nfaccnt(8)). Multiple rules can specify the same
+                <replaceable>object</replaceable>; all packets that match any
+                of the rules increment the packet and bytes count of the
+                object.</para>
+
+                <para>Prior to Shorewall 4.5.16, only one
+                <replaceable>object</replaceable> could be specified.
+                Beginning with Shorewall 4.5.16, an arbitrary number of
+                objects may be given.</para>
+
+                <para>With Shorewall 4.5.16 or later, an nfacct
+                <replaceable>object</replaceable> in the list may optionally
+                be followed by <emphasis role="bold">!</emphasis> to indicate
+                that the nfacct <replaceable>object</replaceable> will be
+                incremented unconditionally for each packet. When <emphasis
+                role="bold">!</emphasis> is omitted, the
+                <replaceable>object</replaceable> will be incremented only if
+                all of the matches in the rule succeed.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">NFLOG</emphasis>[(nflog-parameters)]
+              - Added in Shorewall-4.4.20.</term>
+
+              <listitem>
+                <para>Causes each matching packet to be sent via the currently
+                loaded logging back end (usually nfnetlink_log) where it is
+                available to accounting daemons through a netlink
+                socket.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">?COMMENT</emphasis></term>
+
+              <listitem>
+                <para>The remainder of the line is treated as a comment which
+                is attached to subsequent rules until another ?COMMENT line is
+                found or until the end of the file is reached. To stop adding
+                comments to rules, use a line with only the word
+                ?COMMENT.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">CHAIN</emphasis> - {<emphasis
+        role="bold">-</emphasis>|<emphasis>chain</emphasis>}</term>
+
+        <listitem>
+          <para>The name of a <emphasis>chain</emphasis>. If specified as
+          <emphasis role="bold">-</emphasis> the <emphasis
+          role="bold">accounting</emphasis> chain is assumed when the file is
+          un-sectioned. When the file is sectioned, the default is one of
+          accountin, accountout, etc. depending on the section. This is the
+          chain where the accounting rule is added. The
+          <emphasis>chain</emphasis> will be created if it doesn't already
+          exist. The <emphasis>chain</emphasis> may not exceed 29 characters
+          in length.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
+        role="bold">-</emphasis>|<emphasis
+        role="bold">any</emphasis>|<emphasis
+        role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
+        role="bold">:<option>[</option></emphasis><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
+
+        <listitem>
+          <para>Packet Source.</para>
+
+          <para>The name of an <replaceable>interface</replaceable>, an
+          <replaceable>address</replaceable> (host or net) or an
+          <replaceable>interface</replaceable> name followed by ":" and a host
+          or net <replaceable>address</replaceable>. An ipset name is also
+          accepted as an <replaceable>address</replaceable>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
+        role="bold">-</emphasis>|<emphasis
+        role="bold">any</emphasis>|<emphasis
+        role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><option>:[</option><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
+
+        <listitem>
+          <para>Packet Destination.</para>
+
+          <para>Format same as <emphasis role="bold">SOURCE</emphasis>
+          column.</para>
+
+          <para>This column was formerly labelled DESTINATION.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
+        role="bold">-</emphasis>|<emphasis
+        role="bold">any</emphasis>|<emphasis
+        role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
+        role="bold">ipp2p</emphasis>[<emphasis
+        role="bold">:</emphasis>{<emphasis
+        role="bold">udp</emphasis>|<emphasis
+        role="bold">all</emphasis>}]}</term>
+
+        <listitem>
+          <para>A <emphasis>protocol-name</emphasis> (from protocols(5)), a
+          <emphasis>protocol-number</emphasis>, <emphasis
+          role="bold">ipp2p</emphasis>, <emphasis
+          role="bold">ipp2p:udp</emphasis> or <emphasis
+          role="bold">ipp2p:all</emphasis></para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
+
+          <para>This column was formerly labelled PROTOCOL.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DPORT</emphasis> - {<emphasis
+        role="bold">-</emphasis>|<emphasis
+        role="bold">any</emphasis>|<emphasis
+        role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
+
+        <listitem>
+          <para>Destination Port number. Service name from services(5) or
+          <emphasis>port number</emphasis>. May only be specified if the
+          protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
+          (136).</para>
+
+          <para>You may place a comma-separated list of port names or numbers
+          in this column if your kernel and ip6tables include multi-port match
+          support.</para>
+
+          <para>If the PROTOCOL is <emphasis role="bold">ipp2p</emphasis> then
+          this column must contain an <emphasis>ipp2p-option</emphasis>
+          ("ip6tables -m ipp2p --help") without the leading "--". If no option
+          is given in this column, <emphasis role="bold">ipp2p</emphasis> is
+          assumed.</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SPORT</emphasis> - {<emphasis
+        role="bold">-</emphasis>|<emphasis
+        role="bold">any</emphasis>|<emphasis
+        role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
+
+        <listitem>
+          <para>Service name from services(5) or <emphasis>port
+          number</emphasis>. May only be specified if the protocol is TCP (6),
+          UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).</para>
+
+          <para>You may place a comma-separated list of port numbers in this
+          column if your kernel and ip6tables include multi-port match
+          support.</para>
+
+          <para>Beginning with Shorewall 4.5.15, you may place '=' in this
+          column, provided that the DPORT column is non-empty. This causes the
+          rule to match when either the source port or the destination port in
+          a packet matches one of the ports specified in DPORT. Use of '='
+          requires multi-port match in your iptables and kernel.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">USER</emphasis> - [<emphasis
+        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
+        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
+
+        <listitem>
+          <para>This column may only be non-empty if the <emphasis
+          role="bold">CHAIN</emphasis> is <emphasis
+          role="bold">OUTPUT</emphasis>.</para>
+
+          <para>When this column is non-empty, the rule applies only if the
+          program generating the output is running under the effective
+          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
+          specified (or is NOT running under that id if "!" is given).</para>
+
+          <para>Examples:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>joe</term>
+
+              <listitem>
+                <para>program must be run by joe</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>:kids</term>
+
+              <listitem>
+                <para>program must be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>!:kids</term>
+
+              <listitem>
+                <para>program must not be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>+upnpd</term>
+
+              <listitem>
+                <para>#program named upnpd</para>
+
+                <important>
+                  <para>The ability to specify a program name was removed from
+                  Netfilter in kernel version 2.6.14.</para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>This column was formerly labelled USER/GROUP.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
+        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
+        role="bold">:C</emphasis>]</term>
+
+        <listitem>
+          <para>Defines a test on the existing packet or connection mark. The
+          rule will match only if the test returns true.</para>
+
+          <para>If you don't want to define a test but need to specify
+          anything in the following columns, place a "-" in this field.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>!</term>
+
+              <listitem>
+                <para>Inverts the test (not equal)</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>value</emphasis></term>
+
+              <listitem>
+                <para>Value of the packet or connection mark.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>mask</emphasis></term>
+
+              <listitem>
+                <para>A mask to be applied to the mark before testing.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">:C</emphasis></term>
+
+              <listitem>
+                <para>Designates a connection mark. If omitted, the packet
+                mark's value is tested.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
+        (Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1
+        )</emphasis></term>
+
+        <listitem>
+          <para>The option-list consists of a comma-separated list of options
+          from the following list. Only packets that will be encrypted or have
+          been decrypted via an SA that matches these options will have their
+          source address changed. May only be specified when sections are
+          used.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>where <emphasis>number</emphasis> is specified using
+                setkey(8) using the 'unique:<emphasis>number</emphasis> option
+                for the SPD level.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
+
+              <listitem>
+                <para>where <emphasis>number</emphasis> is the SPI of the SA
+                used to encrypt/decrypt packets.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">proto=</emphasis><emphasis
+              role="bold">ah</emphasis>|<emphasis
+              role="bold">esp</emphasis>|<emphasis
+              role="bold">ipcomp</emphasis></term>
+
+              <listitem>
+                <para>IPSEC Encapsulation Protocol</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>sets the MSS field in TCP packets</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">mode=</emphasis><emphasis
+              role="bold">transport</emphasis>|<emphasis
+              role="bold">tunnel</emphasis></term>
+
+              <listitem>
+                <para>IPSEC mode</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
+
+              <listitem>
+                <para>only available with mode=tunnel</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
+
+              <listitem>
+                <para>only available with mode=tunnel</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">strict</emphasis></term>
+
+              <listitem>
+                <para>Means that packets must match all rules.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">next</emphasis></term>
+
+              <listitem>
+                <para>Separates rules; can only be used with strict</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">yes</emphasis> or <emphasis
+              role="bold">ipsec</emphasis></term>
+
+              <listitem>
+                <para>When used by itself, causes all traffic that will be
+                encrypted/encapsulated or has been decrypted/un-encapsulated
+                to match the rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">no</emphasis> or <emphasis
+              role="bold">none</emphasis></term>
+
+              <listitem>
+                <para>When used by itself, causes all traffic that will not be
+                encrypted/encapsulated or has been decrypted/un-encapsulated
+                to match the rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">in</emphasis></term>
+
+              <listitem>
+                <para>May only be used in the FORWARD section and must be the
+                first or the only item the list. Indicates that matching
+                packets have been decrypted in input.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">out</emphasis></term>
+
+              <listitem>
+                <para>May only be used in the FORWARD section and must be the
+                first or the only item in the list. Indicates that matching
+                packets will be encrypted on output.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>If this column is non-empty and sections are not used,
+          then:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>A chain NAME appearing in the ACTION column must be a
+              chain branched either directly or indirectly from the <emphasis
+              role="bold">accipsecin</emphasis> or <emphasis
+              role="bold">accipsecout</emphasis> chain.</para>
+            </listitem>
+
+            <listitem>
+              <para>The CHAIN column must contain either <emphasis
+              role="bold">accipsecin</emphasis> or <emphasis
+              role="bold">accipsecout</emphasis> or a chain branched either
+              directly or indirectly from those chains.</para>
+            </listitem>
+
+            <listitem>
+              <para>These rules will NOT appear in the <emphasis
+              role="bold">accounting</emphasis> chain.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">HEADERS -
+        [!][any:|exactly:]</emphasis><replaceable>header-list
+        </replaceable>(Optional - Added in Shorewall 4.4.15)</term>
+
+        <listitem>
+          <para>The <replaceable>header-list</replaceable> consists of a
+          comma-separated list of headers from the following list.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">auth</emphasis>, <emphasis
+              role="bold">ah</emphasis>, or <emphasis
+              role="bold">51</emphasis></term>
+
+              <listitem>
+                <para><firstterm>Authentication Headers</firstterm> extension
+                header.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">esp</emphasis>, or <emphasis
+              role="bold">50</emphasis></term>
+
+              <listitem>
+                <para><firstterm>Encrypted Security Payload</firstterm>
+                extension header.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">hop</emphasis>, <emphasis
+              role="bold">hop-by-hop</emphasis> or <emphasis
+              role="bold">0</emphasis></term>
+
+              <listitem>
+                <para>Hop-by-hop options extension header.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">route</emphasis>, <emphasis
+              role="bold">ipv6-route</emphasis> or <emphasis
+              role="bold">41</emphasis></term>
+
+              <listitem>
+                <para>IPv6 Route extension header.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">frag</emphasis>, <emphasis
+              role="bold">ipv6-frag</emphasis> or <emphasis
+              role="bold">44</emphasis></term>
+
+              <listitem>
+                <para>IPv6 fragmentation extension header.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">none</emphasis>, <emphasis
+              role="bold">ipv6-nonxt</emphasis> or <emphasis
+              role="bold">59</emphasis></term>
+
+              <listitem>
+                <para>No next header</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">proto</emphasis>, <emphasis
+              role="bold">protocol</emphasis> or <emphasis
+              role="bold">255</emphasis></term>
+
+              <listitem>
+                <para>Any protocol header.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>If <emphasis role="bold">any:</emphasis> is specified, the
+          rule will match if any of the listed headers are present. If
+          <emphasis role="bold">exactly:</emphasis> is specified, the will
+          match packets that exactly include all specified headers. If neither
+          is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
+
+          <para>If <emphasis role="bold">!</emphasis> is entered, the rule
+          will match those packets which would not be matched when <emphasis
+          role="bold">!</emphasis> is omitted.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>In all of the above columns except <emphasis
+    role="bold">ACTION</emphasis> and <emphasis role="bold">CHAIN</emphasis>,
+    the values <emphasis role="bold">-</emphasis>, <emphasis
+    role="bold">any</emphasis> and <emphasis role="bold">all</emphasis> may be
+    used as wildcards. Omitted trailing columns are also treated as
+    wildcards.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/accounting</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/Accounting.html">http://www.shorewall.net/Accounting.html
+    </ulink></para>
+
+    <para><ulink
+    url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
+    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
+    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -0,0 +1,260 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-actions</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>actions</refname>
+
+    <refpurpose>shorewall6 action declaration file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/actions</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file allows you to define new ACTIONS for use in rules (see
+    <ulink
+    url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>). You
+    define the ip6tables rules to be performed in an ACTION in
+    /etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>
+
+    <para>Columns are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>NAME</term>
+
+        <listitem>
+          <para>The name of the action. ACTION names should begin with an
+          upper-case letter to distinguish them from Shorewall-generated chain
+          names and be composed of letters, digits or numbers. If you intend
+          to log from the action then the name must be no longer than 11
+          characters in length if you use the standard LOGFORMAT.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>OPTIONS</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.10. Available options are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><option>audit</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. When this option is specified,
+                the action is expected to have at least two parameters; the
+                first is a target and the second is either 'audit' or omitted.
+                If the second is 'audit', then the first must be an auditable
+                target (ACCEPT, DROP or REJECT).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>builtin</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.16. Defines the action as a rule
+                target that is supported by your ip6tables but is not directly
+                supported by Shorewall. The action may be used as the rule
+                target in an INLINE rule in <ulink
+                url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
+
+                <para>Beginning with Shorewall 4.6.0, the Netfilter table(s)
+                in which the <emphasis role="bold">builtin</emphasis> can be
+                used may be specified: <emphasis
+                role="bold">filter</emphasis>, <emphasis
+                role="bold">nat</emphasis>, <emphasis
+                role="bold">mangle</emphasis> and <emphasis
+                role="bold">raw</emphasis>. If no table name(s) are given,
+                then <emphasis role="bold">filter</emphasis> is assumed. The
+                table names follow <emphasis role="bold">builtin</emphasis>
+                and are separated by commas; for example, "FOOBAR
+                builtin,filter,mangle" would specify FOOBAR as a builtin
+                target that can be used in the filter and mangle
+                tables.</para>
+
+                <para>Beginning with Shorewall 4.6.4, you may specify the
+                <emphasis role="bold">terminating</emphasis> option with
+                <emphasis role="bold">builtin</emphasis> to indicate to the
+                Shorewall optimizer that the action is terminating (the
+                current packet will not be passed to the next rule in the
+                chain).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>inline</option></term>
+
+              <listitem>
+                <para>Causes the action body (defined in
+                action.<replaceable>action-name</replaceable>) to be expanded
+                in-line like a macro rather than in its own chain. You can
+                list Shorewall Standard Actions in this file to specify the
+                <option>inline</option> option.</para>
+
+                <caution>
+                  <para>Some of the Shorewall standard actions cannot be used
+                  in-line and will generate a warning and the compiler will
+                  ignore <option>inline</option> if you try to use them that
+                  way:</para>
+
+                  <simplelist>
+                    <member>DropSmurfs</member>
+
+                    <member>IfEvent</member>
+
+                    <member>Invalid (Prior to Shorewall 4.5.13)</member>
+
+                    <member>NotSyn (Prior to Shorewall 4.5.13)</member>
+
+                    <member>RST (Prior to Shorewall 4.5.13)</member>
+
+                    <member>TCPFlags</member>
+                  </simplelist>
+                </caution>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>logjump</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.8. Performs the same function as
+                <option>nolog</option> (below), with the addition that the
+                jump to the actions chain is logged if a log level is
+                specified on the action invocation. For inline actions, this
+                option is identical to <option>nolog</option>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>mangle</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Specifies that this action is
+                to be used in <ulink
+                url="/manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
+                rather than <ulink
+                url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>nat</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.13. Specifies that this action is
+                to be used in <ulink
+                url="/manpages6/shorewall6-snat.html">shorewall6-snat(5)</ulink> rather
+                than <ulink
+                url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>. The
+                <option>mangle</option> and <option>nat</option> options are
+                mutually exclusive.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>noinline</option></term>
+
+              <listitem>
+                <para>Causes any later <option>inline</option> option for the
+                same action to be ignored with a warning.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>nolog</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.11. When this option is
+                specified, the compiler does not automatically apply the log
+                level and/or tag from the invocation of the action to all
+                rules inside of the action. Rather, it simply sets the
+                $_loglevel and $_logtag shell variables which can be used
+                within the action body to apply those logging options only to
+                a subset of the rules.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>section</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1. When specified, this option
+                causes the rules file section name and a comma to be prepended
+                to the parameters passed to the action (if any). Note that
+                this means that the first parameter passed to the action by
+                the user is actually the second parameter to the action. If
+                the action is invoked out of the blrules file, 'BLACKLIST' is
+                used as the section name.</para>
+
+                <para>Given that neither the <filename>snat</filename> nor the
+                <filename>mangle</filename> file is sectioned, this parameter
+                has no effect when <option>mangle</option> or
+                <option>nat</option> is specified.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
+                in <filename>actions.std</filename>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><option>terminating</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.4. When used with
+                <option>builtin</option>, indicates that the built-in action
+                is termiating (i.e., if the action is jumped to, the next rule
+                in the chain is not evaluated).</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/actions</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>
+
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
+    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
+    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-blrules.xml
+++ b/Shorewall6/manpages/shorewall6-blrules.xml
@@ -0,0 +1,331 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-blrules</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>blrules</refname>
+
+    <refpurpose>shorewall6 Blacklist file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/blrules</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to perform zone-specific blacklisting and
+    whitelisting.</para>
+
+    <para>Rules in this file are applied depending on the setting of
+    BLACKLISTNEWONLY in <ulink
+    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
+    BLACKLISTNEWONLY=No, then they are applied regardless of the connection
+    tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
+    connections in the NEW and INVALID states.</para>
+
+    <para>The format of rules in this file is the same as the format of rules
+    in <ulink
+    url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5). The
+    difference in the two files lies in the ACTION (first) column.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ACTION- {<emphasis
+        role="bold">ACCEPT</emphasis>|BLACKLIST|blacklog|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
+        role="bold">WHITELIST</emphasis>|<emphasis
+        role="bold">LOG</emphasis>|<emphasis
+        role="bold">QUEUE</emphasis>|<emphasis
+        role="bold">NFQUEUE</emphasis>[<emphasis
+        role="bold">(</emphasis><emphasis>queuenumber</emphasis><emphasis
+        role="bold">)</emphasis>]<emphasis
+        role="bold">|[?]COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
+        role="bold">(</emphasis><emphasis>target</emphasis><emphasis
+        role="bold">)</emphasis>]}<emphasis
+        role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
+        role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
+        role="bold">!</emphasis></emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>tag</emphasis>]]</emphasis></term>
+
+        <listitem>
+          <para>Specifies the action to be taken if the packet matches the
+          rule. Must be one of the following.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.3. This is actually a macro that
+                expands as follows:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>If BLACKLIST_LOGLEVEL is specified in <ulink
+                    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
+                    then the macro expands to <emphasis
+                    role="bold">blacklog</emphasis>.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Otherwise it expands to the action specified for
+                    BLACKLIST_DISPOSITION in <ulink
+                    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                  </listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">blacklog</emphasis></term>
+
+              <listitem>
+                <para>May only be used if BLACKLIST_LOGLEVEL is specified in
+                <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
+                </ulink>(5). Logs, audits (if specified) and applies the
+                BLACKLIST_DISPOSITION specified in <ulink
+                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
+                (5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">ACCEPT|CONTINUE|WHITELIST</emphasis></term>
+
+              <listitem>
+                <para>Exempt the packet from the remaining rules in this
+                file.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DROP</emphasis></term>
+
+              <listitem>
+                <para>Ignore the packet.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>A_DROP and A_DROP!</term>
+
+              <listitem>
+                <para>Audited versions of DROP. Requires AUDIT_TARGET support
+                in the kernel and ip6tables.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">REJECT</emphasis></term>
+
+              <listitem>
+                <para>disallow the packet and return an icmp-unreachable or an
+                RST packet.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>A_REJECT</term>
+
+              <listitem>
+                <para>Audited versions of REJECT. Require AUDIT_TARGET support
+                in the kernel and ip6tables.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">LOG</emphasis></term>
+
+              <listitem>
+                <para>Simply log the packet and continue with the next
+                rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">QUEUE</emphasis></term>
+
+              <listitem>
+                <para>Queue the packet to a user-space application such as
+                ftwall (http://p2pwall.sf.net). The application may reinsert
+                the packet for further processing.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
+
+              <listitem>
+                <para>queues matching packets to a back end logging daemon via
+                a netlink socket then continues to the next rule. See <ulink
+                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">NFQUEUE</emphasis></term>
+
+              <listitem>
+                <para>Queues the packet to a user-space application using the
+                nfnetlink_queue mechanism. If a
+                <replaceable>queuenumber</replaceable> is not specified, queue
+                zero (0) is assumed.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">?COMMENT</emphasis></term>
+
+              <listitem>
+                <para>the rest of the line will be attached as a comment to
+                the Netfilter rule(s) generated by the following entries. The
+                comment will appear delimited by "/* ... */" in the output of
+                "shorewall6 show &lt;chain&gt;". To stop the comment from
+                being attached to further rules, simply include ?COMMENT on a
+                line by itself.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>action</emphasis></term>
+
+              <listitem>
+                <para>The name of an <emphasis>action</emphasis> declared in
+                <ulink
+                url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
+                or in /usr/share/shorewall6/actions.std.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>macro</emphasis></term>
+
+              <listitem>
+                <para>The name of a macro defined in a file named
+                macro.<emphasis>macro</emphasis>. If the macro accepts an
+                action parameter (Look at the macro source to see if it has
+                PARAM in the TARGET column) then the
+                <emphasis>macro</emphasis> name is followed by the
+                parenthesized <emphasis>target</emphasis> (<emphasis
+                role="bold">ACCEPT</emphasis>, <emphasis
+                role="bold">DROP</emphasis>, <emphasis
+                role="bold">REJECT</emphasis>, ...) to be substituted for the
+                parameter.</para>
+
+                <para>Example: FTP(ACCEPT).</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>The <emphasis role="bold">ACTION</emphasis> may optionally be
+          followed by ":" and a syslog log level (e.g, REJECT:info or
+          Web(ACCEPT):debug). This causes the packet to be logged at the
+          specified level.</para>
+
+          <para>If the <emphasis role="bold">ACTION</emphasis> names an
+          <emphasis>action</emphasis> declared in <ulink
+          url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
+          or in /usr/share/shorewall6/actions.std then:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If the log level is followed by "!' then all rules in the
+              action are logged at the log level.</para>
+            </listitem>
+
+            <listitem>
+              <para>If the log level is not followed by "!" then only those
+              rules in the action that do not specify logging are logged at
+              the specified level.</para>
+            </listitem>
+
+            <listitem>
+              <para>The special log level <emphasis
+              role="bold">none!</emphasis> suppresses logging by the
+              action.</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>You may also specify <emphasis role="bold">NFLOG</emphasis>
+          (must be in upper case) as a log level.This will log to the NFLOG
+          target for routing to a separate log through use of ulogd (<ulink
+          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
+
+          <para>Actions specifying logging may be followed by a log tag (a
+          string of alphanumeric characters) which is appended to the string
+          generated by the LOGPREFIX (in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>For the remaining columns, see <ulink
+    url="/manpages6/shorewall6-rules.html">shorewall6-rules
+    (5)</ulink>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Example</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example 1:</term>
+
+        <listitem>
+          <para>Drop Teredo packets from the net.</para>
+
+          <programlisting>DROP          net:[2001::/32]            all</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2:</term>
+
+        <listitem>
+          <para>Don't subject packets from 2001:DB8::/64 to the remaining
+          rules in the file.</para>
+
+          <programlisting>WHITELIST     net:[2001:DB8::/64]        all</programlisting>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/blrules</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
+    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -0,0 +1,739 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-conntrack</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>conntrack</refname>
+
+    <refpurpose>shorewall6 conntrack file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/conntrack</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>The original intent of the <emphasis role="bold">notrack</emphasis>
+    file was to exempt certain traffic from Netfilter connection tracking.
+    Traffic matching entries in the file were not to be tracked.</para>
+
+    <para>The role of the file was expanded in Shorewall 4.4.27 to include all
+    rules that can be added in the Netfilter <emphasis
+    role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
+    <emphasis role="bold">conntrack</emphasis>.</para>
+
+    <para>The file supports two different column layouts: FORMAT 1, FORMAT 2,
+    and FORMAT 3, FORMAT 1 being the default. The three differ as
+    follows:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>in FORMAT 2 and 3, there is an additional leading ACTION
+        column.</para>
+      </listitem>
+
+      <listitem>
+        <para>in FORMAT 3, the SOURCE column accepts no zone name; rather the
+        ACTION column allows a SUFFIX that determines the chain(s) that the
+        generated rule will be added to.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>When an entry in the following form is encountered, the format of
+    the following entries are assumed to be of the specified
+    <replaceable>format</replaceable>.</para>
+
+    <simplelist>
+      <member><emphasis role="bold">?FORMAT</emphasis>
+      <replaceable>format</replaceable></member>
+    </simplelist>
+
+    <para>where <replaceable>format</replaceable> is either <emphasis
+    role="bold">1</emphasis>,<emphasis role="bold">2</emphasis> or <emphasis
+    role="bold">3</emphasis>.</para>
+
+    <para>Format 3 was introduced in Shorewall 4.5.10.</para>
+
+    <para>Comments may be attached to Netfilter rules generated from entries
+    in this file through the use of ?COMMENT lines. These lines begin with
+    ?COMMENT; the remainder of the line is treated as a comment which is
+    attached to subsequent rules until another ?COMMENT line is found or until
+    the end of the file is reached. To stop adding comments to rules, use a
+    line with only ?COMMENT.</para>
+
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
+        role="bold">NOTRACK</emphasis>|<emphasis
+        role="bold">CT</emphasis>:<emphasis
+        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
+        role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new|notrack</emphasis>|DROP|LOG|NFLOG(<replaceable>nflog-parameters</replaceable>)|IP6TABLES(<replaceable>target</replaceable>)}[:<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
+
+        <listitem>
+          <para>This column is only present when FORMAT &gt;= 2. Values other
+          than NOTRACK require <firstterm>CT Target </firstterm>support in
+          your iptables and kernel.</para>
+
+          <itemizedlist>
+            <listitem>
+              <para><option>NOTRACK</option> or
+              <option>CT:notrack</option></para>
+
+              <para>Disables connection tracking for this packet. If a
+              <replaceable>log-level</replaceable> is specified, the packet
+              will also be logged at that level.</para>
+            </listitem>
+
+            <listitem>
+              <para><option>helper</option>:<replaceable>name</replaceable></para>
+
+              <para>Attach the helper identified by the
+              <replaceable>name</replaceable> to this connection. This is more
+              flexible than loading the conntrack helper with preset ports. If
+              a <replaceable>log-level</replaceable> is specified, the packet
+              will also be logged at that level.</para>
+
+              <para>At this writing, the available helpers are:</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>amanda</term>
+
+                  <listitem>
+                    <para>Requires that the amanda netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>ftp</term>
+
+                  <listitem>
+                    <para>Requires that the FTP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>irc</term>
+
+                  <listitem>
+                    <para>Requires that the IRC netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>netbios-ns</term>
+
+                  <listitem>
+                    <para>Requires that the netbios_ns (sic) helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>RAS and Q.931</term>
+
+                  <listitem>
+                    <para>These require that the H323 netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>pptp</term>
+
+                  <listitem>
+                    <para>Requires that the pptp netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>sane</term>
+
+                  <listitem>
+                    <para>Requires that the SANE netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>sip</term>
+
+                  <listitem>
+                    <para>Requires that the SIP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>snmp</term>
+
+                  <listitem>
+                    <para>Requires that the SNMP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>tftp</term>
+
+                  <listitem>
+                    <para>Requires that the TFTP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+
+              <para>May be followed by an option list of
+              <replaceable>arg</replaceable>=<replaceable>val</replaceable>
+              pairs in parentheses:</para>
+
+              <itemizedlist>
+                <listitem>
+                  <para><option>ctevents</option>=<replaceable>event</replaceable>[,...]</para>
+
+                  <para>Only generate the specified conntrack events for this
+                  connection. Possible event types are: <emphasis
+                  role="bold">new</emphasis>, <emphasis
+                  role="bold">related</emphasis>, <emphasis
+                  role="bold">destroy</emphasis>, <emphasis
+                  role="bold">reply</emphasis>, <emphasis
+                  role="bold">assured</emphasis>, <emphasis
+                  role="bold">protoinfo</emphasis>, <emphasis
+                  role="bold">helper</emphasis>, <emphasis
+                  role="bold">mark</emphasis> (this is connection mark, not
+                  packet mark), <emphasis role="bold">natseqinfo</emphasis>,
+                  and <emphasis role="bold">secmark</emphasis>. If more than
+                  one <emphasis>event</emphasis> is listed, the
+                  <replaceable>event</replaceable> list must be enclosed in
+                  parentheses (e.g., ctevents=(new,related)).</para>
+                </listitem>
+
+                <listitem>
+                  <para><option>expevents</option><option>=new</option></para>
+
+                  <para>Only generate <emphasis role="bold">new</emphasis>
+                  expectation events for this connection.</para>
+                </listitem>
+              </itemizedlist>
+            </listitem>
+
+            <listitem>
+              <para>ctevents:<replaceable>event</replaceable>[,...]</para>
+
+              <para>Added in Shorewall 4.6.10. Only generate the specified
+              conntrack events for this connection. Possible event types are:
+              <emphasis role="bold">new</emphasis>, <emphasis
+              role="bold">related</emphasis>, <emphasis
+              role="bold">destroy</emphasis>, <emphasis
+              role="bold">reply</emphasis>, <emphasis
+              role="bold">assured</emphasis>, <emphasis
+              role="bold">protoinfo</emphasis>, <emphasis
+              role="bold">helper</emphasis>, <emphasis
+              role="bold">mark</emphasis> (this is connection mark, not packet
+              mark), <emphasis role="bold">natseqinfo</emphasis>, and
+              <emphasis role="bold">secmark</emphasis>.</para>
+            </listitem>
+
+            <listitem>
+              <para>expevents=new</para>
+
+              <para>Added in Shorewall 4.6.10. Only generate <emphasis
+              role="bold">new</emphasis> expectation events for this
+              connection.</para>
+            </listitem>
+
+            <listitem>
+              <para><option>DROP</option></para>
+
+              <para>Added in Shorewall 4.5.10. Silently discard the packet. If
+              a <replaceable>log-level</replaceable> is specified, the packet
+              will also be logged at that level.</para>
+            </listitem>
+
+            <listitem>
+              <para><option>IP6TABLES</option>(<replaceable>target</replaceable>)</para>
+
+              <para>Added in Shorewall 4.6.0. Allows you to specify any
+              iptables <replaceable>target</replaceable> with target options
+              (e.g., "IP6TABLES(AUDIT --type drop)"). If the target is not one
+              recognized by Shorewall, the following error message will be
+              issued:</para>
+
+              <simplelist>
+                <member>ERROR: Unknown target
+                (<replaceable>target</replaceable>)</member>
+              </simplelist>
+
+              <para>This error message may be eliminated by adding
+              <replaceable>target</replaceable> as a builtin action in <ulink
+              url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
+            </listitem>
+
+            <listitem>
+              <para><option>LOG</option></para>
+
+              <para>Added in Shoreawll 4.6.0. Logs the packet using the
+              specified <replaceable>log-level</replaceable> and<replaceable>
+              log-tag </replaceable>(if any). If no log-level is specified,
+              then 'info' is assumed.</para>
+            </listitem>
+
+            <listitem>
+              <para><option>NFLOG</option></para>
+
+              <para>Added in Shoreawll 4.6.0. Queues the packet to a backend
+              logging daemon using the NFLOG netfilter target with the
+              specified <replaceable>nflog-parameters</replaceable>.</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>When FORMAT = 1, this column is not present and the rule is
+          processed as if NOTRACK had been entered in this column.</para>
+
+          <para>Beginning with Shorewall 4.5.10, when FORMAT = 3, this column
+          can end with a colon followed by a
+          <replaceable>chain-designator</replaceable>. The
+          <replaceable>chain-designator</replaceable> can be one of the
+          following:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>P</term>
+
+              <listitem>
+                <para>The rule is added to the raw table PREROUTING chain.
+                This is the default if no
+                <replaceable>chain-designator</replaceable> is present.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>O</term>
+
+              <listitem>
+                <para>The rule is added to the raw table OUTPUT chain.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>PO or OP</term>
+
+              <listitem>
+                <para>The rule is added to the raw table PREROUTING and OUTPUT
+                chains.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SOURCE (formats 1 and 2) ‒
+        <emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]</term>
+
+        <listitem>
+          <para>where <replaceable>zone</replaceable> is the name of a zone,
+          <replaceable>interface</replaceable> is an interface to that zone,
+          and <replaceable>address-list</replaceable> is a comma-separated
+          list of addresses (may contain exclusion - see <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
+          (5)).</para>
+
+          <para>Beginning with Shorewall 4.5.7, <option>all</option> can be
+          used as the <replaceable>zone</replaceable> name to mean
+          <firstterm>all zones</firstterm>.</para>
+
+          <para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
+          used as the <replaceable>zone</replaceable> name to mean all
+          <firstterm>off-firewall zone</firstterm>s.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SOURCE (format 3 prior to Shorewall 5.1.0) ‒
+        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
+
+        <listitem>
+          <para>Where <replaceable>interface</replaceable> is an interface to
+          that zone, and <replaceable>address-list</replaceable> is a
+          comma-separated list of addresses (may contain exclusion - see
+          <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
+          (5)).</para>
+
+          <para>COMMENT is only allowed in format 1; the remainder of the line
+          is treated as a comment that will be associated with the generated
+          rule(s).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE (format 3 on Shorewall 5.1.0 and
+        later) -
+        {-|[<replaceable>source-spec</replaceable>[,...]]}</emphasis></term>
+
+        <listitem>
+          <para>where <replaceable>source-spec</replaceable> is one of the
+          following:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><replaceable>interface</replaceable></term>
+
+              <listitem>
+                <para>Where interface is the logical name of an interface
+                defined in <ulink
+                url="/manpages6/shorewall6-interfaces.html">shorewall6-interface</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+
+              <listitem>
+                <para>where <replaceable>address</replaceable> may be:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>A host or network IP address.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>A MAC address in Shorewall format (preceded by a
+                    tilde ("~") and using dash ("-") as a separator.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The name of an ipset preceded by a plus sign ("+").
+                    See <ulink
+                    url="/manpages6/shorewall6-ipsets.html">shorewall6-ipsets</ulink>(5).</para>
+                  </listitem>
+                </itemizedlist>
+
+                <para><replaceable>exclusion</replaceable> is described in
+                <ulink
+                url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+
+              <listitem>
+                <para>This form combines the preceding two and requires that
+                both the incoming interace and source address match.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>See <ulink
+                url="/manpages6/shorewall6-exclusion.html">shorewall-exclusion</ulink>
+                (5)</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>Beginning with Shorewall 5.1.0, multiple
+          <replaceable>source-spec</replaceable>s separated by commas may be
+          specified provided that the following alternative forms are
+          used:</para>
+
+          <blockquote>
+            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para>(<replaceable>exclusion</replaceable>)</para>
+          </blockquote>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>DEST (Prior to Shorewall 5.1.0) ‒
+        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
+
+        <listitem>
+          <para>where <replaceable>address-list</replaceable> is a
+          comma-separated list of addresses (may contain exclusion - see
+          <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
+          (5)).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST (Shorewall 5.1.0 and later) -
+        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
+
+        <listitem>
+          <para>where <replaceable>dest-spec</replaceable> is one of the
+          following:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><replaceable>interface</replaceable></term>
+
+              <listitem>
+                <para>Where interface is the logical name of an interface
+                defined in <ulink
+                url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+
+              <listitem>
+                <para>where <replaceable>address</replaceable> may be:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>A host or network IP address.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>A MAC address in Shorewall format (preceded by a
+                    tilde ("~") and using dash ("-") as a separator.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The name of an ipset preceded by a plus sign ("+").
+                    See <ulink
+                    url="/manpages6/shorewall6-ipsets.html">shorewall6-ipsets</ulink>(5).</para>
+                  </listitem>
+                </itemizedlist>
+
+                <para><replaceable>exclusion</replaceable> is described in
+                <ulink
+                url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+
+              <listitem>
+                <para>This form combines the preceding two and requires that
+                both the outgoing interace and destination address
+                match.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>See <ulink
+                url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
+                (5)</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>Beginning with Shorewall 5.1.0, multiple source-specs
+          separated by commas may be specified provided that the following
+          alternative forms are used:</para>
+
+          <blockquote>
+            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para>(<replaceable>exclusion</replaceable>)</para>
+          </blockquote>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PROTO ‒
+        <replaceable>protocol-name-or-number</replaceable>[,...]</term>
+
+        <listitem>
+          <para>A protocol name from <filename>/etc/protocols</filename> or a
+          protocol number.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>DPORT -
+        {-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
+
+        <listitem>
+          <para>A comma-separated list of port numbers and/or service names
+          from <filename>/etc/services</filename>. May also include port
+          ranges of the form
+          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
+          if your kernel and iptables include port range support.</para>
+
+          <para>Beginning with Shorewall 4.6.0, an ipset name can be specified
+          in this column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SPORT -
+        {-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
+
+        <listitem>
+          <para>A comma-separated list of port numbers and/or service names
+          from <filename>/etc/services</filename>. May also include port
+          ranges of the form
+          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
+          if your kernel and iptables include port range support.</para>
+
+          <para>Beginning with Shorewall 4.5.15, you may place '=' in this
+          column, provided that the DPORT column is non-empty. This causes the
+          rule to match when either the source port or the destination port in
+          a packet matches one of the ports specified in DPORT.</para>
+
+          <para>Beginning with Shorewall 4.6.0, an ipset name can be specified
+          in this column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>USER ‒
+        [<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
+
+        <listitem>
+          <para>May only be specified if the SOURCE
+          <replaceable>zone</replaceable> is $FW. Specifies the effective user
+          id and or group id of the process sending the traffic.</para>
+
+          <para>This column was formerly labelled USER/GROUP.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall6 4.5.10 and allows enabling and disabling
+          the rule without requiring <command>shorewall6
+          restart</command>.</para>
+
+          <para>Enables the rule if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. Disables the rule if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '@...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall6
+          restart</command>.</para>
+
+          <para>When the <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>EXAMPLES</title>
+
+    <para>Example 1:</para>
+
+    <para>Use the FTP helper for TCP port 21 connections from the firewall
+    itself.</para>
+
+    <programlisting>FORMAT 2
+#ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
+CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
+
+    <para>Example 2 (Shorewall 4.5.10 or later):</para>
+
+    <para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
+
+    <programlisting>FORMAT 2
+#ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
+DROP                          all-:2001:1.2.3::4 -
+DROP                          all                2001:1.2.3::4
+</programlisting>
+
+    <para>or<programlisting>FORMAT 3
+#ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
+DROP:P                        2001:1.2.3::4      -
+DROP:PO                       -                  2001:1.2.3::4
+</programlisting></para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/notrack</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
+    shorewall6-ipsec(5), shorewall6-netmap(5),shorewall6-params(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
+    shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5),
+    shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
+    shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5),
+    shorewall6-tunnels(5), shorewall-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-exclusion.xml
+++ b/Shorewall6/manpages/shorewall6-exclusion.xml
@@ -0,0 +1,115 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-exclusion</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>exclusion</refname>
+
+    <refpurpose>Exclude a set of hosts from a definition in a shorewall6
+    configuration file.</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <arg choice="plain"
+      rep="repeat"><option>!</option><replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]</arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <arg choice="plain"
+      rep="repeat"><option>!</option><replaceable>zone-name</replaceable>[,<replaceable>zone-name</replaceable>]</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>Exclusion is used when you wish to exclude one or more addresses
+    from a definition. An exclamation point is followed by a comma-separated
+    list of addresses. The addresses may be single host addresses (e.g.,
+    fe80::2a0:ccff:fedb:31c4) or they may be network addresses in CIDR format
+    (e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and ip6tables include
+    iprange support, you may also specify ranges of ip addresses of the form
+    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>
+
+    <para>No embedded white-space is allowed.</para>
+
+    <para>Exclusion can appear after a list of addresses and/or address
+    ranges. In that case, the final list of address is formed by taking the
+    first list and then removing the addresses defined in the
+    exclusion.</para>
+
+    <para>Beginning in Shorewall 4.4.13, the second form of exclusion is
+    allowed after <emphasis role="bold">all</emphasis> and <emphasis
+    role="bold">any</emphasis> in the SOURCE and DEST columns of
+    /etc/shorewall/rules. It allows you to omit arbitrary zones from the list
+    generated by those key words.</para>
+
+    <warning>
+      <para>If you omit a sub-zone and there is an explicit or explicit
+      CONTINUE policy, a connection to/from that zone can still be matched by
+      the rule generated for a parent zone.</para>
+
+      <para>For example:</para>
+
+      <blockquote>
+        <para>/etc/shorewall6/zones:</para>
+
+        <programlisting>#ZONE          TYPE
+z1             ip
+z2:z1          ip
+...</programlisting>
+
+        <para>/etc/shorewall6/policy:</para>
+
+        <programlisting>#SOURCE         DEST          POLICY
+z1              net           CONTINUE
+z2              net           REJECT</programlisting>
+
+        <para>/etc/shorewall6/rules:</para>
+
+        <programlisting>#ACTION         SOURCE        DEST        PROTO         DEST
+#                                                       PORT(S)
+ACCEPT          all!z2        net         tcp           22</programlisting>
+
+        <para>In this case, SSH connections from <emphasis
+        role="bold">z2</emphasis> to <emphasis role="bold">net</emphasis> will
+        be accepted by the generated <emphasis role="bold">z1</emphasis> to
+        net ACCEPT rule.</para>
+      </blockquote>
+    </warning>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/hosts</para>
+
+    <para>/etc/shorewall6/masq</para>
+
+    <para>/etc/shorewall6/rules</para>
+
+    <para>/etc/shorewall6/tcrules</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
+    shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-hosts.xml
+++ b/Shorewall6/manpages/shorewall6-hosts.xml
@@ -0,0 +1,210 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-hosts</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>hosts</refname>
+
+    <refpurpose>shorewall6 file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/hosts</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to define zones in terms of subnets and/or
+    individual IP addresses. Most simple setups don't need to (should not)
+    place anything in this file.</para>
+
+    <para>The order of entries in this file is not significant in determining
+    zone composition. Rather, the order that the zones are declared in <ulink
+    url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
+    determines the order in which the records in this file are
+    interpreted.</para>
+
+    <warning>
+      <para>The only time that you need this file is when you have more than
+      one zone connected through a single interface.</para>
+    </warning>
+
+    <warning>
+      <para>If you have an entry for a zone and interface in <ulink
+      url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+      then do not include any entries in this file for that same (zone,
+      interface) pair.</para>
+    </warning>
+
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ZONE</emphasis> -
+        <emphasis>zone-name</emphasis></term>
+
+        <listitem>
+          <para>The name of a zone declared in <ulink
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).
+          You may not list the firewall zone in this column.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">HOST(S)</emphasis> (hosts)-
+        <emphasis>interface</emphasis>:{<replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]...|+<replaceable>ipset</replaceable>|<option>dynamic</option>}[<replaceable>exclusion</replaceable>]</term>
+
+        <listitem>
+          <para>The name of an interface defined in the <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+          file followed by a colon (":") and a comma-separated list whose
+          elements are either:</para>
+
+          <orderedlist numeration="loweralpha">
+            <listitem>
+              <para>The IPv6 <replaceable>address</replaceable> of a
+              host.</para>
+            </listitem>
+
+            <listitem>
+              <para>A network in CIDR format.</para>
+            </listitem>
+
+            <listitem>
+              <para>An IP address range of the form
+              [<emphasis>low.address</emphasis>]-[<emphasis>high.address</emphasis>].
+              Your kernel and ip6tables must have iprange match
+              support.</para>
+            </listitem>
+
+            <listitem>
+              <para>The name of an <emphasis>ipset</emphasis>.</para>
+            </listitem>
+
+            <listitem>
+              <para>The word <option>dynamic</option> which makes the zone
+              dynamic in that you can use the <command>shorewall add</command>
+              and <command>shorewall delete</command> commands to change to
+              composition of the zone. This capability was added in Shorewall
+              4.4.21.</para>
+            </listitem>
+          </orderedlist>
+
+          <blockquote>
+            <para>You may also exclude certain hosts through use of an
+            <emphasis>exclusion</emphasis> (see <ulink
+            url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
+          </blockquote>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>OPTIONS - [<emphasis>option</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
+
+        <listitem>
+          <para>An optional comma-separated list of options from the following
+          list. The order in which you list the options is not significant but
+          the list must have no embedded white-space.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">blacklist</emphasis></term>
+
+              <listitem>
+                <para>Check packets arriving on this port against the <ulink
+                url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
+                file.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">ipsec</emphasis></term>
+
+              <listitem>
+                <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
+                that if the zone named in the ZONE column is specified as an
+                IPSEC zone in the <ulink
+                url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
+                file then you do NOT need to specify the 'ipsec' option
+                here.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">mss</emphasis>=<replaceable>mss</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.2. When present, causes the TCP
+                mss for new connections to/from the hosts given in the HOST(S)
+                column to be clamped at the specified
+                <replaceable>mss</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">routeback</emphasis></term>
+
+              <listitem>
+                <para>shorewall6 should set up the infrastructure to pass
+                packets from this/these address(es) back to themselves. This
+                is necessary if hosts in this group use the services of a
+                transparent proxy that is a member of the group or if DNAT is
+                used to send requests originating from this group to a server
+                in the group.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">tcpflags</emphasis></term>
+
+              <listitem>
+                <para>Packets arriving from these hosts are checked for
+                certain illegal combinations of TCP flags. Packets found to
+                have such a combination of flags are handled according to the
+                setting of TCP_FLAGS_DISPOSITION after having been logged
+                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/hosts</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+    shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
+    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -0,0 +1,733 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-interfaces</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>interfaces</refname>
+
+    <refpurpose>shorewall6 interfaces file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/interfaces</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>The interfaces file serves to define the firewall's network
+    interfaces to shorewall6. The order of entries in this file is not
+    significant in determining zone composition.</para>
+
+    <para>Beginning with Shorewall 4.5.3, the interfaces file supports two
+    different formats:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>FORMAT 1 (default - deprecated)</term>
+
+        <listitem>
+          <para>There is a ANYCAST column which provides compatibility with
+          older versions of Shorewall..</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>FORMAT 2</term>
+
+        <listitem>
+          <para>The BROADCAST column is omitted.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>The format is specified by a line as follows:</para>
+
+    <blockquote>
+      <para><emphasis role="bold">?FORMAT {1|2}</emphasis></para>
+    </blockquote>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ZONE</emphasis> -
+        <emphasis>zone-name</emphasis></term>
+
+        <listitem>
+          <para>Zone for this interface. Must match the name of a zone
+          declared in /etc/shorewall6/zones. You may not list the firewall
+          zone in this column.</para>
+
+          <para>If the interface serves multiple zones that will be defined in
+          the <ulink
+          url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
+          file, you should place "-" in this column.</para>
+
+          <para>If there are multiple interfaces to the same zone, you must
+          list them in separate entries.</para>
+
+          <para>Example:</para>
+
+          <blockquote>
+            <programlisting>#ZONE   INTERFACE       BROADCAST
+loc     eth1            -
+loc     eth2            -</programlisting>
+          </blockquote>
+
+          <para>Beginning with Shorewall 4.5.17, if you specify a zone for the
+          'lo' interface, then that zone must be defined as type
+          <option>local</option> in <ulink
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INTERFACE</emphasis> -
+        <emphasis>interface</emphasis><emphasis
+        role="bold">[:</emphasis><emphasis>port</emphasis><emphasis
+        role="bold">]</emphasis></term>
+
+        <listitem>
+          <para>Logical name of interface. Each interface may be listed only
+          once in this file. You may NOT specify the name of a "virtual"
+          interface (e.g., eth0:0) here; see <ulink
+          url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
+          If the <option>physical</option> option is not specified, then the
+          logical name is also the name of the actual interface.</para>
+
+          <para>You may use wildcards here by specifying a prefix followed by
+          the plus sign ("+"). For example, if you want to make an entry that
+          applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
+          ppp1, ppp2, …Please note that the '+' means '<emphasis
+          role="bold">one</emphasis> or more additional characters' so 'ppp'
+          does not match 'ppp+'.</para>
+
+          <para>Care must be exercised when using wildcards where there is
+          another zone that uses a matching specific interface. See <ulink
+          url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
+          for a discussion of this problem.</para>
+
+          <para>Shorewall6 allows '+' as an interface name.</para>
+
+          <para>There is no need to define the loopback interface (lo) in this
+          file.</para>
+
+          <para>If a <replaceable>port</replaceable> is given, then the
+          <replaceable>interface</replaceable> must have been defined
+          previously with the <option>bridge</option> option. The OPTIONS
+          column must be empty when a <replaceable>port</replaceable> is
+          given.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ANYCAST</emphasis> - <emphasis
+        role="bold">-</emphasis></term>
+
+        <listitem>
+          <para>Enter '<emphasis role="bold">-'</emphasis> in this column. It
+          is here for compatibility between Shorewall6 and Shorewall and is
+          omitted if FORMAT is 2.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">OPTIONS</emphasis> (Optional) -
+        [<emphasis>option</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
+
+        <listitem>
+          <para>A comma-separated list of options from the following list. The
+          order in which you list the options is not significant but the list
+          should have no embedded white-space.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">accept_ra</emphasis>[={0|1|2}]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.16. Values are:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>0</term>
+
+                    <listitem>
+                      <para>Do not accept Router Advertisements.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>1</term>
+
+                    <listitem>
+                      <para>Accept Route Advertisements if forwarding is
+                      disabled.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>2</term>
+
+                    <listitem>
+                      <para>Overrule forwarding behavior. Accept Route
+                      Advertisements even if forwarding is enabled.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+
+                <para>If the option is specified without a value, then the
+                value 1 is assumed.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">blacklist</emphasis></term>
+
+              <listitem>
+                <para>Check packets arriving on this interface against the
+                <ulink
+                url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
+                file.</para>
+
+                <para>Beginning with Shorewall 4.4.13:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>If a <replaceable>zone</replaceable> is given in the
+                    ZONES column, then the behavior is as if <emphasis
+                    role="bold">blacklist</emphasis> had been specified in the
+                    IN_OPTIONS column of <ulink
+                    url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Otherwise, the option is ignored with a
+                    warning:</para>
+
+                    <blockquote>
+                      <para><emphasis role="bold">WARNING: The 'blacklist'
+                      option is ignored on multi-zone
+                      interfaces</emphasis></para>
+                    </blockquote>
+                  </listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">bridge</emphasis></term>
+
+              <listitem>
+                <para>Designates the interface as a bridge. Beginning with
+                Shorewall 4.4.7, setting this option also sets
+                <option>routeback</option>.</para>
+
+                <note>
+                  <para>If you have a bridge that you don't intend to define
+                  bport zones on, then it is best to omit this option and
+                  simply specify <option>routeback</option>.</para>
+                </note>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.10. This option defined whether
+                or not dynamic blacklisting is applied to packets entering the
+                firewall through this interface and whether the source address
+                and/or destination address is to be compared against the
+                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
+                <ulink
+                url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>).
+                The default is determine by the setting of
+                DYNAMIC_BLACKLIST:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=No</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">none</emphasis>
+                      (e.g., no dynamic blacklist checking).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=Yes</term>
+
+                    <listitem>
+                      <para>Default is <emphasis role="bold">src</emphasis>
+                      (e.g., the source IP address is checked against the
+                      ipset).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only]</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src</emphasis>.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
+
+                    <listitem>
+                      <para>Default is <emphasis
+                      role="bold">src-dst</emphasis> (e.g., the source IP
+                      addresses in checked against the ipset on input and the
+                      destination IP address is checked against the ipset on
+                      packets originating from the firewall and leaving
+                      through this interface).</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">destonly</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.17. Causes the compiler to omit
+                rules to handle traffic from this interface.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">dhcp</emphasis></term>
+
+              <listitem>
+                <para>Specify this option when any of the following are
+                true:</para>
+
+                <orderedlist spacing="compact">
+                  <listitem>
+                    <para>the interface gets its IP address via DHCP</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>the interface is used by a DHCP server running on
+                    the firewall</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>the interface has a static IP but is on a LAN
+                    segment with lots of DHCP clients.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>the interface is a <ulink
+                    url="/SimpleBridge.html">simple bridge</ulink> with a DHCP
+                    server on one port and DHCP clients on another
+                    port.</para>
+
+                    <note>
+                      <para>If you use <ulink
+                      url="/bridge-Shorewall-perl.html">Shorewall-perl for
+                      firewall/bridging</ulink>, then you need to include
+                      DHCP-specific rules in <ulink
+                      url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(8).
+                      DHCP uses UDP ports 546 and 547.</para>
+                    </note>
+                  </listitem>
+                </orderedlist>
+
+                <para>This option allows DHCP datagrams to enter and leave the
+                interface.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">forward</emphasis>[={0|1}]</term>
+
+              <listitem>
+                <para>Sets the /proc/sys/net/ipv6/conf/interface/forwarding
+                option to the specified value. If no value is supplied, then 1
+                is assumed.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">ignore[=1]</emphasis></term>
+
+              <listitem>
+                <para>When specified, causes the generated script to ignore
+                up/down events from Shorewall-init for this device.
+                Additionally, the option exempts the interface from hairpin
+                filtering. When '=1' is omitted, the ZONE column must contain
+                '-' and <option>ignore</option> must be the only
+                OPTION.</para>
+
+                <para>Beginning with Shorewall 4.5.5, may be specified as
+                '<option>ignore=1</option>' which only causes the generated
+                script to ignore up/down events from Shorewall-init; hairpin
+                filtering is still applied. In this case, the above
+                restrictions on the ZONE and OPTIONS columns are
+                lifted.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">loopback</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.6. Designates the interface as
+                the loopback interface. This option is assumed if the
+                interface's physical name is 'lo'. Only one interface man have
+                the <option>loopback</option> option specified.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>Causes forwarded TCP SYN packets entering or leaving on
+                this interface to have their MSS field set to the specified
+                <replaceable>number</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">nets=(<emphasis>net</emphasis>[,...])</emphasis></term>
+
+              <listitem>
+                <para>Limit the zone named in the ZONE column to only the
+                listed networks. If you specify this option, be sure to
+                include the link-local network (ff80::/10).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">nets=dynamic</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.21. Defines the zone as
+                <firstterm>dynamic</firstterm>. Requires ipset match support
+                in your iptables and kernel. See <ulink
+                url="/Dynamic.html">http://www.shorewall.net/Dynamic.html</ulink>
+                for further information.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">nodbl</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.8. When specified, dynamic
+                blacklisting is disabled on the interface. Beginning with
+                Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
+                equivalent to <emphasis
+                role="bold">dbl=none</emphasis>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">optional</emphasis></term>
+
+              <listitem>
+                <para>When <option>optional</option> is specified for an
+                interface, shorewall6 will be silent when:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>a <filename
+                    class="directory">/proc/sys/net/ipv6/conf/</filename>
+                    entry for the interface cannot be modified.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The first global IPv6 address of the interface
+                    cannot be obtained.</para>
+                  </listitem>
+                </itemizedlist>
+
+                <para>This option may not be specified together with <emphasis
+                role="bold">required</emphasis>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">physical</emphasis>=<emphasis
+              role="bold"><emphasis>name</emphasis></emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.4. When specified, the interface
+                or port name in the INTERFACE column is a logical name that
+                refers to the name given in this option. It is useful when you
+                want to specify the same wildcard port name on two or more
+                bridges. See <ulink
+                url="/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
+
+                <para>If the <emphasis>interface</emphasis> name is a wildcard
+                name (ends with '+'), then the physical
+                <emphasis>name</emphasis> must also end in '+'.</para>
+
+                <para>If <option>physical</option> is not specified, then it's
+                value defaults to the <emphasis>interface</emphasis>
+                name.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">required</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.10. When specified, the firewall
+                will fail to start if the interface named in the INTERFACE
+                column is not usable. May not be specified together with
+                <emphasis role="bold">optional</emphasis>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">routeback[={0|1}]</emphasis></term>
+
+              <listitem>
+                <para>If specified, indicates that shorewall6 should include
+                rules that allow traffic arriving on this interface to be
+                routed back out that same interface. This option is also
+                required when you have used a wildcard in the INTERFACE column
+                if you want to allow traffic between the interfaces that match
+                the wildcard.</para>
+
+                <para>If you specify this option, then you should also specify
+                <option>rpfilter</option> (see below) if you are running
+                Shorewall 4.5.7 or later; otherwise, you should specify
+                <option>sfilter</option> (see below).</para>
+
+                <para>Beginning with Shorewall 4.5.18, you may specify this
+                option to explicitly reset (e.g., <emphasis
+                role="bold">routeback=0</emphasis>). This can be used to
+                override Shorewall's default setting for bridge devices which
+                is <emphasis role="bold">routeback=1</emphasis>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">rpfilter</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.7. This is an anti-spoofing
+                measure that requires the 'RPFilter Match' capability in your
+                iptables and kernel. It provides a more efficient alternative
+                to the <option>sfilter</option> option below.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">sourceroute[={0|1}]</emphasis></term>
+
+              <listitem>
+                <para>If this option is not specified for an interface, then
+                source-routed packets will not be accepted from that interface
+                unless explicitly enabled via sysconf. Only set this option to
+                1 (enable source routing) if you know what you are doing. This
+                might represent a security risk and is not usually
+                needed.</para>
+
+                <para>Only those interfaces with the
+                <option>sourceroute</option> option will have their setting
+                changed; the value assigned to the setting will be the value
+                specified (if any) or 1 if no value is given.</para>
+
+                <note>
+                  <para>This option does not work with a wild-card
+                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
+                  the INTERFACE column.</para>
+                </note>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">sfilter=(<emphasis>net</emphasis>[,...])</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.20. At this writing (spring
+                2011), Linux does not support reverse path filtering (RFC3704)
+                for IPv6. In its absence, <option>sfilter</option> may be used
+                as an anti-spoofing measure.</para>
+
+                <para>This option should be used on bridges or other
+                interfaces with the <option>routeback</option> option. On
+                these interfaces, <option>sfilter</option> should list those
+                local networks that are connected to the firewall through
+                other interfaces.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">tcpflags[={0|1}]</emphasis></term>
+
+              <listitem>
+                <para>Packets arriving on this interface are checked for
+                certain illegal combinations of TCP flags. Packets found to
+                have such a combination of flags are handled according to the
+                setting of TCP_FLAGS_DISPOSITION after having been logged
+                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
+
+                <para>Beginning with Shorewall 4.6.0, tcpflags=1 is the
+                default. To disable this option, specify tcpflags=0.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>
+
+              <listitem>
+                <para>Sets
+                /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
+
+                <para><emphasis role="bold">Note</emphasis>: This option does
+                not work with a wild-card <replaceable>interface</replaceable>
+                name (e.g., eth0.+) in the INTERFACE column.</para>
+
+                <para>Only those interfaces with the <option>proxyndp</option>
+                option will have their setting changed; the value assigned to
+                the setting will be the value specified (if any) or 1 if no
+                value is given.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">unmanaged</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.18. Causes all traffic between
+                the firewall and hosts on the interface to be accepted. When
+                this option is given:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>The ZONE column must contain '-'.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Only the following other options are allowed with
+                    <emphasis role="bold">unmanaged</emphasis>:</para>
+
+                    <simplelist>
+                      <member><emphasis
+                      role="bold">accept_ra</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">forward</emphasis></member>
+
+                      <member><emphasis role="bold">ignore</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">optional</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">physical</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">sourceroute</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">proxyndp</emphasis></member>
+                    </simplelist>
+                  </listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">wait</emphasis>=<emphasis>seconds</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.10. Causes the generated script
+                to wait up to <emphasis>seconds</emphasis> seconds for the
+                interface to become usable before applying the <emphasis
+                role="bold">required</emphasis> or <emphasis
+                role="bold">optional</emphasis> options.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Example</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example 1:</term>
+
+        <listitem>
+          <para>Suppose you have eth0 connected to a DSL modem and eth1
+          connected to your local network You have a DMZ using eth2.</para>
+
+          <para>Your entries for this setup would look like:</para>
+
+          <programlisting>FORMAT 2
+#ZONE   INTERFACE OPTIONS
+net     eth0      -
+loc     eth1      -
+dmz     eth2      -</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 4 (Shorewall 4.4.9 and later):</term>
+
+        <listitem>
+          <para>You have a bridge with no IP address and you want to allow
+          traffic through the bridge.</para>
+
+          <programlisting>FORMAT 2
+#ZONE   INTERFACE        OPTIONS
+-       br0              bridge</programlisting>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/interfaces</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
+    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-ipsets.xml
+++ b/Shorewall6/manpages/shorewall6-ipsets.xml
@@ -0,0 +1,274 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-ipsets</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>ipsets</refname>
+
+    <refpurpose>Specifying the name if an ipset in Shorewall6 configuration
+    files</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>+<replaceable>ipsetname</replaceable></command>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>+<replaceable>ipsetname</replaceable>[<replaceable>flag</replaceable>,...]</command>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>+[ipsetname,...]</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>Note: In the above syntax descriptions, the square brackets ("[]")
+    are to be taken literally rather than as meta-characters.</para>
+
+    <para>In most places where a network address may be entered, an ipset may
+    be substituted. Set names must be prefixed by the character "+", must
+    start with a letter and may be composed of alphanumeric characters, "-"
+    and "_".</para>
+
+    <para>Whether the set is matched against the packet source or destination
+    is determined by which column the set name appears (SOURCE or DEST). For
+    those set types that specify a tuple, two alternative syntaxes are
+    available:</para>
+
+    <simplelist>
+      <member>[<replaceable>number</replaceable>] - Indicates that 'src' or
+      'dst' should repeated number times. Example: myset[2].</member>
+
+      <member>[<replaceable>flag</replaceable>,...] where
+      <replaceable>flag</replaceable> is <option>src</option> or
+      <option>dst</option>. Example: myset[src,dst].</member>
+    </simplelist>
+
+    <para>In a SOURCE or SPORT column, the following pairs are
+    equivalent:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>+myset[2] and +myset[src,src]</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>In a DEST or DPORT column, the following pairs are
+    equivalent:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>+myset[2] and +myset[dst,dst]</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Beginning with Shorewall 4.4.14, multiple source or destination
+    matches may be specified by enclosing the set names within +[...]. The set
+    names need not be prefixed with '+'. When such a list of sets is
+    specified, matching packets must match all of the listed sets.</para>
+
+    <para>For information about set lists and exclusion, see <ulink
+    url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
+    (5).</para>
+
+    <para>Beginning with Shorewall 4.5.16, you can increment one or more
+    nfacct objects each time a packet matches an ipset. You do that by listing
+    the objects separated by commas within parentheses.</para>
+
+    <para>Example:</para>
+
+    <simplelist>
+      <member>+myset[src](myobject)</member>
+    </simplelist>
+
+    <para>In that example, when the source address of a packet matches the
+    <emphasis role="bold">myset</emphasis> ipset, the <emphasis
+    role="bold">myobject</emphasis> nfacct counter will be incremented.</para>
+
+    <para>Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
+    any) can be immediately be followed by a list of match options.</para>
+
+    <important>
+      <para>These additional match options are not available in <ulink
+      url="/manpages6/shorewall6-tcfilters.html">shorewall6-tcfilters(5)</ulink>.</para>
+    </important>
+
+    <para>Available options are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>nomatch</term>
+
+        <listitem>
+          <para>If the set type supports the nomatch flag, then the matching
+          is reversed: a match with an element flagged with nomatch returns
+          true, while a match with a plain element returns false. This option
+          requires the 'Ipset Match nomatch' capability in your kernel and
+          ip[6]tables.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>no-update-counters</term>
+
+        <listitem>
+          <para>The packet and byte counters of the matching element in the
+          set won't be updated. By default, the packet and byte counters are
+          updated. This option and those that follow require the 'Ipset Match
+          counters' capability in your kernel and ip[6]tables.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>no-update-subcounters</term>
+
+        <listitem>
+          <para>The packet and byte counters of the matching element in the
+          member set of a list type of set won't be updated. Default the
+          packet and byte counters are updated.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>packets=<replaceable>value</replaceable></term>
+
+        <listitem>
+          <para>If the packet is matched an element in the set, match only if
+          the packet counter of the element matches the given
+          <replaceable>value</replaceable> also.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>packets&lt;<replaceable>value</replaceable></term>
+
+        <listitem>
+          <para>If the packet is matched an element in the set, match only if
+          the packet counter of the element is less than the given
+          <replaceable>value</replaceable> as well.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>packets&gt;<replaceable>value</replaceable></term>
+
+        <listitem>
+          <para>If the packet is matched an element in the set, match only if
+          the packet counter of the element is greater than the given
+          <replaceable>value</replaceable> as well.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>packets!=<replaceable>value</replaceable></term>
+
+        <listitem>
+          <para>If the packet is matched an element in the set, match only if
+          the packet counter of the element does not match the given
+          <replaceable>value</replaceable> also.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>bytes=<replaceable>value</replaceable></term>
+
+        <listitem>
+          <para>If the packet is matched an element in the set, match only if
+          the byte counter of the element matches the given
+          <replaceable>value</replaceable> also.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>bytes&lt;<replaceable>value</replaceable></term>
+
+        <listitem>
+          <para>If the packet is matched an element in the set, match only if
+          the byte counter of the element is less than the given
+          <replaceable>value</replaceable> as well.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>bytes&gt;<replaceable>value</replaceable></term>
+
+        <listitem>
+          <para>If the packet is matched an element in the set, match only if
+          the byte counter of the element is greater than the given
+          <replaceable>value</replaceable> as well.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>bytes&lt;&gt;<replaceable>value</replaceable></term>
+
+        <listitem>
+          <para>If the packet is matched an element in the set, match only if
+          the byte counter of the element does not match the given
+          <replaceable>value</replaceable> also.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Examples</title>
+
+    <para>+myset</para>
+
+    <para>+myset[src]</para>
+
+    <para>+myset[2]</para>
+
+    <para>+[myset1,myset2[dst]]</para>
+
+    <para>+myset[src,nomatch,packets&gt;100]</para>
+
+    <para>+myset[nomatch,no-update-counters](myObject)</para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/accounting</para>
+
+    <para>/etc/shorewall6/blrules</para>
+
+    <para>/etc/shorewall6/hosts -- <emphasis role="bold">Note:</emphasis>
+    Multiple matches enclosed in +[...] may not be used in this file.</para>
+
+    <para>/etc/shorewall6/maclist -- <emphasis role="bold">Note:</emphasis>
+    Multiple matches enclosed in +[...] may not be used in this file.</para>
+
+    <para>/etc/shorewall6/rules</para>
+
+    <para>/etc/shorewall6/secmarks</para>
+
+    <para>/etc/shorewall6/mangle</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
+    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
+    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-maclist.xml
+++ b/Shorewall6/manpages/shorewall6-maclist.xml
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-maclist</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>maclist</refname>
+
+    <refpurpose>shorewall6 MAC Verification file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/maclist</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to define the MAC addresses and optionally their
+    associated IPv6 addresses to be allowed to use the specified interface.
+    The feature is enabled by using the <emphasis
+    role="bold">maclist</emphasis> option in the <ulink
+    url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+    or <ulink
+    url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
+    configuration file.</para>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">DISPOSITION</emphasis> - {<emphasis
+        role="bold">ACCEPT</emphasis>|<emphasis
+        role="bold">DROP</emphasis>|<emphasis
+        role="bold">REJECT</emphasis>}[<option>:</option><replaceable>log-level</replaceable>]</term>
+
+        <listitem>
+          <para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
+          role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
+          then REJECT is also allowed). If specified, the
+          <replaceable>log-level</replaceable> causes packets matching the
+          rule to be logged at that level.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INTERFACE</emphasis> -
+        <emphasis>interface</emphasis></term>
+
+        <listitem>
+          <para>Network <emphasis>interface</emphasis> to a host.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">MAC</emphasis> -
+        <emphasis>address</emphasis></term>
+
+        <listitem>
+          <para>MAC <emphasis>address</emphasis> of the host -- you do not
+          need to use the shorewall6 format for MAC addresses here. If
+          <emphasis role="bold">IP ADDRESSES</emphasis> is supplied then
+          <emphasis role="bold">MAC</emphasis> can be supplied as a dash
+          (<emphasis role="bold">-</emphasis>)</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">IP ADDRESSES</emphasis> (Optional) -
+        [<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>]...]</term>
+
+        <listitem>
+          <para>If specified, both the MAC and IP address must match. This
+          column can contain a comma-separated list of host and/or subnet
+          addresses. If your kernel and ip6tables have iprange match support
+          then IP address ranges are also allowed. Similarly, if your kernel
+          and ip6tables include ipset support than set names (prefixed by "+")
+          are also allowed.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/maclist</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/MAC_Validation.html">http://www.shorewall.net/MAC_Validation.html</ulink></para>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
+    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
--- a/Shorewall6/manpages/shorewall6-masq.xml
+++ b/Shorewall6/manpages/shorewall6-masq.xml
@@ -0,0 +1,577 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-masq</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>masq</refname>
+
+    <refpurpose>Shorewall6 Masquerade/SNAT definition file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/masq</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>Use this file to define Source NAT (SNAT). Requires Shorewall 4.5.14
+    or later.</para>
+
+    <warning>
+      <para>The entries in this file are order-sensitive. The first entry that
+      matches a particular connection will be the one that is used.</para>
+    </warning>
+
+    <warning>
+      <para>If you have more than one ISP link, adding entries to this file
+      will <emphasis role="bold">not</emphasis> force connections to go out
+      through a particular link. You must use entries in <ulink
+      url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
+      or PREROUTING entries in <ulink
+      url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to
+      do that.</para>
+    </warning>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">INTERFACE:DEST</emphasis> - {[<emphasis
+        role="bold">+</emphasis>]<emphasis>interfacelist</emphasis>|[<emphasis
+        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|?COMMENT}</term>
+
+        <listitem>
+          <para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
+          comma-separated list of interface names. This is usually your
+          internet interface.</para>
+
+          <para>Each interface must match an entry in <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+          Shorewall allows loose matches to wildcard entries in <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+          For example, <filename class="devicefile">ppp0</filename> in this
+          file will match a <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+          entry that defines <filename
+          class="devicefile">ppp+</filename>.</para>
+
+          <para>Where <ulink url="MultiISP.html#Shared">more that one
+          internet provider share a single interface</ulink>, the provider is
+          specified by including the provider name or number in
+          parentheses:</para>
+
+          <programlisting>        eth0(Avvanta)</programlisting>
+
+          <para>In that case, you will want to specify the interface's address
+          for that provider in the ADDRESS column.</para>
+
+          <para>The interface may be qualified by adding the character ":"
+          followed by a comma-separated list of destination host or subnet
+          addresses to indicate that you only want to change the source IP
+          address for packets being sent to those particular destinations.
+          Exclusion is allowed (see <ulink
+          url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
+          as are ipset names preceded by a plus sign '+'.</para>
+
+          <para>Comments may be attached to Netfilter rules generated from
+          entries in this file through the use of ?COMMENT lines. These lines
+          begin with ?COMMENT; the remainder of the line is treated as a
+          comment which is attached to subsequent rules until another ?COMMENT
+          line is found or until the end of the file is reached. To stop
+          adding comments to rules, use a line containing only
+          ?COMMENT.</para>
+
+          <para>Beginning with Shorewall 4.6.0, a new syntax is also accepted.
+          With the exception of the leading '+', the interfacelist and
+          qualifiers may appear within the parentheses of <emphasis
+          role="bold">INLINE</emphasis>(...).</para>
+
+          <para>Example:</para>
+
+          <programlisting>        +INLINE(eth0)</programlisting>
+
+          <para>When this is done, you may augment the rule generated by
+          Shorewall with iptables matches of your own. These matches appear
+          after a semicolon (';') at the end of the line.</para>
+
+          <para>See example 2 below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis> (Optional) -
+        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+
+        <listitem>
+          <para>Set of hosts that you wish to SNAT; one or more host or
+          network addresses separated by comma. You may use ipset names
+          preceded by a plus sign (+) to specify a set of hosts.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
+        role="bold">-</emphasis>|<emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
+        role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
+        role="bold">:random</emphasis>][:persistent]|<emphasis
+        role="bold">detect</emphasis>|<emphasis
+        role="bold">random</emphasis>]</term>
+
+        <listitem>
+          <para>If you do not specify an address or address range,
+          masquerading will be performed. This requires <firstterm>Masquerade
+          Target</firstterm> support in your kernel and ip6tables.</para>
+
+          <para>If you specify an address here, SNAT will be used and this
+          will be the source address.</para>
+
+          <para>You may also specify a range of up to 256 IP addresses if you
+          want the SNAT address to be assigned from that range in a
+          round-robin fashion by connection. The range is specified by
+          <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
+          You may follow the port range with<emphasis
+          role="bold">:random</emphasis> in which case assignment of ports
+          from the list will be random. <emphasis
+          role="bold">random</emphasis> may also be specified by itself in
+          this column in which case random local port assignments are made for
+          the outgoing connections.</para>
+
+          <para>Example:
+          [2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010</para>
+
+          <para>You may follow the port range (or <emphasis
+          role="bold">:random</emphasis>) with <emphasis
+          role="bold">:persistent</emphasis>. This is only useful when an
+          address range is specified and causes a client to be given the same
+          source/destination IP pair.</para>
+
+          <para>This column may not contain DNS Names.</para>
+
+          <para>Normally, Netfilter will attempt to retain the source port
+          number. You may cause netfilter to remap the source port by
+          following an address or range (if any) by ":" and a port range with
+          the format
+          <emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If this
+          is done, you must specify "tcp" or "udp" in the PROTO column.</para>
+
+          <para>Examples:</para>
+
+          <programlisting>        [2001:470:a:787::2]:5000-6000</programlisting>
+
+          <para>If you simply place <emphasis role="bold">NONAT</emphasis> in
+          this column, no rewriting of the source IP address or port number
+          will be performed. This is useful if you want particular traffic to
+          be exempt from the entries that follow in the file.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
+        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
+
+        <listitem>
+          <para>If you wish to restrict this entry to a particular protocol
+          then enter the protocol name (from protocols(5)) or number
+          here.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
+
+          <para>Beginning with Shorewall 4.6.0, an
+          <replaceable>ipset</replaceable> name can be specified in this
+          column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DPORT</emphasis> (Optional) -
+        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
+
+        <listitem>
+          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
+          SCTP (132) or UDPLITE (136) then you may list one or more port
+          numbers (or names from services(5)) or port ranges separated by
+          commas.</para>
+
+          <para>Port ranges are of the form
+          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
+
+          <para>Beginning with Shorewall 4.6.0, an
+          <replaceable>ipset</replaceable> name can be specified in this
+          column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
+        [<emphasis>option</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
+
+        <listitem>
+          <para>If you specify a value other than "-" in this column, you must
+          be running kernel 2.6 and your kernel and iptables must include
+          policy match support.</para>
+
+          <para>Comma-separated list of options from the following. Only
+          packets that will be encrypted via an SA that matches these options
+          will have their source address changed.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>where <emphasis>number</emphasis> is specified using
+                setkey(8) using the 'unique:<emphasis>number</emphasis> option
+                for the SPD level.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
+
+              <listitem>
+                <para>where <emphasis>number</emphasis> is the SPI of the SA
+                used to encrypt/decrypt packets.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">proto=</emphasis><emphasis
+              role="bold">ah</emphasis>|<emphasis
+              role="bold">esp</emphasis>|<emphasis
+              role="bold">ipcomp</emphasis></term>
+
+              <listitem>
+                <para>IPSEC Encapsulation Protocol</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>sets the MSS field in TCP packets</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">mode=</emphasis><emphasis
+              role="bold">transport</emphasis>|<emphasis
+              role="bold">tunnel</emphasis></term>
+
+              <listitem>
+                <para>IPSEC mode</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
+
+              <listitem>
+                <para>only available with mode=tunnel</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
+
+              <listitem>
+                <para>only available with mode=tunnel</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">strict</emphasis></term>
+
+              <listitem>
+                <para>Means that packets must match all rules.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">next</emphasis></term>
+
+              <listitem>
+                <para>Separates rules; can only be used with strict</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">yes</emphasis></term>
+
+              <listitem>
+                <para>When used by itself, causes all traffic that will be
+                encrypted/encapsulated to match the rule.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
+        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
+        role="bold">:C</emphasis>]</term>
+
+        <listitem>
+          <para>Defines a test on the existing packet or connection mark. The
+          rule will match only if the test returns true.</para>
+
+          <para>If you don't want to define a test but need to specify
+          anything in the following columns, place a "-" in this field.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>!</term>
+
+              <listitem>
+                <para>Inverts the test (not equal)</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>value</emphasis></term>
+
+              <listitem>
+                <para>Value of the packet or connection mark.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>mask</emphasis></term>
+
+              <listitem>
+                <para>A mask to be applied to the mark before testing.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">:C</emphasis></term>
+
+              <listitem>
+                <para>Designates a connection mark. If omitted, the packet
+                mark's value is tested.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
+        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
+        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
+
+        <listitem>
+          <para>Only locally-generated connections will match if this column
+          is non-empty.</para>
+
+          <para>When this column is non-empty, the rule matches only if the
+          program generating the output is running under the effective
+          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
+          specified (or is NOT running under that id if "!" is given).</para>
+
+          <para>Examples:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>joe</term>
+
+              <listitem>
+                <para>program must be run by joe</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>:kids</term>
+
+              <listitem>
+                <para>program must be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>!:kids</term>
+
+              <listitem>
+                <para>program must not be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>+upnpd</term>
+
+              <listitem>
+                <para>#program named upnpd</para>
+
+                <important>
+                  <para>The ability to specify a program name was removed from
+                  Netfilter in kernel version 2.6.14.</para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
+          rule without requiring <command>shorewall restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '@...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+
+          <para>Beginning with Shorewall 4.5.10, when the
+          <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
+
+        <listitem>
+          <para>(Optional) This column may be included and may contain one or
+          more addresses (host or network) separated by commas. Address ranges
+          are not allowed. When this column is supplied, rules are generated
+          that require that the original destination address matches one of
+          the listed addresses. It is useful for specifying that SNAT should
+          occur only for connections that were acted on by a DNAT when they
+          entered the firewall.</para>
+
+          <para>This column was formerly labelled ORIGINAL DEST.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROBABILITY</emphasis> -
+        [<replaceable>probability</replaceable>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.0. When non-empty, requires the
+          <firstterm>Statistics Match</firstterm> capability in your kernel
+          and ip6tables and causes the rule to match randomly but with the
+          given <replaceable>probability</replaceable>. The
+          <replaceable>probability</replaceable> is a number 0 &lt;
+          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
+          at up to 8 decimal points of precision.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Examples</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example 1:</term>
+
+        <listitem>
+          <para>You have a simple 'masquerading' setup where eth0 connects to
+          a DSL or cable modem and eth1 connects to your local network with
+          subnet 2001:470:b:787::0/64</para>
+
+          <para>Your entry in the file will be:</para>
+
+          <programlisting>        #INTERFACE   SOURCE                  ADDRESS
+        eth0         2001:470:b:787::0/64    -</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2:</term>
+
+        <listitem>
+          <para>Your sit1 interface has two public IP addresses:
+          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
+          iptables statistics match to masquerade outgoing connections evenly
+          between these two addresses.</para>
+
+          <programlisting>/etc/shorewall/masq:
+
+       #INTERFACE    SOURCE         ADDRESS 
+       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::2 
+</programlisting>
+
+          <para>If INLINE_MATCHES=Yes in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
+          then these rules may be specified as follows:</para>
+
+          <programlisting>/etc/shorewall/masq:
+
+       #INTERFACE    SOURCE         ADDRESS 
+       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::2</programlisting>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/masq</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-modules.xml
+++ b/Shorewall6/manpages/shorewall6-modules.xml
@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-modules</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>modules</refname>
+
+    <refpurpose>shorewall6 file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/usr/share/shorewall6/modules</command>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>/usr/share/shorewall6/helpers</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>These files specify which kernel modules shorewall6 will load before
+    trying to determine your ip6tables/kernel's capabilities. The
+    <filename>modules</filename> file is used when LOAD_HELPERS_ONLY=No in
+    <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5);
+    the <filename>helpers</filename> file is used when
+    LOAD_HELPERS_ONLY=Yes.</para>
+
+    <para>Each record in the files has the following format:</para>
+
+    <cmdsynopsis>
+      <command>loadmodule</command>
+
+      <arg choice="plain"><replaceable
+      class="parameter">modulename</replaceable></arg>
+
+      <arg rep="repeat"><replaceable>moduleoption</replaceable></arg>
+    </cmdsynopsis>
+
+    <para>The <replaceable>modulename</replaceable> names a kernel module
+    (without suffix). shorewall6 will search for modules based on your
+    MODULESDIR and MODULE_SUFFIX settings in <ulink
+    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). The
+    <replaceable>moduleoption</replaceable>s are passed to modprobe (if
+    installed) or to insmod.</para>
+
+    <para>The /usr/share/shorewall6/modules file contains a large number of
+    modules. Users are encouraged to copy the file to /etc/shorewall6/modules
+    and modify the copy to load only the modules required or use
+    LOAD_HELPERS_ONLY=Yes.<note>
+        <para>If you build monolithic kernels and have not installed
+        module-init-tools, then create an empty /etc/shorewall6/modules file;
+        that will prevent shorewall6 from trying to load modules at
+        all.</para>
+      </note></para>
+  </refsect1>
+
+  <refsect1>
+    <title>Example</title>
+
+    <para>loadmodule ip_conntrack_ftp ports=21,221</para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/usr/share/shorewall6/modules</para>
+
+    <para>/usr/share/shorewall6/helpers</para>
+
+    <para>/etc/shorewall6/modules</para>
+
+    <para>/etc/shorewall6/helpers</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
+    shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-nat.xml
+++ b/Shorewall6/manpages/shorewall6-nat.xml
@@ -0,0 +1,147 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-nat</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>nat</refname>
+
+    <refpurpose>Shorewall6 one-to-one NAT file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/nat</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to define one-to-one Network Address Translation
+    (NAT).</para>
+
+    <warning>
+      <para>If all you want to do is simple port forwarding, do NOT use this
+      file. See <ulink
+      url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>.</para>
+    </warning>
+
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">EXTERNAL</emphasis> -
+        {<emphasis>address</emphasis>|?COMMENT}</term>
+
+        <listitem>
+          <para>External IP Address - this should NOT be the primary IP
+          address of the interface named in the next column and must not be a
+          DNS Name.</para>
+
+          <para>If you put ?COMMENT in this column, the rest of the line will
+          be attached as a comment to the Netfilter rule(s) generated by the
+          following entries in the file. The comment will appear delimited by
+          "/* ... */" in the output of "shorewall show nat"</para>
+
+          <para>To stop the comment from being attached to further rules,
+          simply include ?COMMENT on a line by itself.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INTERFACE</emphasis> -
+        <emphasis>interfacelist</emphasis>[<emphasis
+        role="bold">:</emphasis>[<emphasis>digit</emphasis>]]</term>
+
+        <listitem>
+          <para>Interfaces that have the <emphasis
+          role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
+          <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
+          Shorewall will automatically add the EXTERNAL address to this
+          interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
+          name with ":" and a <emphasis>digit</emphasis> to indicate that you
+          want Shorewall to add the alias with this name (e.g., "eth0:0").
+          That allows you to see the alias with ifconfig. <emphasis
+          role="bold">That is the only thing that this name is good for -- you
+          cannot use it anywhere else in your Shorewall configuration.
+          </emphasis></para>
+
+          <para>Each interface must match an entry in <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+          Shorewall allows loose matches to wildcard entries in <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+          For example, <filename class="devicefile">ppp0</filename> in this
+          file will match a <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+          entry that defines <filename
+          class="devicefile">ppp+</filename>.</para>
+
+          <para>If you want to override ADD_IP_ALIASES=Yes for a particular
+          entry, follow the interface name with ":" and no digit (e.g.,
+          "eth0:").</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INTERNAL</emphasis> -
+        <emphasis>address</emphasis></term>
+
+        <listitem>
+          <para>Internal Address (must not be a DNS Name).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ALLINTS</emphasis> - [<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>If Yes or yes, NAT will be effective from all hosts. If No or
+          no (or left empty) then NAT will be effective only through the
+          interface named in the <emphasis role="bold">INTERFACE</emphasis>
+          column.</para>
+
+          <para>This column was formerly labelled ALL INTERFACES.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">LOCAL</emphasis> - [<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>If <emphasis role="bold">Yes</emphasis> or <emphasis
+          role="bold">yes</emphasis>, NAT will be effective from the firewall
+          system</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/nat</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/NAT.htm">http://www.shorewall.net/NAT.htm</ulink></para>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-nesting.xml
+++ b/Shorewall6/manpages/shorewall6-nesting.xml
@@ -0,0 +1,123 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-nesting</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>nesting</refname>
+
+    <refpurpose>shorewall6 Nested Zones</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <arg choice="plain"
+      rep="norepeat"><replaceable>child-zone</replaceable>[:<replaceable>parent-zone</replaceable>[,<replaceable>parent-zone</replaceable>]...]</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>In <ulink
+    url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), a zone
+    may be declared to be a sub-zone of one or more other zones using the
+    above syntax. The <replaceable>child-zone</replaceable> may be neither the
+    firewall zone nor a vserver zone. The firewall zone may not appear as a
+    parent zone, although all vserver zones are handled as sub-zones of the
+    firewall zone.</para>
+
+    <para>Where zones are nested, the CONTINUE policy in <ulink
+    url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5)
+    allows hosts that are within multiple zones to be managed under the rules
+    of all of these zones.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Example</title>
+
+    <para><filename>/etc/shorewall6/zones</filename>:</para>
+
+    <programlisting>        #ZONE    TYPE        OPTION
+        fw       firewall
+        net      ipv6
+        sam:net  ipv6
+        loc      ipv6</programlisting>
+
+    <para><filename>/etc/shorewall6/interfaces</filename>:</para>
+
+    <programlisting>        #ZONE     INTERFACE     BROADCAST     OPTIONS
+        -         eth0          detect        blacklist
+        loc       eth1          detect</programlisting>
+
+    <para><filename>/etc/shorewall6/hosts</filename>:</para>
+
+    <programlisting>        #ZONE     HOST(S)                     OPTIONS
+        net       eth0:[::\]
+        sam       eth0:[2001:19f0:feee::dead:beef:cafe]</programlisting>
+
+    <para><filename>/etc/shorewall6/policy</filename>:</para>
+
+    <programlisting>        #SOURCE      DEST        POLICY       LOG LEVEL
+        loc          net         ACCEPT
+        sam          all         CONTINUE
+        net          all         DROP         info
+        all          all         REJECT       info</programlisting>
+
+    <para>The second entry above says that when Sam is the client, connection
+    requests should first be processed under rules where the source zone is
+    sam and if there is no match then the connection request should be treated
+    under rules where the source zone is net. It is important that this policy
+    be listed BEFORE the next policy (net to all). You can have this policy
+    generated for you automatically by using the IMPLICIT_CONTINUE option in
+    <ulink
+    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+
+    <para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
+
+    <programlisting>        #ACTION   SOURCE    DEST                  PROTO    DPORT
+        ...
+        ACCEPT    sam       loc:2001:19f0:feee::3 tcp      ssh
+        ACCEPT    net       loc:2001:19f0:feee::5 tcp      www
+        ...</programlisting>
+
+    <para>Given these two rules, Sam can connect with ssh to
+    2001:19f0:feee::3. Like all hosts in the net zone, Sam can connect to TCP
+    port 80 on 2001:19f0:feee::5. The order of the rules is not
+    significant.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/zones</para>
+
+    <para>/etc/shorewall6/interfaces</para>
+
+    <para>/etc/shorewall6/hosts</para>
+
+    <para>/etc/shorewall6/policy</para>
+
+    <para>/etc/shorewall6/rules</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
+    shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-netmap.xml
+++ b/Shorewall6/manpages/shorewall6-netmap.xml
@@ -0,0 +1,185 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-netmap</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>netmap</refname>
+
+    <refpurpose>Shorewall6 NETMAP definition file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/netmap</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to map addresses in one network to corresponding
+    addresses in a second network. It was added in Shorewall6 4.4.23.3.</para>
+
+    <warning>
+      <para>To use this file, your kernel and ip6tables must have NETMAP
+      support included.</para>
+    </warning>
+
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">TYPE</emphasis> - <emphasis
+        role="bold">{DNAT</emphasis>|<emphasis
+        role="bold">SNAT}</emphasis></term>
+
+        <listitem>
+          <para>Must be DNAT or SNAT followed by :P, :O or :T to perform
+          <firstterm>stateless NAT</firstterm>. Stateless NAT requires
+          <firstterm>Rawpost Table support</firstterm> in your kernel and
+          iptables (see the output of <command>shorewall6 show
+          capabilities</command>).</para>
+
+          <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
+          its destination address rewritten to the corresponding address in
+          NET2.</para>
+
+          <para>If SNAT, traffic leaving INTERFACE with a source address in
+          NET1 has it's source address rewritten to the corresponding address
+          in NET2.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">NET1</emphasis> -
+        <emphasis>network-address</emphasis></term>
+
+        <listitem>
+          <para>Network in CIDR format (e.g., 2001:470:b:227/64). Beginning in
+          Shorewall6 4.4.24, <ulink
+          url="/manpages6/shorewall6-exclusion.html">exclusion</ulink> is
+          supported.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INTERFACE</emphasis> -
+        <emphasis>interface</emphasis></term>
+
+        <listitem>
+          <para>The name of a network interface. The interface must be defined
+          in <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+          Shorewall allows loose matches to wildcard entries in <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+          For example, <filename class="devicefile">ppp0</filename> in this
+          file will match a <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+          entry that defines <filename
+          class="devicefile">ppp+</filename>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">NET2</emphasis> -
+        <emphasis>network-address</emphasis></term>
+
+        <listitem>
+          <para>Network in CIDR format</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">NET3</emphasis> -
+        <emphasis>network-address</emphasis></term>
+
+        <listitem>
+          <para>Optional - added in Shorewall 4.4.11. If specified, qualifies
+          INTERFACE. It specifies a SOURCE network for DNAT rules and a
+          DESTINATION network for SNAT rules.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO (Optional</emphasis> -
+        <emphasis>protocol-number-or-name</emphasis></term>
+
+        <listitem>
+          <para>Only packets specifying this protocol will have their IP
+          header modified.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DPORT</emphasis> -
+        <emphasis>port-number-or-name-list</emphasis></term>
+
+        <listitem>
+          <para>Destination Ports. An optional comma-separated list of Port
+          names (from services(5)), <emphasis>port number</emphasis>s or
+          <emphasis>port range</emphasis>s; if the protocol is <emphasis
+          role="bold">icmp</emphasis>, this column is interpreted as the
+          destination icmp-type(s). ICMP types may be specified as a numeric
+          type, a numeric type and code separated by a slash (e.g., 3/4), or a
+          typename. See <ulink
+          url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
+
+          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
+          this column is interpreted as an ipp2p option without the leading
+          "--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
+          If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
+          assumed.</para>
+
+          <para>An entry in this field requires that the PROTO column specify
+          icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
+          any of the following field is supplied.</para>
+
+          <para>This column was formerly labelled DEST PORT(S).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SPORT</emphasis> -
+        <emphasis>port-number-or-name-list</emphasis></term>
+
+        <listitem>
+          <para>Optional source port(s). If omitted, any source port is
+          acceptable. Specified as a comma-separated list of port names, port
+          numbers or port ranges.</para>
+
+          <para>An entry in this field requires that the PROTO column specify
+          tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
+          the following fields is supplied.</para>
+
+          <para>This column was formerly labelled SOURCE PORT(S).</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/netmap</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/netmap.html">http://www.shorewall.net/netmap.html</ulink></para>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-params.xml
+++ b/Shorewall6/manpages/shorewall6-params.xml
@@ -0,0 +1,144 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-params</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>params</refname>
+
+    <refpurpose>Shorewall6 parameters file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/params</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>Assign any shell variables that you need in this file. The file is
+    always processed by <filename>/bin/sh</filename> or by the shell specified
+    through SHOREWALL_SHELL in <ulink
+    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5) so the
+    full range of shell capabilities may be used.</para>
+
+    <para>It is suggested that variable names begin with an upper case letter
+    to distinguish them from variables used internally within the Shorewall
+    programs</para>
+
+    <para>The following variable names must be avoided. Those in <emphasis
+    role="bold">bold font</emphasis> must be avoided in all Shorewall
+    versions; those in regular font must be avoided in versions prior to
+    4.4.8.</para>
+
+    <simplelist>
+      <member><emphasis role="bold">Any option from <ulink
+      url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
+      (5)</emphasis></member>
+
+      <member><emphasis role="bold">COMMAND</emphasis></member>
+
+      <member><emphasis role="bold">CONFDIR</emphasis></member>
+
+      <member>DEBUG</member>
+
+      <member>ECHO_E</member>
+
+      <member>ECHO_N</member>
+
+      <member>EXPORT</member>
+
+      <member>FAST</member>
+
+      <member>FILEMODE</member>
+
+      <member>HOSTNAME</member>
+
+      <member>IPT_OPTIONS</member>
+
+      <member>NOROUTES</member>
+
+      <member>PREVIEW</member>
+
+      <member>PRODUCT</member>
+
+      <member>PROFILE</member>
+
+      <member>PURGE</member>
+
+      <member>RECOVERING</member>
+
+      <member>RESTOREPATH</member>
+
+      <member>RING_BELL</member>
+
+      <member><emphasis role="bold">SHAREDIR</emphasis></member>
+
+      <member><emphasis role="bold">Any name beginning with SHOREWALL_ or
+      SW_</emphasis></member>
+
+      <member>STOPPING</member>
+
+      <member>TEST</member>
+
+      <member>TIMESTAMP</member>
+
+      <member>USE_VERBOSITY</member>
+
+      <member><emphasis role="bold">VARDIR</emphasis></member>
+
+      <member>VERBOSE</member>
+
+      <member>VERBOSE_OFFSET</member>
+
+      <member>VERSION</member>
+    </simplelist>
+
+    <para>Example params file:</para>
+
+    <programlisting>NET_IF=eth0
+NET_OPTIONS=dhcp,nosmurfs</programlisting>
+
+    <para>Example <ulink
+    url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+    file.</para>
+
+    <programlisting>ZONE    INTERFACE       BROADCAST       OPTIONS
+net     $NET_IF         -               $NET_OPTIONS</programlisting>
+
+    <para>This is the same as if the interfaces file had contained:</para>
+
+    <programlisting>ZONE    INTERFACE       BROADCAST       OPTIONS
+net     eth0            -               dhcp,nosmurfs</programlisting>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/params</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Variables">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
+
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
+    shorewall6-maclist(5), shorewall6-policy(5), shorewall6-providers(5),
+    shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5),
+    shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
+    shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5),
+    shorewall6-tunnels(5), shorewall6-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -0,0 +1,416 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-policy</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>policy</refname>
+
+    <refpurpose>shorewall6 policy file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/policy</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file defines the high-level policy for connections between
+    zones defined in <ulink
+    url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
+
+    <important>
+      <para>The order of entries in this file is important</para>
+
+      <para>This file determines what to do with a new connection request if
+      we don't get a match from the /etc/shorewall6/rules file . For each
+      source/destination pair, the file is processed in order until a match is
+      found ("all" will match any source or destination).</para>
+    </important>
+
+    <important>
+      <para>Intra-zone policies are pre-defined</para>
+
+      <para>For $FW and for all of the zones defined in /etc/shorewall6/zones,
+      the POLICY for connections from the zone to itself is ACCEPT (with no
+      logging or TCP connection rate limiting but may be overridden by an
+      entry in this file. The overriding entry must be explicit (specifying
+      the zone name on both SOURCE and DEST) or it must use "all+ or it must
+      use "all+" (Shorewall 4.5.17 or later).</para>
+
+      <para>Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall6.conf,
+      then the implicit policy to/from any sub-zone is CONTINUE. These
+      implicit CONTINUE policies may also be overridden by an explicit entry
+      in this file.</para>
+    </important>
+
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis> -
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
+        role="bold">$FW</emphasis>|<emphasis
+        role="bold">all</emphasis>|<emphasis
+        role="bold">all+</emphasis></term>
+
+        <listitem>
+          <para>Source zone. Must be the name of a zone defined in <ulink
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
+          $FW, "all" or "all+".</para>
+
+          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
+          not override the implicit intra-zone ACCEPT policy while "all+"
+          does.</para>
+
+          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST</emphasis> -
+        <emphasis>zone</emphasis>[,...[+]]|<emphasis
+        role="bold">$FW</emphasis>|<emphasis
+        role="bold">all</emphasis>|<emphasis
+        role="bold">all+</emphasis></term>
+
+        <listitem>
+          <para>Destination zone. Must be the name of a zone defined in <ulink
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
+          $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE
+          must be "all", "all+", another bport zone associated with the same
+          bridge, or it must be an ipv4 zone that is associated with only the
+          same bridge.</para>
+
+          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
+          not override the implicit intra-zone ACCEPT policy while "all+"
+          does.</para>
+
+          <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
+          separated by commas. As above, if '+' is specified after two or more
+          zone names, then the policy overrides the implicit intra-zone ACCEPT
+          policy if the same <replaceable>zone</replaceable> appears in both
+          the SOURCE and DEST columns.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">POLICY</emphasis> - {<emphasis
+        role="bold">ACCEPT</emphasis>|<emphasis
+        role="bold">DROP</emphasis>|<emphasis
+        role="bold">REJECT</emphasis>|BLACKLIST|<emphasis
+        role="bold">CONTINUE</emphasis>|<emphasis
+        role="bold">QUEUE</emphasis>|<emphasis
+        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
+        role="bold">NONE</emphasis>}[<emphasis
+        role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
+        role="bold">None</emphasis>}]</term>
+
+        <listitem>
+          <para>Policy if no match from the rules file is found.</para>
+
+          <para>If the policy is neither CONTINUE nor NONE then the policy may
+          be followed by ":" and one of the following:</para>
+
+          <orderedlist numeration="loweralpha">
+            <listitem>
+              <para>The word "None" or "none". This causes any default action
+              defined in <ulink
+              url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
+              to be omitted for this policy.</para>
+            </listitem>
+
+            <listitem>
+              <para>The name of an action. The action will be invoked before
+              the policy is enforced.</para>
+            </listitem>
+          </orderedlist>
+
+          <para>Actions can have parameters specified.</para>
+
+          <para>Beginning with Shorewall 4.5.10, the action name can be
+          followed optionally by a colon and a log level. The level will be
+          applied to each rule in the action or body that does not already
+          have a log level.</para>
+
+          <para>Beginning with Shorewall 5.1.2, multiple
+          <replaceable>action</replaceable>[:<replaceable>level</replaceable>]
+          pairs may be specified, separated by commas. The actions are invoked
+          in the order listed. Also beginning with Shorewall 5.1.2, the
+          policy-action list can be prefixed with a plus sign ("+") indicating
+          that the listed actions are in addition to those listed in the
+          related _DEFAULT setting in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>Possible policies are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">ACCEPT</emphasis></term>
+
+              <listitem>
+                <para>Accept the connection.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DROP</emphasis></term>
+
+              <listitem>
+                <para>Ignore the connection request.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">REJECT</emphasis></term>
+
+              <listitem>
+                <para>For TCP, send RST. For all other, send an "unreachable"
+                ICMP.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1 and requires that the
+                DYNAMIC_BLACKLIST setting in <ulink
+                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
+                specifies ipset-based dynamic blacklisting. The SOURCE IP
+                address is added to the blacklist ipset and the connection
+                request is ignored.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">QUEUE</emphasis></term>
+
+              <listitem>
+                <para>Queue the request for a user-space application such as
+                Snort-inline.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">NFQUEUE</emphasis></term>
+
+              <listitem>
+                <para>Queue the request for a user-space application using the
+                nfnetlink_queue mechanism. If a
+                <replaceable>queuenumber1</replaceable> is not given, queue
+                zero (0) is assumed. Beginning with Shorewall 4.6.10, a second
+                queue number (queuenumber2) may be given. This specifies a
+                range of queues to use. Packets are then balanced across the
+                given queues. This is useful for multicore systems: start
+                multiple instances of the userspace program on queues x, x+1,
+                .. x+n and use "x:x+n". Packets belonging to the same
+                connection are put into the same nfqueue.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">CONTINUE</emphasis></term>
+
+              <listitem>
+                <para>Pass the connection request past any other rules that it
+                might also match (where the source or destination zone in
+                those rules is a superset of the SOURCE or DEST in this
+                policy). See <ulink
+                url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
+                for additional information.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">NONE</emphasis></term>
+
+              <listitem>
+                <para>Assume that there will never be any packets from this
+                SOURCE to this DEST. shorewall6 will not create any
+                infrastructure to handle such packets and you may not have any
+                rules with this SOURCE and DEST in the /etc/shorewall6/rules
+                file. If such a packet <emphasis role="bold">is</emphasis>
+                received, the result is undefined. NONE may not be used if the
+                SOURCE or DEST columns contain the firewall zone ($FW) or
+                "all".</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">LOGLEVEL</emphasis> (loglevel) -
+        [<emphasis>log-level</emphasis>|<emphasis
+        role="bold">NFLOG</emphasis>]</term>
+
+        <listitem>
+          <para>Optional - if supplied, each connection handled under the
+          default POLICY is logged at that level. If not supplied, no log
+          message is generated. See syslog.conf(5) for a description of log
+          levels.</para>
+
+          <para>You may also specify NFLOG (must be in upper case). This will
+          log to the NFLOG target and will send to a separate log through use
+          of ulogd (<ulink
+          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
+
+          <para>For a description of log levels, see <ulink
+          url="/shorewall_logging.html.">http://www.shorewall.net/shorewall_logging.html.</ulink></para>
+
+          <para>If you don't want to log but need to specify the following
+          column, place "-" here.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">RATE</emphasis> (rate) -
+        [-|<replaceable>limit</replaceable>]</term>
+
+        <listitem>
+          <para>where limit is one of:</para>
+
+          <simplelist>
+            <member>[<emphasis
+            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
+
+            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
+            role="bold">/</emphasis>{<emphasis
+            role="bold">sec</emphasis>|<emphasis
+            role="bold">min</emphasis>|<emphasis
+            role="bold">hour</emphasis>|<emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
+          </simplelist>
+
+          <para>If passed, specifies the maximum TCP connection
+          <emphasis>rate</emphasis> and the size of an acceptable
+          <emphasis>burst</emphasis>. If not specified, TCP connections are
+          not limited. If the <replaceable>burst</replaceable> parameter is
+          omitted, a value of 5 is assumed.</para>
+
+          <para>When <option>s:</option> or <option>d:</option> is specified,
+          the rate applies per source IP address or per destination IP address
+          respectively. The <replaceable>name</replaceable> may be chosen by
+          the user and specifies a hash table to be used to count matching
+          connections. If not give, the name <emphasis
+          role="bold">shorewall</emphasis> is assumed. Where more than one
+          POLICY or rule specifies the same name, the connections counts for
+          the policies are aggregated and the individual rates apply to the
+          aggregated count.</para>
+
+          <para>Beginning with Shorewall 4.6.5, two<replaceable>
+          limit</replaceable>s may be specified, separated by a comma. In this
+          case, the first limit (<replaceable>name1</replaceable>,
+          <replaceable>rate1</replaceable>, burst1) specifies the per-source
+          IP limit and the second limit specifies the per-destination IP
+          limit.</para>
+
+          <para>Example: <emphasis
+          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">CONNLIMIT</emphasis> -
+        <emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
+
+        <listitem>
+          <para>May be used to limit the number of simultaneous connections
+          from each individual host to <replaceable>limit</replaceable>
+          connections. While the limit is only checked on connections to which
+          this policy could apply, the number of current connections is
+          calculated over all current connections from the SOURCE host. By
+          default, the limit is applied to each host individually but can be
+          made to apply to networks of hosts by specifying a
+          <replaceable>mask</replaceable>. The <replaceable>mask</replaceable>
+          specifies the width of a VLSM mask to be applied to the source
+          address; the number of current connections is then taken over all
+          hosts in the subnet
+          <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Example</title>
+
+    <orderedlist numeration="loweralpha">
+      <listitem>
+        <para>All connections from the local network to the internet are
+        allowed</para>
+      </listitem>
+
+      <listitem>
+        <para>All connections from the internet are ignored but logged at
+        syslog level KERNEL.INFO.</para>
+      </listitem>
+
+      <listitem>
+        <para>All other connection requests are rejected and logged at level
+        KERNEL.INFO.</para>
+      </listitem>
+    </orderedlist>
+
+    <programlisting>        #SOURCE         DEST            POLICY          LOG           BURST:LIMIT
+        #                                               LEVEL
+        loc             net             ACCEPT
+        net             all             DROP            info
+        #
+        # THE FOLLOWING POLICY MUST BE LAST
+        #
+        all             all             REJECT          info</programlisting>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/policy</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
+    shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
+    shorewall6-nat(5), shorewall6-netmap(5),
+    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -0,0 +1,503 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-providers</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>providers</refname>
+
+    <refpurpose>Shorewall6 Providers file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/providers</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to define additional routing tables. You will want
+    to define an additional table if:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>You have connections to more than one ISP or multiple
+        connections to the same ISP</para>
+      </listitem>
+
+      <listitem>
+        <para>You run Squid as a transparent proxy on a host other than the
+        firewall.</para>
+      </listitem>
+
+      <listitem>
+        <para>You have other requirements for policy routing.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Each entry in the file defines a single routing table.</para>
+
+    <para>If you wish to omit a column entry but want to include an entry in
+    the next column, use "-" for the omitted entry.</para>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">NAME</emphasis> -
+        <emphasis>name</emphasis></term>
+
+        <listitem>
+          <para>The provider <emphasis>name</emphasis>. Must be a valid shell
+          variable name. The names 'local', 'main', 'default' and 'unspec' are
+          reserved and may not be used as provider names.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">NUMBER</emphasis> -
+        <emphasis>number</emphasis></term>
+
+        <listitem>
+          <para>The provider number -- a number between 1 and 15. Each
+          provider must be assigned a unique value.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">MARK</emphasis> (Optional) -
+        <emphasis>value</emphasis></term>
+
+        <listitem>
+          <para>A FWMARK <emphasis>value</emphasis> used in your <ulink
+          url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5)
+          file to direct packets to this provider.</para>
+
+          <para>If HIGH_ROUTE_MARKS=Yes in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
+          then the value must be a multiple of 256 between 256 and 65280 or
+          their hexadecimal equivalents (0x0100 and 0xff00 with the low-order
+          byte of the value being zero). Otherwise, the value must be between
+          1 and 255. Each provider must be assigned a unique mark value. This
+          column may be omitted if you don't use packet marking to direct
+          connections to a particular provider.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DUPLICATE</emphasis> -
+        <emphasis>routing-table-name</emphasis></term>
+
+        <listitem>
+          <para>The name of an existing table to duplicate to create this
+          routing table. May be <option>main</option> or the name of a
+          previously listed provider. You may select only certain entries from
+          the table to copy by using the COPY column below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INTERFACE</emphasis> -
+        <emphasis>interface</emphasis></term>
+
+        <listitem>
+          <para>The name of the network interface to the provider. Must be
+          listed in <ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
+        role="bold">detect|none</emphasis>}</term>
+
+        <listitem>
+          <para>The IP address of the provider's gateway router.</para>
+
+          <para>You can enter <emphasis role="bold">detect</emphasis> here and
+          Shorewall6 will attempt to detect the gateway automatically.</para>
+
+          <para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
+          role="bold">none</emphasis>. This causes creation of a routing table
+          with no default route in it.</para>
+
+          <para>For PPP devices, you may omit this column.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">OPTIONS</emphasis> (Optional) - [<emphasis
+        role="bold">-</emphasis>|<emphasis>option</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
+
+        <listitem>
+          <para>A comma-separated list selected from the following. The order
+          of the options is not significant but the list may contain no
+          embedded white-space.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>autosrc</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.17. Causes a host route to the
+                provider's gateway router to be added to the provider's
+                routing table. This is the default behavior unless overridden
+                by a following <emphasis role="bold">noautosrc</emphasis>
+                option.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">balance[=<replaceable>weight</replaceable>]</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.25. The providers that have
+                <option>balance</option> specified will get outbound traffic
+                load-balanced among them. By default, all interfaces with
+                <option>balance</option> specified will have the same weight
+                (1). Beginning with Shorewall 5.0.13, you can change the
+                weight of an interface by specifying
+                <option>balance=</option><replaceable>weight</replaceable>
+                where <replaceable>weight</replaceable> is the weight of the
+                route out of this interface. Prior to Shorewall 5.0.13, only
+                one provider can specify this option.</para>
+
+                <para>Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
+                <option>balance=1</option> is assumed unless the
+                <option>fallback</option>, <option>loose</option>,
+                <option>load</option> or <option>tproxy</option> option is
+                specified. Beginning with Shorewall 5.1.1, when
+                BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
+                unless the <option>fallback</option>, <option>loose</option>,
+                <option>load</option> or <option>tproxy</option> option is
+                specified.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.25. Indicates that a default
+                route through the provider should be added to the default
+                routing table (table 253). If a
+                <replaceable>weight</replaceable> is given, a balanced route
+                is added with the weight of this provider equal to the
+                specified <replaceable>weight</replaceable>. If the option is
+                given without a <replaceable>weight</replaceable>, an separate
+                default route is added through the provider's gateway; the
+                route has a metric equal to the provider's NUMBER. Prior to
+                Shorewall 5.0.13, at most one provider can specify this option
+                and a <replaceable>weight</replaceable> may not be
+                given.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">track</emphasis></term>
+
+              <listitem>
+                <para>If specified, inbound connections on this interface are
+                to be tracked so that responses may be routed back out this
+                same interface.</para>
+
+                <para>You want to specify <option>track</option> if internet
+                hosts will be connecting to local servers through this
+                provider.</para>
+
+                <para>Beginning with Shorewall 4.4.3, <option>track</option>
+                defaults to the setting of the TRACK_PROVIDERS option in
+                <ulink
+                url="/manpages6/shorwewall6.conf.html">shorewall6.conf</ulink>
+                (5). If you set TRACK_PROVIDERS=Yes and want to override that
+                setting for an individual provider, then specify
+                <option>notrack</option> (see below).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">loose</emphasis></term>
+
+              <listitem>
+                <para>Shorewall6 normally adds a routing rule for each IP
+                address on an interface which forces traffic whose source is
+                that IP address to be sent using the routing table for that
+                interface. Setting <option>loose</option> prevents creation of
+                such rules on this interface.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">load=<replaceable>probability</replaceable></emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.0. This option provides an
+                alternative method of load balancing based on probabilities.
+                Providers to be balanced are given a
+                <replaceable>probability</replaceable> (a number 0 &gt; n
+                &gt;= 1) with up to 8 digits to the right of the decimal
+                point. Beginning with Shorewall 4.6.10, a warning is issued if
+                the sum of the probabilities is not 1.00000000.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">noautosrc</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.17. Prevents the addition of a
+                host route to the provider's gateway router from being added
+                to the provider's routing table. This option must be used with
+                caution as it can cause start and restart failures.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">notrack</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.3. When specified, turns off
+                <option>track</option>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">optional</emphasis> (deprecated for
+              use with providers that do not share an interface)</term>
+
+              <listitem>
+                <para>If the interface named in the INTERFACE column is not up
+                and configured with an IPv4 address then ignore this provider.
+                If not specified, the value of the <option>optional</option>
+                option for the INTERFACE in <ulink
+                url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5)</ulink>
+                is assumed. Use of that option is preferred to this one,
+                unless an <replaceable>address</replaceable> is provider in
+                the INTERFACE column.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">primary</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.6, <emphasis
+                role="bold">primary</emphasis> is a synonym for <emphasis
+                role="bold">balance</emphasis> (see above) and is preferred
+                when the remaining providers specify <emphasis
+                role="bold">fallback</emphasis> or <emphasis
+                role="bold">tproxy</emphasis>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>src=<replaceable>source-address</replaceable></term>
+
+              <listitem>
+                <para>Specifies the source address to use when routing to this
+                provider and none is known (the local client has bound to the
+                0 address). May not be specified when an
+                <replaceable>address</replaceable> is given in the INTERFACE
+                column. If this option is not used, Shorewall6 substitutes the
+                primary IP address on the interface named in the INTERFACE
+                column.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>mtu=<replaceable>number</replaceable></term>
+
+              <listitem>
+                <para>Specifies the MTU when forwarding through this provider.
+                If not given, the MTU of the interface named in the INTERFACE
+                column is assumed.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">tproxy</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
+                action in shorewall-tcrules(5). See <ulink
+                url="/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
+                When specified, the MARK, DUPLICATE and GATEWAY columns should
+                be empty, INTERFACE should be set to 'lo' and
+                <option>tproxy</option> should be the only OPTION. Only one
+                <option>tproxy</option> provider is allowed.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">hostroute</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.21. This is the default behavior
+                that results in a host route to the defined <emphasis
+                role="bold">GATEWAY</emphasis> being inserted into the main
+                routing table and into the provider's routing table. <emphasis
+                role="bold">hostroute</emphasis> is required for older
+                distributions but <emphasis role="bold">nohostroute</emphasis>
+                (below) is appropriate for recent distributions. <emphasis
+                role="bold">hostroute</emphasis> may interfere with Zebra's
+                ability to add routes on some distributions such as Debian
+                7.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">nohostroute</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.21. nohostroute inhibits addition
+                of a host route to the defined <emphasis
+                role="bold">GATEWAY</emphasis> being inserted into the main
+                routing table and into the provider's routing table. <emphasis
+                role="bold">nohostroute</emphasis> is not appropriate for
+                older distributions but is appropriate for recent
+                distributions. <emphasis role="bold">nohostroute</emphasis>
+                allows Zebra's to correctly add routes on some distributions
+                such as Debian 7.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">persistent</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.2 and alters the behavior of the
+                <command>disable</command> command:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>The provider's routing table still contains the
+                    apprioriate default route.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Unless the <option>noautosrc</option> option is
+                    specified, routing rules are generated to route traffic
+                    from the interfaces address(es) out of the provider's
+                    routing table.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Persistent routing rules in <ulink
+                    url="shorewall-rtrules.html">shorewall6-rtrules(5)</ulink>
+                    are present.</para>
+                  </listitem>
+                </itemizedlist>
+
+                <note>
+                  <para>The generated script will attempt to reenable a
+                  disabled persistent provider during execution of the
+                  <command>start</command>, <command>restart</command> and
+                  <command>reload</command> commands. When
+                  <option>persistent</option> is not specified, only the
+                  <command>enable</command> and <command>reenable</command>
+                  commands can reenable the provider.</para>
+                </note>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">COPY</emphasis> -
+        [{<option>none</option>|<emphasis>interface</emphasis><emphasis
+        role="bold">[,</emphasis><emphasis>interface</emphasis>]...}]</term>
+
+        <listitem>
+          <para>A comma-separated list of other interfaces on your firewall.
+          Wildcards specified using an asterisk ("*") are permitted (e.g.,
+          tun* ). Usually used only when DUPLICATE is <option>main</option>.
+          Only copy routes through INTERFACE and through interfaces listed
+          here. If you only wish to copy routes through INTERFACE, enter
+          <option>none</option> in this column.</para>
+
+          <para>Beginning with Shorewall 4.5.17, blackhole, unreachable and
+          prohibit routes are no longer copied by default but may be copied by
+          including <emphasis role="bold">blackhole</emphasis>,<emphasis
+          role="bold">unreachable</emphasis> and <emphasis
+          role="bold">prohibit</emphasis> respectively in the COPY
+          list.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Examples</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example 1:</term>
+
+        <listitem>
+          <para>You run squid in your DMZ on IP address 2002:ce7c:92b4:1::2.
+          Your DMZ interface is eth2</para>
+
+          <programlisting>        #NAME   NUMBER  MARK DUPLICATE  INTERFACE GATEWAY              OPTIONS
+        Squid   1       1    -          eth2      2002:ce7c:92b4:1::2  -</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2:</term>
+
+        <listitem>
+          <para>eth0 connects to ISP 1. The ISP's gateway router has IP
+          address 2001:ce7c:92b4:1::2.</para>
+
+          <para>eth1 connects to ISP 2. The ISP's gateway router has IP
+          address 2001:d64c:83c9:12::8b.</para>
+
+          <para>eth2 connects to a local network.</para>
+
+          <programlisting>        #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY               OPTIONS    COPY
+        ISP1  1       1    main      eth0     2001:ce7c:92b4:1::2   track      eth2
+        ISP2  2       2    main      eth1     2001:d64c:83c9:12::8b track      eth2</programlisting>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/providers</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
+    shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
+    shorewall6-policy(5), shorewall6-rtrules(5), shorewall6-routestopped(5),
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-proxyndp.xml
+++ b/Shorewall6/manpages/shorewall6-proxyndp.xml
--- a/Shorewall6/manpages/shorewall6-routes.xml
+++ b/Shorewall6/manpages/shorewall6-routes.xml
@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-routes</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>routes</refname>
+
+    <refpurpose>Shorewall6 file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/routes</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file was added in Shorewall 4.4.15 and is used to define routes
+    to be added to provider routing tables.</para>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">PROVIDER</emphasis></term>
+
+        <listitem>
+          <para>The name or number of a provider defined in <ulink
+          url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>
+          (5). Beginning with Shorewall 4.5.14, you may also enter
+          <option>main</option> in this column to add routes to the main
+          routing table.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST</emphasis></term>
+
+        <listitem>
+          <para>Destination host address or network address.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">GATEWAY</emphasis> (Optional)</term>
+
+        <listitem>
+          <para>If specified, gives the IP address of the gateway to the
+          DEST.</para>
+
+          <para>Beginning with Shorewall 4.5.14, you may specify
+          <option>blackhole</option> in this column to create a blackhole
+          route.</para>
+
+          <para>Beginning with Shorewall 4.5.15, you may specify
+          <option>prohibit</option> or <option>unreachable</option> in this
+          column to create a <firstterm>prohibit</firstterm> or
+          <firstterm>unreachable</firstterm> route respectively.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEVICE</emphasis> (Optional)</term>
+
+        <listitem>
+          <para>Specifies the device route. If neither DEVICE nor GATEWAY is
+          given, then the INTERFACE specified for the PROVIDER in <ulink
+          url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>
+          (5).This column must be omitted if <option>blackhole</option>,
+          <option>prohibit</option> or <option>unreachable</option> is
+          specified in the GATEWAY column.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">OPTIONS</emphasis> (Optional)</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.2.</para>
+
+          <para>Allowed options are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">persistent</emphasis></term>
+
+              <listitem>
+                <para>If specified, the route remains in the provider's
+                routing table even when the provider is disabled.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Files</title>
+
+    <para>/etc/shorewall6/routes</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
+    shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-rtrules.xml
+++ b/Shorewall6/manpages/shorewall6-rtrules.xml
@@ -0,0 +1,201 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-rtrules</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>rtrules</refname>
+
+    <refpurpose>Shorewall6 Routing Rules file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall6/rtrules</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>Entries in this file cause traffic to be routed to one of the
+    providers listed in <ulink
+    url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis> (Optional) - {<emphasis
+        role="bold">-</emphasis>|<emphasis>interface</emphasis>|<emphasis>address</emphasis>|<emphasis>interface</emphasis><firstterm>:</firstterm><emphasis>&lt;address</emphasis>&gt;}</term>
+
+        <listitem>
+          <para>An ip <emphasis>address</emphasis> (network or host) that
+          matches the source IP address in a packet. May also be specified as
+          an <emphasis>interface</emphasis> name optionally followed by ":"
+          and an address. If the device <emphasis role="bold">lo</emphasis> is
+          specified, the packet must originate from the firewall
+          itself.</para>
+
+          <para>Beginning with Shorewall 4.5.0, you may specify
+          &amp;<replaceable>interface</replaceable> in this column to indicate
+          that the source is the primary IP address of the named
+          interface.</para>
+
+          <para>Beginning with Shorewall 4.6.8, you may specify a
+          comma-separated list of addresses in this column.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST</emphasis> (Optional) - {<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>}</term>
+
+        <listitem>
+          <para>An ip address (network or host) that matches the destination
+          IP address in a packet.</para>
+
+          <para>If you choose to omit either <emphasis
+          role="bold">SOURCE</emphasis> or <emphasis
+          role="bold">DEST</emphasis>, place "-" in that column. Note that you
+          may not omit both <emphasis role="bold">SOURCE</emphasis> and
+          <emphasis role="bold">DEST</emphasis>.</para>
+
+          <para>Beginning with Shorewall 4.6.8, you may specify a
+          comma-separated list of addresses in this column.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROVIDER</emphasis> -
+        {<emphasis>provider-name</emphasis>|<emphasis>provider-number</emphasis>|<emphasis
+        role="bold">main</emphasis>}</term>
+
+        <listitem>
+          <para>The provider to route the traffic through. May be expressed
+          either as the provider name or the provider number. May also be
+          <emphasis role="bold">main</emphasis> or 254 for the main routing
+          table. This can be used in combination with VPN tunnels, see example
+          2 below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PRIORITY</emphasis> -
+        <emphasis>priority</emphasis><emphasis
+        role="bold">[!]</emphasis></term>
+
+        <listitem>
+          <para>The rule's numeric <emphasis>priority</emphasis> which
+          determines the order in which the rules are processed. Rules with
+          equal priority are applied in the order in which they appear in the
+          file.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>1000-1999</term>
+
+              <listitem>
+                <para>Before Shorewall-generated 'MARK' rules</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>11000-11999</term>
+
+              <listitem>
+                <para>After 'MARK' rules but before Shorewall-generated rules
+                for ISP interfaces.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>26000-26999</term>
+
+              <listitem>
+                <para>After ISP interface rules but before 'default'
+                rule.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>Beginning with Shorewall 5.0.2, the priority may be followed
+          optionally by an exclaimation mark ("!"). This causes the rule to
+          remain in place if the interface is disabled.</para>
+
+          <caution>
+            <para>Be careful when using rules of the same PRIORITY as some
+            unexpected behavior can occur when multiple rules have the same
+            SOURCE. For example, in the following rules, the second rule
+            overwrites the first unless the priority in the second is changed
+            to 19001 or higher:</para>
+
+            <programlisting>2601:601:8b00:bf0::/64 2001:470:b:787::542 provider1 19000
+2601:601:8b00:bf0::/64 -                   provider2 19000</programlisting>
+          </caution>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">MARK -
+        {-|<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>]}</emphasis></term>
+
+        <listitem>
+          <para>Optional -- added in Shorewall 4.4.25. For this rule to be
+          applied to a packet, the packet's mark value must match the
+          <replaceable>mark</replaceable> when logically anded with the
+          <replaceable>mask</replaceable>. If a
+          <replaceable>mask</replaceable> is not supplied, Shorewall supplies
+          a suitable provider mask.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Examples</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example 1:</term>
+
+        <listitem>
+          <para>You want all traffic coming in on eth1 to be routed to the
+          ISP1 provider.</para>
+
+          <programlisting>        #SOURCE                 DEST            PROVIDER        PRIORITY    MASK
+        eth1                    -               ISP1            1000
+</programlisting>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall6/rtrules</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
+
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
+    shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-routestopped(5),
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	f6ce03c506	Correct multiple fallback providers Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-06-23 07:55:17 -07:00
Tom Eastep	83e0be6d0b	Don't generate multihop routes unnecessarily Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-06-18 09:30:51 -07:00
Tom Eastep	e027f5078f	Correct a runtime error with NFQUEUE. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-06-12 07:44:34 -07:00
Tom Eastep	81b42afa30	Clean up links in the manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-06-09 08:49:17 -07:00