Don't run 'find' in the PWD

- Also remove -mindepth so as to catch deletions in the directories Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tweak Shared Config doc
2017-12-31 13:33:16 -08:00 · 2017-12-30 08:44:49 -08:00 · 2017-12-30 08:44:05 -08:00 · 2017-12-27 11:15:25 -08:00 · 2017-12-26 16:57:44 -08:00 · 2017-12-26 16:56:37 -08:00
90 changed files with 2038 additions and 1140 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -335,9 +335,8 @@ for f in lib.* ; do
 done

 if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.cli
 fi

 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.base
+# Shorewall 5.1 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1137,16 +1137,31 @@ show_a_macro() {
    cat ${directory}/macro.$1
 }
 #
-# Don't dump empty SPD entries
+# Don't dump empty SPD entries or entries from the other address family
 #
-spd_filter()
-{
-    awk \
-    'BEGIN            { skip=0; }; \
-    /^src/            { skip=0; }; \
-    /^src 0.0.0.0\/0/ { skip=1; }; \
-    /^src ::\/0/      { skip=1; }; \
-                      { if ( skip == 0 ) print; };'
+spd_filter() {
+    #
+    # af   = Address Family (4 or 6)
+    # afok = Address Family of entry matches af
+    # p    = print the contents of A (entry is not empty)
+    # i    = Number of lines stored in A
+    #
+    awk -v af=$g_family \
+	'function prnt(A,i,    j) { while ( j < i ) print A[j++]; };\
+\
+	 /^src / { if (p) prnt( A, i );\
+		   afok = 1;\
+		   p	= 0;\
+		   i	= 0;\
+		   if ( af == 4 )\
+		       { if ( /:/ )  afok = 0; }\
+		   else\
+		       { if ( /\./ ) afok = 0; }\
+		 };\
+		 { if ( afok ) A[i++] = $0; };\
+	 /tmpl/	 { p = afok; };\
+\
+	 END	 { if (p) prnt( A, i ); }'
 }
 #
 # Print a heading with leading and trailing black lines
@@ -1159,7 +1174,8 @@ heading() {

 show_ipsec() {
    heading "PFKEY SPD"
-    $IP -s xfrm policy | spd_filter
+    $IP -s -$g_family xfrm policy | spd_filter
+
    heading "PFKEY SAD"
    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }
@@ -1797,7 +1813,7 @@ do_dump_command() {

    echo

-    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netstat -tunap; }

    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -2770,7 +2786,7 @@ determine_capabilities() {
    GOTO_TARGET=
    LOGMARK_TARGET=
    IPMARK_TARGET=
-    LOG_TARGET=Yes
+    LOG_TARGET=
    ULOG_TARGET=
    NFLOG_TARGET=
    PERSISTENT_SNAT=
@@ -3138,7 +3154,7 @@ determine_capabilities() {
    qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $g_tool -A $chain -j LOG || LOG_TARGET=
+    qt $g_tool -A $chain -j LOG && LOG_TARGET=Yes
    qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
 #
-#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.core
+# Shorewall 5.1 -- /usr/share/shorewall/lib.core
 #
-#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,7 +24,7 @@
 # generated scripts.
 #

-SHOREWALL_LIBVERSION=50100
+SHOREWALL_LIBVERSION=50108

 #
 # Fatal Error
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -1,6 +1,6 @@
 #
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -1,6 +1,6 @@
 #
 #
-# Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -3187,14 +3187,15 @@
    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-mangle(5),
-    shorewall-masq(5), shorewall-modules(5), shorewall-nat(5),
-    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall6-proxyndp(5), shorewall-routes(5), shorewall-rtrules(5),
-    shorewall-rtrules(5), shorewall-rules(5), shorewall-secmarks(5),
-    shorewall-snat(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcfilters(5), shorewall-tcinterfaces(5), shorewall-tcpri(5),
-    shorewall-tunnels(5), shorewall-vardir(5), shorewall-zones(5)</para>
+    shorewall-ipsets(5), shorewall-logging(), shorewall-maclist(5),
+    shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5),
+    shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall6-proxyndp(5), shorewall-routes(5),
+    shorewall-rtrules(5), shorewall-rtrules(5), shorewall-rules(5),
+    shorewall-secmarks(5), shorewall-snat(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5),
+    shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -1,8 +1,8 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.0
+#     Shorewall Packet Filtering Firewall Control Program - V5.1
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015 -
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -25,6 +25,10 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
+#
+# Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l
+# options
+#
 PRODUCT=shorewall

 #
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -73,12 +73,16 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ -x ${STATEDIR}/firewall ]; then
+        return 0
    else
-	return 0
+        if [ $PRODUCT = shorewall ]; then
+            ${SBINDIR}/shorewall compile
+        elif [ $PRODUCT = shorewall6 ]; then
+            ${SBINDIR}/shorewall -6 compile
+        else
+            return 1
+        fi
    fi
 }

@@ -108,16 +112,14 @@ shorewall_start () {

  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-              #
-	      # Run in a sub-shell to avoid name collisions
-	      #
-	      (
-		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		      ${STATEDIR}/firewall ${OPTIONS} stop
-		  fi
-	      )
-	  fi
+          #
+	  # Run in a sub-shell to avoid name collisions
+	  #
+	  (
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
+	  )
      fi
  done

@@ -145,9 +147,7 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear
      fi
  done

@@ -159,8 +159,9 @@ shorewall_stop () {

      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
      else
+	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
      fi

--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,12 +44,14 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 0
+	return 1
    fi
 }

@@ -66,20 +68,20 @@ start () {

    printf "Initializing \"Shorewall-based firewalls\": "

+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi
+
    for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?

 	if [ $retval -eq 0 ]; then
-	    if [ -x "${STATEDIR}/firewall" ]; then
-		${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
-		retval=${PIPESTATUS[0]}
-		[ $retval -ne 0 ] && break
-	    else
-		retval=6 #Product not configured
-		break
-	    fi
+	    ${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
+	    retval=${PIPESTATUS[0]}
+	    [ $retval -ne 0 ] && break
 	else
+	    retval=6 #Product not configured
 	    break
 	fi
    done
@@ -106,20 +108,25 @@ stop () {
 	retval=$?

 	if [ $retval -eq 0 ]; then
-	    if [ -x "${STATEDIR}/firewall" ]; then
-		${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
-		retval=${PIPESTATUS[0]}
-		[ $retval -ne 0 ] && break
-	    else
-		retval=6 #Product not configured
-		break
-	    fi
+	    ${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
+	    retval=${PIPESTATUS[0]}
+	    [ $retval -ne 0 ] && break
 	else
+	    retval=6 #Product not configured
 	    break
 	fi
    done

    if [ $retval -eq 0 ]; then
+	if [ -n "$SAVE_IPSETS" ]; then
+	    mkdir -p $(dirname "$SAVE_IPSETS")
+	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
+		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	    else
+		rm -f "${SAVE_IPSETS}.tmp"
+	    fi
+	fi
+
 	rm -f $lockfile
 	success
    else
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -75,12 +75,14 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 0
+	return 1
    fi
 }

@@ -92,10 +94,8 @@ start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop
-	      fi
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      ${STATEDIR}/firewall ${OPTIONS} stop
 	  fi
      fi
  done
@@ -103,6 +103,8 @@ start () {
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      ipset -R < "$SAVE_IPSETS"
  fi
+
+  return 0
 }

 boot () {
@@ -117,17 +119,19 @@ stop () {
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    if [ -x ${STATEDIR}/firewall ]; then
-		${STATEDIR}/firewall ${OPTIONS} clear
-	    fi
+	    ${STATEDIR}/firewall ${OPTIONS} clear
 	fi
    done

    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
    fi
+
+    return 0
 }

--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -69,10 +69,12 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    else
-	return 0
+	return 1
    fi
 }

@@ -84,10 +86,8 @@ shorewall_start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop
-	      fi
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      ${STATEDIR}/firewall ${OPTIONS} stop
 	  fi
      fi
  done
@@ -107,16 +107,16 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear
      fi
  done

  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+      else
+	  rm -f "${SAVE_IPSETS}.tmp"
      fi
  fi

--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -79,12 +79,14 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+	return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 0
+	return 6
    fi
 }

@@ -96,10 +98,8 @@ shorewall_start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x $STATEDIR/firewall ]; then
-	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
-	      fi
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
 	  fi
      fi
  done
@@ -117,16 +117,16 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} clear
-	  fi
+	  ${STATEDIR}/firewall ${OPTIONS} clear
      fi
  done

  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+      else
+	  rm -f "${SAVE_IPSETS}.tmp"
      fi
  fi
 }
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -33,12 +33,12 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ $PRODUCT = shorewall ]; then
+    if [ -x ${STATEDIR}/firewall ]; then
+       return 0
+    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
-    else
-	return 0
    fi
 }

@@ -67,16 +67,14 @@ shorewall_start () {
    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    if [ -x ${STATEDIR}/firewall ]; then
-		#
-		# Run in a sub-shell to avoid name collisions
-		#
-		(
-		    if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-			${STATEDIR}/firewall ${OPTIONS} stop
-		    fi
-		)
-	    fi
+	    #
+	    # Run in a sub-shell to avoid name collisions
+	    #
+	    (
+		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		    ${STATEDIR}/firewall ${OPTIONS} stop
+		fi
+	    )
 	fi
    done

@@ -95,9 +93,7 @@ shorewall_stop () {
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    if [ -x ${STATEDIR}/firewall ]; then
-		${STATEDIR}/firewall ${OPTIONS} clear
-	    fi
+	    ${STATEDIR}/firewall ${OPTIONS} clear
 	fi
    done

--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -13,7 +13,6 @@ DEFAULTS ACCEPT
    @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
 ?else
 ?COMMENT Needed ICMP types (RFC4890)
-
    @1	-		-	ipv6-icmp	destination-unreachable
    @1	-		-	ipv6-icmp	packet-too-big
    @1	-		-	ipv6-icmp	time-exceeded
@@ -38,7 +37,7 @@ DEFAULTS ACCEPT
    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
    @1	-		-	ipv6-icmp	149	# Certificate path advertisement

-# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
    @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
    @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
    @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
--- a/Shorewall/Actions/action.FIN
+++ b/Shorewall/Actions/action.FIN
@@ -30,4 +30,4 @@

 DEFAULTS ACCEPT,-

-@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH
+@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN ACK,FIN
--- a/Shorewall/Actions/action.TCPFlags
+++ b/Shorewall/Actions/action.TCPFlags
@@ -26,4 +26,4 @@ $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
-$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
+$tcpflags_action	-	-	;;+ -p 6 --syn --sport 0
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -15,6 +15,7 @@ PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
 PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
+PARAM	-	-	tcp	3520		# Remote Console (Redfish)
 PARAM	-	-	udp	623		# RMCP
 HTTP
 HTTPS
--- a/Shorewall/Makefile-lite
+++ b/Shorewall/Makefile-lite
@@ -1,82 +0,0 @@
-#     Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
-#
-#	Shorewall documentation is available at http://www.shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-################################################################################
-# Place this file in each export directory. Modify each copy to set HOST
-# to the name of the remote firewall corresponding to the directory.
-#
-#	To make the 'firewall' script, type "make".
-#
-#	Once the script is compiling correctly, you can install it by
-#	typing "make install".
-#
-################################################################################
-#                             V A R I A B L E S
-#
-# Files in the export directory on which the firewall script does not depend
-#
-IGNOREFILES =  firewall% Makefile% trace% %~
-#
-# Remote Firewall system
-#
-HOST = gateway
-#
-# Save some typing
-#
-LITEDIR = /var/lib/shorewall-lite
-#
-# Set this if the remote system has a non-standard modules directory
-#
-MODULESDIR=
-#
-# Default target is the firewall script
-#
-################################################################################
-#                                T A R G E T S
-#
-all: firewall
-#
-# Only generate the capabilities file if it doesn't already exist
-#
-capabilities:
-	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
-	scp root@$(HOST):$(LITEDIR)/capabilities .
-#
-# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
-# 'filter-out' will be presented with the list of files in this directory rather than "*"
-#
-firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
-	shorewall compile -e . firewall
-#
-# Only reload on demand.
-#
-install: firewall
-	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
-	ssh root@$(HOST) "/sbin/shorewall-lite restart"
-#
-# Save running configuration
-#
-save:
-	ssh root@$(HOST) "/sbin/shorewall-lite save"
-#
-# Remove generated files
-#
-clean:
-	rm -f capabilities firewall firewall.conf reload
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1403,13 +1403,15 @@ sub compatible( $$ ) {
    }
    #
    # Don't combine chains where each specifies
-    #    -m policy
+    #    -m policy and the policies are different
    # or when one specifies
    #    -m multiport
    # and the other specifies
    #    --dport or --sport or -m multiport
    #
-    return ! ( $ref1->{policy} && $ref2->{policy} ||
+    my ( $p1, $p2 );
+
+    return ! ( ( ( $p1 = $ref1->{policy} ) && ( $p2 = $ref2->{policy} ) && $p1 ne $p2 ) ||
 	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
 		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
@@ -3673,7 +3675,7 @@ sub optimize_level4( $$ ) {
 				#
 				delete_chain_and_references( $chainref );
 				$progress = 1;
-			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
+			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
 				#
 				# This case requires a new rule merging algorithm. Ignore this chain from
 				# now on.
@@ -8461,7 +8463,7 @@ sub save_docker_rules($) {
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
-	  qq(    [ -n "\&g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
+	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
 	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
 	);

--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -59,7 +59,7 @@ our $have_arptables;
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
    Shorewall::Chains::initialize ($family, 1, $export );
    Shorewall::Zones::initialize ($family, $_[0]);
    Shorewall::Nat::initialize($family);
@@ -268,8 +268,8 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes]' );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
 	emit( '' );
    }

@@ -692,6 +692,7 @@ sub compiler {
    set_timestamp( $timestamp );
    set_debug( $debug , $confess );
    #
+    #                                      S H O R E W A L L R C ,
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
    get_configuration( $export , $update , $annotate , $inline );
@@ -796,13 +797,10 @@ sub compiler {
 	emit '}'; # End of setup_common_rules()
    }

-    disable_script;
    #
    #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
-    enable_script;
-    #
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -30,6 +30,84 @@
 #   into those files (emitters) and finalizing those files (renaming
 #   them to their final name and setting their mode appropriately).
 #
+#   A significant portion of this module is dedicated to the preprocessor:
+#
+#	process_compiler_directive() - processes compiler directives
+#
+#	embedded_shell() - handles embedded shell scripting
+#
+#	embedded_perl() - handles embedded perl scripting
+#
+#	read_a_line() - Reads the next configuration file record to
+#			be passed to the function processing the file.
+#
+#	    - Detects compiler directives and passes then to
+#	      process_compiler_directive() for handling.
+#
+#	    - Handles line continuation
+#
+#	    - Invokes a callback when the first (concatinated) non-directive
+#	      record is read from a file.
+#
+#	    - Conditionally expands variables.
+#
+#	    - Conditionally detects embedded Shell and Perl and passes them
+#	      off to embedded_shell() and embedded_perl() respectively.
+#
+#	    - Conditionally detects and handles [?}INCLUDE directives.
+#
+#	    - Conditionally detects and handles ?SECTION directives.
+#	      File processing functions can supply a callback to be
+#	      called during this processing.
+#
+#   File processing routines may need to open a second (third, fourth, ...)
+#   file while processing the main file (macro and/or action files). Two
+#   functions are provided to make that possible:
+#
+#      push_open() - open a file while leaving the current file open.
+#
+#      pop_open() - close the current file, and make the previous
+#		    file (if any) the current one.
+#
+#   Because this module expands variables, it must be aware of action
+#   parameters.
+#
+#	push_action_params() - populates the %actparams hash and
+#			       returns a reference to the previous
+#			       contents of that hash. The caller is
+#			       expected to store those contents locally.
+#
+#	pop_action_params()  - Restores the %actparams hash from
+#			       the reference returned by
+#			       push_action_params().
+#
+#   The following routines are provided for INLINE PERL within
+#   action bodies:
+#
+#	default_action_params() - called to fill in omitted
+#				  arguments when a DEFAULTS
+#				  line is encountered.
+#
+#	get_action_params() - returns an array of arguments.
+#
+#	setup_audit_action() - helper for A_* actions.
+#
+#	get_action_logging() - returns log level and tag
+#			       from the action's invocation.
+#
+#	get_action_chain_name() - returns chain name.
+#
+#	set_action_name_to_caller() - replace chain name
+#				      with that of invoking
+#				      chain for logging purposes.
+#
+#	set_action_disposition() - set the current action
+#				   disposition for logging purposes.
+#
+#	get_action_disposition() - get the current action disposition.
+#
+#	set_action_param() - set the value of an argument.
+#
 package Shorewall::Config;

 use strict;
@@ -42,6 +120,7 @@ use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
 use Digest::SHA qw(sha1_hex);
+use Errno qw(:POSIX);

 our @ISA = qw(Exporter);
 #
@@ -596,6 +675,7 @@ our $debug;                  # Global debugging flag
 our $confess;                # If true, use Carp to report errors with stack trace.

 our $family;                 # Protocol family (4 or 6)
+our $export;                 # True when compiling for export
 our $toolname;               # Name of the tool to use (iptables or iptables6)
 our $toolNAME;               # Tool name in CAPS
 our $product;                # Name of product that will run the generated script
@@ -709,8 +789,8 @@ sub add_variables( \% );
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$$) {
-    ( $family, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
+sub initialize( $;$$$) {
+    ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;

    if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -754,7 +834,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.5-RC1",
+		    VERSION                 => "5.1.8-Beta1",
 		    CAPVERSION              => 50106 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -1009,7 +1089,7 @@ sub initialize( $;$$) {
 	       CONNLIMIT_MATCH => undef,
 	       TIME_MATCH => undef,
 	       GOTO_TARGET => undef,
-	       LOG_TARGET => 1,         # Assume that we have it.
+	       LOG_TARGET => undef,
 	       ULOG_TARGET => undef,
 	       NFLOG_TARGET => undef,
 	       LOGMARK_TARGET => undef,
@@ -1993,6 +2073,7 @@ sub find_file($)
    for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
+	$!{ENOENT} || fatal_error "Unable to access $file: " . $!; 
    }

    "$config_path[0]$filename";
@@ -2575,7 +2656,7 @@ sub open_file( $;$$$$ ) {
 	$max_format       = supplied $mf ? $mf : 1;
 	$comments_allowed = supplied $ca ? $ca : 0;
 	$nocomment        = $nc;
-	do_open_file $fname;;
+	do_open_file $fname;
    } else {
 	$ifstack = @ifstack;
 	'';
@@ -5248,7 +5329,13 @@ sub ensure_config_path() {
 	fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH};
    }

-    @config_path = split /:/, $config{CONFIG_PATH};
+    my $path = $config{CONFIG_PATH};
+
+    my $chop = ( $path =~ s/^:// );
+
+    @config_path = split /:/, $path;
+
+    shift @config_path if $chop && ( $export || $> != 0 );

    #
    # To accomodate Cygwin-based compilation, we have separate directories for files whose names
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -2448,7 +2448,7 @@ sub setup_mss( ) {
    my $clampmss = $config{CLAMPMSS};
    my $option;
    my @match;
-    my $chainref = $filter_table->{FORWARD};
+    my $chainref = $mangle_table->{FORWARD};

    if ( $clampmss ) {
 	if ( "\L$clampmss" eq 'yes' ) {
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -125,7 +125,7 @@ sub initialize( $ ) {
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask = in_hex( $globals{PROVIDER_MASK} );
+    my $mask   = in_hex( $globals{PROVIDER_MASK} );
    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';

    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
@@ -512,6 +512,9 @@ sub process_a_provider( $ ) {
 	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
+
+	$gateway = $1 if $family == F_IPV6 && $gateway =~ /^\[(.+)\]$/;
+
 	validate_address $gateway, 0;

 	if ( defined $mac ) {
@@ -602,6 +605,7 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'nohostroute' ) {
 		$hostroute = 0;
 	    } elsif ( $option eq 'persistent' ) {
+		warning_message "When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option may not work as expected" if $config{RESTORE_DEFAULT_ROUTE};
 		$persistent = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
@@ -688,7 +692,6 @@ sub process_a_provider( $ ) {
 	    
 	    $pref = 10000 + $number - 1;
 	}
-
    }

    unless ( $loose || $pseudo ) {
@@ -847,7 +850,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $id";
+		emit "run_ip route replace default dev $physical table $id";
 	    }
 	}

@@ -863,7 +866,7 @@ sub add_a_provider( $$ ) {
 		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }

-	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
 	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}

@@ -873,24 +876,24 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" );
-		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
+		emit  ( "find_interface_addresses $physical | while read address; do",
+			"    qt \$IP -$family rule del from \$address",
+			"    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
 			'done'
 		      );
 	    }
+	}

-	    if ( @{$providerref->{persistent_routes}} ) {
-		emit '';
-		emit $_ for @{$providers{$table}->{persistent_routes}};
-	    }
+	if ( @{$providerref->{persistent_routes}} ) {
+	    emit '';
+	    emit $_ for @{$providers{$table}->{persistent_routes}};
+	}

-	    if ( @{$providerref->{persistent_rules}} ) {
-		emit '';
-		emit $_ for @{$providers{$table}->{persistent_rules}};
-	    }
+	if ( @{$providerref->{persistent_rules}} ) {
+	    emit '';
+	    emit $_ for @{$providers{$table}->{persistent_rules}};
 	}

 	pop_indent;
@@ -898,7 +901,6 @@ sub add_a_provider( $$ ) {
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );

-
 	pop_indent;

 	emit( "}\n" );
@@ -924,7 +926,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $id";
+		emit "run_ip route replace default dev $physical table $id";
 	    }
 	}
    }
@@ -956,7 +958,7 @@ CEOF
 	my $hexmark = in_hex( $mark );
 	my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';

-	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $persistent || $config{DELETE_THEN_ADD};

 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
@@ -985,7 +987,7 @@ CEOF
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}

-	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	emit "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm";
    }

    if ( $balance ) {
@@ -997,14 +999,16 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
+	    emit qq(run_ip route replace default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
-	    emit qq(run_ip route add default table $id dev $physical metric $number);
+	    emit qq(run_ip route replace default table $id dev $physical metric $number);
 	    emit qq(echo "\$IP -$family route del default dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	}

+	emit( 'g_fallback=Yes' ) if $persistent;
+
 	$metrics = 1;
    }

@@ -1026,12 +1030,13 @@ CEOF
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
 		if ( $persistent ) {
-		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
+		    emit( qq(if ! egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),
+			  qq(    qt \$IP -$family rule del from $address pref 20000),
 			  qq(    run_ip rule add from $address pref 20000 table $id),
 			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
 			  qq(fi) );
 		} else {
-		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		    emit  "qt \$IP -$family rule del from $address" if $persistent || $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 		}
@@ -1092,6 +1097,17 @@ CEOF
 	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
 	    );

+	if ( ! $pseudo && $config{USE_DEFAULT_RT} && $config{RESTORE_DEFAULT_ROUTE} ) {
+	    emit  ( '#',
+		    '# We now have a viable default route in the \'default\' table so delete any default routes in the main table',
+		    '#',
+		    'while qt \$IP -$family route del default table ' . MAIN_TABLE . '; do',
+		    '    true',
+		    'done',
+		    ''
+		);
+	}
+
 	emit_started_message( '', 2, $pseudo, $table, $number );

 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1241,9 +1257,9 @@ CEOF
 	    );

 	if ( $pseudo ) {
-	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
+	    emit( "progress_message2 \"Optional Interface $table stopped\"" );
 	} else {
-	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	    emit( "progress_message2 \"Provider $table ($number) stopped\"" );
 	}

 	pop_indent;
@@ -1344,7 +1360,7 @@ sub add_an_rtrule1( $$$$$ ) {

    $priority = "pref $priority";

-    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $persistent || $config{DELETE_THEN_ADD};
    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";

    if ( $persistent ) {
@@ -1442,22 +1458,22 @@ sub add_a_route( ) {

    if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
-	    push @$routes,            qq(run_ip route add $dest via $gateway dev $physical table $id);
-	    push @$persistent_routes, qq(run_ip route add $dest via $gateway dev $physical table $id) if $persistent;
+	    push @$routes,            qq(run_ip route replace $dest via $gateway dev $physical table $id);
+	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway dev $physical table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} elsif ( $null ) {
-	    push @$routes,            qq(run_ip route add $null $dest table $id);
-	    push @$persistent_routes, qq(run_ip route add $null $dest table $id) if $persistent;
+	    push @$routes,            qq(run_ip route replace $null $dest table $id);
+	    push @$persistent_routes, qq(run_ip route replace $null $dest table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $null $dest table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
-	    push @$routes,            qq(run_ip route add $dest via $gateway table $id);
-	    push @$persistent_routes, qq(run_ip route add $dest via $gateway table $id) if $persistent;
+	    push @$routes,            qq(run_ip route replace $dest via $gateway table $id);
+	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	}
    } else {
 	fatal_error "You must specify a device for this route" unless $physical;
-	push @$routes,            qq(run_ip route add $dest dev $physical table $id);
-	push @$persistent_routes, qq(run_ip route add $dest dev $physical table $id) if $persistent;
+	push @$routes,            qq(run_ip route replace $dest dev $physical table $id);
+	push @$persistent_routes, qq(run_ip route replace $dest dev $physical table $id) if $persistent;
 	push @$routes,             q(echo "$IP ) . qq(-$family route del $dest dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
    }

@@ -1559,7 +1575,7 @@ sub finish_providers() {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
+		    "        while qt \$IP -6 route delete default table $table; do true; done",
 		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
 		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
@@ -1580,7 +1596,7 @@ sub finish_providers() {
 		'    error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );

 	if ( $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit qq(    restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
+	    emit qq(    [ -z "\${FALLBACK_ROUTE}\${g_fallback}" ] && restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
@@ -1607,7 +1623,7 @@ sub finish_providers() {
 	}

 	emit ( '#',
-	       '# Delete any routes in the \'balance\' table',
+	       '# Delete any default routes with metric 0 in the \'balance\' table',
 	       '#',
 	       "while qt \$IP -$family route del default table $balance; do",
 	       '    true',
@@ -1622,7 +1638,7 @@ sub finish_providers() {
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    while qt \$IP -6 route delete default table $default; do true; done" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}

@@ -1635,7 +1651,10 @@ sub finish_providers() {
 	      'fi',
 	      '' );
    } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( "delete_default_routes $default",
+	emit( '#',
+	      '# No balanced fallback routes - delete any routes with metric 0 from the \'default\' table',
+	      '#',
+	      "delete_default_routes $default",
 	      ''
 	    );
    }
@@ -1680,7 +1699,7 @@ sub process_providers( $ ) {
    }

    if ( $providers ) {
-	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
+	fatal_error q(Either all 'fallback' providers must specify a weight or none of them can specify a weight) if $fallback && $metrics;

 	my $fn = open_file( 'route_rules' );

@@ -1919,7 +1938,6 @@ sub setup_providers() {

 	emit "fi\n";
    }
-
 }

 #
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -96,7 +96,7 @@ use constant { NULL_SECTION          => 0x00,
 	       INVALID_SECTION       => 0x10,
 	       UNTRACKED_SECTION     => 0x20,
 	       NEW_SECTION           => 0x40,
-	       DEFAULTACTION_SECTION => 0x80 };
+	       POLICYACTION_SECTION  => 0x80 };
 #
 # Number of elements in the action tuple
 #
@@ -927,6 +927,28 @@ sub process_policies()
 #
 sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);

+#
+# Determine the protocol to be used in the jump to the passed action
+#
+sub determine_action_protocol( $$ ) {
+    my ( $action, $proto ) = @_;
+
+    if ( my $actionproto = $actions{$action}{proto} ) {
+	if ( $proto eq '-' ) {
+	    $proto = $actionproto;
+	} else {
+	    if ( defined( my $protonum = resolve_proto( $proto ) ) ) {
+		fatal_error( "The $action action is only usable with " . proto_name( $actionproto ) ) unless $actionproto == $protonum;
+		$proto = $protonum;
+	    } else {
+		fatal_error( "Unknown protocol ($proto)" );
+	    }
+	}
+    }
+
+    $proto;
+}
+
 sub add_policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;

@@ -942,12 +964,16 @@ sub add_policy_rules( $$$$$ ) {

 	    if ( ( $targets{$action} || 0 ) & ACTION ) {
 		#
-		# Default action is a regular action -- jump to the action chain
+		# Policy action is a regular action -- jump to the action chain
 		#
-		add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
+		if ( ( my $proto = determine_action_protocol( $action, '-' ) ) ne '-' ) {
+		    add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
+		} else {
+		    add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
+		}
 	    } else {
 		#
-		# Default action is an inline 
+		# Policy action is an inline 
 		#
 		( undef, my $level )   = split /:/, $paction, 2;
 		( $action, my $param ) = get_target_param( $action );
@@ -1262,7 +1288,7 @@ sub finish_chain_section ($$$) {
 	if ( $chain1ref->{is_policy} ) {
 	    if ( $chain1ref->{synparams} ) {
 		my $synchainref = ensure_chain 'filter', syn_flood_chain $chain1ref;
-		if ( $section == DEFAULTACTION_SECTION ) {
+		if ( $section == POLICYACTION_SECTION ) {
 		    if ( $chain1ref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
 			add_ijump $chain1ref, j => $synchainref, p => 'tcp --syn';
 		    }
@@ -1298,7 +1324,7 @@ sub ensure_rules_chain( $ )
    $chainref = new_rules_chain( $chain ) unless $chainref;

    unless ( $chainref->{referenced} ) {
-	if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
+	if ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID,UNTRACKED';
 	} elsif ( $section == UNTRACKED_SECTION ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID';
@@ -1417,13 +1443,13 @@ sub external_name( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$$$$ ) {
+sub new_action( $$$$$$ ) {

-    my ( $action , $type, $options , $actionfile , $state ) = @_;
+    my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;

    fatal_error "Invalid action name($action)" if reserved_name( $action );

-    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state };
+    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };

    $targets{$action} = $type;
 }
@@ -1641,7 +1667,7 @@ sub merge_inline_source_dest( $$ ) {
 		    return join( ':', $invocation, $body );
 		}
 	    } else {
-		fatal_error 'Interface names cannot appear in the DEST column within an action body' if $body =~ /:\[|:\+|/;
+		fatal_error 'Interface names cannot appear in the DEST column within an action body' if $body =~ /:\[|:\+/;

 		if ( $invocation =~ /:\[|:\+/ ) {
 		    $invocation =~ s/:.*//;
@@ -1751,6 +1777,14 @@ sub process_action(\$\$$) {
 	fatal_error "Action $action may not be used in the mangle file"  if $chainref->{table} eq 'mangle';
    }

+    if ( $type & NAT_TABLE ) {
+	fatal_error "Action $action may only be used in the snat file" unless $chainref->{table} eq 'nat';
+    } else {
+	fatal_error "Action $action may not be used in the snat file"  if $chainref->{table} eq 'nat';
+    }
+
+    $param = $1 if $param =~ /^.*\|(.*)$/; #Strip interface name off of the parameters
+
    my $actionfile = $actionref->{file};

    progress_message2 "$doing $actionfile for chain $chainref->{name}...";
@@ -1939,7 +1973,7 @@ sub process_action(\$\$$) {

 	    for my $proto (split_list( $protos, 'Protocol' ) ) {
 		process_snat1( $chainref,
-			       $action,
+			       $nolog ? $action : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $action ),
 			       $source,
 			       $dest,
 			       $proto,
@@ -2041,9 +2075,10 @@ sub process_actions() {
 	    my $opts = $type == INLINE ? NOLOG_OPT : 0;

 	    my $state = '';
+	    my $proto = 0;

 	    if ( $action =~ /:/ ) {
-		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
+		warning_message 'Policy Actions are now specified in /etc/shorewall/shorewall.conf';
 		$action =~ s/:.*$//;
 	    }

@@ -2057,6 +2092,9 @@ sub process_actions() {
 			} else {
 			    fatal_error( q(The 'state' option is reserved for use in the actions.std file) );
 			}
+		    } elsif ( /^proto=(.+)$/ ) {
+			fatal_error "Unknown Protocol ($1)" unless defined( $proto = resolve_proto( $1 ) );
+			fatal_error "A protocol may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
 		    } else {
 			fatal_error "Invalid option ($_)" unless $options{$_};
 			$opts |= $options{$_};
@@ -2066,9 +2104,9 @@ sub process_actions() {
 		unless ( $type & INLINE ) {
 		    $type = INLINE if $opts & INLINE_OPT;
 		}
-	    }

-	    fatal_error "Conflicting OPTIONS ($options)" if ( $opts & NOINLINE_OPT && $type == INLINE ) || ( $opts & INLINE_OPT && $opts & BUILTIN_OPT );
+		fatal_error "Conflicting OPTIONS ($options)" if ( $opts & NOINLINE_OPT && $type == INLINE ) || ( $opts & INLINE_OPT && $opts & BUILTIN_OPT );
+	    }

 	    if ( my $actiontype = $targets{$action} ) {
 		if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
@@ -2077,6 +2115,11 @@ sub process_actions() {
 			next;
 		    }

+		    $proto = $actions{$action}{proto} unless $proto;
+		    delete $actions{$action};
+		    delete $targets{$action};
+		} elsif ( ( $actiontype & INLINE ) && ( $type == ACTION ) && $opts & NOINLINE_OPT ) {
+		    $proto = $actions{$action}{proto} unless $proto;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} else {
@@ -2086,6 +2129,8 @@ sub process_actions() {
 	    }

 	    if ( $opts & BUILTIN_OPT ) {
+		warning_message( "The 'proto' option has no effect when specified on a builtin action" ) if $proto;
+
 		my $actiontype = USERBUILTIN | OPTIONS;
 		$actiontype   |= MANGLE_TABLE if $opts & MANGLE_OPT;
 		$actiontype   |= RAW_TABLE    if $opts & RAW_OPT;
@@ -2118,7 +2163,7 @@ sub process_actions() {

 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;

-		new_action ( $action, $type, $opts, $actionfile , $state );
+		new_action ( $action, $type, $opts, $actionfile , $state , $proto );
 	    }
 	}
    }
@@ -2156,7 +2201,7 @@ sub process_reject_action() {
    #
    # This gets called very early in the compilation process so we fake the section
    #
-    $section = DEFAULTACTION_SECTION;
+    $section = POLICYACTION_SECTION;

    if ( ( $targets{$action} || 0 ) == ACTION ) {
 	add_ijump $rejectref, j => use_policy_action( $action, $rejectref->{name} );
@@ -2490,7 +2535,7 @@ sub verify_audit($;$$) {
 # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument. A chain
-# reference is also passed when rules are being generated during processing of a macro used as a default action.
+# reference is also passed when rules are being generated during processing of a macro used as a policy action.
 #

 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
@@ -3001,6 +3046,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $actionchain; # Name of the action chain

    if ( $actiontype & ACTION ) {
+	#
+	# Verify action 'proto', if any
+	#
+	$proto = determine_action_protocol( $basictarget, $proto );
 	#
 	# Save NAT-oriented column contents
 	#
@@ -3151,7 +3200,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     );
    }

-    unless ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ||
+    unless ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ||
 	     $inaction ||
 	     $blacklist ||
 	     $basictarget eq 'dropInvalid' ) {
@@ -3287,7 +3336,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     $log_action ,
 		     $exceptionrule ,
 		     $usergenerated && ! $loglevel )
-	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
+	    unless unreachable_warning( $wildcard || $section == POLICYACTION_SECTION, $chainref );
    }

    $generated = 1;
@@ -3365,7 +3414,7 @@ sub check_state( $ ) {
 	}
    }

-    if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
+    if ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ) {
 	if ( $state eq 'NEW' ) {
 	    #
 	    # If an INVALID or UNTRACKED rule would be emitted then we must include the state match
@@ -3906,7 +3955,7 @@ sub process_rules() {
    #
    # No need to finish the NEW section since no rules need to be generated
    #
-    $section = $next_section = DEFAULTACTION_SECTION;
+    $section = $next_section = POLICYACTION_SECTION;
 }

 sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
@@ -4142,10 +4191,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		expand_rule( $chainref,
 			     $restriction,
 			     $prerule ,
+			     do_proto( $proto, $ports, $sports ) .
 			     $match .
 			     do_user( $user ) .
-			     do_test( $testval, $globals{TC_MASK} ) .
-			     do_test( $testval, $globals{TC_MASK} ) .
+			     do_test( $testval, $mask ) .
 			     do_length( $length ) .
 			     do_tos( $tos ) .
 			     do_connbytes( $connbytes ) .
@@ -4153,6 +4202,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 			     do_headers( $headers ) .
 			     do_probability( $probability ) .
 			     do_dscp( $dscp ) .
+			     do_time( $time ) .
 			     do_condition( $condition, $chainref->{name} ) .
 			     state_match( $state ) .
 			     $raw_matches ,
@@ -4588,6 +4638,52 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	    },
 	},

+	TCPMSS     => {
+	    defaultchain   => FORWARD,
+	    allowedchains  => FORWARD | POSTROUTING,
+	    minparams      => 0,
+	    maxparams      => 2,
+	    function       => sub () {
+		if ( $proto eq '-' ) {
+		    $proto = TCP;
+		} else {
+		    fatal_error 'TCPMSS only valid with TCP' unless $proto eq '6' || $proto eq 'tcp';
+		}
+
+		$target   = 'TCPMSS ';
+		$matches .= '--tcp-flags SYN,RST SYN ';
+
+		if ( supplied $params ) {
+		    my ( $mss, $ipsec ) = split /,/, $params;
+
+		    if ( supplied $mss ) {
+			if ( $mss eq 'pmtu' ) {
+			    $target .= '--clamp-mss-to-pmtu';
+			} else {
+			    my $num = numeric_value $mss;
+			    fatal_error "Invalid MSS ($mss)" unless defined $num && $num >= 500 && $num < 65534;
+			    $target .= "--set-mss $num";
+			}
+		    } else {
+			$target .= '--clamp-mss-to-pmtu';
+		    }
+		    if ( supplied $ipsec && $ipsec ne 'all' ) {
+			if ( $ipsec eq '-' || $ipsec eq 'none' ) {
+			    $matches .= '-m policy --pol none --dir out ';
+			} elsif ( $ipsec eq 'ipsec' ) {
+			    $matches .= '-m policy --pol ipsec --dir out ';
+			} else {
+			    fatal_error "Invalid ipsec parameter ($ipsec)";
+			}
+
+			require_capability 'POLICY_MATCH', "The $ipsec ipsec option", 's';
+		    }
+		} else {
+		    $target .= '--clamp-mss-to-pmtu';
+		}
+	    },
+	},
+
 	TOS        => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
@@ -4611,8 +4707,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		my ( $port, $ip, $bad );

 		if ( $params ) {
-		    ( $port, $ip, $bad ) = split_list $params, 'Parameter';
-		    fatal_error "Invalid TPROXY specification( TPROXY($params) )" if defined $bad;
+		    ( $port, $ip ) = split /,/, $params, 2;
 		}

 		my $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
@@ -4679,6 +4774,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	function          => sub() {
 	    fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE;
 	    #
+	    # Verify action 'proto', if any
+	    #
+	    $proto = determine_action_protocol( $cmd, $proto );
+	    #
 	    # Create the action:level:tag:param tuple.
 	    #
 	    my $normalized_target = normalize_action( $cmd, '', $params );
@@ -5204,18 +5303,23 @@ sub process_mangle_rule( $ ) {
    }
 }

-sub process_snat_inline( $$$$$$$$$$$$$ ) {
-    my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+sub process_snat_inline( $$$$$$$$$$$$$$ ) {
+    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;

+    my ( $level,
+	 $tag )    = split( ':', $loglevel, 2 );
    my $oldparms   = push_action_params( $inline,
 					 $chainref,
 					 $params,
-					  'none',
-					 '' ,
+					 supplied $level ? $level : 'none',
+					 defined  $tag   ? $tag   : '' ,
 					 $chainref->{name} );

-    my $inlinefile = $actions{$inline}{file};
-    my $matches    = fetch_inline_matches;
+    my $actionref    = $actions{$inline};
+    my $inlinefile   = $actionref->{file};
+    my $options      = $actionref->{options};
+    my $nolog        = $options & NOLOG_OPT;
+    my $matches      = fetch_inline_matches;

    progress_message "..Expanding inline action $inlinefile...";

@@ -5249,6 +5353,8 @@ sub process_snat_inline( $$$$$$$$$$$$$ ) {
 	    next;
 	}

+	$maction = merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $maction ) unless $nolog;
+
 	$msource = $source if $msource eq '-';

 	if ( $mdest eq '-' ) {
@@ -5293,7 +5399,7 @@ sub process_snat_inline( $$$$$$$$$$$$$ ) {
 # Process a record in the snat file
 #
 sub process_snat1( $$$$$$$$$$$$ ) {
-    my ( $chainref, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;

    my $inchain;
    my $inaction;
@@ -5310,6 +5416,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
    my $actiontype;
    my $interfaces;
    my $normalized_action;
+    my ( $action, $loglevel ) = split_action( $origaction );
+    my $logaction;
+    my $param;

    if ( $action =~ /^MASQUERADE(\+)?(?:\((.+)\))?$/ ) {
 	$target     = 'MASQUERADE';
@@ -5318,6 +5427,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$addresses  = ( $2 || '' );
 	$options    = 'random' if $addresses =~ s/:?random$//;
 	$add_snat_aliases = '';
+	$logaction  = 'MASQ';
    } elsif ( $action =~ /^SNAT(\+)?\((.+)\)$/ ) {
 	$pre_nat    = $1;
 	$addresses  = $2;
@@ -5326,13 +5436,16 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	$options   .= ':persistent' if $addresses =~ s/:persistent//;
 	$options   .= ':random'     if $addresses =~ s/:random//;
 	$options   =~ s/^://;
+	$logaction = 'SNAT';
    } elsif ( $action =~ /^CONTINUE(\+)?$/ ) {
 	$add_snat_aliases = 0;
 	$actiontype = $builtin_target{$target = 'RETURN'};
 	$pre_nat    = $1;
+	$logaction = 'RETURN';
    } elsif ( $action eq 'MASQUERADE' ) {
 	$actiontype = $builtin_target{$target = 'MASQUERADE'};
 	$add_snat_aliases = '';
+	$logaction  = 'MASQ';
    } else {
 	( $target , $params ) = get_target_param1( $action );

@@ -5340,11 +5453,24 @@ sub process_snat1( $$$$$$$$$$$$ ) {

 	$actiontype = ( $targets{$target} || 0 );

-	fatal_error "Invalid ACTION ($action)" unless $actiontype & ( ACTION | INLINE );
+	if ( $actiontype & LOGRULE ) {
+	    $logaction = 'LOG';
+	    if ( $target eq 'LOG' ) {
+		fatal_error 'LOG requires a log level' unless supplied $loglevel;
+	    } else {
+		$target   = "$target($params)";
+		validate_level( $action );
+		$loglevel = supplied $loglevel ? join( ':', $target, $loglevel ) : $target;
+		$target   = 'LOG';
+	    }
+	} else {
+	    fatal_error "Invalid ACTION ($action)" unless $actiontype & ( ACTION | INLINE );
+	    $logaction = '';
+	}
    }

    if ( $inchain = defined $chainref ) {
-	( $inaction, undef, $interfaces, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 5 if $chainref->{action};
+	( $inaction, undef,undef,undef,$param ) = split( /:/, $normalized_action = $chainref->{action}) if $chainref->{action};
 	fatal_error q('+' is not allowed within an action body) if $pre_nat;
    }
    #
@@ -5352,6 +5478,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
    #
    if ( $inaction ) {
 	$destnets = $dest;
+	assert( $param =~ /^(.*)\|/ );
+	$interfaces=$1;
    } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^([^:]+)::([^:]*)$/ ) {
 	    $add_snat_aliases = 0;
@@ -5593,6 +5721,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    process_snat_inline( $target,
 				 $chainref,
 				 $params,
+				 $loglevel,
 				 $source,
 				 supplied $destnets && $destnets ne '-' ? $inaction ? $destnets : join( ':', $interface, $destnets ) : $inaction ? '-' : $interface,
 				 $proto,
@@ -5607,10 +5736,14 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( $actiontype & ACTION ) {
 		fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
 		#
+		# Verify action 'proto', if any
+		#
+		$proto = determine_action_protocol( $target, $proto );
+		#
 		# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
 		# the interface name in the log tag
 		#
-		my $normalized_target = normalize_action( $target, "none:$interface", $params );
+		my $normalized_target = normalize_action( $target, "$loglevel", "$interface|$params" );
 		fatal_error( "Action $target invoked Recursively (" .  join( '->', map( external_name( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$target};

 		my $ref = use_action( 'nat', $normalized_target );
@@ -5620,9 +5753,6 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		    # First reference to this tuple - process_action may modify both $normalized_target and $ref!!!
 		    #
 		    process_action( $normalized_target, $ref, $chainref->{name} );
-		    #
-		    # Capture the name of the action chain
-		    #
 		} else {
 		    #
 		    # We've seen this tuple before
@@ -5631,6 +5761,12 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 		}

 		$target = $ref->{name};
+
+		if ( $actions{$target}{options} & LOGJUMP_OPT ) {
+		    $logaction = $target;
+		} else {
+		    $loglevel = '';
+		}
 	    } else {
 		for my $option ( split_list2( $options , 'option' ) ) {
 		    if ( $option eq 'random' ) {
@@ -5659,8 +5795,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 			 $destnets ,
 			 $origdest ,
 			 $target ,
-			 '' ,
-			 '' ,
+			 $loglevel ,
+			 $logaction ,
 			 $exceptionrule ,
 			 '' )
 		unless unreachable_warning( 0, $chainref );
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -225,11 +225,11 @@ sub handle_in_bandwidth( $$$ ) {
    if ( have_capability 'BASIC_FILTER' ) {
 	if ( $in_rate ) {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
-		  "    police mpu 64 drop rate ${in_rate}kbit burst $in_burst\n" );
+		  "    police mpu 64 rate ${in_rate}kbit burst $in_burst drop\n" );
 	} else {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
 		  "    estimator $in_interval $in_decay basic \\",
-		  "    police drop avrate ${in_avrate}kbit\n" );
+		  "    police avrate ${in_avrate}kbit drop\n" );
 	}
    } else {
 	emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -90,7 +90,6 @@ our @EXPORT = ( qw( NOTHING
 		    interface_is_optional
 		    interface_is_required
 		    find_interfaces_by_option
-		    find_interfaces_by_option1
 		    get_interface_option
 		    get_interface_origin
 		    interface_has_option
@@ -253,6 +252,17 @@ use constant { NO_UPDOWN   => 1,

 our %validinterfaceoptions;

+our %procinterfaceoptions=( accept_ra   => 1,
+			    arp_filter  => 1,
+			    arp_ignore  => 1,
+			    forward     => 1,
+			    logmartians => 1,
+			    proxyarp    => 1,
+			    proxyndp    => 1,
+			    routefilter => 1,
+			    sourceroute => 1,
+			  );
+
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -317,7 +327,7 @@ sub initialize( $$ ) {
    %mapbase = ();
    %mapbase1 = ();
    $baseseq = 0;
-    $minroot = 0;
+    $minroot = undef;
    $loopback_interface = '';

    %validzoneoptions = ( mss            => NUMERIC,
@@ -339,7 +349,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
-				  dbl         => ENUM_IF_OPTION,
+				  dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -363,9 +373,9 @@ sub initialize( $$ ) {
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
-				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST,
+				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST + IF_OPTION_WILDOK,
 				  unmanaged   => SIMPLE_IF_OPTION,
-				  wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				  wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -390,7 +400,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
-				    dbl         => ENUM_IF_OPTION,
+				    dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -402,18 +412,18 @@ sub initialize( $$ ) {
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
-				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER + IF_OPTION_WILDOK,
 				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => BINARY_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    forward     => BINARY_IF_OPTION,
-				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
+				    physical    => STRING_IF_OPTION + IF_OPTION_HOST + IF_OPTION_WILDOK,
 				    unmanaged   => SIMPLE_IF_OPTION,
 				    upnp        => SIMPLE_IF_OPTION,
 				    upnpclient  => SIMPLE_IF_OPTION,
-				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				    wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -714,7 +724,7 @@ sub interface_match( $$ ) {
    return 1 if $piface eq $cifaceref->{bridge};
    return 1 if $ciface eq $pifaceref->{bridge};

-    if ( $minroot ) {
+    if ( defined $minroot ) {
 	if ( $piface =~ /\+$/ ) {
 	    my $root    = $pifaceref->{root};
 	    my $rlength = length( $root );
@@ -1204,15 +1214,16 @@ sub process_interface( $$ ) {
    }

    my $wildcard = 0;
+    my $physwild = 0;
    my $root;

    if ( $interface =~ /\+$/ ) {
-	$wildcard = 1;
+	$wildcard = $physwild = 1; # Default physical name is the logical name
 	$root = substr( $interface, 0, -1 );
 	$roots{$root} = $interface;
 	my $len = length $root;

-	if ( $minroot ) {
+	if ( defined $minroot ) {
 	    $minroot = $len if $minroot > $len;
 	} else {
 	    $minroot = $len;
@@ -1258,8 +1269,6 @@ sub process_interface( $$ ) {
 	my %hostoptions = ( dynamic => 0 );

 	for my $option (split_list1 $options, 'option' ) {
-	    next if $option eq '-';
-
 	    ( $option, my $value ) = split /=/, $option;

 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
@@ -1296,7 +1305,6 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
-		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
@@ -1320,7 +1328,6 @@ sub process_interface( $$ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
-		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
@@ -1372,7 +1379,9 @@ sub process_interface( $$ ) {

 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );

-		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
+		    $physwild = ( $value =~ /\+$/ );
+		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $physwild;
+
 		    $physical = $value;
 		} else {
 		    assert(0);
@@ -1400,6 +1409,14 @@ sub process_interface( $$ ) {
 	    $options{ignore} = 0;
 	}

+	for my $option ( keys %options ) {
+	    if ( $root ) {
+		warning_message( "The '$option' option is ignored when used with a wildcard physical name" ) if $physwild && $procinterfaceoptions{$option};
+	    } else {
+		warning_message( "The '$option' option is ignored when used with interface name '+'" ) unless $validinterfaceoptions{$option} & IF_OPTION_WILDOK;
+	    }
+	}
+
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
@@ -1458,6 +1475,7 @@ sub process_interface( $$ ) {
 						   zones      => {},
 						   origin     => shortlineinfo( '' ),
 						   wildcard   => $wildcard,
+						   physwild   => $physwild, # Currently unused
 					         };

    $interfaces{$physical} = $interfaceref if $physical ne $interface;
@@ -1616,7 +1634,7 @@ sub known_interface($)

    my $iface = $interface;

-    if ( $minroot ) {
+    if ( defined $minroot ) {
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
@@ -1857,7 +1875,8 @@ sub find_interfaces_by_option( $;$ ) {
    for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};

-	next unless $interfaceref->{root};
+	next unless $interfaceref->{root};                                   # Don't return '+' interface
+	next if $procinterfaceoptions{$option} && $interfaceref->{physwild}; # Ignore /proc options on wildcard interface

 	my $optionsref = $interfaceref->{options};
 	if ( $nonzero ) {
@@ -1872,35 +1891,6 @@ sub find_interfaces_by_option( $;$ ) {
    \@ints;
 }

-#
-# Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
-#
-# - All entries in %interfaces are searched.
-# - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
-#
-sub find_interfaces_by_option1( $ ) {
-    my $option = $_[0];
-    my @ints = ();
-    my $wild = 0;
-
-    for my $interface ( @interfaces ) {
-	my $interfaceref = $interfaces{$interface};
-
-	next unless defined $interfaceref->{physical};
-
-	my $optionsref = $interfaceref->{options};
-
-	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= $interfaceref->{wildcard};
-	    push @ints , $interface
-	}
-    }
-
-    return unless defined wantarray;
-
-    wantarray ? ( \@ints, $wild ) : \@ints;
-}
-
 #
 # Return the value of an option for an interface
 #
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -1,4 +1,4 @@
-#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -369,7 +369,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 delete_default_routes() # $1 = table number
 {
    $IP -$g_family route ls table $1 | grep -F default | grep -vF metric | while read route; do
-	qt $IP -$g_family route del $route
+	qt $IP -$g_family route del $route table $1
    done
 } 

--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -78,11 +78,13 @@ reload_command() {
    detect_configuration
    define_firewall
    status=$?
-    if [ -n "$SUBSYSLOCK" ]; then
- 	[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-    fi

-    [ $status -eq 0 ] && progress_message3 "done."
+    if [ $status -eq 0 ]; then
+	[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+	progress_message3 "done."
+    else
+	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+    fi
 }

 ################################################################################
@@ -127,8 +129,10 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
+g_dockeringress=
 g_dockernetwork=
 g_forcereload=
+g_fallback=

 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=

@@ -264,8 +268,10 @@ case "$COMMAND" in
 	    error_message "$g_product is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
-	    $g_tool -Z
-	    $g_tool -t mangle -Z
+	    for table in raw mangle nat filter; do
+		qt $g_tool -t $table -Z
+	    done
+
 	    date > ${VARDIR}/restarted
 	    status=0
 	    progress_message3 "$g_product Counters Reset"
@@ -418,9 +424,12 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
+	    COMMAND=disable
 	    detect_configuration $1
-	    COMMAND=enable  disable_provider $1 Yes
-	    COMMAND=disable enable_provider  $1 Yes
+	    disable_provider $1 Yes
+	    COMMAND=enable
+	    detect_configuration $1
+	    enable_provider  $1 Yes
 	fi
 	mutex_off
 	status=0
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -77,7 +77,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,4 +14,4 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
+net     NET_IF          dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=eth0
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -88,7 +88,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,6 +14,6 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
-loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
-dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
+net     NET_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
+dmz     DMZ_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth2
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -85,7 +85,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

--- a/Shorewall/Samples/three-interfaces/snat
+++ b/Shorewall/Samples/three-interfaces/snat
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		eth0
+			192.168.0.0/16		NET_IF
--- a/Shorewall/Samples/three-interfaces/stoppedrules
+++ b/Shorewall/Samples/three-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012-2015 by the Shorewall Team
+# Copyright (C) 2012-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,8 +13,8 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		eth1		-
-ACCEPT		-		eth1
-ACCEPT		eth2		-
-ACCEPT		-		eth2
+ACCEPT		LOC_IF		-
+ACCEPT		-		LOC_IF
+ACCEPT		DMZ_IF		-
+ACCEPT		-		DMZ_IF

--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,5 +14,5 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
-loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
+net     NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -88,7 +88,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
-# Copyright (C) 2006-2016 by the Shorewall Team
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		eth0
+			192.168.0.0/16		NET_IF
--- a/Shorewall/Samples/two-interfaces/stoppedrules
+++ b/Shorewall/Samples/two-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012-2015 by the Shorewall Team
+# Copyright (C) 2012-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,5 +13,5 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		eth1		-
-ACCEPT		-		eth1
+ACCEPT		LOC_IF		-
+ACCEPT		-		LOC_IF
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -21,35 +21,46 @@ allowMcast   inline		# Silently Allow Multicast
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
+?if __ADDRTYPE
+Broadcast    inline,audit	# Handles Broadcast/Anycast
+?else
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
-DNSAmp				# Matches one-question recursive DNS queries
+?endif
+DNSAmp	     proto=17		# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
-dropBcasts    inline		# Silently Drop Broadcast
+dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
-dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
-DropDNSrep   inline		# Drops DNS replies
+dropNotSyn   noinline,proto=6	# Silently Drop Non-syn TCP packets
+DropDNSrep   inline,proto=17	# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
-FIN	     inline,audit	# Handles ACK,FIN,PSH packets
+FIN	     inline,audit,\	# Handles ACK,FIN packets
+	     proto=6
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
 Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 	     state=INVALID	#
 Limit	     noinline		# Limit the rate of connections from each individual IP address
+?if __ADDRTYPE
+Multicast    inline,audit	# Handles Multicast
+?else
 Multicast    noinline,audit	# Handles Multicast
+?endif
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
-rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
+NotSyn	     inline,audit,\	# Handles TCP packets which do not have SYN=1 and ACK=0
+	     proto=6
+rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
 Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit	# Handle packets with RST set
+RST	     inline,audit,\	# Handle packets with RST set
+	     proto=6
 SetEvent     inline		# Initialize an event
-TCPFlags			# Handle bad flag combinations.
+TCPFlags     proto=6		# Handle bad flag combinations.
 Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
 	     state=UNTRACKED	#
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -77,7 +77,7 @@ UNTRACKED_LOG_LEVEL=

 ARPTABLES=

-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

--- a/Shorewall/configpath
+++ b/Shorewall/configpath
@@ -3,4 +3,4 @@
 #
 # /usr/share/shorewall/configpath
 #
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -211,30 +211,35 @@ get_config() {
 	LOG_VERBOSITY=-1
    fi

-    if [ -n "$SHOREWALL_SHELL" -a -z "$g_export" ]; then
-	if [ ! -x "$SHOREWALL_SHELL" ]; then
-	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
-	    SHOREWALL_SHELL=/bin/sh
+    if [ -z "${g_export}${g_test}" ]; then
+	if [ -n "$SHOREWALL_SHELL" ]; then
+	    if [ ! -x "$SHOREWALL_SHELL" ]; then
+		echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
+		SHOREWALL_SHELL=/bin/sh
+	    fi
 	fi
-    fi

-    if [ -n "$IP" ]; then
-	case "$IP" in
-	    */*)
-		if [ ! -x "$IP" ] ; then
-		    fatal_error "The program specified in IP ($IP) does not exist or is not executable"
-		fi
-		;;
-	    *)
-		prog="$(mywhich $IP 2> /dev/null)"
-		if [ -z "$prog" ] ; then
-		    fatal_error "Can't find $IP executable"
-		fi
-		IP=$prog
-		;;
-	esac
+	if [ -n "$IP" ]; then
+	    case "$IP" in
+		*/*)
+		    if [ ! -x "$IP" ] ; then
+			fatal_error "The program specified in IP ($IP) does not exist or is not executable"
+		    fi
+		    ;;
+		*)
+		    prog="$(mywhich $IP 2> /dev/null)"
+		    if [ -z "$prog" ] ; then
+			fatal_error "Can't find $IP executable"
+		    fi
+		    IP=$prog
+		    ;;
+	    esac
+	else
+	    IP='ip'
+	fi
    else
-	IP='ip'
+	[ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh
+	[ -n "$IP" ]              || IP='ip'
    fi

    case $VERBOSITY in
@@ -367,13 +372,21 @@ uptodate() {
    local dir
    local ifs

+    if [ -n "$g_shorewalldir" ]; then
+	if [ -n "$(find ${dir} -maxdepth 1 -newer $1)" ]; then
+	    return 1;
+	fi
+    fi
+
    ifs="$IFS"
    IFS=':'

-    for dir in $g_shorewalldir $CONFIG_PATH; do
-	if [ -n "$(find ${dir} -newer $1)" ]; then
-	    IFS="$ifs"
-	    return 1;
+    for dir in $CONFIG_PATH; do
+	if [ -n "$dir" ]; then
+	    if [ -n "$(find ${dir} -maxdepth 1 -newer $1)" ]; then
+		IFS="$ifs"
+		return 1;
+	    fi
 	fi
    done

@@ -770,6 +783,10 @@ check_command() {
 			    g_profile=Yes
 			    option=${option#p}
 			    ;;
+			t*)
+			    g_test=Yes
+			    option=${option#t}
+			    ;;
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -854,6 +871,10 @@ update_command() {
 			    g_profile=Yes
 			    option=${option#p}
 			    ;;
+			t*)
+			    g_test=Yes
+			    option=${option#t}
+			    ;;
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -1527,6 +1548,8 @@ remote_reload_command() # $* = original arguments less the command.
 	litedir="${VARDIR}-lite"
    fi

+    g_export=Yes
+
    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
 	if [ -f $g_shorewalldir/params ]; then
 	    . $g_shorewalldir/params
@@ -1566,8 +1589,6 @@ remote_reload_command() # $* = original arguments less the command.

    file=$(resolve_file $g_shorewalldir/firewall)

-    g_export=Yes
-
    program=$sbindir/${PRODUCT}-lite
    #
    # Handle nonstandard remote VARDIR
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -791,11 +791,7 @@
    <title>See ALSO</title>

    <para><ulink
-    url="/Accounting.html">http://www.shorewall.net/Accounting.html
-    </ulink></para>
-
-    <para><ulink
-    url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
+    url="shorewall-logging.htm">shorewall-logging(5)</ulink></para>

    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -191,6 +191,27 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><option>proto</option>=<replaceable>protocol</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.10. Specifies that the action is
+                only usable with the specified
+                <replaceable>protocol</replaceable> (name or number). When the
+                action is invoked with no protocol specified in the PROTO
+                column, or if the action is used as a Policy Action, the named
+                <replaceable>protocol</replaceable> will be assumed. If a
+                protocol is specified in the PROTO column of an invocation,
+                then it must match the named
+                <replaceable>protocol</replaceable>.</para>
+
+                <para>The <option>proto</option> option has no effect if the
+                <option>inline</option> or <option>builtin</option> option is
+                specified. A warning is issued if <option>proto</option> is
+                specified along with <option>builtin</option>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><option>section</option></term>

--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -167,7 +167,7 @@
              <listitem>
                <para>queues matching packets to a back end logging daemon via
                a netlink socket then continues to the next rule. See <ulink
-                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>
              </listitem>
            </varlistentry>

@@ -258,7 +258,7 @@
          <para>You may also specify <emphasis role="bold">NFLOG</emphasis>
          (must be in upper case) as a log level.This will log to the NFLOG
          target for routing to a separate log through use of ulogd (<ulink
-          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
+          url="shorewall-logging.html">shorewall-logging.htm</ulink>).</para>

          <para>Actions specifying logging may be followed by a log tag (a
          string of alphanumeric characters) which is appended to the string
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -447,7 +447,7 @@

              <listitem>
                <para>This form combines the preceding two and requires that
-                both the incoming interace and source address match.</para>
+                both the incoming interface and source address match.</para>
              </listitem>
            </varlistentry>

@@ -543,7 +543,7 @@

              <listitem>
                <para>This form combines the preceding two and requires that
-                both the outgoing interace and destination address
+                both the outgoing interface and destination address
                match.</para>
              </listitem>
            </varlistentry>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -112,7 +112,10 @@ loc     eth2            -</programlisting>
          url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
          for a discussion of this problem.</para>

-          <para>Shorewall allows '+' as an interface name.</para>
+          <para>Shorewall allows '+' as an interface name, but that usage is
+          deprecated. A better approach is to specify
+          '<option>physical</option>=+' in the OPTIONS column (see
+          below).</para>

          <para>There is no need to define the loopback interface (lo) in this
          file.</para>
@@ -193,6 +196,54 @@ loc     eth2            -</programlisting>
          should have no embedded white-space.</para>

          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">accept_ra</emphasis>[={0|1|2}]</term>
+
+              <listitem>
+                <para>IPv6 only; added in Shorewall 4.5.16. Values are:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>0</term>
+
+                    <listitem>
+                      <para>Do not accept Router Advertisements.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>1</term>
+
+                    <listitem>
+                      <para>Accept Route Advertisements if forwarding is
+                      disabled.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>2</term>
+
+                    <listitem>
+                      <para>Overrule forwarding behavior. Accept Route
+                      Advertisements even if forwarding is enabled.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+
+                <para>If the option is specified without a value, then the
+                value 1 is assumed.</para>
+
+                <note>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
+                </note>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>

@@ -209,12 +260,12 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

-                <para/>
-
                <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                </note>
              </listitem>
            </varlistentry>
@@ -243,16 +294,14 @@ loc     eth2            -</programlisting>

                <para>8 - do not reply for all local addresses</para>

-                <para/>
-
                <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                </note>

-                <para/>
-
                <warning>
                  <para>Do not specify <emphasis
                  role="bold">arp_ignore</emphasis> for any interface involved
@@ -430,6 +479,25 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">forward</emphasis>[={0|1}]</term>
+
+              <listitem>
+                <para>IPv6 only Sets the
+                /proc/sys/net/ipv6/conf/interface/forwarding option to the
+                specified value. If no value is supplied, then 1 is
+                assumed.</para>
+
+                <note>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
+                </note>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">ignore[=1]</emphasis></term>

@@ -496,9 +564,11 @@ loc     eth2            -</programlisting>
                <para/>

                <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                </note>

                <blockquote>
@@ -625,7 +695,10 @@ loc     eth2            -</programlisting>

                <para>If the <emphasis>interface</emphasis> name is a wildcard
                name (ends with '+'), then the physical
-                <emphasis>name</emphasis> must also end in '+'.</para>
+                <emphasis>name</emphasis> must also end in '+'. The physical
+                <replaceable>name</replaceable> may end in '+' (or be exactly
+                '+') when the <replaceable>interface</replaceable> name is not
+                a wildcard name.</para>

                <para>If <option>physical</option> is not specified, then it's
                value defaults to the <emphasis>interface</emphasis>
@@ -647,9 +720,13 @@ loc     eth2            -</programlisting>
                url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
                </ulink></para>

-                <para><emphasis role="bold">Note</emphasis>: This option does
-                not work with a wild-card <replaceable>interface</replaceable>
-                name (e.g., eth0.+) in the INTERFACE column.</para>
+                <note>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
+                </note>

                <para>Only those interfaces with the <option>proxyarp</option>
                option will have their setting changed; the value assigned to
@@ -665,9 +742,13 @@ loc     eth2            -</programlisting>
                <para>IPv6 only. Sets
                /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>

-                <para><emphasis role="bold">Note</emphasis>: This option does
-                not work with a wild-card <replaceable>interface</replaceable>
-                name (e.g., eth0.+) in the INTERFACE column.</para>
+                <note>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
+                </note>

                <para>Only those interfaces with the <option>proxyndp</option>
                option will have their setting changed; the value assigned to
@@ -731,9 +812,11 @@ loc     eth2            -</programlisting>
                filtering.</para>

                <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                </note>

                <para>This option can also be enabled globally via the
@@ -842,9 +925,11 @@ loc     eth2            -</programlisting>
                specified (if any) or 1 if no value is given.</para>

                <note>
-                  <para>This option does not work with a wild-card
-                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
-                  the INTERFACE column.</para>
+                  <para>This option does not work with a wild-card <emphasis
+                  role="bold">physical</emphasis> name (e.g., eth0.+).
+                  Beginning with Shorewall 5.1.10, If this option is
+                  specified, a warning is issued and the option is
+                  ignored.</para>
                </note>
              </listitem>
            </varlistentry>
--- a/Shorewall/manpages/shorewall-logging.xml
+++ b/Shorewall/manpages/shorewall-logging.xml
@@ -0,0 +1,385 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-logging</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>logging</refname>
+
+    <refpurpose>Shorewall logging</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command><replaceable>action</replaceable>:<replaceable>level</replaceable></command>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>NFLOG(<replaceable>nflog-parameters</replaceable>)</command>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>ULOG(<replaceable>ulog-parameters</replaceable>)</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>The disposition of packets entering a Shorewall firewall is
+    determined by one of a number of Shorewall facilities. Only some of these
+    facilities permit logging.</para>
+
+    <orderedlist>
+      <listitem>
+        <para>The packet is part of an established connection. While the
+        packet can be logged using LOG rules in the ESTABLISHED section of
+        <ulink
+        url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>, that
+        is not recommended because of the large amount of information that may
+        be logged.</para>
+      </listitem>
+
+      <listitem>
+        <para>The packet represents a connection request that is related to an
+        established connection (such as a <ulink url="FTP.html">data
+        connection associated with an FTP control connection</ulink>). These
+        packets may be logged using LOG rules in the RELATED section of <ulink
+        url="manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
+      </listitem>
+
+      <listitem>
+        <para>The packet is rejected because of an option in <ulink
+        url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) or <ulink
+        url="manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
+        These packets can be logged by setting the appropriate logging-related
+        option in <ulink
+        url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>.</para>
+      </listitem>
+
+      <listitem>
+        <para>The packet matches a rule in <ulink
+        url="manpages/shorewall-rules.html">shorewall-rules</ulink>(5). By
+        including a syslog level (see below) in the ACTION column of a rule
+        (e.g., <quote>ACCEPT<emphasis role="bold">:info</emphasis> net $FW tcp
+        22</quote>), the connection attempt will be logged at that
+        level.</para>
+      </listitem>
+
+      <listitem>
+        <para>The packet doesn't match a rule so it is handled by a policy
+        defined in <ulink
+        url="manpages/shorewall-policy.html">shorewall-policy(5)</ulink>.
+        These may be logged by specifying a syslog level in the LOG LEVEL
+        column of the policy's entry (e.g., <quote>loc net ACCEPT <emphasis
+        role="bold">info</emphasis></quote>).</para>
+      </listitem>
+    </orderedlist>
+  </refsect1>
+
+  <refsect1>
+    <title>Default Logging</title>
+
+    <para>By default, Shorewall directs Netfilter to log using syslog (8).
+    Syslog classifies log messages by a <emphasis>facility</emphasis> and a
+    <emphasis>priority</emphasis> (using the notation
+    <emphasis>facility.priority</emphasis>).</para>
+
+    <para>The facilities defined by syslog are <emphasis>auth, authpriv, cron,
+    daemon, kern, lpr, mail, mark, news, syslog, user, uucp</emphasis> and
+    <emphasis>local0</emphasis> through <emphasis>local7.</emphasis></para>
+
+    <para>Throughout the Shorewall documentation, the term
+    <emphasis>level</emphasis> rather than <emphasis>priority is used,
+    </emphasis>since <emphasis>level</emphasis> is the term used by Netfilter.
+    The syslog documentation uses the term
+    <emphasis>priority</emphasis>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Syslog Levels</title>
+
+    <para>Syslog levels are a method of describing to syslog (8) the
+    importance of a message. A number of Shorewall parameters have a syslog
+    level as their value.</para>
+
+    <para>Valid levels are:</para>
+
+    <simplelist>
+      <member>7 - <emphasis role="bold">debug</emphasis> (Debug-level
+      messages)</member>
+
+      <member>6 - <emphasis role="bold">info</emphasis>
+      (Informational)</member>
+
+      <member>5 - <emphasis role="bold">notice</emphasis> (Normal but
+      significant Condition)</member>
+
+      <member>4 - <emphasis role="bold">warning</emphasis> (Warning
+      Condition)</member>
+
+      <member>3 - <emphasis role="bold">err</emphasis> (Error
+      Condition)</member>
+
+      <member>2 - <emphasis role="bold">crit</emphasis> (Critical
+      Conditions)</member>
+
+      <member>1 - <emphasis role="bold">alert</emphasis> (must be handled
+      immediately)</member>
+
+      <member>0 - <emphasis role="bold">emerg</emphasis> (System is
+      unusable)</member>
+    </simplelist>
+
+    <para>For most Shorewall logging, a level of 6 (info) is appropriate.
+    Shorewall log messages are generated by Netfilter and are logged using the
+    <emphasis>kern</emphasis> facility and the level that you specify. If you
+    are unsure of the level to choose, 6 (info) is a safe bet. You may specify
+    levels by name or by number.</para>
+
+    <para>Beginning with Shorewall 4.5.5, the <replaceable>level</replaceable>
+    name or number may be optionally followed by a comma-separated list of one
+    or more<replaceable> log options</replaceable>. The list is enclosed in
+    parentheses. Log options cause additional information to be included in
+    each log message.</para>
+
+    <para>Valid log options are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ip_options</emphasis></term>
+
+        <listitem>
+          <para>Log messages will include the option settings from the IP
+          header.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">macdecode</emphasis></term>
+
+        <listitem>
+          <para>Decode the MAC address and protocol.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">tcp_sequence</emphasis></term>
+
+        <listitem>
+          <para>Include TCP sequence numbers.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">tcp_options</emphasis></term>
+
+        <listitem>
+          <para>Include options from the TCP header.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">uid</emphasis></term>
+
+        <listitem>
+          <para>Include the UID of the sending program; only valid for packets
+          originating on the firewall itself.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>Example: <emphasis
+    role="bold">info(tcp_options,tcp_sequence)</emphasis></para>
+
+    <para>Syslogd writes log messages to files (typically in <filename
+    class="directory">/var/log/</filename>*) based on their facility and
+    level. The mapping of these facility/level pairs to log files is done in
+    /etc/syslog.conf (5). If you make changes to this file, you must restart
+    syslogd before the changes can take effect.</para>
+
+    <para>Syslog may also write to your system console. See <ulink
+    url="FAQ.htm#faq16">Shorewall FAQ 16</ulink> for ways to avoid having
+    Shorewall messages written to the console.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Configuring a Separate Log for Shorewall Messages (ulogd)</title>
+
+    <para>There are a couple of limitations to syslogd-based logging:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>If you give, for example, kern.info its own log destination then
+        that destination will also receive all kernel messages of levels 5
+        (notice) through 0 (emerg).</para>
+      </listitem>
+
+      <listitem>
+        <para>All kernel.info messages will go to that destination and not
+        just those from Netfilter.</para>
+      </listitem>
+
+      <listitem>
+        <para>Netfilter (Shorewall) messages show up in
+        <command>dmesg</command>.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>If your kernel has NFLOG target support (and most vendor-supplied
+    kernels do), you may also specify a log level of NFLOG (must be all caps).
+    When NFLOG is used, Shorewall will direct Netfilter to log the related
+    messages via the NFLOG target which will send them to a process called
+    <quote>ulogd</quote>. The ulogd program is included in most
+    distributions.</para>
+
+    <note>
+      <para>The NFLOG logging mechanism is <emphasis
+      role="underline">completely separate</emphasis> from syslog. Once you
+      switch to NFLOG, the settings in <filename>/etc/syslog.conf</filename>
+      have absolutely no effect on your Shorewall logging (except for
+      Shorewall status messages which still go to syslog).</para>
+    </note>
+
+    <para>You will need to change all instances of log levels (usually
+    <quote>info</quote>) in your Shorewall configuration files to
+    <quote>NFLOG</quote> - this includes entries in the policy, rules and
+    shorewall.conf files. If you initially installed using Shorewall 5.1.2 or
+    later, you can simply change the setting of LOG_LEVEL in
+    shorewall.conf.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Understanding the Contents of Shorewall Log Messages</title>
+
+    <para>For general information on the contents of Netfilter log messages,
+    see <ulink
+    url="http://logi.cc/en/2010/07/netfilter-log-format/">http://logi.cc/en/2010/07/netfilter-log-format/</ulink>.</para>
+
+    <para>For Shorewall-specific information, see <ulink
+    url="/FAQ.htm#faq17">FAQ #17</ulink>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Customizing the Content of Shorewall Log Messages</title>
+
+    <para>In a Shorewall logging rule, the log level can be followed by a
+    <firstterm>log tag</firstterm> as in "DROP:NFLOG:junk". The generated log
+    message will include "<emphasis>chain-name</emphasis> junk DROP".</para>
+
+    <para>By setting the LOGTAGONLY option to Yes in <ulink
+    url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
+    url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
+    disposition ('DROP' in the above example) will be omitted. Consider the
+    following rule:</para>
+
+    <programlisting>#ACTION                                    SOURCE          DEST           PROTO
+REJECT(icmp-proto-unreachable):notice:IPv6 loc             net            41      # who's using IPv6 tunneling</programlisting>
+
+    <para>This rule generates the following warning at compile time:</para>
+
+    <simplelist>
+      <member>WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp-p "
+      /etc/shorewall/rules (line 212)</member>
+    </simplelist>
+
+    <para>and produces the rather ugly prefix "Shorewall:IPv6:REJECT(icmp-p
+    ".</para>
+
+    <para>Now consider this similar rule:</para>
+
+    <programlisting>#ACTION                                              SOURCE          DEST           PROTO
+REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net            41      # who's using IPv6 tunneling</programlisting>
+
+    <para>With LOGTAGONLY=Yes, no warning is generated and the prefix becomes
+    "Shorewall:IPv6:tunneling:"</para>
+
+    <para>See the <ulink url="shorewall.conf.html">shorewall[6].conf man
+    page</ulink> for further information about how LOGTAGONLY=Yes can be
+    used.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Log Backends</title>
+
+    <para>Netfilter logging allows configuration of multiple backends. Logging
+    backends provide the The low-level forward of log messages. There are
+    currently three backends:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>LOG (ipt_LOG and ip6t_LOG).</term>
+
+        <listitem>
+          <para>Normal kernel-based logging to a syslog daemon.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>ULOG (ipt_ULOG)</term>
+
+        <listitem>
+          <para>ULOG logging as described ablve. Only available for
+          IPv4.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>netlink (nfnetlink_log)</term>
+
+        <listitem>
+          <para>The logging backend behind NFLOG, defined above.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>The currently-available and currently-selected IPv4 and IPv6
+    backends are shown in /proc/sys/net/netfilter/nf_log:</para>
+
+    <programlisting>cat /proc/net/netfilter/nf_log
+ 0 NONE (nfnetlink_log)
+ 1 NONE (nfnetlink_log)
+ 2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
+ 3 NONE (nfnetlink_log)
+ 4 NONE (nfnetlink_log)
+ 5 NONE (nfnetlink_log)
+ 6 NONE (nfnetlink_log)
+ 7 NONE (nfnetlink_log)
+ 8 NONE (nfnetlink_log)
+ 9 NONE (nfnetlink_log)
+10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
+11 NONE (nfnetlink_log)
+12 NONE (nfnetlink_log)</programlisting>
+
+    <para>The magic numbers (0-12) are Linux address family numbers (AF_INET
+    is 2 and AF_INET6 is 10).</para>
+
+    <para>The name immediately following the number is the currently-selected
+    backend, and the ones in parentheses are the ones that are available. You
+    can change the currently selected backend by echoing it's name into
+    /proc/net/netfilter/nf_log.<replaceable>number</replaceable>.</para>
+
+    <para>Example - change the IPv4 backend to LOG:</para>
+
+    <programlisting>sysctl net.netfilter.nf_log.2=ipt_LOG</programlisting>
+
+    <para>Beginning with Shorewall 4.6.4, you can configure the backend using
+    the LOG_BACKEND option in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
+    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+
+    <para><ulink
+    url="/shorewall_logging.htm">http://www.shorewall.net/shorewall_logging.html</ulink></para>
+  </refsect1>
+</refentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -674,6 +674,43 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">TCPMSS</emphasis>([<replaceable>mss</replaceable>[,<replaceable>ipsec</replaceable>]])</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.9. This target only applies to
+                TCP traffic and alters the MSS value in SYN packets. It may be
+                used in the FORWARD and POSTROUTING chains; the default is
+                FORWARD.</para>
+
+                <para>The <replaceable>mss</replaceable> parameter may be
+                either <option>pmtu</option> or an integer in the range
+                500:65533. The value <option>pmtu</option> automatically
+                clamps the MSS value to (path_MTU - 40 for IPv4; -60 for
+                IPv6). This may not function as desired where asymmetric
+                routes with differing path MTU exist — the kernel uses the
+                path MTU which it would use to send packets from itself to the
+                source and destination IP addresses. Prior to Linux 2.6.25,
+                only the path MTU to the destination IP address was considered
+                by this option; subsequent kernels also consider the path MTU
+                to the source IP address. If an integer is given, the MSS
+                option is set to the specified value. If the MSS of the packet
+                is already lower than <replaceable>mss</replaceable>, it will
+                not be increased (from Linux 2.6.25 onwards) to avoid more
+                problems with hosts relying on a proper MSS. If
+                <replaceable>mss</replaceable> is omitted,
+                <option>pmtu</option> is assumed.</para>
+
+                <para>The <replaceable>ipsec</replaceable> parameter
+                determines whether the rule applies to IPSEC traffic
+                (<option>ipsec</option> is passed), non-IPSEC traffic
+                (<option>none</option> is passed) or both
+                (<option>all</option> is passed). If omitted,
+                <option>all</option> is assumed.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</term>
@@ -710,7 +747,7 @@ Normal-Service       =&gt; 0x00</programlisting>

            <varlistentry>
              <term><emphasis
-              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])</term>
+              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>[,<replaceable>address</replaceable>]])</term>

              <listitem>
                <para>Transparently redirects a packet without altering the IP
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -279,8 +279,8 @@
          separate log through use of ulogd (<ulink
          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>

-          <para>For a description of log levels, see <ulink
-          url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+          <para>For a description of logging, see <ulink
+          url="/shorewall_logging.html">shorewall-logging(5)</ulink>.</para>

          <para>If you don't want to log but need to specify the following
          column, place "-" here.</para>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -84,7 +84,7 @@

          <para>If PROVIDER_OFFSET is non-zero in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          the value must be a mutiple of 2^^PROVIDER_OFFSET. In all cases, the
+          the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases, the
          number of significant bits may not exceed PROVIDER_OFFSET +
          PROVIDER_BITS.</para>
        </listitem>
@@ -220,7 +220,7 @@
                  <para>In IPV6, the <option>balance</option> option does not
                  cause balanced default routes to be created; it rather
                  causes a sequence of default routes with different metrics
-                  to be created. </para>
+                  to be created.</para>
                </caution>
              </listitem>
            </varlistentry>
@@ -438,6 +438,14 @@
                  <command>enable</command> and <command>reenable</command>
                  commands can reenable the provider.</para>
                </note>
+
+                <important>
+                  <para>RESTORE_DEFAULT_OPTION=Yes in shorewall[6].conf is not
+                  recommended when the <option>persistent</option> option is
+                  used, as restoring default routes to the main routing table
+                  can prevent link status monitors such as foolsm from
+                  correctly detecting non-working providers.</para>
+                </important>
              </listitem>
            </varlistentry>
          </variablelist>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -67,7 +67,7 @@
          this section.</para>

          <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE</para>
+          REJECT, LOG, NFLOG, NFQUEUE and QUEUE</para>

          <para>There is an implicit ACCEPT rule inserted at the end of this
          section.</para>
@@ -82,7 +82,7 @@
          section.</para>

          <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE</para>
+          REJECT, LOG, NFLOG, NFQUEUE and QUEUE</para>

          <para>There is an implicit rule added at the end of this section
          that invokes the RELATED_DISPOSITION (<ulink
@@ -98,7 +98,7 @@
          processed by rules in this section.</para>

          <para>The only Actions allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE.</para>
+          REJECT, LOG, NFLOG, NFQUEUE and QUEUE.</para>

          <para>There is an implicit rule added at the end of this section
          that invokes the INVALID_DISPOSITION (<ulink
@@ -114,7 +114,7 @@
          processed by rules in this section.</para>

          <para>The only Actions allowed in this section are ACCEPT, DROP,
-          REJECT, LOG, NFQUEUE and QUEUE.</para>
+          REJECT, LOG, NFLOG, NFQUEUE and QUEUE.</para>

          <para>There is an implicit rule added at the end of this section
          that invokes the UNTRACKED_DISPOSITION (<ulink
@@ -908,7 +908,7 @@
                <para>IPv4 only. Added in Shorewall 4.5.10. Queues matching
                packets to a back end logging daemon via a netlink socket then
                continues to the next rule. See <ulink
-                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>

                <para>Similar to<emphasis role="bold">
                LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)],
@@ -956,7 +956,7 @@
          (IPv4 only) or <emphasis role="bold">NFLOG</emphasis> (must be in
          upper case) as a log level.This will log to the ULOG or NFLOG target
          for routing to a separate log through use of ulogd (<ulink
-          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
+          url="shorewall-logging.html">shorewall-logging(5)</ulink>).</para>

          <para>Actions specifying logging may be followed by a log tag (a
          string of alphanumeric characters) which is appended to the string
@@ -2636,15 +2636,15 @@
  <refsect1>
    <title>See ALSO</title>

+    <para><ulink
+    url="shorewall-logging.html">shorewall-logging(5)</ulink></para>
+
    <para><ulink
    url="/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>

    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para><ulink
-    url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
-
    <para>shorewall(8)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -52,12 +52,52 @@
        <term><emphasis role="bold">ACTION</emphasis></term>

        <listitem>
-          <para>Defines the type of rule to generate. Choices are:</para>
+          <para>Defines the type of rule to generate. Beginning with Shorewall
+          5.1.9, with the exception of NFLOG and ULOG, the action may be
+          followed by a colon (":") and a <replaceable>log level</replaceable>
+          (see <ulink
+          url="shorewall-logging.html">shorewall-logging(5)</ulink>).</para>
+
+          <para>Choices for ACTION are:</para>

          <variablelist>
            <varlistentry>
              <term><emphasis
-              role="bold">MASQUERADE[+]</emphasis>[([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])]</term>
+              role="bold"><replaceable>action</replaceable></emphasis>[+][(<replaceable>parameter</replaceable>,...)][:<replaceable>level</replaceable>]</term>
+
+              <listitem>
+                <para>where <replaceable>action</replaceable> is an action
+                declared in <ulink
+                url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>
+                with the <option>nat</option> option. See <ulink
+                url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
+                further information.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">CONTINUE</emphasis>[+]:<replaceable>level</replaceable></term>
+
+              <listitem>
+                <para>Causes matching packets to be exempted from any
+                following rules in the file.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">LOG:<replaceable>level</replaceable></emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.9. Simply log the packet and
+                continue with the next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">MASQUERADE[+]</emphasis>[([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])][:<replaceable>level</replaceable>]</term>

              <listitem>
                <para>Causes matching outgoing packages to have their source
@@ -73,12 +113,52 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.9. Queues matching packets to a
+                back end logging daemon via a netlink socket then continues to
+                the next rule. See <ulink
+                url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>
+
+                <para>The <replaceable>nflog-parameters</replaceable> are a
+                comma-separated list of up to 3 numbers:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>The first number specifies the netlink group
+                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
+                    0 is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The second number specifies the maximum number of
+                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The third number specifies the number of log
+                    messages that should be buffered in the kernel before they
+                    are sent to user space. The default is 1.</para>
+                  </listitem>
+                </itemizedlist>
+
+                <para>NFLOG is similar to<emphasis role="bold">
+                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
+                except that the log level is not changed when this ACTION is
+                used in an action or macro body and the invocation of that
+                action or macro specifies a log level.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">SNAT[+]</emphasis>([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
              role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
              role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
-              role="bold">detect</emphasis>|</term>
+              role="bold">detect</emphasis>)[:<replaceable>level</replaceable>]</term>

              <listitem>
                <para>If you specify an address here, matching packets will
@@ -132,26 +212,21 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">CONTINUE</emphasis>[+]</term>
-
-              <listitem>
-                <para>Causes matching packets to be exempted from any
-                following rules in the file.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis
-              role="bold"><replaceable>action</replaceable></emphasis>[+][(<replaceable>parameter</replaceable>,...)]</term>
+              role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>

              <listitem>
-                <para>where <replaceable>action</replaceable> is an action
-                declared in <ulink
-                url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>
-                with the <option>nat</option> option. See <ulink
-                url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
-                further information.</para>
+                <para>IPv4 only. Added in Shorewall 5.1.9. Queues matching
+                packets to a back end logging daemon via a netlink socket then
+                continues to the next rule. See <ulink
+                url="shorewall-logging.html">shorewall-logging(5)</ulink>.</para>
+
+                <para>Similar to<emphasis role="bold">
+                LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)],
+                except that the log level is not changed when this ACTION is
+                used in an action or macro body and the invocation of that
+                action or macro specifies a log level.</para>
              </listitem>
            </varlistentry>
          </variablelist>
--- a/Shorewall/manpages/shorewall-tcdevices.xml
+++ b/Shorewall/manpages/shorewall-tcdevices.xml
@@ -160,7 +160,9 @@
          how often the rate is estimated and how many samples are retained
          for estimating. Please see <ulink
          url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink>
-          for details.</para>
+          for details. If not specified, the default
+          <replaceable>interval</replaceable> is 250ms and the default
+          <replaceable>decay_interval</replaceable> is 4sec.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-tcinterfaces.xml
+++ b/Shorewall/manpages/shorewall-tcinterfaces.xml
@@ -172,7 +172,9 @@
          how often the rate is estimated and how many samples are retained
          for estimating. Please see <ulink
          url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink>
-          for details.</para>
+          for details. If not specified, the default
+          <replaceable>interval</replaceable> is 250ms and the default
+          <replaceable>decay_interval</replaceable> is 4sec.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-zones.xml
+++ b/Shorewall/manpages/shorewall-zones.xml
@@ -107,7 +107,7 @@
                <simplelist>
                  <member>2 + 6 + 2*M + 1 = 29</member>

-                  <member>2M = 29 - 2 + 6 + 1 = 20</member>
+                  <member>2M = 29 - 2 - 6 - 1 = 20</member>

                  <member>M = 10</member>
                </simplelist>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -673,7 +673,7 @@

      <varlistentry>
        <term><emphasis
-        role="bold">CONFIG_PATH</emphasis>=[<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term>
+        role="bold">CONFIG_PATH</emphasis>=[[:]<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term>

        <listitem>
          <para>Specifies where configuration files other than
@@ -701,6 +701,16 @@
          /etc/shorewall:/usr/share/shorewall but your particular distribution
          may set it differently. See the output of shorewall show config for
          the default on your system.</para>
+
+          <para>Beginning with Shorewall 5.1.10, the CONFIG_PATH setting may
+          begin with a colon (":"), to signal that the first
+          <replaceable>directory</replaceable> listed will be skipped if the
+          user performing a compilation is not root or if the configuration is
+          being compiled for export (-e option specified or if running one of
+          the remote-* commands) . This prevents the compiler from looking in
+          <filename>/etc/shorewall[6]</filename>/ when compilation is being
+          done by a non-root user or if the generated script is to be sent to
+          a remote firewall system.</para>
        </listitem>
      </varlistentry>

@@ -720,6 +730,14 @@
          and <command>restart</command> commands will succeed even if no DNS
          server is reachable (assuming that the configuration hasn't changed
          since the compiled script was last generated).</para>
+
+          <important>
+            <para>When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes and a DNS
+            change makes it necessary to recompile an existing firewall
+            script, the <option>-c</option> option must be used with the
+            <command>reload</command> or <command>restart</command> command to
+            force recompilation.</para>
+          </important>
        </listitem>
      </varlistentry>

@@ -1566,10 +1584,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
          If not assigned or if assigned an empty value, /var/log/messages is
          assumed. For further information, see <ulink
-          url="/manpages/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
-          Beginning with Shorewall 5.0.10.1, you may specify
-          <option>systemd</option> to use <command>journelctl -r</command> to
-          read the log.</para>
+          url="shorewall-logging.html">shorewall-logging(8)</ulink>. Beginning
+          with Shorewall 5.0.10.1, you may specify <option>systemd</option> to
+          use <command>journelctl -r</command> to read the log.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/Makefile-lite
+++ b/Shorewall6/Makefile-lite
@@ -1,82 +0,0 @@
-#     Shorewall6 Packet Filtering Firewall Export Directory Makefile - V4.2
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
-#
-#	Shorewall documentation is available at http://www.shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-################################################################################
-# Place this file in each export directory. Modify each copy to set HOST
-# to the name of the remote firewall corresponding to the directory.
-#
-#	To make the 'firewall' script, type "make".
-#
-#	Once the script is compiling correctly, you can install it by
-#	typing "make install".
-#
-################################################################################
-#                             V A R I A B L E S
-#
-# Files in the export directory on which the firewall script does not depend
-#
-IGNOREFILES =  firewall% Makefile% trace% %~
-#
-# Remote Firewall system
-#
-HOST = gateway
-#
-# Save some typing
-#
-LITEDIR = /var/lib/shorewall6-lite
-#
-# Set this if the remote system has a non-standard modules directory
-#
-MODULESDIR=
-#
-# Default target is the firewall script
-#
-################################################################################
-#                                T A R G E T S
-#
-all: firewall
-#
-# Only generate the capabilities file if it doesn't already exist
-#
-capabilities:
-	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall6-lite/shorecap > $(LITEDIR)/capabilities"
-	scp root@$(HOST):$(LITEDIR)/capabilities .
-#
-# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
-# 'filter-out' will be presented with the list of files in this directory rather than "*"
-#
-firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
-	shorewall6 compile -e . firewall
-#
-# Only reload on demand.
-#
-install: firewall
-	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
-	ssh root@$(HOST) "/sbin/shorewall6-lite restart"
-#
-# Save running configuration
-#
-save:
-	ssh root@$(HOST) "/sbin/shorewall6-lite save"
-#
-# Remove generated files
-#
-clean:
-	rm -f capabilities firewall firewall.conf reload
--- a/Shorewall6/Samples6/Universal/interfaces
+++ b/Shorewall6/Samples6/Universal/interfaces
@@ -11,5 +11,5 @@
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore
-net	all		dhcp,physical=+,routeback,sourceroute=0
+net	all		dhcp,physical=+,routeback

--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -74,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

--- a/Shorewall6/Samples6/one-interface/interfaces
+++ b/Shorewall6/Samples6/one-interface/interfaces
@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 5 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2015 by the Shorewall Team
+# Shorewall6 - Sample Interfaces File for one-interface configuration.
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,4 +14,4 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags
+net     NET_IF          tcpflags,physical=eth0
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -75,7 +75,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

--- a/Shorewall6/Samples6/three-interfaces/interfaces
+++ b/Shorewall6/Samples6/three-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2014by the Shorewall Team
+# Shorewall6 - Sample Interfaces File for three-interface configuration.
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,6 +14,6 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,forward=1,sourceroute=0
-loc     eth1            tcpflags,forward=1
-dmz     eth2            tcpflags,forward=1
+net     NET_IF          tcpflags,forward=1,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,forward=1,physical=eth1
+dmz     DMZ_IF          tcpflags,forward=1,physical=eth2
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -74,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

--- a/Shorewall6/Samples6/three-interfaces/stoppedrules
+++ b/Shorewall6/Samples6/three-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.5 Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012-2014 by the Shorewall Team
+# Shorewall6 - Sample Stoppedrules File for three-interface configuration.
+# Copyright (C) 2012-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,8 +13,7 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		eth1		-
-ACCEPT		-		eth1
-ACCEPT		eth2		-
-ACCEPT		-		eth2
-
+ACCEPT		LOC_IF		-
+ACCEPT		-		LOC_IF
+ACCEPT		DMZ_IF		-
+ACCEPT		-		DMZ_IF
--- a/Shorewall6/Samples6/two-interfaces/interfaces
+++ b/Shorewall6/Samples6/two-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2014 by the Shorewall Team
+# Shorewall6 - Sample Interfaces File for two-interface configuration.
+# Copyright (C) 2006-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,5 +14,5 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,forward=1,sourceroute=0
-loc     eth1            tcpflags,forward=1
+net     NET_IF          tcpflags,forward=1,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,forward=1,physical=eth1
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -74,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

--- a/Shorewall6/Samples6/two-interfaces/stoppedrules
+++ b/Shorewall6/Samples6/two-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.5 Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012-2014 by the Shorewall Team
+# Shorewall6 - Sample Stoppedrules File for two-interface configuration.
+# Copyright (C) 2012-2017 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,5 +13,5 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		eth1		-
-ACCEPT		-		eth1
+ACCEPT		LOC_IF		-
+ACCEPT		-		LOC_IF
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -8,42 +8,43 @@
 #
 ###############################################################################
 #ACTION
-A_Drop	                        # Audited Default Action for DROP policy
-A_Reject	                # Audited Default Action for REJECT policy
-A_AllowICMPs	                # Audited Accept needed ICMP6 types
-AllowICMPs   	                # Accept needed ICMP6 types
+A_Drop				# Audited Default Action for DROP policy
+A_Reject			# Audited Default Action for REJECT policy
+A_AllowICMPs proto=58		# Audited Accept needed ICMP6 types
+AllowICMPs   proto=58		# Accept needed ICMP6 types
 allowBcast   inline		# Silently Allow Broadcast
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 allowMcast   inline		# Silently Allow Multicast
-AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
-AutoBLL      noinline           # Helper for AutoBL
+AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
+AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
-Broadcast    noinline      	# Handles Broadcast/Anycast
-Drop		        	# Default Action for DROP policy (deprecated)
+Broadcast    noinline		# Handles Broadcast/Anycast
+Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
 dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
-dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
-DropDNSrep   inline		# Drops DNS replies
-DropSmurfs   noinline     	# Handles packets with a broadcast source address
+dropNotSyn   noinline,proto=6	# Silently Drop Non-syn TCP packets
+DropDNSrep   inline,proto=17	# Drops DNS replies
+DropSmurfs   noinline		# Handles packets with a broadcast source address
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED
-FIN	     inline,audit	# Handles ACK,FIN,PSH packets
+FIN	     inline,audit,\	# Handles ACK,FIN,PSH packets
+	     proto=6
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
-IfEvent      noinline           # Perform an action based on an event
-Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
-             state=INVALID
-Multicast    noinline      	# Handles Multicast
+IfEvent	     noinline		# Perform an action based on an event
+Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
+	     state=INVALID
+Multicast    noinline		# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
-Reject		        	# Default Action for REJECT policy (deprecated)
-rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
-Related      inline,\		# Handles packets in the RELATED conntrack state
-             state=RELATED
+NotSyn	     inline,proto=6	# Handles TCP packets that do not have SYN=1 and ACK=0
+Reject				# Default Action for REJECT policy (deprecated)
+rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
+Related	     inline,\		# Handles packets in the RELATED conntrack state
+	     state=RELATED
 ResetEvent   inline		# Reset an Event
-RST	     inline             # Handle packets with RST set
+RST	     inline,proto=6	# Handle packets with RST set
 SetEvent     inline		# Initialize an event
-TCPFlags    			# Handles bad flags combinations
-Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
+TCPFlags     proto=6		# Handles bad flags combinations
+Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
 	     state=UNTRACKED
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -74,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE

--- a/Shorewall6/configpath
+++ b/Shorewall6/configpath
@@ -3,4 +3,4 @@
 #
 # /usr/share/shorewall6/configpath
 #
-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -162,8 +162,7 @@
            <entry><ulink url="traffic_shaping.htm">Bandwidth
            Control</ulink></entry>

-            <entry>Manpages (<ulink url="Manpages.html">IPv4</ulink>) (<ulink
-            url="Manpages6.html">IPv6</ulink>)</entry>
+            <entry><ulink url="Manpages.html">Manpages</ulink></entry>

            <entry><ulink
            url="starting_and_stopping_shorewall.htm">Starting/stopping the
--- a/docs/Helpers.xml
+++ b/docs/Helpers.xml
@@ -71,7 +71,7 @@
      </listitem>

      <listitem>
-        <para>PPTP (TCP 1729)</para>
+        <para>PPTP (TCP 1723)</para>
      </listitem>

      <listitem>
@@ -121,9 +121,10 @@
      of your system.</para>

      <para>Many of the modules allow parameters to be specified when the
-      module is loaded. Among the common parameters is the ports parameter
-      that lists one or more ports that the module is to monitor. This allows
-      running the application on a non-standard port.</para>
+      module is loaded. Among the common parameters is the
+      <option>ports</option> parameter that lists one or more ports that the
+      module is to monitor. This allows running the application on a
+      non-standard port.</para>
    </section>

    <section>
--- a/docs/Manpages.xml
+++ b/docs/Manpages.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2007-2015</year>
+      <year>2007-2017</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -83,6 +83,9 @@
        Describes how to specify set names in Shorewall configuration
        files.</member>

+        <member><ulink url="manpages/shorewall-logging.html">logging</ulink> -
+        Provides an overview of Shorewall packet logging facilities</member>
+
        <member><ulink url="manpages/shorewall-maclist.html">maclist</ulink> -
        Define MAC verification.</member>

@@ -115,7 +118,11 @@
        routing tables, usually for multiple Internet links.</member>

        <member><ulink url="manpages/shorewall-proxyarp.html">proxyarp</ulink>
-        - Define Proxy ARP.</member>
+        - Define Proxy ARP (IPv4)</member>
+
+        <member><ulink
+        url="manpages6/shorewall-proxyndp.html">proxyndp</ulink> - Define
+        Proxy NDP (IPv6)</member>

        <member><ulink url="manpages/shorewall-rtrules.html">rtrules</ulink> -
        Define routing rules.</member>
@@ -157,10 +164,18 @@
        url="manpages/shorewall.conf.html">shorewall.conf</ulink> - Specify
        values for global Shorewall options.</member>

+        <member><ulink
+        url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink> - Specify
+        values for global Shorewall6 options.</member>
+
        <member><ulink
        url="manpages/shorewall-lite.conf.html">shorewall-lite.conf</ulink> -
        Specify values for global Shorewall Lite options.</member>

+        <member><ulink
+        url="manpages6/shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>
+        - Specify values for global Shorewall6 Lite options.</member>
+
        <member><ulink url="manpages/shorewall-vardir.html">vardir</ulink> -
        Redefine the directory where Shorewall keeps its state
        information.</member>
@@ -182,16 +197,8 @@
    <blockquote>
      <simplelist>
        <member><ulink url="manpages/shorewall.html">shorewall</ulink> -
-        /sbin/shorewall command syntax and semantics.</member>
-
-        <member><ulink
-        url="manpages/shorewall-init.html">shorewall-init</ulink> - Companion
-        package that allows for automatic start/stop of other Shorewall
-        products based on network events.</member>
-
-        <member><ulink
-        url="manpages/shorewall-lite.html">shorewall-lite</ulink> -
-        /sbin/shorewall-lite command syntax and semantics.</member>
+        /sbin/shorewall, /sbin/shorewall6/, /sbin/shorewall-lite and
+        /sbin/shorewall6-line command syntax and semantics.</member>
      </simplelist>
    </blockquote>
  </section>
--- a/docs/SharedConfig.xml
+++ b/docs/SharedConfig.xml
@@ -2,7 +2,7 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article>
-  <!--$Id$-->
+  <!--mangle$Id$-->

  <articleinfo>
    <title>Shared Shorewall and Shorewall6 Configuration</title>
@@ -65,6 +65,10 @@
    mail exchanger, and an IMAPS mail access server. The second bridge (br1)
    provides access to a container running irssi under screen, allowing
    constant access to and monitoring of IRC channels.</para>
+
+    <para>Here is a diagram of this installation:</para>
+
+    <graphic fileref="images/Network2017.png"/>
  </section>

  <section>
@@ -72,44 +76,76 @@

    <para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>

-    <programlisting>root@gateway:/etc# ls -l shorewall shorewall6
-shorewall:
-total 88
-rw-r--r-- 1 root root  201 Mar 19 08:43 action.Mirrors
-rw-r--r-- 1 root root  109 Jun 29 15:13 actions
-rw-r--r-- 1 root root  655 Jun 29 15:13 conntrack
-rw-r--r-- 1 root root  107 Jul  1 10:40 hosts
+    <programlisting>root@gateway:~# ls -l /etc/shorewall/
+total 92
+-rw-r--r-- 1 root root  201 Mar 19  2017 action.Mirrors
+-rw-r--r-- 1 root root  109 Oct 20 09:18 actions
+-rw-r--r-- 1 root root  654 Oct 13 13:46 conntrack
+-rw-r--r-- 1 root root  104 Oct 13 13:21 hosts
 -rw-r--r-- 1 root root  867 Jul  1 10:50 interfaces
 -rw-r--r-- 1 root root  107 Jun 29 15:14 isusable
-rw-r--r-- 1 root root  497 Jul  1 10:42 mangle
-rw-r--r-- 1 root root    7 Jul  6 09:24 masq
+-rw-r--r-- 1 root root  240 Oct 13 13:34 macro.FTP
+-rw-r--r-- 1 root root  559 Oct 19 12:56 mangle
 -rw-r--r-- 1 root root 1290 Jun 29 15:16 mirrors
-rw-r--r-- 1 root root 2650 Jul  2 08:05 params
-rw-r--r-- 1 root root  645 Jun 28 10:04 policy
-rw-r--r-- 1 root root 1828 Jul  1 15:43 providers
-rw-r--r-- 1 root root  398 Mar 18 20:18 proxyarp
-rw-r--r-- 1 root root  702 Jul  1 10:42 rtrules
-rw-r--r-- 1 root root 6214 Jul  2 08:45 rules
-lrwxrwxrwx 1 root root   29 Jul  6 12:42 shorewall6.conf -&gt; ../shorewall6/shorewall6.conf
-rw-r--r-- 1 root root 5571 Jun 25 18:09 shorewall.conf
-rw-r--r-- 1 root root 1084 Jul  1 10:42 snat
+-rw-r--r-- 1 root root 2687 Oct 15 14:20 params
+-rw-r--r-- 1 root root  738 Oct 15 12:16 policy
+-rw-r--r-- 1 root root 1838 Oct 11 08:29 providers
+-rw-r--r-- 1 root root  398 Mar 18  2017 proxyarp
+-rw-r--r-- 1 root root  738 Nov  8 09:34 routes
+-rw-r--r-- 1 root root  729 Nov  7 12:52 rtrules
+-rw-r--r-- 1 root root 6367 Oct 13 13:21 rules
+-rw-r--r-- 1 root root 5520 Oct 19 10:01 shorewall.conf
+-rw-r--r-- 1 root root 1090 Oct 25 15:17 snat
 -rw-r--r-- 1 root root  181 Jun 29 15:12 started
-rw-r--r-- 1 root root  437 Jun 28 10:45 tunnels
-rw-r--r-- 1 root root  928 Jun 29 08:25 zones
-
-shorewall6:
-total 12
-rw------- 1 root root  954 Jul  6 12:48 conntrack
+-rw-r--r-- 1 root root  435 Oct 13 13:21 tunnels
+-rw-r--r-- 1 root root  941 Oct 15 11:27 zones
+root@gateway:~# ls -l /etc/shorewall6/
+total 8
 lrwxrwxrwx 1 root root   20 Jul  6 16:35 mirrors -&gt; ../shorewall/mirrors
 lrwxrwxrwx 1 root root   19 Jul  6 12:48 params -&gt; ../shorewall/params
-rw-r--r-- 1 root root 5328 Jul  6 12:45 shorewall6.conf
-root@gateway:/etc# </programlisting>
+-rw-r--r-- 1 root root 5332 Oct 14 11:53 shorewall6.conf
+root@gateway:~# 
+</programlisting>

    <para>The various configuration files are described in the sections that
    follow. Note that in all cases, these files use the <ulink
    url="/configuration_file_basics.htm#Pairs">alternate format for column
    specification</ulink>.</para>

+    <section>
+      <title>/usr/share/shorewall/shorewallrc</title>
+
+      <para>The key setting here is SPARSE=Very</para>
+
+      <programlisting>#
+# Created by Shorewall Core version 5.0.12-RC1 configure.pl - Sep 25 2016 09:30:55
+# rc file: shorewallrc.debian.systemd
+#
+HOST=debian
+PREFIX=/usr
+SHAREDIR=${PREFIX}/share
+LIBEXECDIR=${PREFIX}/share
+PERLLIBDIR=${PREFIX}/share/shorewall
+CONFDIR=/etc
+SBINDIR=/sbin
+MANDIR=${PREFIX}/share/man
+INITDIR=
+INITSOURCE=init.debian.sh
+INITFILE=
+AUXINITSOURCE=
+AUXINITFILE=
+SERVICEDIR=/lib/systemd/system
+SERVICEFILE=$PRODUCT.service.debian
+SYSCONFFILE=default.debian
+SYSCONFDIR=/etc/default
+SPARSE=Very
+ANNOTATED=
+VARLIB=/var/lib
+VARDIR=${VARLIB}/$PRODUCT
+DEFAULT_PAGER=/usr/bin/less
+</programlisting>
+    </section>
+
    <section>
      <title>shorewall.conf and shorewall6.conf</title>

@@ -117,15 +153,11 @@ root@gateway:/etc# </programlisting>
      address families. The key setting is CONFIG_PATH in
      shorewall6.conf:</para>

-      <programlisting>CONFIG_PATH="<emphasis role="bold">${CONFDIR}/shorewall:</emphasis>/usr/share/shorewall6:${SHAREDIR}/shorewall"</programlisting>
+      <programlisting>CONFIG_PATH="<emphasis role="bold">${CONFDIR}/shorewall6:${CONFDIR}/shorewall:</emphasis>/usr/share/shorewall6:${SHAREDIR}/shorewall"</programlisting>

      <para><filename>/etc/shorewall6/</filename> is only used for processing
      the <filename>params</filename> and <filename>shorewall6.conf</filename>
-      files. <filename>/etc/shorewall6/conntrack</filename> is installed when
-      SPARSE=Yes, but is not used.</para>
-
-      <para>The /etc/shorewall/shorewall6.conf symbolic link is required once
-      the above CONFIG_PATH setting is in effect.</para>
+      files.</para>

      <section>
        <title>shorewall.conf</title>
@@ -134,6 +166,13 @@ root@gateway:/etc# </programlisting>
        follows:</para>

        <programlisting>###############################################################################
+#
+#  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
+#
+#  For information about the settings in this file, type "man shorewall.conf"
+#
+#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
+###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
 STARTUP_ENABLED=Yes
@@ -230,7 +269,7 @@ DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=Yes
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=No
 HELPERS="ftp,irc"
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
@@ -244,8 +283,7 @@ MACLIST_TTL=60
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
-MINIUPNPD=Yes
-MODULE_SUFFIX="ko ko.xz"
+MINIUPNPD=No
 MULTICAST=No
 MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=unreachable
@@ -267,13 +305,13 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 TRACK_PROVIDERS=Yes
 TRACK_RULES=No
 USE_DEFAULT_RT=Yes
-USE_NFLOG_SIZE=No
+USE_NFLOG_SIZE=Yes
 USE_PHYSICAL_NAMES=Yes
 USE_RT_NAMES=Yes
 VERBOSE_MESSAGES=No
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
-ZERO_MARKS=Yes
+ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
@@ -304,6 +342,14 @@ ZONE_BITS=0
        <para>The contents of /etc/shorewall6/shorewall6.conf are:</para>

        <programlisting>###############################################################################
+#
+#  Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
+#
+#  For information about the settings in this file, type "man shorewall6.conf"
+#
+#  Manpage also online at
+#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
 STARTUP_ENABLED=Yes
@@ -343,7 +389,7 @@ UNTRACKED_LOG_LEVEL=
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH="${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall6:${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
 IP6TABLES=
 IP=
@@ -378,7 +424,7 @@ ACCOUNTING=Yes
 ACCOUNTING_TABLE=mangle
 ADMINISABSENTMINDED=Yes
 AUTOCOMMENT=Yes
-AUTOHELPERS=Yes
+AUTOHELPERS=No
 AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
@@ -393,8 +439,8 @@ DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=Yes
-FORWARD_CLEAR_MARK=Yes
-HELPERS=
+FORWARD_CLEAR_MARK=No
+HELPERS=ftp
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=No
@@ -406,8 +452,7 @@ MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MARK_IN_FORWARD_CHAIN=No
-MINIUPNPD=Yes
-MODULE_SUFFIX=ko
+MINIUPNPD=No
 MUTEX_TIMEOUT=60
 OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
@@ -415,7 +460,7 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 REQUIRE_INTERFACE=No
 RESTART=restart
-RESTORE_DEFAULT_ROUTE=Yes
+RESTORE_DEFAULT_ROUTE=No
 RESTORE_ROUTEMARKS=Yes
 SAVE_IPSETS=No
 TC_ENABLED=Shared
@@ -424,10 +469,10 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 TRACK_PROVIDERS=Yes
 TRACK_RULES=No
 USE_DEFAULT_RT=Yes
-USE_NFLOG_SIZE=No
+USE_NFLOG_SIZE=Yes
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
-VERBOSE_MESSAGES=Yes
+VERBOSE_MESSAGES=No
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
 ZERO_MARKS=No
@@ -485,11 +530,12 @@ if [ $g_family = 4 ]; then
    LISTS=70.90.191.124	   # IP address of lists.shorewall.net (MX)
    MAIL=70.90.191.122	   # IP address of mail.shorewall.net  (IMAPS)
    SERVER=70.90.191.125   # IP address of www.shorewall.org
-    PROXY=Yes		   # Use TPROXY for local web access
+    PROXY=		   # Use TPROXY for local web access
    ALL=0.0.0.0/0	   # Entire address space
    LOC_ADDR=172.20.1.253  # IP address of the local LAN interface
    FAST_GATEWAY=10.2.10.1 # Default gateway through the IF_FAST interface
    FAST_MARK=0x20000	   # Multi-ISP mark setting for IF_FAST
+    IPSECMSS=1460
    #
    # Interface Options
    #
@@ -508,11 +554,12 @@ else
    LISTS=[2001:470:b:227::42]		      # IP address of lists.shorewall.net (MX and HTTPS)
    MAIL=[2001:470:b:227::45]		      # IP address of mail.shorewall.net  (IMAPS and HTTPS)
    SERVER=[2001:470:b:227::43]		      # IP address of www.shorewall.org   (HTTP, FTP and RSYNC)
-    PROXY=
+    PROXY=3				      # Use TPROXY for local web access
    ALL=[::]/0				      # Entire address space
-    LOC_ADDR=[2601:601:8b00:bf0::1]	      # IP address of the local LAN interface
+    LOC_ADDR=[2601:601:a000:16f0::1]	      # IP address of the local LAN interface
    FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf    # Default gateway through the IF_FAST interface
    FAST_MARK=0x100			      # Multi-ISP mark setting for IF_FAST
+    IPSECMSS=1440
    #
    # Interface Options
    #
@@ -521,8 +568,7 @@ else
    LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2
    DMZ_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br0
    IRC_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br1
-fi
-</programlisting>
+fi</programlisting>
    </section>

    <section>
@@ -530,17 +576,20 @@ fi

      <para>Here is the /etc/shorewall/zones file:</para>

-      <programlisting>#ZONE	TYPE	OPTIONS			IN			OUT
+      <programlisting>###############################################################################
+#ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
+
 #
 # By using the 'ip' type, both Shorewall and Shorewall6 can share this file
 #
+
 fw	{ TYPE=firewall }
 net	{ TYPE=ip }
 loc	{ TYPE=ip }
 dmz	{ TYPE=ip }
 apps	{ TYPE=ip }
-vpn1	{ TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp }
+vpn	{ TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS }
 </programlisting>
    </section>

@@ -551,6 +600,8 @@ vpn1	{ TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp }
      /etc/shorewall/params:</para>

      <programlisting>#
+# The two address families use different production interfaces and different 
+#
 # LOC_IF is the local LAN for both families
 # FAST_IF is a Comcast IPv6 beta uplink which is used for internet access from the local lan for both families
 # PROD_IF is the interface used by shorewall.org servers
@@ -563,7 +614,8 @@ loc  { INTERFACE=LOC_IF,  OPTIONS=$LOC_OPTIONS }
 net  { INTERFACE=FAST_IF, OPTIONS=$FAST_OPTIONS }
 net  { INTERFACE=PROD_IF, OPTIONS=$PROD_OPTIONS }
 dmz  { INTERFACE=DMZ_IF,  OPTIONS=$DMZ_OPTIONS }
-apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }</programlisting>
+apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }
+</programlisting>
    </section>

    <section>
@@ -572,9 +624,9 @@ apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }</programlisting>
      <para>/etc/shorewall/hosts is used to define the vpn zone:</para>

      <programlisting>#ZONE		HOSTS				OPTIONS
-vpn1 { HOSTS=PROD_IF:$ALL }
-vpn1 { HOSTS=FAST_IF:$ALL }
-vpn1 { HOSTS=LOC_IF:$ALL }
+vpn { HOSTS=PROD_IF:$ALL }
+vpn { HOSTS=FAST_IF:$ALL }
+vpn { HOSTS=LOC_IF:$ALL }
 </programlisting>
    </section>

@@ -583,17 +635,22 @@ vpn1 { HOSTS=LOC_IF:$ALL }

      <para>The same set of policies apply to both address families:</para>

-      <programlisting>#SOURCE         DEST            POLICY					LOGLEVEL		RATE
-$FW { DEST=dmz,net, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
-$FW { DEST=all, POLICY=ACCEPT }
-loc { DEST=net, POLICY=ACCEPT }
-loc,vpn1,apps { DEST=loc,vpn1,apps POLICY=ACCEPT }
-loc { DEST=fw, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
-net { DEST=net, POLICY=NONE }
-net { DEST=fw, POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
-net { DEST=all, POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
-dmz { DEST=fw, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
-all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
+      <programlisting>#SOURCE	       DEST		 POLICY									  LOGLEVEL	      RATE
+
+$FW	     { DEST=dmz,net,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
+$FW	     { DEST=all,	 POLICY=ACCEPT }
+
+loc	     { DEST=net,	 POLICY=ACCEPT }
+loc,vpn,apps { DEST=loc,vpn,apps POLICY=ACCEPT }
+loc	     { DEST=fw,		 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
+
+net	     { DEST=net,	 POLICY=NONE }
+net	     { DEST=fw,		 POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
+net	     { DEST=all,	 POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL,				  LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
+
+dmz	     { DEST=fw,		 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
+
+all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 </programlisting>
    </section>

@@ -631,7 +688,7 @@ all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
    # FAST_IF is primary, PROD_IF is fallback
    #
    ?info Compiling with FALLBACK
-    IPv6Fast	    { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,primary,persistent }
+    IPv6Beta	    { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,primary,persistent,noautosrc }
    ?if __IPV4
 	ComcastB    { NUMBER=4, MARK=0x10000,	 INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,fallback,persistent }
    ?else    
@@ -641,19 +698,19 @@ all { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
    # Statistically balance traffic between FAST_IF and PROD_IF
    ?info Compiling with STATISTICAL
    ?if __IPV4
-    	IPv6Fast    { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary }
+    	IPv6Beta    { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary }
    ?else
 	HE	    { NUMBER=2, MARK=0x200,   INTERFACE=PROD_IF,                        OPTIONS=track,load=0.33333333,persistent }
    ?endif
 ?else
    ?INFO Compiling with BALANCE
-    IPv6Fast	 { NUMBER=1, MARK=0x100,   INTERFACE=eth0,    GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
+    IPv6Beta	 { NUMBER=1, MARK=0x100,   INTERFACE=eth0,    GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
    ?if __IPV4
 	ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=IPV4_IF, GATEWAY=10.1.10.1,     OPTIONS=nohostroute,loose,balance,persistent }
    ?else
-        ?warning No BALANCE IPv6 configuration - using FALLBACK  
+        ?warning No BALANCE IPv6 configuration
 	HE	 { NUMBER=2, MARK=0x200,   INTERFACE=PROD_IF,			     OPTIONS=fallback,persistent }
-    ?endif
+    ?endif    
 ?endif

 Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
@@ -670,19 +727,35 @@ Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }

 #
 # This file ensures that the DMZ is routed out of the IF_PROD interface
-# and that the IPv6 subnets delegated by the Fast router are routed out
+# and that the IPv6 subnets delegated by the Beta router are routed out
 # of the IF_FAST interface.
 #
 ?if __IPV4
-    { SOURCE=70.90.191.121,70.90.191.123, PROVIDER=ComcastB, PRIORITY=1000! }
-    { SOURCE=&amp;FAST_IF,	              	  PROVIDER=IPv6Fast, PRIORITY=1000! }
-    { SOURCE=br0,	     		  PROVIDER=ComcastB, PRIORITY=11000 }
+    { SOURCE=70.90.191.121,70.90.191.123,10.1.10.1 PROVIDER=ComcastB, PRIORITY=1000! }
+    { SOURCE=&amp;FAST_IF,	              	  	   PROVIDER=IPv6Beta, PRIORITY=1000! }
+    { SOURCE=br0,	     		  	   PROVIDER=ComcastB, PRIORITY=11000 }
 ?else
-    { SOURCE=2001:470:A:227::/64,         PROVIDER=HE,	     PRIORITY=1000! }
-    { SOURCE=2001:470:B:227::/64,         PROVIDER=HE,	     PRIORITY=11000 }
-    { SOURCE=2601:601:8b00:bf0::/60	  PROVIDER=IPv6Fast, PRIORITY=11000 }
-?endif
-</programlisting>
+    { SOURCE=2601:601:a000:1600::/64		   PROVIDER=IPv6Beta, PRIORITY=1000! }
+    { SOURCE=2001:470:B:227::/64,         	   PROVIDER=HE,	      PRIORITY=1000! }
+    { SOURCE=2601:601:a000:16f0::/60	  	   PROVIDER=IPv6Beta, PRIORITY=11000 }
+?endif</programlisting>
+    </section>
+
+    <section>
+      <title>routes</title>
+
+      <para>This file is used only for IPv6:</para>
+
+      <programlisting>#PROVIDER		DEST			GATEWAY		DEVICE	OPTIONS
+?if __IPV6
+    #
+    # In my version of FOOLSM (1.0.10), the 'sourceip' option doesn't work.
+    # As a result, routing rules that specify the source IPv6 address are
+    # not effective in routing the 'ping' request packets out of FAST_IF.
+    # The following route solves that problem.
+    #
+    { PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=fe80::22e5:2aff:feb7:f2cf, DEVICE=FAST_IF, OPTIONS=persistent }
+?endif</programlisting>
    </section>

    <section>
@@ -705,6 +778,20 @@ $1	$MIRRORS
 </programlisting>
    </section>

+    <section>
+      <title>Macros</title>
+
+      <para>/etc/shorewall/macro.FTP:</para>
+
+      <programlisting>###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+PARAM	-	-	tcp	21
+</programlisting>
+
+      <para>This is just the normal Shorewall FTP macro without the helper
+      logic -- we take care of that in the conntrack file below.</para>
+    </section>
+
    <section>
      <title>conntrack</title>

@@ -749,6 +836,8 @@ Trcrt(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 }
 ACCEPT		{ SOURCE=all, DEST=dmz:$SERVER, PROTO=tcp,  DPORT=61001:62000,  helper=ftp }
 ACCEPT		{ SOURCE=dmz, DEST=all,		PROTO=tcp,  helper=ftp }
 ACCEPT		{ SOURCE=all, DEST=net,		PROTO=tcp,  helper=ftp }
+ACCEPT		{ SOURCE=$FW, DEST=loc,		PROTO=tcp,  helper=ftp }
+ACCEPT		{ SOURCE=loc, DEST=$FW,		PROTO=tcp,  helper=ftp }
 ACCEPT		{ SOURCE=all, DEST=all,		PROTO=icmp }
 RST(ACCEPT)	{ SOURCE=all, DEST=all }
 ACCEPT		{ SOURCE=dmz, DEST=dmz }
@@ -773,8 +862,8 @@ CONTINUE	  { SOURCE=$FW, DEST=all }
 ######################################################################################################
 # Stop certain outgoing traffic to the net
 #
-REJECT:$LOG_LEVEL { SOURCE=loc,vpn1,apps DEST=net, PROTO=tcp, DPORT=25 }		#Stop direct loc-&gt;net SMTP (Comcast uses submission).
-REJECT:$LOG_LEVEL { SOURCE=loc,vpn1,apps DEST=net, PROTO=udp, DPORT=1025:1031 }	#MS Messaging
+REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=tcp, DPORT=25 }		#Stop direct loc-&gt;net SMTP (Comcast uses submission).
+REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 }	#MS Messaging

 REJECT		{ SOURCE=all, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" }
 REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" }
@@ -795,7 +884,7 @@ REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" }
 ######################################################################################################
 # Ping
 #
-Ping(ACCEPT)	  { SOURCE=$FW,loc,dmz,vpn1, DEST=$FW,loc,dmz,vpn1 }
+Ping(ACCEPT)	  { SOURCE=$FW,loc,dmz,vpn, DEST=$FW,loc,dmz,vpn }
 Ping(ACCEPT)	  { SOURCE=all,              DEST=net }
 ######################################################################################################
 # SSH
@@ -809,7 +898,7 @@ SSH(DNAT-)	  { SOURCE=net,              DEST=172.20.2.44, PROTO=tcp, DPORT=ssh,
 ######################################################################################################
 # DNS
 #
-DNS(ACCEPT)	  { SOURCE=loc,dmz,vpn1,apps, DEST=$FW }
+DNS(ACCEPT)	  { SOURCE=loc,dmz,vpn,apps, DEST=$FW }
 DNS(ACCEPT)	  { SOURCE=$FW, DEST=net }
 ######################################################################################################
 # Traceroute
@@ -825,27 +914,31 @@ SMTP(REJECT)	   { SOURCE=dmz:$LISTS, DEST=net }
 IMAPS(ACCEPT)  	   { SOURCE=all, DEST=dmz:$MAIL }
 Submission(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS }
 SMTPS(ACCEPT) 	   { SOURCE=all, DEST=dmz:$LISTS }
-IMAP(ACCEPT)	   { SOURCE=loc,vpn1, DEST=net }
+IMAP(ACCEPT)	   { SOURCE=loc,vpn, DEST=net }
 ######################################################################################################
 # NTP
 #
 NTP(ACCEPT)	   { SOURCE=all, DEST=net }
-NTP(ACCEPT)	   { SOURCE=loc,vpn1,dmz,apps DEST=$FW }
+NTP(ACCEPT)	   { SOURCE=loc,vpn,dmz,apps DEST=$FW }
+######################################################################################################
+# Squid
+ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 } 
 ######################################################################################################
 # HTTP/HTTPS
 #
-Web(ACCEPT)	   { SOURCE=loc,vpn1 DEST=$FW }
+Web(ACCEPT)	   { SOURCE=loc,vpn DEST=$FW }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=proxy }
 Web(DROP)	   { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist web crawlers" }
-HTTP(ACCEPT)	   { SOURCE=net,loc,vpn1,apps,$FW DEST=dmz:$SERVER,$LISTS }
-HTTPS(ACCEPT)	   { SOURCE=net,loc,vpn1,apps,$FW DEST=dmz:$LISTS,$MAIL }
+HTTP(ACCEPT)	   { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
+HTTPS(ACCEPT)	   { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$LISTS,$MAIL }
 Web(ACCEPT)	   { SOURCE=dmz,apps DEST=net,$FW }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=root }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=teastep }
+Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=_apt }
 ######################################################################################################
 # FTP
 #
-FTP(ACCEPT)	   { SOURCE=loc,vpn1,apps DEST=net }
+FTP(ACCEPT)	   { SOURCE=loc,vpn,apps DEST=net }
 FTP(ACCEPT)	   { SOURCE=dmz,          DEST=net }
 FTP(ACCEPT)	   { SOURCE=$FW,          DEST=net, USER=root }
 FTP(ACCEPT)	   { SOURCE=all,          DEST=dmz:$SERVER }
@@ -866,11 +959,11 @@ Whois(ACCEPT)	   { SOURCE=all, DEST=net }
 # SMB
 #
 SMBBI(ACCEPT)	    { SOURCE=loc, DEST=$FW }
-SMBBI(ACCEPT)	    { SOURCE=vpn1, DEST=$FW }
+SMBBI(ACCEPT)	    { SOURCE=vpn, DEST=$FW }
 ######################################################################################################
 # IRC
 #
-IRC(ACCEPT)	    { SOURCE=loc,vpn1,apps:IRC_IF, DEST=net }
+IRC(ACCEPT)	    { SOURCE=loc,apps, DEST=net }
 ######################################################################################################
 # Rsync
 #
@@ -913,7 +1006,7 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
      <programlisting>#ACTION         SOURCE			DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY

 ?if __IPV4
-    MASQUERADE		{ SOURCE=172.20.1.0/24,172.20.2.0/24, DEST=FAST_IF }
+    MASQUERADE		{ SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_IF }
    MASQUERADE 		{ SOURCE=70.90.191.120/29, 	      DEST=FAST_IF }
    SNAT(70.90.191.121) { SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,  PROBABILITY=0.50, COMMENT="Masquerade Local Network" }
    SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,                    COMMENT="Masquerade Local Network" }
@@ -931,8 +1024,8 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
      <para>Both address families define IPSEC tunnels:</para>

      <programlisting>#TYPE			ZONE		GATEWAY			GATEWAY_ZONE
-ipsecnat {ZONE=net,  GATEWAY=$ALL, GATEWAY_ZONE=vpn1 }
-ipsecnat {ZONE=loc,  GATEWAY=$ALL, GATEWAY_ZONE=vpn1 }
+ipsecnat {ZONE=net,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }
+ipsecnat {ZONE=loc,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }
 </programlisting>
    </section>

--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -85,7 +85,7 @@
    url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)).
    There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
    standard and custom macros as well as standard and custom actions. See
-    <ulink url="manpages/shorewall-rules.html">shorewall-blrules</ulink> (5)
+    <ulink url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)
    for details.</para>

    <para>Example:</para>
@@ -265,7 +265,7 @@ DROP            net:200.55.14.18        all

    <para>Beginning with Shorewall 5.1.1, it is possible to specify BLACKLIST
    in the POLICY column of <ulink
-    url="manpages/shorewall-policies.html">shorewall-policies</ulink>(5) when
+    url="manpages/shorewall-policy.html">shorewall-policy</ulink>(5) when
    ipset-based dynamic blacklisting is being used. When a packet is disposed
    of via the BLACKLIST policy, the packet's sender is added to the dynamic
    blacklist ipset and the packet is dropped.</para>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -2498,27 +2498,63 @@ gmail-pop.l.google.com. <emphasis role="bold">300</emphasis>   IN A     209.85.2
    <programlisting>#ACTION        SOURCE               DEST              PROTO             DPORT
 POP(ACCEPT)     loc                  net:pop.gmail.com</programlisting>

-    <para>If your firewall rules include DNS names then:</para>
+    <para>There are two options in <ulink
+    url="manpages/shorewall.conf.html">shorewall[6].conf(5)</ulink> that
+    affect the use of DNS names in Shorewall[6] config files:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>DEFER_DNS_RESOLUTION - When set to No, DNS names are resolved at
+        compile time; when set to Yes, DNS Names are resolved at
+        runtime.</para>
+      </listitem>
+
+      <listitem>
+        <para>AUTOMAKE - When set to Yes, <command>start</command>,
+        <command>restart</command> and <command>reload</command> only result
+        in compilation if one of the files on the CONFIG_PATH has changed
+        since the the last compilation.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>So by setting AUTOMAKE=Yes, and DEFER_DNS_RESOLUTION=No, compilation
+    will only take place at boot time if a change had been make to the config
+    but no <command>restart</command> or <command>reload</command> had taken
+    place. This is clearly spelled out in the shorewall.conf manpage. So with
+    these settings, so long as a 'reload' or 'restart' takes place after the
+    Shorewall configuration is changes, there should be no DNS-related
+    problems at boot time.</para>
+
+    <important>
+      <para>When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes and a DNS change
+      makes it necessary to recompile an existing firewall script, the
+      <option>-c</option> option must be used with the
+      <command>reload</command> or <command>restart</command> command to force
+      recompilation.</para>
+    </important>
+
+    <para>If your firewall rules include DNS names then, even if
+    DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes:</para>

    <itemizedlist>
      <listitem>
        <para>If your <filename>/etc/resolv.conf </filename>is wrong then your
-        firewall won't start.</para>
+        firewall may not start.</para>
      </listitem>

      <listitem>
        <para>If your <filename>/etc/nsswitch.conf</filename> is wrong then
-        your firewall won't start.</para>
+        your firewall may not start.</para>
      </listitem>

      <listitem>
-        <para>If your Name Server(s) is(are) down then your firewall won't
+        <para>If your Name Server(s) is(are) down then your firewall may not
        start.</para>
      </listitem>

      <listitem>
        <para>If your startup scripts try to start your firewall before
-        starting your DNS server then your firewall won't start.</para>
+        starting your DNS server then your firewall may not start.</para>
      </listitem>

      <listitem>
@@ -2528,7 +2564,7 @@ POP(ACCEPT)     loc                  net:pop.gmail.com</programlisting>

      <listitem>
        <para>You must bring up your network interfaces prior to starting your
-        firewall.</para>
+        firewall, or the firewall may not start.</para>
      </listitem>
    </itemizedlist>

--- a/docs/images/Netfilter.dia
+++ b/docs/images/Netfilter.dia
--- a/docs/images/Netfilter.png
+++ b/docs/images/Netfilter.png
--- a/docs/images/Network2017.dia
+++ b/docs/images/Network2017.dia
--- a/docs/images/Network2017.png
+++ b/docs/images/Network2017.png
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -56,12 +56,13 @@
    <ulink url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
    if they are not available in your current distribution. Instructions for
    installing xtables-addons may be found in the <ulink
-    url="Dynamic.html">Dynamic Zones article</ulink>.
-    Note that xtables-addons might not be required
-    with the 'ipset' package provided by your distribution.
-    See also the section <ulink url="configuration_file_basics.htm#capabilities">capabilities</ulink>
-    in the <ulink url="configuration_file_basics.htm">configuration file basics article</ulink>
-    and the <ulink url="Shorewall-Lite.html#Shorecap">Shorecap program</ulink>.</para>
+    url="Dynamic.html">Dynamic Zones article</ulink>. Note that xtables-addons
+    might not be required with the 'ipset' package provided by your
+    distribution. See also the section <ulink
+    url="configuration_file_basics.htm#capabilities">capabilities</ulink> in
+    the <ulink url="configuration_file_basics.htm">configuration file basics
+    article</ulink> and the <ulink url="Shorewall-Lite.html#Shorecap">Shorecap
+    program</ulink>.</para>

    <para>Ipset allows you to create one or more named sets of addresses then
    use those sets to define Netfilter/iptables rules. Possible uses of ipsets
@@ -151,6 +152,11 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
        url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
      </listitem>

+      <listitem>
+        <para>You must have at least one entry in the other configuration
+        files that uses an ipset.</para>
+      </listitem>
+
      <listitem>
        <para>You cannot use an ipset in <ulink
        url="manpages/shorewall-stoppedulres.html">shorewall-stoppedrules</ulink>
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -248,7 +248,7 @@
      <para>If your kernel has NFLOG target support (and most vendor-supplied
      kernels do), you may also specify a log level of NFLOG (must be all
      caps). When NFLOG is used, Shorewall will direct Netfilter to log the
-      related messages via the ULOG target which will send them to a process
+      related messages via the NFLOG target which will send them to a process
      called <quote>ulogd</quote>. The ulogd program is included in most
      distributions and is also available from <ulink
      url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>.
@@ -258,7 +258,7 @@
      <note>
        <para>The NFLOG logging mechanism is <emphasis
        role="underline">completely separate</emphasis> from syslog. Once you
-        switch to ULOG, the settings in <filename>/etc/syslog.conf</filename>
+        switch to NFLOG, the settings in <filename>/etc/syslog.conf</filename>
        have absolutely no effect on your Shorewall logging (except for
        Shorewall status messages which still go to syslog).</para>
      </note>
@@ -278,7 +278,7 @@
      time:</para>

      <programlisting>gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|ULOG|LOGFILE'
-params:LOG=NFOG
+params:LOG=NFLOG
 policy:loc              $FW             REJECT          $LOG
 policy:net              all             DROP            $LOG            10/sec:40
 policy:all              all             REJECT          $LOG
--- a/docs/standalone.xml
+++ b/docs/standalone.xml
@@ -360,14 +360,6 @@ root@lists:~# </programlisting>
    are there, you may wish to review the list of options that are specified
    for the interface. Some hints:</para>

-    <tip>
-      <para>If your external interface is <filename
-      class="devicefile">ppp0</filename> or <filename
-      class="devicefile">ippp0</filename>, you can replace the
-      <quote>detect</quote> in the second column with <quote>-</quote> (minus
-      the quotes).</para>
-    </tip>
-
    <tip>
      <para>If your external interface is <filename
      class="devicefile">ppp0</filename> or <filename
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@@ -485,20 +485,17 @@ root@lists:~# </programlisting>
    are there, you may wish to review the list of options that are specified
    for the interfaces. Some hints:</para>

-    <tip>
-      <para>If your external interface is <filename
-      class="devicefile">ppp0</filename> or <filename
-      class="devicefile">ippp0</filename>, you can replace the
-      <quote>detect</quote> in the second column with <quote>-</quote>
-      (without the quotes).</para>
-    </tip>
-
    <tip>
      <para>If your external interface is <filename
      class="devicefile">ppp0</filename> or <filename
      class="devicefile">ippp0</filename> or if you have a static IP address,
      you can remove <quote>dhcp</quote> from the option list.</para>
    </tip>
+
+    <para>Prior to Shorewall 5.1.9, it is also required to change the snat and
+    stoppedrules file, to replace <filename>eth0</filename> with the name of
+    your external interface and <filename>eth1</filename> with the name of
+    your local interface.</para>
  </section>

  <section id="Addresses">
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -442,12 +442,6 @@ root@lists:~# </programlisting>
    class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
    file accordingly. While you are there, you may wish to review the list of
    options that are specified for the interfaces. Some hints:<tip>
-        <para>If your external interface is <filename
-        class="devicefile">ppp0</filename> or <filename
-        class="devicefile">ippp0</filename>, you can replace the
-        <varname>detect</varname> in the second column with a <quote>-</quote>
-        (minus the quotes).</para>
-      </tip><tip>
        <para>If your external interface is <filename
        class="devicefile">ppp0</filename> or <filename
        class="devicefile">ippp0</filename> or if you have a static
@@ -459,6 +453,10 @@ root@lists:~# </programlisting>
        add the <varname>routeback</varname> option to the option
        list.</emphasis></para>
      </tip></para>
+
+    <para>Prior to Shorewall 5.1.9, you will also need to modify the snat and
+    stopped rules file, replacing eth1 with the name of your internal
+    interface.</para>
  </section>

  <section id="Addresses">
Author	SHA1	Message	Date
Tom Eastep	5053999442	Don't run 'find' in the PWD - Also remove -mindepth so as to catch deletions in the directories Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-31 13:33:16 -08:00
Tom Eastep	71f8bad300	Tweak Shared Config doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-30 08:44:49 -08:00
Tom Eastep	377c9f5708	Only search files in each CONFIG_PATH directory - no recursion Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-30 08:44:05 -08:00
Tom Eastep	675e41e6a6	Merge branch 'master' into 5.1.10	2017-12-27 11:15:25 -08:00
Tom Eastep	28f6379956	Fix broken links in the blacklisting article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-26 16:57:44 -08:00
Tom Eastep	c9b58e203b	Fix broken links in the blacklisting article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-26 16:56:37 -08:00
Tom Eastep	9afe8daae0	Merge branch '5.1.10' # Conflicts: # Shorewall-core/install.sh # Shorewall/install.sh	2017-12-26 15:45:20 -08:00
Tom Eastep	43adcd26a1	Make the /etc and the configfiles .conf files the same Signed-off-by: Tom Eastep <teastep@shorewall.net> # Conflicts: # Shorewall/install.sh	2017-12-26 15:39:26 -08:00
Tom Eastep	65371437b5	Correct installer for case where SHAREDIR != /usr/share/ Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-26 15:36:38 -08:00
Tom Eastep	cc2022e172	Correct installer for case where SHAREDIR != /usr/share/ Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-26 15:00:15 -08:00
Tom Eastep	f2a565729f	Replace $PRODUCT with ${PRODUCT} - Also correct one incidence of PRODUCT that should have been $PRODUCT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-26 14:00:00 -08:00
Tom Eastep	ea8b2a803a	Make the /etc and the configfiles .conf files the same Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-26 11:48:33 -08:00
Tom Eastep	16832149ca	Remove unneeded modification of $CONFDIR/$PRODUCT/$PRODUCT.conf Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-26 11:35:56 -08:00
Tom Eastep	7edf4918d7	Remove leading ":" from CONFIG_PATH in active shorewall[6].conf Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-26 10:27:19 -08:00
Tom Eastep	d3a1dc1e2a	Delete superfluous semicolon. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-25 08:45:42 -08:00
Matt Darfeuille	f68f47d01b	Init: Fix when to compile the firewall on Debian Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-25 08:37:00 -08:00
Tom Eastep	b1d1fa862a	Add comment noting that the 'physwild' interface member is currently unused Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-23 10:58:16 -08:00
Tom Eastep	24acf25451	Delete unused find_interfaces_by_option1() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-23 10:53:16 -08:00
Tom Eastep	229c47ac6c	Don't delete options that are to be ignored from %options - specifying some options can have side-effects that cause $interfaceref->{options}{$option} to be accessed Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-23 10:47:22 -08:00
Tom Eastep	38de9c1732	Make wildcard/option checks order-independent WRT the options Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-23 10:24:08 -08:00
Tom Eastep	17f4fd7cd2	Initialize $physwild to $wildcard Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-22 15:42:16 -08:00
Tom Eastep	cfd02c1bb6	More $minroot changes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-22 13:58:38 -08:00
Tom Eastep	02caeb5aa0	Remove sourceroute=0 from IPv6 Universal interface options Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-22 13:44:11 -08:00
Tom Eastep	19b7601c72	Improve handling of wildcard interfaces and options Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-22 13:43:45 -08:00
Tom Eastep	5a8e9cd0a3	Correct $minroot logic Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-22 09:08:27 -08:00
Tom Eastep	b5a6067588	Describe default interval and decay for rate estimator policing filters Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-20 09:04:52 -08:00
Tom Eastep	45468af2d2	Correct ingress policing for later releases of iproute2 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-18 11:52:19 -08:00
Tom Eastep	6c018f478c	Avoid unnecessary recompilation by Shorewall-init Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-18 10:25:56 -08:00
Tom Eastep	dec3cacb2a	Correct typo in the Helpers Article Port 1729 -> port 1723 for PPTP Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-08 15:28:01 -08:00
Tom Eastep	4ab8e1f0a2	Remove PSH from the FIN action Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-05 15:25:54 -08:00
Tom Eastep	821d72093a	Rename DEFAULTACTION_SECTION to POLICYACTION_SECTION. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-02 16:25:15 -08:00
Tom Eastep	42d5d13780	Retain proto setting when switching inline <-> noinline Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-02 13:40:41 -08:00
Tom Eastep	7121a0f1b1	Disallow a protocol on the Reject Action Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-02 12:58:05 -08:00
Tom Eastep	ab12d63a4f	Change 'default action' to 'policy action' in comments and messages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-02 12:55:17 -08:00
Tom Eastep	6ba1d5413b	Allow a protocol to be associated with an action Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-02 11:24:08 -08:00
Tom Eastep	4fc572f664	Exit the IPv6 AllowICMPs chain if packet isn't ipv6-icmp Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-01 14:50:17 -08:00
Tom Eastep	138e64c54a	Improve the documentation surrounding DNS names. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-12-01 09:25:20 -08:00
Tom Eastep	b04b65cac8	Clear counters in all tables during 'reset' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-30 14:31:59 -08:00
Tom Eastep	c907748b52	Correct typo in 'dump' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-30 14:31:33 -08:00
Tom Eastep	7f3414e3d8	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2017-11-29 08:19:57 -08:00
Roberto C. Sánchez	c75fe2ea8d	Fix typo	2017-11-29 06:56:06 -05:00
Tom Eastep	5dcb684efc	Don't be specific when deleting IPv6 balanced/fallback default routes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-28 15:26:17 -08:00
Tom Eastep	3e87e5004a	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2017-11-27 09:36:13 -08:00
Roberto C. Sánchez	c89b113a61	Fix typos	2017-11-26 15:39:59 -05:00
Tom Eastep	7289175070	Chop first config dir if non-root or if compiling for export. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-23 09:57:12 -08:00
Tom Eastep	5aaf1e53de	IPv6 Samples use logical interface names Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-22 09:56:45 -08:00
Tom Eastep	a9373d727b	Use logical interface names in the samples. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-22 09:40:15 -08:00
Tom Eastep	528b473f6b	Add some additional documentation to the Config module Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-22 08:41:37 -08:00
Tom Eastep	d22210c074	Set g_export before calling get_config() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-14 13:46:41 -08:00
Tom Eastep	89d6009200	Revert "Fix for copying SYSCONFFILE. Gave a Permission denied on OpenWRT" This reverts commit `f0cb3f50e4`.	2017-11-14 10:48:56 -08:00
Tom Eastep	f411f7dd31	Remove redundant test Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-14 10:45:10 -08:00
Tom Eastep	502e98eb9f	Add Redfish console to the IPMI macro Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-14 10:44:54 -08:00
Tom Eastep	f73bad440d	Don't verify IP and SHOREWALL_SHELL when compiling/checking for test Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-14 10:02:15 -08:00
W. van den Akker	f0cb3f50e4	Fix for copying SYSCONFFILE. Gave a Permission denied on OpenWRT Signed-off-by: W. van den Akker <wvdakker@wilsoft.nl> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-14 09:01:06 -08:00
W. van den Akker	23bc019a82	Add OpenWRT options. Signed-off-by: W. van den Akker <wvdakker@wilsoft.nl> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-14 09:00:46 -08:00
Tom Eastep	9d299ef866	Don't verify IP and SHOREWALL_SHELL setting when compiling for export Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-14 08:50:05 -08:00
Tom Eastep	2a9272ccd1	Clean up RAs involving "\|" Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-14 08:26:17 -08:00
Tom Eastep	130ddff9de	Correct a typo in an error message - Includes cosmetic changes to Providers.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-10 11:25:52 -08:00
Tom Eastep	9cf298482d	Merge branch '5.1.8'	2017-11-09 12:59:59 -08:00
Tom Eastep	c5a586aa37	Allow [...] around gateway address in the providers file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-09 12:20:01 -08:00
Tom Eastep	0670ecaf5e	Update Shared Configuration Article - Add network graphic Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-08 18:47:23 -08:00
Tom Eastep	d3eebde464	Add another restriction for SAVE_IPSETS=Yes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-08 10:56:57 -08:00
Tom Eastep	832418585a	Don't make persistent routes and rules dependent on autosrc. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-08 09:46:25 -08:00
Tom Eastep	605f61fb3c	Don't make persistent routes and rules dependent on autosrc. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-08 09:45:59 -08:00
Tom Eastep	824f4ca570	Update Shared Configuration document Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-08 09:44:40 -08:00
Tom Eastep	9acdbb5acf	Unify online manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-03 10:43:48 -07:00
Tom Eastep	8dfa0be611	Add shorewall-logging(5) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-02 15:26:14 -07:00
Tom Eastep	ef8b85fc3e	Implement support for logging in the SNAT file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-11-02 12:44:42 -07:00
Tom Eastep	2b5613026a	Merge branch '5.1.8'	2017-10-25 09:14:20 -07:00
Tom Eastep	c7c318c0e7	Align columns in actions.std Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-25 09:13:37 -07:00
Tom Eastep	b48e5a8932	Create new Netfilter diagram using Dia Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-25 09:13:08 -07:00
Tom Eastep	d1976189aa	Correct a couple of typos in the manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-22 12:59:31 -07:00
Tom Eastep	6b4905c2c0	Replace 'tcp' with '6' in action.TCPFlags Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-20 12:33:36 -07:00
Tom Eastep	774b707352	Inline Multicast when Address Type Match is available Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-20 12:01:41 -07:00
Tom Eastep	c3bd58827f	Align columns in actions.std Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-20 11:44:10 -07:00
Tom Eastep	b35f1112f4	Allow 'noinline' in /etc/shorewall[6]/actions to override 'inline' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-20 09:19:50 -07:00
Tom Eastep	a0eb91cb90	Inline the Broadcast action when ADDRTYPE match is available Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-20 08:49:14 -07:00
Tom Eastep	105e6a3d01	Create new Netfilter diagram using Dia Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-19 14:51:36 -07:00
Tom Eastep	77d9eeb915	Eliminate extra parameter editing of TPROXY parameter list. - Clarify syntax for actions with multiple parameters Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-19 13:08:12 -07:00
Tom Eastep	17838c1443	Add TCPMSS to the allowed mangle actions. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-19 12:58:38 -07:00
Tom Eastep	5867ce6c3b	CLAMPMSS now done in the mangle table. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-18 15:55:07 -07:00
Tom Eastep	84cd80eba9	Update the Shared Config document Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-17 16:51:35 -07:00
Tom Eastep	9b02f7a922	Update Shared config article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-15 19:15:13 -07:00
Tom Eastep	f1975ae9b0	More robust detection of empty SPD entries. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-15 08:26:27 -07:00
Tom Eastep	7b9f7c095d	Don't dump SPD entries for the other address family Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-14 13:39:00 -07:00
Tom Eastep	8ea96098bf	Warning when 'persistent' used with RESTORE_DEFAULT_ROUTE=Yes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-11 15:22:07 -07:00
Tom Eastep	02ed36332a	Revert "Warn when RESTORE_DEFAULT_ROUTE=Yes and a persistent provider is defined" This reverts commit `39a3c72057`.	2017-10-11 11:24:54 -07:00
Tom Eastep	15a3b29a32	Revert "Document warning when RESTORE_DEFAULT_ROUTE=Yes and 'persistent'" This reverts commit `bfab002dda`.	2017-10-11 11:24:39 -07:00
Tom Eastep	cb4f9e7261	Don't restore default routes when there is an enabled fallback provider Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-11 11:24:13 -07:00
Tom Eastep	bfab002dda	Document warning when RESTORE_DEFAULT_ROUTE=Yes and 'persistent' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-11 11:01:09 -07:00
Tom Eastep	ddb12fcad9	Add/correct comments Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-11 11:00:46 -07:00
Tom Eastep	42ce754961	Don't restore default routes when a fallback= provider is enabled Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-11 11:00:05 -07:00
Tom Eastep	5cd4d63bc5	Delete main default routes when a fallback provider is enabled Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-11 10:59:31 -07:00
Tom Eastep	5b567f2d8b	Correct delete_default_routes() in tables other than main Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-11 10:58:48 -07:00
Tom Eastep	39a3c72057	Warn when RESTORE_DEFAULT_ROUTE=Yes and a persistent provider is defined Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-11 10:58:09 -07:00
Tom Eastep	b47e633c38	Use 'route replace' rather than 'route add' to avoid persistence issues Previous failure case was: - disable interface - reload - enable interface Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-09 08:58:10 -07:00
Tom Eastep	1b55a37a28	Ensure that 'rule add' commands don't fail with persistent interfaces Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-08 08:53:53 -07:00
Tom Eastep	a97dcd23d0	Allow merging of rules that specify an IPSEC policy Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-07 13:17:43 -07:00
Tom Eastep	108b169d8d	Treat LOG_TARGET like all other capabilities - Previous implementation could generate unworkable script when LOAD_HELPERS_ONLY=Yes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-06 08:01:52 -07:00
Tom Eastep	a9fbaa57ed	Pass -$g_family to 'ip xfrm' commands - This currently doesn't work correctly, but maybe it will in the future Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-10-06 08:00:29 -07:00
Tom Eastep	317f12041b	Strengthen the test for empty SPD entries Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-30 15:43:17 -07:00
Tom Eastep	8469f983d8	Merge branch '5.1.7' # Conflicts: # Shorewall/Perl/prog.footer	2017-09-29 15:25:37 -07:00
Tom Eastep	f54acb665a	Correct handling of mark range in MARK target. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-29 14:44:33 -07:00
Tom Eastep	3d2e9eb93e	Improve the fix for SELinux "getattr" denials Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-28 15:16:50 -07:00
Tom Eastep	c6a939301f	Improve the fix for SELinux "getattr" denials Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-28 15:16:00 -07:00
Tom Eastep	1cb98254cc	Handle SELinux getattr denials in open() processing Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-26 16:42:54 -07:00
Tom Eastep	baa791a1e3	Handle SELinux getattr denials in open() processing Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-26 16:41:50 -07:00
Tom Eastep	8b4b965f63	Remove unnecessary disable/enable of script generation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-21 14:36:30 -07:00
Tom Eastep	8ee2d6246c	Update a comment in the compiler - get_configuration() also processes the shorewallrc file(s) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-21 12:32:34 -07:00
Tom Eastep	a7be3dfece	Align progress messages produced by 'reenable' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-19 13:29:13 -07:00
Tom Eastep	846e8c4ece	Correct reenable logic Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-19 13:29:08 -07:00
Tom Eastep	e2bf7e6584	Align progress messages produced by 'reenable' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-19 13:28:09 -07:00
Tom Eastep	ff3994f6a1	Correct reenable logic Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-19 13:17:50 -07:00
Tom Eastep	494ec9c59c	Avoid extra comparison in reload_command() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-19 10:49:11 -07:00
Tom Eastep	1cde92e8f3	Initialize g_dockeringress Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-19 10:43:44 -07:00
Tom Eastep	721a1e3b33	Initialize g_dockeringress Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-19 10:39:52 -07:00
Tom Eastep	84fa774cb7	Change copyright dates in lib.runtime Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-19 09:03:00 -07:00
Tom Eastep	c39bc7b65f	Update version of lib.*installer Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-18 13:09:35 -07:00
Tom Eastep	2548e8741d	Update version and copyright dates in lib.common Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-18 13:07:37 -07:00
Tom Eastep	0a31fba6bb	Update version and copyright dates in lib.core Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-18 13:00:50 -07:00
Tom Eastep	9701c9c522	Update version and copyright dates in lib.base Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-18 12:57:02 -07:00
Tom Eastep	973d352209	Update shorewall script - Update copyright dates - Add a comment about PRODUCT setting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-18 12:51:27 -07:00
Tom Eastep	91e59c2ed4	Remove the Lite Makefiles Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-18 11:56:04 -07:00
Tom Eastep	be5aabcbfb	Correct typo in Chains.pm &g_dockeringress -> $g_dockeringress Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-18 10:14:22 -07:00
Tom Eastep	a8937e6bc8	Correct harmless typo Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-18 10:06:41 -07:00
Tom Eastep	e91bd9a0e9	Remove useless/empty .tmp file when SAVE_IPSETS is set - Add SAVE_IPSETS support to the Redhat/Fedora sysv init script Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-09-18 09:28:43 -07:00