Correct $LOG_LEVEL expansion

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Revert "Remove 'Multicast' from IPv6 actions.std"
2017-03-10 10:23:17 -08:00 · 2017-03-10 09:09:31 -08:00 · 2017-03-10 09:09:23 -08:00 · 2017-03-10 09:09:12 -08:00 · 2017-03-10 07:30:20 -08:00 · 2017-03-09 14:37:45 -08:00
197 changed files with 20182 additions and 5227 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -190,7 +190,7 @@ for p in ${!params[@]}; do
 done

 echo '#'                                                                 > shorewallrc
-echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc
+echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
 echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc

--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -173,12 +173,7 @@ my $outfile;

 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";

-if ( $ENV{SOURCE_DATE_EPOCH} ) {
-    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date  --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`;
-} else {
-    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
-}
-
+printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
 print $outfile "# rc file: $rcfilename\n#\n";

 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -22,20 +22,64 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version
+
 PRODUCT=shorewall-core
 Product="Shorewall Core"
-
+ 
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
+    echo "usage: $ME [ <configuration-file> ] "
+    echo "       $ME -v"
+    echo "       $ME -h"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -54,16 +98,16 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-#
-# Source common functions
-#
-. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
 #
 # Parse the run line
 #
@@ -82,7 +126,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "Shorewall Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    *)
@@ -104,14 +148,14 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc
 	file=./shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	. /usr/share/shorewall/shorewallrc
 	file=/usr/share/shorewall/shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -125,7 +169,7 @@ elif [ $# -eq 1 ]; then
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -241,12 +285,13 @@ case "$HOST" in
    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
 	;;
    *)
-	fatal_error "Unknown HOST \"$HOST\""
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
 	;;
 esac

 if [ -z "$file" ]; then
-    if [ $HOST = linux ]; then
+    if $HOST = linux; then
 	file=shorewallrc.default
    else
 	file=shorewallrc.${HOST}
@@ -259,8 +304,7 @@ if [ -z "$file" ]; then
    echo "" >&2
    echo "Example:" >&2
    echo "" >&2
-    echo "   ./install.sh $file" >&2
-    exit 1
+    echo "   ./install.sh $file" &>2
 fi

 if [ -n "$DESTDIR" ]; then
@@ -271,31 +315,45 @@ if [ -n "$DESTDIR" ]; then
    fi
 fi

-echo "Installing $Product Version $VERSION"
+echo "Installing Shorewall Core Version $VERSION"

 #
 # Create directories
 #
-make_parent_directory ${DESTDIR}${LIBEXECDIR}/shorewall 0755
+mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
+chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall

-make_parent_directory ${DESTDIR}${SHAREDIR}/shorewall 0755
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall

-make_parent_directory ${DESTDIR}${CONFDIR} 0755
+mkdir -p ${DESTDIR}${CONFDIR}
+chmod 755 ${DESTDIR}${CONFDIR}

-[ -n "${SYSCONFDIR}" ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+if [ -n "${SYSCONFDIR}" ]; then
+    mkdir -p ${DESTDIR}${SYSCONFDIR}
+    chmod 755 ${DESTDIR}${SYSCONFDIR}
+fi

 if [ -z "${SERVICEDIR}" ]; then
    SERVICEDIR="$SYSTEMD"
 fi

-[ -n "${SERVICEDIR}" ] && make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+if [ -n "${SERVICEDIR}" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
+    chmod 755 ${DESTDIR}${SERVICEDIR}
+fi

-make_parent_directory ${DESTDIR}${SBINDIR} 0755
+mkdir -p ${DESTDIR}${SBINDIR}
+chmod 755 ${DESTDIR}${SBINDIR}

-[ -n "${MANDIR}" ] && make_parent_directory ${DESTDIR}${MANDIR} 0755
+if [ -n "${MANDIR}" ]; then
+    mkdir -p ${DESTDIR}${MANDIR}
+    chmod 755 ${DESTDIR}${MANDIR}
+fi

 if [ -n "${INITFILE}" ]; then
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}

    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
 	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
@@ -324,14 +382,8 @@ echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
 # Install the libraries
 #
 for f in lib.* ; do
-    case $f in
-        *installer)
-            ;;
-        *)
-            install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
-            echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
-            ;;
-    esac
+    install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
+    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done

 if [ $SHAREDIR != /usr/share ]; then
@@ -346,11 +398,11 @@ fi
 if [ -n "$MANDIR" ]; then
    cd manpages

-    [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/

    for f in *.8; do
 	gzip -9c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done

@@ -367,7 +419,7 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
-chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion

 if [ -z "${DESTDIR}" ]; then
    if [ $update -ne 0 ]; then
@@ -392,20 +444,14 @@ fi

 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
-        case $f in
-            *installer)
-                ;;
-            *)
-                if [ $BUILD != apple ]; then
-                    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
-                else
-                    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
-                fi
-                ;;
-        esac
+	if [ $BUILD != apple ]; then
+	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+	else
+	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+	fi
    done
 fi
 #
-# Report Success
+#  Report Success
 #
-echo "$Product Version $VERSION Installed"
+echo "Shorewall Core Version $VERSION Installed"
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.base
+# Shorewall 5.0 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=50106
+SHOREWALL_CAPVERSION=50100

 if [ -z "$g_basedir" ]; then
    #
@@ -1142,11 +1142,11 @@ show_a_macro() {
 spd_filter()
 {
    awk \
-    'BEGIN                                  { skip=0; }; \
-    /^src/                                  { skip=0; }; \
-    /^src 0.0.0.0\/0 dst 0.0.0.0\/0 uid 0$/ { skip=1; }; \
-    /^src ::\/0 dst ::\/0 uid 0$/           { skip=1; }; \
-                                            { if ( skip == 0 ) print; };'
+    'BEGIN            { skip=0; }; \
+    /^src/            { skip=0; }; \
+    /^src 0.0.0.0\/0/ { skip=1; }; \
+    /^src ::\/0/      { skip=1; }; \
+                      { if ( skip == 0 ) print; };'
 }
 #
 # Print a heading with leading and trailing black lines
@@ -1159,7 +1159,7 @@ heading() {

 show_ipsec() {
    heading "PFKEY SPD"
-    $IP -s -$g_family xfrm policy | spd_filter
+    $IP -s xfrm policy | spd_filter
    heading "PFKEY SAD"
    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }
@@ -2770,7 +2770,7 @@ determine_capabilities() {
    GOTO_TARGET=
    LOGMARK_TARGET=
    IPMARK_TARGET=
-    LOG_TARGET=
+    LOG_TARGET=Yes
    ULOG_TARGET=
    NFLOG_TARGET=
    PERSISTENT_SNAT=
@@ -2803,8 +2803,6 @@ determine_capabilities() {
    WAIT_OPTION=
    CPU_FANOUT=
    NETMAP_TARGET=
-    NFLOG_SIZE=
-    RESTORE_WAIT_OPTION=

    AMANDA_HELPER=
    FTP_HELPER=
@@ -2828,11 +2826,9 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
    fi

-    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
-
    if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	g_tool="$g_tool --wait"
+	tool="$tool --wait"
    fi

    chain=fooX$$
@@ -3138,15 +3134,12 @@ determine_capabilities() {
    qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $g_tool -A $chain -j LOG && LOG_TARGET=Yes
+    qt $g_tool -A $chain -j LOG || LOG_TARGET=
    qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
+    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
    qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
-    if qt $g_tool -A $chain -j NFLOG; then
-	NFLOG_TARGET=Yes
-	qt $g_tool -A $chain -j NFLOG --nflog-size 64 && NFLOG_SIZE=Yes
-    fi

    if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -3302,11 +3295,9 @@ report_capabilities_unsorted() {
    if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
-	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
-	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    fi

    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3314,7 +3305,6 @@ report_capabilities_unsorted() {
    report_capability "CT Target (CT_TARGET)" $CT_TARGET
    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
-    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE

    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3421,8 +3411,6 @@ report_capabilities_unsorted1() {
    report_capability1 WAIT_OPTION
    report_capability1 CPU_FANOUT
    report_capability1 NETMAP_TARGET
-    report_capability1 NFLOG_SIZE
-    report_capability1 RESTORE_WAIT_OPTION

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3727,7 +3715,7 @@ ipcalc_command() {

    valid_address $address || fatal_error "Invalid IP address: $address"
    [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM"
+    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
    [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"

    address=$address/$vlsm
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
 #
-#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -269,48 +269,53 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
    local modulename
    modulename=$1
-    shift
-    local moduleoptions
-    moduleoptions=$*
    local modulefile
    local suffix

    if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
-		case $moduleloader in
-		    insmod)
-			for directory in $moduledirectories; do
-			    for modulefile in $directory/${modulename}.*; do
-				if [ -f $modulefile ]; then
-				    insmod $modulefile $moduleoptions
-				    return
-				fi
-			    done
-			done
-			;;
-		    *)
-			modprobe -q $modulename $moduleoptions
-			;;
-		esac
-	    fi
-	fi
-    elif ! list_search $modulename $DONT_LOAD $MODULES; then
-	case $moduleloader in
-	    insmod)
-		for directory in $moduledirectories; do
-		    for modulefile in $directory/${modulename}.*; do
+		shift
+
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}
+
 			if [ -f $modulefile ]; then
-			    insmod $modulefile $moduleoptions
-			    return
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
 			fi
 		    done
 		done
-		;;
-	    *)
-		modprobe -q $modulename $moduleoptions
-		;;
-	esac
+	    fi
+	fi
+    elif ! list_search $modulename $DONT_LOAD $MODULES; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
    fi
 }

@@ -333,6 +338,8 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi

+    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
+
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -387,6 +394,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi

+    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
+
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.1 -- /usr/share/shorewall/lib.core
+# Shorewall 5.0 -- /usr/share/shorewall/lib.core
 #
-#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,7 +24,7 @@
 # generated scripts.
 #

-SHOREWALL_LIBVERSION=50108
+SHOREWALL_LIBVERSION=50100

 #
 # Fatal Error
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -1,89 +0,0 @@
-#
-#
-# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
-#
-#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
-#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# The purpose of this library is to hold those functions used by the products installer.
-#
-#########################################################################################
-
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
-require()
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
-make_directory() # $1 = directory , $2 = mode
-{
-    mkdir $1
-    chmod $2 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
-}
-
-make_parent_directory() # $1 = directory , $2 = mode
-{
-    mkdir -p $1
-    chmod $2 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNER:$GROUP $1
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
-}
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -1,106 +0,0 @@
-#
-#
-# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
-#
-#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
-#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# The purpose of this library is to hold those functions used by the products uninstaller.
-#
-#########################################################################################
-
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-remove_file() # $1 = file to remove
-{
-    if [ -n "$1" ] ; then
-        if [ -f $1 -o -L $1 ] ; then
-            rm -f $1
-            echo "$1 Removed"
-        fi
-    fi
-}
-
-remove_directory() # $1 = directory to remove
-{
-    if [ -n "$1" ] ; then
-        if [ -d $1 ] ; then
-            rm -rf $1
-            echo "$1 Removed"
-        fi
-    fi
-}
-
-remove_file_with_wildcard() # $1 = file with wildcard to remove
-{
-    if [ -n "$1" ] ; then
-        for f in $1; do
-            if [ -d $f ] ; then
-                rm -rf $f
-                echo "$f Removed"
-            elif [ -f $f -o -L $f ] ; then
-                rm -f $f
-                echo "$f Removed"
-            fi
-        done
-    fi
-}
-
-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
-}
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -2016,7 +2016,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">remote-reload
+        <term><emphasis role="bold">remote-reload [-<option>n</option>]
        </emphasis>[-<option>s</option>] [-<option>c</option>]
        [-<option>r</option> <replaceable>root-user-name</replaceable>]
        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
@@ -2056,6 +2056,9 @@
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>

+          <para>The <option>-n</option> option causes Shorewall to avoid
+          updating the routing table(s).</para>
+
          <para>If <emphasis role="bold">-s</emphasis> is specified and the
          <emphasis role="bold">restart</emphasis> command succeeds, then the
          remote Shorewall-lite configuration is saved by executing <emphasis
@@ -3173,8 +3176,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/</para>
-
-    <para>/etc/shorewall6/</para>
  </refsect1>

  <refsect1>
@@ -3184,17 +3185,13 @@
    url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>

    <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
-    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-mangle(5),
-    shorewall-masq(5), shorewall-modules(5), shorewall-nat(5),
-    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall6-proxyndp(5), shorewall-routes(5), shorewall-rtrules(5),
-    shorewall-rtrules(5), shorewall-rules(5), shorewall-secmarks(5),
-    shorewall-snat(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcfilters(5), shorewall-tcinterfaces(5), shorewall-tcpri(5),
-    shorewall-tunnels(5), shorewall-vardir(5), shorewall-zones(5)</para>
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -1,8 +1,8 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.1
+#     Shorewall Packet Filtering Firewall Control Program - V5.0
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -25,10 +25,6 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-#
-# Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l
-# options
-#
 PRODUCT=shorewall

 #
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 4.5 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -14,7 +14,7 @@ INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
 ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 4.5 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian.sysvinit              #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,8 +1,8 @@
 #
 # Default Shorewall 5.0 rc file
 #
-BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux
+BUILD=                                  #Default is to detect the build system
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -1,8 +1,8 @@
 #
-# OpenWRT Shorewall 5.0 rc file
+# Created by Shorewall Core version 5.0.2-RC1 configure -  Fri, Nov 06, 2015 10:02:03 AM
+#
+# Input: host=openwrt
 #
-BUILD=                                 #Default is to detect the build system
-HOST=openwrt
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Core Modules
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,75 +26,63 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx # The Build script inserts the actual version
-PRODUCT=shorewall-core
+VERSION=xxx #The Build script inserts the actual version
+PRODUCT="shorewall-core"
 Product="Shorewall Core"
-
+ 
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+restore_file() # $1 = file to restore
+{
+    if [ -f ${1}-shorewall.bkout ]; then
+	if (mv -f ${1}-shorewall.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    exit 1
+        fi
+    fi
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-#
-# Source common functions
-#
-. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
-#
-# Parse the run line
-#
-finished=0
-
-while [ $finished -eq 0 ]; do
-    option=$1
-
-    case "$option" in
-	-*)
-	    option=${option#-}
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    h)
-			usage 0
-			;;
-		    v)
-			echo "$Product Firewall Uninstaller Version $VERSION"
-			exit 0
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-
-	    shift
-	    ;;
-	*)
-	    finished=1
-	    ;;
-    esac
-done
-
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -104,11 +92,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -116,26 +104,20 @@ fi
 if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Core Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling $Product $VERSION"
+echo "Uninstalling Shorewall Core $VERSION"

-if [ -n "${MANDIR}" ]; then
-    remove_file_with_wildcard ${MANDIR}/man5/shorewall\*
-    remove_file_with_wildcard ${MANDIR}/man8/shorewall\*
-fi
+rm -rf ${SHAREDIR}/shorewall
+rm -f ~/.shorewallrc
+
+echo "Shorewall Core Uninstalled"

-remove_directory ${SHAREDIR}/shorewall
-remove_file ~/.shorewallrc

-#
-# Report Success
-#
-echo "$Product $VERSION Uninstalled"
--- a/Shorewall-init/default.debian.systemd
+++ b/Shorewall-init/default.debian.systemd
@@ -1,21 +0,0 @@
-# List the Shorewall products that Shorewall-init is to
-# initialize (space-separated list).
-#
-# Sample: PRODUCTS="shorewall shorewall6"
-#
-PRODUCTS=""
-
-#
-# Set this to 1 if you want Shorewall-init to react to
-# ifup/ifdown and NetworkManager events
-#
-IFUPDOWN=0
-#
-# Where Up/Down events get logged
-#
-LOGFILE=/var/log/shorewall-ifupdown.log
-
-# Startup options - set verbosity to 0 (minimal reporting)
-OPTIONS="-V0"
-
-# IOF
--- a/Shorewall-init/default.debian.sysvinit
+++ b/Shorewall-init/default.debian.sysvinit
@@ -1,27 +0,0 @@
-# List the Shorewall products that Shorewall-init is to
-# initialize (space-separated list).
-#
-# Sample: PRODUCTS="shorewall shorewall6"
-#
-PRODUCTS=""
-
-#
-# Set this to 1 if you want Shorewall-init to react to
-# ifup/ifdown and NetworkManager events
-#
-IFUPDOWN=0
-#
-# Set this to the name of the file that is to hold
-# ipset contents. Shorewall-init will load those ipsets
-# during 'start' and will save them there during 'stop'.
-#
-SAVE_IPSETS=""
-#
-# Where Up/Down events get logged
-#
-LOGFILE=/var/log/shorewall-ifupdown.log
-
-# Startup options - set verbosity to 0 (minimal reporting)
-OPTIONS="-V0"
-
-# IOF
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -159,9 +159,8 @@ shorewall_stop () {

      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      else
-	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
      fi

--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -66,10 +66,6 @@ start () {

    printf "Initializing \"Shorewall-based firewalls\": "

-    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-	ipset -R < "$SAVE_IPSETS"
-    fi
-
    for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?
@@ -124,15 +120,6 @@ stop () {
    done

    if [ $retval -eq 0 ]; then
-	if [ -n "$SAVE_IPSETS" ]; then
-	    mkdir -p $(dirname "$SAVE_IPSETS")
-	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
-		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	    else
-		rm -f "${SAVE_IPSETS}.tmp"
-	    fi
-	fi
-
 	rm -f $lockfile
 	success
    else
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -126,9 +126,7 @@ stop () {
    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	else
-	    rm -f "${SAVE_IPSETS}.tmp"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
 	fi
    fi
 }
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -116,9 +116,7 @@ shorewall_stop () {
  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-      else
-	  rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      fi
  fi

--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -126,9 +126,7 @@ shorewall_stop () {
  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-      else
-	  rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      fi
  fi
 }
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -27,21 +27,58 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version.
 PRODUCT=shorewall-init
 Product="Shorewall Init"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -n"
+    echo "usage: $ME [ <configuration-file> ]"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    echo "       $ME -n"
    exit $1
 }

+fatal_error() 
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
+}
+
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -60,16 +97,23 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod 0755 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+}
+
+require() 
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-#
-# Source common functions
-#
-. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
 #
 # Parse the run line
 #
@@ -90,7 +134,7 @@ while [ $finished -eq 0 ] ; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -115,17 +159,17 @@ done
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
+    #
+    # Load packager's settings if any
+    #
    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc || exit 1
 	file=./shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
-    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	file=/usr/share/shorewall/shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
-    else
-	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
+     else
+	fatal_error "No configuration file specified and ~/.shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
@@ -133,11 +177,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -254,10 +298,12 @@ case "$HOST" in
 	echo "Installing Openwrt-specific configuration..."
 	;;
    linux)
-	fatal_error "Shorewall-init is not supported on this system"
+	echo "ERROR: Shorewall-init is not supported on this system" >&2
+	exit 1
 	;;
    *)
-	fatal_error "Unsupported HOST distribution: \"$HOST\""
+	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
+	exit 1;
 	;;
 esac

@@ -269,27 +315,30 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi
    
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    make_directory ${DESTDIR}${INITDIR} 0755
 fi

-echo "Installing $Product Version $VERSION"
+echo "Installing Shorewall Init Version $VERSION"

 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
    first_install=""
 else
    first_install="Yes"
 fi

-[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
+if [ -n "$DESTDIR" ]; then
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
+fi

 #
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    mkdir -p ${DESTDIR}${INITDIR}
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
    
@@ -308,21 +357,25 @@ if [ -z "${SERVICEDIR}" ]; then
 fi

 if [ -n "$SERVICEDIR" ]; then
-    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
-    [ -n "$DESTDIR" -o $configure -eq 0 ] && make_parent_directory ${DESTDIR}${SBINDIR} 0755
-    install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0700
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
-    echo "CLI installed as ${DESTDIR}${SBINDIR}/$PRODUCT"
+    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
+	mkdir -p ${DESTDIR}${SBINDIR}
+        chmod 0755 ${DESTDIR}${SBINDIR}
+    fi
+    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
+    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi

 #
 # Create /usr/share/shorewall-init if needed
 #
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
+chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init

 #
 # Install logrotate file
@@ -335,53 +388,55 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/$PRODUCT/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version

 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f ${SHAREDIR}/$PRODUCT/init
-    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
+    rm -f ${SHAREDIR}/shorewall-init/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi

 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
-	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
-	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
+	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
    elif [ $configure -eq 0 ]; then
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
    fi

-    if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
-	[ -n "${DESTDIR}" ] && make_parent_directory ${DESTDIR}${ETC}/default 0755
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
+	if [ -n "${DESTDIR}" ]; then
+	    mkdir -p ${DESTDIR}${ETC}/default
+	fi

-	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/default 0755
-	install_file ${SYSCONFFILE} ${DESTDIR}${ETC}/default/$PRODUCT 0644
-	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
+	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
+	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi

    IFUPDOWN=ifupdown.debian.sh
 else
    if [ -n "$DESTDIR" ]; then
-	make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+	mkdir -p ${DESTDIR}${SYSCONFDIR}

 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-up.d 0755
-		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-down.d 0755
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    elif [ $HOST = openwrt ]; then
-		# Not implemented on OpenWRT
+		# Not implemented on openwrt
 		/bin/true
 	    else
-		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
+		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
 	fi
    fi
@@ -403,13 +458,13 @@ if [ $HOST != openwrt ]; then

    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown

-    make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
+    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init

-    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown 0544
+    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 fi

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
+    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi

@@ -428,8 +483,8 @@ case $HOST in
    suse)
 	if [ -z "$RPM" ]; then
 	    if [ $configure -eq 0 ]; then
-		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-up.d 0755
-		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-down.d 0755
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
 	    fi

 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
@@ -463,17 +518,17 @@ if [ -z "$DESTDIR" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable ${PRODUCT}.service; then
-                    echo "$Product will start automatically at boot"
+                    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif mywhich insserv; then
-		if insserv ${INITDIR}/$PRODUCT; then
-                    echo "$Product will start automatically at boot"
+		if insserv ${INITDIR}/shorewall-init; then
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif mywhich update-rc.d ; then
 		if update-rc.d $PRODUCT enable; then
-                    echo "$Product will start automatically at boot"
+		    echo "$PRODUCT will start automatically at boot"
 		    echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 		else
 		    cant_autostart
@@ -494,31 +549,31 @@ if [ -z "$DESTDIR" ]; then
 	    /bin/true
 	else
 	    if [ -n "$SERVICEDIR" ]; then
-		if systemctl enable ${PRODUCT}.service; then
-		    echo "$Product will start automatically at boot"
+		if systemctl enable shorewall-init.service; then
+		    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
-		if insserv ${INITDIR}/$PRODUCT ; then
-		    echo "$Product will start automatically at boot"
+		if insserv ${INITDIR}/shorewall-init ; then
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
-		if chkconfig --add $PRODUCT ; then
-		    echo "$Product will start automatically at boot"
-		    chkconfig --list $PRODUCT
+		if chkconfig --add shorewall-init ; then
+		    echo "Shorewall Init will start automatically in run levels as follows:"
+		    chkconfig --list shorewall-init
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/rc-update ]; then
-		if rc-update add $PRODUCT default; then
-		    echo "$Product will start automatically at boot"
+		if rc-update add shorewall-init default; then
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
 		/etc/init.d/$PRODUCT enable
-		if /etc/init.d/$PRODUCT enabled; then
+		if /etc/init.d/shorewall-init enabled; then
 		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
@@ -532,11 +587,11 @@ else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
-		make_parent_directory ${DESTDIR}/etc/rcS.d 0755
+		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi

-	    ln -sf ../init.d/$PRODUCT ${DESTDIR}${CONFDIR}/rcS.d/S38${PRODUCT}
-	    echo "$Product will start automatically at boot"
+	    ln -sf ../init.d/shorewall-init ${DESTDIR}${CONFDIR}/rcS.d/S38shorewall-init
+	    echo "Shorewall Init will start automatically at boot"
 	fi
    fi
 fi
@@ -547,8 +602,8 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
    case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-		make_parent_directory ${DESTDIR}/etc/ppp/$directory 0755 #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
+		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
+		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
 	    done
 	    ;;
 	redhat)
@@ -559,19 +614,19 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
 		    if grep -qF Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
+			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"
 			break
 		    fi
 		else
-		    cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
+		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		fi
 	    done
 	    ;;
    esac
 fi
 #
-# Report Success
+#  Report Success
 #
 echo "shorewall Init Version $VERSION Installed"
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -104,9 +104,7 @@ shorewall_stop () {
    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	else
-	    rm -f "${SAVE_IPSETS}.tmp"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
 	fi
    fi

--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Init
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,34 +26,62 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -n"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-#
-# Source common functions
-#
-. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
-#
-# Parse the run line
-#
 finished=0
 configure=1

@@ -90,17 +118,16 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
-
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -110,72 +137,72 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file || exit 1
 else
    usage 1
 fi

-if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
+if [ -f ${SHAREDIR}/shorewall-init/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Init Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling $Product $VERSION"
+[ -n "${LIBEXEC:=${SHAREDIR}}" ]
+
+echo "Uninstalling Shorewall Init $VERSION"

 [ -n "$SANDBOX" ] && configure=0

-[ -n "${LIBEXEC:=${SHAREDIR}}" ]
+INITSCRIPT=${CONFDIR}/init.d/shorewall-init

-remove_file  ${SBINDIR}/$PRODUCT
-
-FIREWALL=${CONFDIR}/init.d/$PRODUCT
-
-if [ -f "$FIREWALL" ]; then
+if [ -f "$INITSCRIPT" ]; then
    if [ $configure -eq 1 ]; then
-	if [ $HOST = openwrt ] ; then
-	    if /etc/init.d/$PRODUCT enabled; then
-		/etc/init.d/$PRODUCT disable
+	if [ $HOST = openwrt ]; then
+	    if /etc/init.d/shorewall-init enabled; then
+		/etc/init.d/shorewall-init disable
 	    fi
+	elif mywhich updaterc.d ; then
+	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
-            insserv -r $FIREWALL
-	elif mywhich update-rc.d ; then
-	    update-rc.d ${PRODUCT} remove
+            insserv -r $INITSCRIPT
 	elif mywhich chkconfig ; then
-	    chkconfig --del $(basename $FIREWALL)
+	    chkconfig --del $(basename $INITSCRIPT)
 	fi
    fi

-    remove_file $FIREWALL
+    remove_file $INITSCRIPT
 fi

-[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi

 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
-    remove_file $SERVICEDIR/${PRODUCT}.service
+    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
+    rm -f $SERVICEDIR/shorewall-init.service
 fi

 if [ $HOST = openwrt ]; then
-    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 else
-    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 fi

-remove_file ${CONFDIR}/default/$PRODUCT
-remove_file ${CONFDIR}/sysconfig/$PRODUCT
+remove_file ${CONFDIR}/default/shorewall-init
+remove_file ${CONFDIR}/sysconfig/shorewall-init

 remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall

@@ -200,11 +227,10 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
 fi

-remove_directory ${SHAREDIR}/$PRODUCT
-remove_directory ${LIBEXECDIR}/$PRODUCT
-remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
+rm -f  ${SBINDIR}/shorewall-init
+rm -rf ${SHAREDIR}/shorewall-init
+rm -rf ${LIBEXECDIR}/shorewall-init
+
+echo "Shorewall Init Uninstalled"
+

-#
-# Report Success
-#
-echo "$Product $VERSION Uninstalled"
--- a/Shorewall-lite/default.debian.sysvinit
+++ b/Shorewall-lite/default.debian.sysvinit
@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following variable to 1 in order to allow Shorewall-lite to start
+# set the following varible to 1 in order to allow Shorewall-lite to start

 startup=0

@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=

 #
-# Global start/restart/reload/stop options
+# Startup options
 #
 OPTIONS=""

@@ -30,16 +30,6 @@ STARTOPTIONS=""
 #
 RESTARTOPTIONS=""

-#
-# Reload options
-#
-RELOADOPTIONS=""
-
-#
-# Stop options
-#
-STOPOPTIONS=""
-
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
--- a/Shorewall-lite/default.debian.systemd
+++ b/Shorewall-lite/default.debian.systemd
@@ -1,26 +0,0 @@
-#
-# Global start/restart/reload/stop options
-#
-OPTIONS=""
-
-#
-# Start options
-#
-STARTOPTIONS=""
-
-#
-# Restart options
-#
-RESTARTOPTIONS=""
-
-#
-# Reload options
-#
-RELOADOPTIONS=""
-
-#
-# Stop options
-#
-STOPOPTIONS=""
-
-# EOF
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,19 +22,62 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -n"
+    echo "usage: $ME [ <configuration-file> ]"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    echo "       $ME -n"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -53,6 +96,19 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod 755 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+
+}
+
+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 #
 # Change to the directory containing this script
 #
@@ -66,11 +122,6 @@ else
    Product="Shorewall6 Lite"
 fi

-#
-# Source common functions
-#
-. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
 #
 # Parse the run line
 #
@@ -117,14 +168,12 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc || exit 1
 	file=./shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+	. ~/.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	file=/usr/share/shorewall/shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -134,11 +183,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -269,7 +318,8 @@ case "$HOST" in
    linux)
 	;;
    *)
-	fatal_error "ERROR: Unknown HOST \"$HOST\""
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
 	;;
 esac

@@ -281,7 +331,7 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi

-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    make_directory ${DESTDIR}${INITDIR} 755

 else
    if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
@@ -321,20 +371,25 @@ fi

 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

-[ -n "${INITFILE}" ] && make_parent_directory ${DESTDIR}${INITDIR} 0755
+[ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755

 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-make_parent_directory ${DESTDIR}${CONFDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${SBINDIR} 0755
-make_parent_directory ${DESTDIR}${VARDIR} 0755
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${SBINDIR}
+mkdir -p ${DESTDIR}${VARDIR}
+
+chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT

 if [ -n "$DESTDIR" ]; then
-    make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}
 fi

 if [ -n "$INITFILE" ]; then
@@ -355,9 +410,9 @@ if [ -z "${SERVICEDIR}" ]; then
 fi

 if [ -n "$SERVICEDIR" ]; then
-    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -386,14 +441,8 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-        case $f in
-            *installer)
-                ;;
-            *)
-                install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-                echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-                ;;
-        esac
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
    fi
 done

@@ -421,12 +470,12 @@ if [ -f modules ]; then
 fi

 if [ -f helpers ]; then
-    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 0600
+    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 600
    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi

 for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 644
    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done

@@ -437,19 +486,19 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages

-    make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
+    mkdir -p ${DESTDIR}${MANDIR}/man5/

    for f in *.5; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 0644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done

-    make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
+    mkdir -p ${DESTDIR}${MANDIR}/man8/

    for f in *.8; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done

@@ -459,7 +508,7 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 fi

 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 644
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi

@@ -467,7 +516,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
@@ -490,7 +539,10 @@ ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
 if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-    [ ${DESTDIR} ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+    if [ ${DESTDIR} ]; then
+	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	chmod 755 ${DESTDIR}${SYSCONFDIR}
+    fi

    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
@@ -558,6 +610,6 @@ if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${
 fi

 #
-# Report Success
+#  Report Success
 #
 echo "$Product Version $VERSION Installed"
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,6 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
+#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Lite
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,7 +26,9 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall-lite
+Product="Shorewall Lite"

 usage() # $1 = exit status
 {
@@ -39,27 +41,46 @@ usage() # $1 = exit status
    exit $1
 }

-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}

-if [ -f shorewall-lite.service ]; then
-    PRODUCT=shorewall-lite
-    Product="Shorewall Lite"
-else
-    PRODUCT=shorewall6-lite
-    Product="Shorewall6 Lite"
-fi
+qt()
+{
+    "$@" >/dev/null 2>&1
+}

-#
-# Source common functions
-#
-. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}

-#
-# Parse the run line
-#
 finished=0
 configure=1

@@ -76,7 +97,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Uninstaller Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -96,17 +117,16 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
-
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -116,50 +136,46 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi

-if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
+if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Lite Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling $Product $VERSION"
+echo "Uninstalling Shorewall Lite $VERSION"

 [ -n "$SANDBOX" ] && configure=0

 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-	${SBINDIR}/$PRODUCT clear
-    elif qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
-	${SBINDIR}/$PRODUCT clear
+	shorewall-lite clear
    fi
 fi

-remove_file ${SBINDIR}/$PRODUCT
-
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
    if [ $HOST = openwrt ]; then
-	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
-	    /etc/init.d/$PRODUCT disable
+	if [ $configure -eq 1 ] && /etc/init.d/shorewall-lite enabled; then
+	    /etc/init.d/shorewall-lite disable
 	fi
 	
-	FIREWALL=$(readlink ${SHAREDIR}/$PRODUCT/init)
+	FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
    else
-	FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
    fi
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
@@ -167,10 +183,10 @@ fi

 if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
-	if mywhich insserv ; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall-lite remove
+	elif mywhich insserv ; then
            insserv -r $FIREWALL
-	elif mywhich update-rc.d ; then
-	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	fi
@@ -179,29 +195,26 @@ if [ -f "$FIREWALL" ]; then
    remove_file $FIREWALL
 fi

-[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
+[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"

 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
-    remove_file $SERVICEDIR/${PRODUCT}.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SERVICEDIR/shorewall-lite.service
 fi

-remove_directory ${CONFDIR}/$PRODUCT
-remove_directory ${VARDIR}
-remove_directory ${SHAREDIR}/$PRODUCT
-remove_directory ${LIBEXECDIR}/$PRODUCT
-remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
+rm -f ${SBINDIR}/shorewall-lite

-if [ -n "$SYSCONFDIR" ]; then
-    [ -n "$SYSCONFFILE" ] && remove_file ${SYSCONFDIR}/${PRODUCT}
-fi
+rm -rf ${CONFDIR}/shorewall-lite
+rm -rf ${VARDIR}
+rm -rf ${SHAREDIR}/shorewall-lite
+rm -rf ${LIBEXECDIR}/shorewall-lite
+rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
+rm -f  ${SYSCONFDIR}/shorewall-lite

 if [ -n "${MANDIR}" ]; then
-    remove_file_with_wildcard ${MANDIR}/man5/${PRODUCT}\*
-    remove_file_with_wildcard ${MANDIR}/man8/${PRODUCT}\*
+    rm -f ${MANDIR}/man5/shorewall-lite*
+    rm -f ${MANDIR}/man8/shorewall-lite*
 fi

-#
-# Report Success
-#
-echo "$Product $VERSION Uninstalled"
+echo "Shorewall Lite Uninstalled"
+
--- a/Shorewall/Actions/action.A_AllowICMPs.deprecated
+++ b/Shorewall/Actions/action.A_AllowICMPs.deprecated
@@ -1,9 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
-#
-# This action A_ACCEPTs needed ICMP types
-#
-###############################################################################
-#ACTION		SOURCE		DEST	PROTO		DPORT
-
-AllowICMPs(A_ACCEPT)
--- a/Shorewall/Actions/action.A_Drop.deprecated
+++ b/Shorewall/Actions/action.A_Drop.deprecated
@@ -13,7 +13,6 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ?require AUDIT_TARGET
-?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
@@ -32,10 +31,9 @@ Auth(A_DROP)
 #
 A_AllowICMPs	-	-	icmp
 #
-# Don't log broadcasts and multicasts
+# Don't log broadcasts
 #
 dropBcast(audit)
-dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ b/Shorewall/Actions/action.A_Reject.deprecated
@@ -11,8 +11,6 @@
 #    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-?require AUDIT_TARGET
-?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO
 #
@@ -27,11 +25,10 @@ COUNT
 #
 A_AllowICMPs	-	-	icmp
 #
-# Drop Broadcasts and multicasts so they don't clutter up the log
-# (these must *not* be rejected).
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
 #
 dropBcast(audit)
-dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -7,39 +7,5 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

 DEFAULTS ACCEPT
-
-?if __IPV4
-    @1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
-    @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
-?else
-?COMMENT Needed ICMP types (RFC4890)
-
-    @1	-		-	ipv6-icmp	destination-unreachable
-    @1	-		-	ipv6-icmp	packet-too-big
-    @1	-		-	ipv6-icmp	time-exceeded
-    @1	-		-	ipv6-icmp	parameter-problem
-
-# The following should have a ttl of 255 and must be allowed to transit a bridge
-    @1	-		-	ipv6-icmp	router-solicitation
-    @1	-		-	ipv6-icmp	router-advertisement
-    @1	-		-	ipv6-icmp	neighbour-solicitation
-    @1	-		-	ipv6-icmp	neighbour-advertisement
-    @1	-		-	ipv6-icmp	137	# Redirect
-    @1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
-    @1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
-
-# The following should have a link local source address and must be allowed to transit a bridge
-    @1	fe80::/10	-	ipv6-icmp	130	# Listener query
-    @1	fe80::/10	-	ipv6-icmp	131	# Listener report
-    @1	fe80::/10	-	ipv6-icmp	132	# Listener done
-    @1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
-
-# The following should be received with a ttl of 255 and must be allowed to transit a bridge
-    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
-    @1	-		-	ipv6-icmp	149	# Certificate path advertisement
-
-# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
-    @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
-    @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
-    @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
-?endif
+@1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
+@1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -20,7 +20,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Broadcast[([<action>|[,{audit|-}])]
+# Broadcast[([<action>|-[,{audit|-}])]
 #
 # Default action is DROP
 #
@@ -29,37 +29,27 @@
 DEFAULTS DROP,-

 ?if __ADDRTYPE
-    @1	-	-	-	;; -m addrtype --dst-type BROADCAST
-    @1	-	-	-	;; -m addrtype --dst-type ANYCAST
+@1	-	-	-	;; -m addrtype --dst-type BROADCAST
+@1	-	-	-	;; -m addrtype --dst-type ANYCAST
 ?else
-    ?begin perl;
+?begin perl;

-    use strict;
-    use Shorewall::IPAddrs;
-    use Shorewall::Config;
-    use Shorewall::Chains;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;

-    my ( $action, $audit ) = get_action_params( 2 );
-    my $chainref           = get_action_chain;
-    my ( $level, $tag )    = get_action_logging;
+my ( $action )         = get_action_params( 1 );
+my $chainref           = get_action_chain;
+my ( $level, $tag )    = get_action_logging;

-    fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit';
+add_commands $chainref, 'for address in $ALL_BCASTS; do';
+incr_cmd_level $chainref;
+log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+add_jump $chainref, $action, 0, "-d \$address ";
+decr_cmd_level $chainref;
+add_commands $chainref, 'done';

-    my $target             = require_audit ( $action , $audit );
+1;

-    if ( $family == F_IPV4 ) {
-        add_commands $chainref, 'for address in $ALL_BCASTS; do';
-    } elsif ($family == F_IPV6 ) {
-        add_commands $chainref, 'for address in $ALL_ACASTS; do';
-    }
-
-    incr_cmd_level $chainref;
-    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-    add_jump $chainref, $target, 0, "-d \$address ";
-    decr_cmd_level $chainref;
-    add_commands $chainref, 'done';
-
-    1;
-
-    ?end perl;
+?end perl;
 ?endif
--- a/Shorewall/Actions/action.FIN
+++ b/Shorewall/Actions/action.FIN
@@ -1,33 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.FIN
-#
-# FIN Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# FIN[([<action>])]
-#
-# Default action is ACCEPT
-#
-###############################################################################
-
-DEFAULTS ACCEPT,-
-
-@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH
--- a/Shorewall/Actions/action.GlusterFS
+++ b/Shorewall/Actions/action.GlusterFS
@@ -13,9 +13,9 @@
 DEFAULTS 2,0

 ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
-    ?error Invalid value (@1) for the GlusterFS Bricks argument
+    ?error Invalid value for Bricks (@1)
 ?elsif @2 !~ /^[01]$/
-    ?error Invalid value (@2) for the GlusterFS IB argument
+    ?error Invalid value for IB (@2)
 ?endif

 #ACTION		SOURCE		DEST		PROTO	DPORT
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -107,11 +107,6 @@ if ( $command & $REAP_OPT ) {

 $duration .= '--rttl ' if $command & $TTL_OPT;

-if ( ( $targets{$action} || 0 ) & NATRULE ) {
-    perl_action_helper( "${action}-", "-m recent --rcheck ${duration}--hitcount $hitcount" );
-    $action = 'ACCEPT';
-}
-
 if ( $command & $RESET_CMD ) {
    require_capability 'MARK_ANYWHERE', '"reset"', 's';

--- a/Shorewall/Actions/action.Limit
+++ b/Shorewall/Actions/action.Limit
@@ -22,49 +22,6 @@
 #
 # Limit(<recent-set>,<num-connections>,<timeout>)
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -,-,-
-
-?begin perl
-
-use strict;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my $chainref        = get_action_chain;
-my @param           = get_action_params(3);
-my ( $level, $tag ) = get_action_logging;
-
-@param = split( ',', $tag ), $tag = $param[0] unless supplied( join '', @param );
-
-fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
-
-my $set   = $param[0];
-
-for ( @param[1,2] ) {
-    fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
-}
-
-my $count = $param[1] + 1;
-
-require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
-
-warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
-
-add_irule $chainref, recent => "--name $set --set";
-
-if ( $level ne '' ) {
-    my $xchainref = new_chain 'filter' , "$chainref->{name}%";
-    log_irule_limit( $level, $xchainref, '', 'DROP', [], $tag, 'add' , '' );
-    add_ijump $xchainref, j => 'DROP';
-    add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
-} else {
-    add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
-}
-
-add_ijump $chainref, j => 'ACCEPT';
-
-1;
-
-?end perl
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -29,28 +29,22 @@
 DEFAULTS DROP,-

 ?if __ADDRTYPE
-    @1	-	-	-	;; -m addrtype --dst-type MULTICAST
+@1	-	-	-	;; -m addrtype --dst-type MULTICAST
 ?else
-    ?begin perl;
+?begin perl;

-    use strict;
-    use Shorewall::IPAddrs;
-    use Shorewall::Config;
-    use Shorewall::Chains;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;

-    my ( $action, $audit ) = get_action_params( 2 );
-    my $chainref           = get_action_chain;
-    my ( $level, $tag )    = get_action_logging;
+my ( $action )         = get_action_params( 1 );
+my $chainref           = get_action_chain;
+my ( $level, $tag )    = get_action_logging;

-    fatal_error "Invalid parameter to action Multicast" if supplied $audit && $audit ne 'audit';
+log_rule_limit $level, $chainref, 'Multicast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';

-    my $target = require_audit ( $action , $audit );
-    my $dest   = ( $family == F_IPV4 ) ? join( ' ', '-d', IPv4_MULTICAST . ' ' ) : join( ' ', '-d', IPv6_MULTICAST . ' ' );
+1;

-    log_rule_limit( $level, $chainref, 'Multicast' , $action, '', $tag, 'add', $dest ) if $level ne '';
-    add_jump $chainref, $target, 0, $dest;
-
-    1;
-
-    ?end perl;
+?end perl;
 ?endif
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
@@ -41,11 +41,6 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;

-if ( ( $targets{$action} || 0 ) & NATRULE ) {
-    perl_action_helper( "${action}-", "" );
-    $action = 'ACCEPT';
-}
-
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
 } else {
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
@@ -37,11 +37,6 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;

-if ( ( $targets{$action} || 0 ) & NATRULE ) {
-    perl_action_helper( "${action}-", "" );
-    $action = 'ACCEPT';
-}
-
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {
--- a/Shorewall/Actions/action.allowBcast
+++ b/Shorewall/Actions/action.allowBcast
@@ -22,17 +22,6 @@
 #
 # allowBcast[([audit])]
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Broadcast(A_ACCEPT)
-    ?else
-	?error "Invalid argument (@1) to allowBcast"
-    ?endif
-?else
-    Broadcast(ACCEPT)
-?endif
--- a/Shorewall/Actions/action.allowMcast
+++ b/Shorewall/Actions/action.allowMcast
@@ -22,17 +22,6 @@
 #
 # allowMcast[([audit])]
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Multicast(A_ACCEPT)
-    ?else
-	?error "Invalid argument (@1) to allowMcast"
-    ?endif
-?else
-    Multicast(ACCEPT)
-?endif
--- a/Shorewall/Actions/action.allowinUPnP
+++ b/Shorewall/Actions/action.allowinUPnP
@@ -22,19 +22,6 @@
 #
 # allowinUPnP[([audit])]
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	A_ACCEPT - - 17 1900
-	A_ACCEPT - -  6 49152
-    ?else
-	?error "Invalid argument (@1) to allowinUPnP"
-    ?endif
-?else
-    ACCEPT - - 17 1900
-    ACCEPT - -	6 49152
-?endif
--- a/Shorewall/Actions/action.dropBcast
+++ b/Shorewall/Actions/action.dropBcast
@@ -22,18 +22,6 @@
 #
 # dropBcast[([audit])]
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Broadcast(A_DROP)
-    ?else
-	?error "Invalid argument (@1) to dropBcast"
-    ?endif
-?else
-    Broadcast(DROP)
-?endif
-
--- a/Shorewall/Actions/action.dropBcasts
+++ b/Shorewall/Actions/action.dropBcasts
@@ -1,39 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropBcasts
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropBcasts[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Broadcast(A_DROP)
-    ?else
-	?error "Invalid argument (@1) to dropBcasts"
-    ?endif
-?else
-    Broadcast(DROP)
-?endif
-
--- a/Shorewall/Actions/action.dropMcast
+++ b/Shorewall/Actions/action.dropMcast
@@ -22,17 +22,6 @@
 #
 # dropMcast[([audit])]
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Multicast(A_DROP)
-    ?else
-	?error "Invalid argument (@1) to dropMcast"
-    ?endif
-?else
-    Multicast(DROP)
-?endif
--- a/Shorewall/Actions/action.dropNotSyn
+++ b/Shorewall/Actions/action.dropNotSyn
@@ -22,17 +22,6 @@
 #
 # dropNotSyn[([audit])]
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	A_DROP {proto=6:!syn}
-    ?else
-	?error "Invalid argument (@1) to dropNotSyn"
-    ?endif
-?else
-    DROP {proto=6:!syn}
-?endif
--- a/Shorewall/Actions/action.forwardUPnP
+++ b/Shorewall/Actions/action.forwardUPnP
@@ -22,22 +22,6 @@
 #
 # forwardUPnP
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?begin perl
-
-use strict;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my $chainref = get_action_chain;
-
-set_optflags( $chainref, DONT_OPTIMIZE );
-
-add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
-
-1;
-
-?end perl
--- a/Shorewall/Actions/action.rejNotSyn
+++ b/Shorewall/Actions/action.rejNotSyn
@@ -22,18 +22,6 @@
 #
 # rejNotSyn[([audit])]
 #
+# This is a built-in action.
+#
 ###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	A_REJECT {proto=6:!syn}
-    ?else
-	?error "Invalid argument (@1) to rejNotSyn"
-    ?endif
-?else
-    REJECT(tcp-reset) {proto=6:!syn}
-?endif
-
--- a/Shorewall/Macros/macro.RDP
+++ b/Shorewall/Macros/macro.RDP
@@ -6,5 +6,4 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

-PARAM	-	-	udp	3389
 PARAM	-	-	tcp	3389
--- a/Shorewall/Makefile-lite
+++ b/Shorewall/Makefile-lite
@@ -0,0 +1,82 @@
+#     Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+################################################################################
+# Place this file in each export directory. Modify each copy to set HOST
+# to the name of the remote firewall corresponding to the directory.
+#
+#	To make the 'firewall' script, type "make".
+#
+#	Once the script is compiling correctly, you can install it by
+#	typing "make install".
+#
+################################################################################
+#                             V A R I A B L E S
+#
+# Files in the export directory on which the firewall script does not depend
+#
+IGNOREFILES =  firewall% Makefile% trace% %~
+#
+# Remote Firewall system
+#
+HOST = gateway
+#
+# Save some typing
+#
+LITEDIR = /var/lib/shorewall-lite
+#
+# Set this if the remote system has a non-standard modules directory
+#
+MODULESDIR=
+#
+# Default target is the firewall script
+#
+################################################################################
+#                                T A R G E T S
+#
+all: firewall
+#
+# Only generate the capabilities file if it doesn't already exist
+#
+capabilities:
+	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
+	scp root@$(HOST):$(LITEDIR)/capabilities .
+#
+# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
+# 'filter-out' will be presented with the list of files in this directory rather than "*"
+#
+firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
+	shorewall compile -e . firewall
+#
+# Only reload on demand.
+#
+install: firewall
+	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
+	ssh root@$(HOST) "/sbin/shorewall-lite restart"
+#
+# Save running configuration
+#
+save:
+	ssh root@$(HOST) "/sbin/shorewall-lite save"
+#
+# Remove generated files
+#
+clean:
+	rm -f capabilities firewall firewall.conf reload
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -195,7 +195,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';

-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT_SECTION;
+    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;

    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
    my $prerule = '';
@@ -266,7 +266,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    if ( $source eq 'any' || $source eq 'all' ) {
        $source = ALLIP;
    } else {
-	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT_SECTION || ! $asection );
+	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
    }

    if ( have_bridges && ! $asection ) {
@@ -519,9 +519,9 @@ sub setup_accounting() {

 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 ( keys %accountingjumps ) {
+		    for my $chain1 ( sort  keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -32,7 +32,6 @@ require Exporter;
 use Scalar::Util 'reftype';
 use Digest::SHA qw(sha1_hex);
 use File::Basename;
-use Socket;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
@@ -138,12 +137,6 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE

-				       validate_port
-				       validate_portpair
-				       validate_portpair1
-				       validate_port_list
-				       expand_port_range
-
 				       PREROUTING
 				       INPUT
 				       FORWARD
@@ -412,14 +405,14 @@ our $VERSION = 'MODULEVERSION';
 #   Provider Chains for provider <p>
 #      Load Balance    - ~<p>
 #
-#   Zone-pair chains for rules chain <z1-z2>
+#   Zone-pair chains for rules chain <z12z2>
 #
-#      Syn Flood       - @<z1-z2>
-#      Blacklist       - <z1-z2>~
-#      Established     - ^<z1-z2>
-#      Related         - +<z1-z2>
-#      Invalid         - _<z1-z2>
-#      Untracked       - &<z1-z2>
+#      Syn Flood       - @<z12z2>
+#      Blacklist       - <z12z2>~
+#      Established     - ^<z12z2>
+#      Related         - +<z12z2>
+#      Invalid         - _<z12z2>
+#      Untracked       - &<z12z2>
 #
 our %chain_table;
 our $raw_table;
@@ -441,7 +434,7 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       REDIRECT     =>     0x20,       #'REDIRECT'
 	       ACTION       =>     0x40,       #An action (may be built-in)
 	       MACRO        =>     0x80,       #A Macro
-	       LOGRULE      =>    0x100,       #'LOG','ULOG','NFLOG'
+	       LOGRULE      =>    0x100,       #'LOG','NFLOG'
 	       NFQ          =>    0x200,       #'NFQUEUE'
 	       CHAIN        =>    0x400,       #Manual Chain
 	       SET          =>    0x800,       #SET
@@ -516,7 +509,6 @@ our $idiotcount1;
 our $hashlimitset;
 our $global_variables;
 our %address_variables;
-our %port_variables;
 our $ipset_rules;

 #
@@ -792,7 +784,6 @@ sub initialize( $$$ ) {
    %interfaceacasts    = ();
    %interfacegateways  = ();
    %address_variables  = ();
-    %port_variables     = ();

    $global_variables   = 0;
    $idiotcount         = 0;
@@ -828,211 +819,6 @@ sub initialize( $$$ ) {
    #
 }

-sub record_runtime_port( $ ) {
-    my ( $variable ) = @_;
-
-    if ( $variable =~ /^{([a-zA-Z_]\w*)}$/ ) {
-	fatal_error "Variable %variable is already used as an address variable" if $address_variables{$1};
-	$port_variables{$1} = 1;
-    } else {
-	fatal_error( "Invalid port variable (%$variable)" );
-    }
-
-    "\$$variable";
-}
-
-################################################################################
-# Functions moved from IPAddrs.pm in 5.1.5				       #
-################################################################################
-
-sub validate_port( $$ ) {
-    my ($proto, $port) = @_;
-
-    my $value;
-
-    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
-	$value = numeric_value $port;
-
-	if ( defined $value ) {
-	    if ( $value && $value <= 65535 ) {
-		return $value;
-	    } else {
-		$value = undef;
-	    }
-	}
-    } elsif ( $port =~ /^%(.*)/ ) {
-	$value = record_runtime_port( $1 );
-    } else {
-	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
-	$value = getservbyname( $port, $proto );
-    }
-
-    return $value if defined $value;
-
-    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
-
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
-}
-
-sub validate_portpair( $$ ) {
-    my ($proto, $portpair) = @_;
-    my $what;
-    my $pair = $portpair;
-    #
-    # Accept '-' as a port-range separator
-    #
-    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
-
-    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
-
-    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
-    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
-
-    my @ports = split /:/, $pair, 2;
-
-    my $protonum = resolve_proto( $proto ) || 0;
-
-    $_ = validate_port( $protonum, $_) for grep $_, @ports;
-
-    if ( @ports == 2 ) {
-	$what = 'port range';
-
-	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
-	    fatal_error "Invalid port range ($_[1])" unless $ports[0] < $ports[1];
-	}
-    } else {
-	$what = 'port';
-    }
-
-    fatal_error "Using a $what ( $_[1] ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP     ||
-			       $protonum == UDP     ||
-			       $protonum == UDPLITE ||
-			       $protonum == SCTP    ||
-			       $protonum == DCCP );
-    join ':', @ports;
-
-}
-
-sub validate_portpair1( $$ ) {
-    my ($proto, $portpair) = @_;
-    my $what;
-
-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
-
-    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
-
-    my @ports = split /-/, $portpair, 2;
-
-    my $protonum = resolve_proto( $proto ) || 0;
-
-    $_ = validate_port( $protonum, $_) for grep $_, @ports;
-
-    if ( @ports == 2 ) {
-	$what = 'port range';
-
-	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
-	    fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
-	}
-    } else {
-	$what = 'port';
-	fatal_error 'Invalid port number (0)' unless $portpair;
-    }
-
-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP  ||
-			       $protonum == UDP  ||
-			       $protonum == SCTP ||
-			       $protonum == DCCP );
-    join '-', @ports;
-
-}
-
-sub validate_port_list( $$ ) {
-    my $result = '';
-    my ( $proto, $list ) = @_;
-    my @list   = split_list( $list, 'port' );
-
-    if ( @list > 1 && $list =~ /[:-]/ ) {
-	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
-    }
-
-    $proto = proto_name $proto;
-
-    for ( @list ) {
-	my $value = validate_portpair( $proto , $_ );
-	$result = $result ? join ',', $result, $value : $value;
-    }
-
-    $result;
-}
-
-#
-# Expands a port range into a minimal list of ( port, mask ) pairs.
-# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
-#
-# Example:
-#
-#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
-#       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
-#
-sub expand_port_range( $$ ) {
-    my ( $proto, $range ) = @_;
-
-    if ( $range =~ /^(.*):(.*)$/ ) {
-	my ( $first, $last ) = ( $1, $2);
-	my @result;
-
-	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
-	#
-	# Supply missing first/last port number
-	#
-	$first = 0     if $first eq '';
-	$last  = 65535 if $last eq '';
-	#
-	# Validate the ports
-	#
-	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
-
-	$last++; #Increment last address for limit testing.
-	#
-	# Break the range into groups:
-	#
-	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
-	#      - Otherwise, find the largest power of two P that divides the first address such that
-	#        the remaining range has less than or equal to P ports. The next group is
-	#        ( <first> , ~( P-1 ) ).
-	#
-	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
-	    my $mask = 0xffff;         #Mask for current ports in group.
-	    my $y    = 2;              #Next power of two to test
-	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
-
-	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
-		$mask <<= 1;
-		$z  = $y;
-		$y <<= 1;
-	    }
-	    #
-	    #
-	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
-	    $first += $z;
-	}
-
-	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
-
-	@result;
-
-    } else {
-	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
-    }
-}
-
-################################################################################
-# End functions moved from IPAddrs.pm in 5.1.5				       #
-################################################################################
-
 #
 # Functions to manipulate cmdlevel
 #
@@ -1295,11 +1081,11 @@ sub format_option( $$ ) {

    assert( ! reftype $value );

-    my $rule;
+    my $rule = '';

    $value =~ s/\s*$//;

-    $rule = join( ' ' , ' -m', $option, $value );
+    $rule .= join( ' ' , ' -m', $option, $value );

    $rule;
 }
@@ -1345,6 +1131,8 @@ sub format_rule( $$;$ ) {
 	    } else {
 		$rule .= join( '' , ' --', $_, ' ', $value );
 	    }
+
+	    next;
 	} elsif ( $type == EXPENSIVE ) {
 	    #
 	    # Only emit expensive matches now if there are '-m nfacct' or '-m recent' matches in the rule
@@ -1403,15 +1191,13 @@ sub compatible( $$ ) {
    }
    #
    # Don't combine chains where each specifies
-    #    -m policy and the policies are different
+    #    -m policy
    # or when one specifies
    #    -m multiport
    # and the other specifies
    #    --dport or --sport or -m multiport
    #
-    my ( $p1, $p2 );
-
-    return ! ( ( ( $p1 = $ref1->{policy} ) && ( $p2 = $ref2->{policy} ) && $p1 ne $p2 ) ||
+    return ! ( $ref1->{policy} && $ref2->{policy} ||
 	       ( ( $ref1->{multiport} && ( $ref2->{dport} || $ref2->{sport} || $ref2->{multiport} ) ) ||
 		 ( $ref2->{multiport} && ( $ref1->{dport} || $ref1->{sport} ) ) ) );
 }
@@ -1437,7 +1223,7 @@ sub merge_rules( $$$ ) {
 	}
    }

-    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) {
+    for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }

@@ -1453,7 +1239,7 @@ sub merge_rules( $$$ ) {

    set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};

-    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) {
+    for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }

@@ -1929,7 +1715,7 @@ sub delete_reference( $$ ) {

    assert( $toref );

-    delete $toref->{references}{$fromref->{name}} if --$toref->{references}{$fromref->{name}} <= 0;
+    delete $toref->{references}{$fromref->{name}} unless --$toref->{references}{$fromref->{name}} > 0;
 }

 #
@@ -2067,7 +1853,7 @@ sub adjust_reference_counts( $$$ ) {
    my ($toref, $name1, $name2) = @_;

    if ( $toref ) {
-	delete $toref->{references}{$name1} if --$toref->{references}{$name1} <= 0;
+	delete $toref->{references}{$name1} unless --$toref->{references}{$name1} > 0;
 	$toref->{references}{$name2}++;
    }
 }
@@ -3275,10 +3061,8 @@ sub initialize_chain_table($) {
 	$chainref = new_nat_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
-	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS   ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
    }

@@ -3675,7 +3459,7 @@ sub optimize_level4( $$ ) {
 				#
 				delete_chain_and_references( $chainref );
 				$progress = 1;
-			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
+			    } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 				#
 				# This case requires a new rule merging algorithm. Ignore this chain from
 				# now on.
@@ -3902,21 +3686,12 @@ sub optimize_level8( $$$ ) {
 		    }

 		    $combined{ $chainref1->{name} } = $chainref->{name};
-		    #
-		    # While rare, it is possible for a policy chain to be combined with a non-policy chain. So we need to preserve
-		    # the policy attributes in the combined chain
-		    #
-		    if ( $chainref->{policychain} ) {
-			@{$chainref1}{qw(policychain policy)} = @{$chainref}{qw(policychain policy)} unless $chainref1->{policychain};
-		    } elsif ( $chainref1->{policychain} ) {
-			@{$chainref}{qw(policychain policy)} = @{$chainref1}{qw(policychain policy)} unless $chainref->{policychain};
-		    }
 		}
 	    }
 	}

 	if ( $progress ) {
-	    my @rename = keys %rename;
+	    my @rename = sort keys %rename;
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
@@ -4781,8 +4556,7 @@ sub do_proto( $$$;$ )

    if ( $proto ne '' ) {

-	my $synonly  = ( $proto =~ s/:(!)?syn$//i );
-	my $notsyn   = $1;
+	my $synonly  = ( $proto =~ s/:syn$//i );
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;

@@ -4800,7 +4574,7 @@ sub do_proto( $$$;$ )
 		$output  = "${invert}-p ${proto} ";
 	    } else {
 		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
-		$output = $notsyn ? "-p $proto ! --syn " : "-p $proto --syn ";
+		$output = "-p $proto --syn ";
 	    }

 	    fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
@@ -4837,7 +4611,7 @@ sub do_proto( $$$;$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
+				$ports   = validate_portpair $pname , $ports;
 				$output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
 			    }
 			}
@@ -5044,7 +4818,7 @@ sub do_iproto( $$$ )
 				$multiport = 1;
 			    }  else {
 				fatal_error "Missing DEST PORT" unless supplied $ports;
-				$ports   = validate_portpair $pname , $ports unless $ports =~ /^\$/;
+				$ports   = validate_portpair $pname , $ports;

 				if ( $srcndst ) {
 				    push @output, multiport => "${invert}--ports ${ports}";
@@ -5983,7 +5757,6 @@ sub record_runtime_address( $$;$$ ) {

    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
-	fatal_error "Variable %variable is already used as a port variable" if $port_variables{$1};
 	$address_variables{$1} = $addrtype;
 	return '$' . "$1 ";
    }
@@ -6329,7 +6102,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
    }

-    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
+    $net = validate_net $net, 1;
    $net eq ALLIP ? '' : "-d $net ";
 }

@@ -6410,7 +6183,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
    }

-    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
+    $net = validate_net $net, 1;
    $net eq ALLIP ? () : ( d =>  $net );
 }

@@ -7069,8 +6842,6 @@ sub interface_gateway( $ ) {
 sub get_interface_gateway ( $;$$ ) {
    my ( $logical, $protect, $provider ) = @_;

-    $provider = '' unless defined $provider;
-
    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );
    my $gateway  = get_interface_option( $interface, 'gateway' );
@@ -7084,9 +6855,9 @@ sub get_interface_gateway ( $;$$ ) {
    }

    if ( interface_is_optional $logical ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider));
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface));
    } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface $provider)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
 [ -n "\$$variable" ] || startup_error "Unable to detect the gateway through interface $interface");
    }

@@ -7209,13 +6980,13 @@ sub set_global_variables( $$ ) {
    if ( $conditional ) {
 	my ( $interface, @interfaces );

-	@interfaces = keys %interfaceaddr;
+	@interfaces = sort keys %interfaceaddr;

 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}

-	@interfaces = keys %interfacegateways;
+	@interfaces = sort keys %interfacegateways;

 	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
@@ -7225,36 +6996,36 @@ sub set_global_variables( $$ ) {
 	    emit( qq(fi\n) );
 	}

-	@interfaces = keys %interfacemacs;
+	@interfaces = sort keys %interfacemacs;

 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
    } else {
-	emit $_     for values %interfaceaddr;
-	emit "$_\n" for values %interfacegateways;
-	emit $_     for values %interfacemacs;
+	emit $_     for sort values %interfaceaddr;
+	emit "$_\n" for sort values %interfacegateways;
+	emit $_     for sort values %interfacemacs;
    }

    if ( $setall ) {
-	emit $_ for values %interfaceaddrs;
-	emit $_ for values %interfacenets;
+	emit $_ for sort values %interfaceaddrs;
+	emit $_ for sort values %interfacenets;

 	unless ( have_capability( 'ADDRTYPE' ) ) {

 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for values %interfacebcasts;
+		emit $_ for sort values %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for values %interfaceacasts;
+		emit $_ for sort values %interfaceacasts;
 	    }
 	}
    }
 }

 sub verify_address_variables() {
-    for my $variable ( keys %address_variables ) {
+    for my $variable ( sort keys %address_variables ) {
 	my $type = $address_variables{$variable};
 	my $address = "\$$variable";

@@ -7273,19 +7044,6 @@ sub verify_address_variables() {
 	      qq(    startup_error "Invalid value ($address) for address variable $variable"),
 	      qq(fi\n) );
    }
-
-    for my $variable( keys %port_variables ) {
-	my $port = "\$$variable";
-	my $type = $port_variables{$variable};
-
-	emit( qq(if [ -z "$port" ]; then) ,
-	      qq(    $variable=255) ,
-	      qq(elif qt \$g_tool -A INPUT -p 6 --dport $port; then) ,
-	      qq(    qt \$g_tool -D INPUT -p 6 --dport $variable) ,
-	      qq(else) ,
-	      qq(    startup_error "Invalid valid ($port) for port variable $variable") ,
-	      qq(fi\n) );
-    }
 }

 #
@@ -7535,11 +7293,6 @@ sub isolate_dest_interface( $$$$ ) {

 	    $rule .= "-d $variable ";
 	}
-    } elsif ( $dest =~ /^\$/ ) {
-	#
-	# Runtime address variable
-	#
-	$dnets  = $dest;
    } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
@@ -8189,7 +7942,7 @@ sub add_interface_options( $ ) {
 	#
 	# Generate a digest for each chain
 	#
-	for my $chainref ( values %input_chains, values %forward_chains ) {
+	for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) {
 	    my $digest = '';

 	    assert( $chainref );
@@ -8208,7 +7961,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = sort keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;

 	    if ( @input_interfaces > 1 ) {
@@ -8294,7 +8047,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = keys %{zone_interfaces( $zone2 )};
+		my @interfaces = sort keys %{zone_interfaces( $zone2 )};
 		my $chain1ref;

 		for my $interface ( @interfaces ) {
@@ -8463,7 +8216,6 @@ sub save_docker_rules($) {
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
-	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
 	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
 	);

@@ -8479,7 +8231,6 @@ sub save_docker_rules($) {
 	  q(    rm -f ${VARDIR}/.nat_OUTPUT),
 	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER),
-	  q(    rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
 	  q(    rm -f ${VARDIR}/.filter_FORWARD),
 	  q(fi)
@@ -8702,7 +8453,7 @@ sub create_save_ipsets() {
 	    #
 	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );

-	    my @sets = keys %ipsets;
+	    my @sets = sort keys %ipsets;

 	    emit( '' ,
 		  '    rm -f $file' ,
@@ -8878,7 +8629,7 @@ sub create_load_ipsets() {
 #
 sub create_nfobjects() {
    
-    my @objects = ( keys %nfobjects );
+    my @objects = ( sort keys %nfobjects );

    if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -8893,7 +8644,7 @@ sub create_nfobjects() {
 	}
    }

-    for ( keys %nfobjects ) {
+    for ( sort keys %nfobjects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -8922,15 +8673,9 @@ sub create_netfilter_load( $ ) {
    my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';

    emit( '',
-	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then' );
-
-    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
-	emit( '    option="--counters --wait "' . $config{MUTEX_TIMEOUT} );
-    } else {
-	emit( '    option="--counters"' );
-    }
-
-    emit( '',
+	  'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
+	  '    option="--counters"',
+	  '',
 	  '    progress_message "Reusing existing ruleset..."',
 	  '',
 	  'else'
@@ -8938,11 +8683,7 @@ sub create_netfilter_load( $ ) {

    push_indent;

-    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
-	emit 'option="--wait "' . $config{MUTEX_TIMEOUT};
-    } else {
-	emit 'option=';
-    }
+    emit 'option=';

    save_progress_message "Preparing $utility input...";

@@ -8991,10 +8732,6 @@ sub create_netfilter_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
-		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode;
-			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
-			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9099,11 +8836,6 @@ sub preview_netfilter_load() {
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
-		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode1 unless $mode == CMD_MODE;
-			print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
-			print "\n";
-			enter_cat_mode1;
 		    } else {		    
 			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
@@ -9341,10 +9073,6 @@ sub create_stop_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
-		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
-			enter_cmd_mode;
-			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
-			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9370,11 +9098,7 @@ sub create_stop_load( $ ) {

    enter_cmd_mode;

-    if ( have_capability( 'RESTORE_WAIT_OPTION' ) ) {
-	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' --wait ' . $config{MUTEX_TIMEOUT} . '"' );
-    } else {
-	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
-    }
+    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );

    emit( '',
 	  'progress_message2 "Running $command..."',
@@ -9396,7 +9120,7 @@ sub initialize_switches() {
    if ( keys %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
-	for my $switch ( keys %switches ) {
+	for my $switch ( sort keys %switches ) {
 	    my $setting = $switches{$switch};
 	    my $file = "/proc/net/nf_condition/$switch";
 	    emit "[ -f $file ] && echo $setting->{setting} > $file";
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -93,10 +93,11 @@ sub generate_script_1( $ ) {
 	    my $date = compiletime;

 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
+
+	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
 	}

-	copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
-	copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
    }

    my $lib = find_file 'lib.private';
@@ -109,7 +110,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF

-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -209,8 +210,6 @@ sub generate_script_2() {
    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
-    emit ( qq([ -n "\${CONFDIR:=$shorewallrc1{CONFDIR}}" ]) );
-    emit ( qq([ -n "\${SHAREDIR:=$shorewallrc1{SHAREDIR}}" ]) );

    emit 'TEMPFILE=';

@@ -268,8 +267,7 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
 	emit( '' );
    }

@@ -692,7 +690,6 @@ sub compiler {
    set_timestamp( $timestamp );
    set_debug( $debug , $confess );
    #
-    #                                      S H O R E W A L L R C ,
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
    get_configuration( $export , $update , $annotate , $inline );
@@ -797,10 +794,13 @@ sub compiler {
 	emit '}'; # End of setup_common_rules()
    }

+    disable_script;
    #
    #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
+    enable_script;
+    #
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
@@ -945,7 +945,7 @@ sub compiler {
 	#
 	# Copy the footer to the script
 	#
-	copy $globals{SHAREDIRPL} . 'prog.footer';
+	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;

 	disable_script;
 	#
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -36,13 +36,11 @@ use strict;
 use warnings;
 use File::Basename;
 use File::Temp qw/ tempfile tempdir /;
-use File::Glob ':globally';
 use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 use Scalar::Util 'reftype';
 use FindBin;
 use Digest::SHA qw(sha1_hex);
-use Errno qw(:POSIX);

 our @ISA = qw(Exporter);
 #
@@ -88,9 +86,6 @@ our @EXPORT = qw(
 		 kernel_version

                 compiletime
-				       
-		 F_IPV4
-		 F_IPV6
                );

 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -201,6 +196,9 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script

                                       PARMSMODIFIED
                                       USEDCALLER
+				       
+		                       F_IPV4
+		                       F_IPV6

 				       TCP
 				       UDP
@@ -317,7 +315,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -415,9 +413,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
                 WAIT_OPTION     => 'iptables --wait option',
                 CPU_FANOUT      => 'NFQUEUE CPU Fanout',
                 NETMAP_TARGET   => 'NETMAP Target',
-                 NFLOG_SIZE      => '--nflog-size support',
-		 RESTORE_WAIT_OPTION
-				 => 'iptables-restore --wait option',
+
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -492,55 +488,53 @@ our %helpers_aliases;
 our %helpers_enabled;

 our %config_files = ( #accounting      => 1,
-		      actions	       => 1,
-		      blacklist	       => 1,
-		      clear	       => 1,
-		      conntrack	       => 1,
-		      ecn	       => 1,
-		      findgw	       => 1,
-		      hosts	       => 1,
-		      init	       => 1,
-		      initdone	       => 1,
+		      actions          => 1,
+		      blacklist        => 1,
+		      clear            => 1,
+		      conntrack        => 1,
+		      ecn              => 1,
+		      findgw           => 1,
+		      hosts            => 1,
+		      init             => 1,
+		      initdone         => 1,
 		      interfaces       => 1,
-		      isusable	       => 1,
-		      maclist	       => 1,
-		      mangle	       => 1,
-		      masq	       => 1,
-		      nat	       => 1,
-		      netmap	       => 1,
-		      params	       => 1,
-		      policy	       => 1,
-		      providers	       => 1,
-		      proxyarp	       => 1,
-		      refresh	       => 1,
-		      refreshed	       => 1,
-		      restored	       => 1,
-		      rawnat	       => 1,
+		      isusable         => 1,
+		      maclist          => 1,
+		      masq             => 1,
+		      nat              => 1,
+		      netmap           => 1,
+		      params           => 1,
+		      policy           => 1,
+		      providers        => 1,
+		      proxyarp         => 1,
+		      refresh          => 1,
+		      refreshed        => 1,
+		      restored         => 1,
+		      rawnat           => 1,
 		      route_rules      => 1,
-		      routes	       => 1,
+		      routes           => 1,
 		      routestopped     => 1,
-		      rtrules	       => 1,
-		      rules	       => 1,
-		      scfilter	       => 1,
-		      secmarks	       => 1,
-		      snat	       => 1,
-		      start	       => 1,
-		      started	       => 1,
-		      stop	       => 1,
-		      stopped	       => 1,
+		      rtrules          => 1,
+		      rules            => 1,
+		      scfilter         => 1,
+		      secmarks         => 1,
+		      start            => 1,
+		      started          => 1,
+		      stop             => 1,
+		      stopped          => 1,
 		      stoppedrules     => 1,
-		      tcclasses	       => 1,
-		      tcclear	       => 1,
-		      tcdevices	       => 1,
-		      tcfilters	       => 1,
+		      tcclasses        => 1,
+		      tcclear          => 1,
+		      tcdevices        => 1,
+		      tcfilters        => 1,
 		      tcinterfaces     => 1,
-		      tcpri	       => 1,
-		      tcrules	       => 1,
-		      tos	       => 1,
-		      tunnels	       => 1,
-		      zones	       => 1 );
+		      tcpri            => 1,
+		      tcrules          => 1,
+		      tos              => 1,
+		      tunnels          => 1,
+		      zones            => 1 );
 #
-# Options that involve the AUDIT target
+# Options that involve the the AUDIT target
 #
 our @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
 #
@@ -650,7 +644,6 @@ our %eliminated = ( LOGRATE          => 1,
 		    HIGH_ROUTE_MARKS => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
-                    MODULE_SUFFIX    => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -755,8 +748,8 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.8-Beta1",
-		    CAPVERSION              => 50106 ,
+		    VERSION                 => "5.1.1-RC1",
+		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -851,6 +844,7 @@ sub initialize( $;$$) {
 	  BLACKLIST => undef,
 	  BLACKLISTNEWONLY => undef,
 	  DELAYBLACKLISTLOAD => undef,
+	  MODULE_SUFFIX => undef,
 	  DISABLE_IPV6 => undef,
 	  DYNAMIC_ZONES => undef,
 	  PKTTYPE=> undef,
@@ -913,8 +907,6 @@ sub initialize( $;$$) {
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
 	  BALANCE_PROVIDERS => undef ,
-	  PERL_HASH_SEED => undef ,
-	  USE_NFLOG_SIZE => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1010,7 +1002,7 @@ sub initialize( $;$$) {
 	       CONNLIMIT_MATCH => undef,
 	       TIME_MATCH => undef,
 	       GOTO_TARGET => undef,
-	       LOG_TARGET => undef,
+	       LOG_TARGET => 1,         # Assume that we have it.
 	       ULOG_TARGET => undef,
 	       NFLOG_TARGET => undef,
 	       LOGMARK_TARGET => undef,
@@ -1048,8 +1040,6 @@ sub initialize( $;$$) {
 	       WAIT_OPTION => undef,
 	       CPU_FANOUT => undef,
 	       NETMAP_TARGET => undef,
-	       NFLOG_SIZE => undef,
-	       RESTORE_WAIT_OPTION => undef,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1102,7 +1092,7 @@ sub initialize( $;$$) {

    %compiler_params = ();

-    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '', callfile => '', callline => ''  );
+    %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
    $parmsmodified = 0;
    $usedcaller    = 0;
    %ipsets = ();
@@ -1175,7 +1165,7 @@ sub initialize( $;$$) {
    #
    # Process the global shorewallrc file
    #
-    #   Note: The build script calls this function passing only the protocol family
+    #   Note: The build file executes this function passing only the protocol family
    #
    process_shorewallrc( $shorewallrc,
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
@@ -1226,9 +1216,10 @@ sub compiletime() {
 # Create 'currentlineinfo'
 #
 sub currentlineinfo() {
-    if ( $currentfilename ) {
-	my $linenumber = $currentlinenumber || 1;
-	my $lineinfo   = " $currentfilename ";
+    my $linenumber = $currentlinenumber || 1;
+
+    if ( $currentfile ) {
+	my $lineinfo = " $currentfilename ";
 	
 	if ( $linenumber eq 'EOF' ) {
 	    $lineinfo .= '(EOF)'
@@ -1994,7 +1985,6 @@ sub find_file($)
    for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
-	$!{ENOENT} || fatal_error "Unable to access $file: " . $!; 
    }

    "$config_path[0]$filename";
@@ -2187,7 +2177,7 @@ sub split_list3( $$ ) {
 	    $element = join ',', $element , $_;
 	}
    }
-
+    
    unless ( $opencount == 0 ) {
 	fatal_error "Invalid $type ($list)";
    }
@@ -2242,7 +2232,7 @@ sub split_list4( $ ) {
 sub split_columns( $ ) {
    my ($list) = @_;

-    return split ' ', $list unless $list =~ /[()]/;
+    return split ' ', $list unless $list =~ /\(/;

    my @list1 = split ' ', $list;
    my @list2;
@@ -2283,7 +2273,9 @@ sub split_columns( $ ) {
 	}
    }

-    fatal_error "Mismatched parentheses ($list)" unless $opencount == 0;
+    unless ( $opencount == 0 ) {
+	fatal_error "Mismatched parentheses ($list)";
+    }

    @list2;
 }
@@ -2296,7 +2288,7 @@ sub clear_comment();
 #    ensure that it has an appropriate number of columns.
 #    supply '-' in omitted trailing columns.
 #    Handles all of the supported forms of column/pair specification
-#    Handles segragating raw iptables input in rules
+#    Handles segragating raw iptables input in INLINE rules
 #
 sub split_line2( $$;$$$ ) {
    my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;
@@ -2349,7 +2341,7 @@ sub split_line2( $$;$$$ ) {

 	    $inline_matches = $pairs;

-	    if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
+	    if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
 		#
 		# Pairs are enclosed in curly brackets.
 		#
@@ -2365,7 +2357,7 @@ sub split_line2( $$;$$$ ) {
 	    if ( $currline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
 		$inline_matches = $pairs;

-		if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
+		if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
 		    #
 		    # Pairs are enclosed in curly brackets.
 		    #
@@ -2379,7 +2371,7 @@ sub split_line2( $$;$$$ ) {
 	} elsif ( $checkinline ) {
 	    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
 	}
-    } elsif ( $currline =~ /^(\s*|.*[^&@%])\{(.*)\}$/ ) {
+    } elsif ( $currline =~ /^(\s*|.*[^&@%]){(.*)}$/ ) {
 	#
 	# Pairs are enclosed in curly brackets.
 	#
@@ -2445,12 +2437,12 @@ sub split_line2( $$;$$$ ) {
 		}
 	    } else {
 		fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
+		$column = $columnsref->{$column};
+		fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
 		$value = $1 if $value =~ /^"([^"]+)"$/;
 		$value =~ s/\\"/"/g;
-		fatal_error "Non-ASCII gunk in the value of the $column column" if $value =~ /[^\s[:print:]]/;
-		my $colnum = $columnsref->{$column};
-		warning_message qq(Replacing "$line[$colnum]" with "$value" in the ) . uc( $column ) . ' column' if $line[$colnum] ne '-';
-		$line[$colnum] = $value;
+		fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
+		$line[$column] = $value;
 	    }
 	}
    }
@@ -2577,7 +2569,7 @@ sub open_file( $;$$$$ ) {
 	$max_format       = supplied $mf ? $mf : 1;
 	$comments_allowed = supplied $ca ? $ca : 0;
 	$nocomment        = $nc;
-	do_open_file $fname;
+	do_open_file $fname;;
    } else {
 	$ifstack = @ifstack;
 	'';
@@ -2790,7 +2782,7 @@ sub evaluate_expression( $$$$ ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
-	    $usedcaller = USEDCALLER if $var =~ /^(?:caller|callfile|callline)$/;
+	    $usedcaller = USEDCALLER if $var eq 'caller';
 	    $expression = join_parts( $first, $val, $rest , $just_expand );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
@@ -2826,6 +2818,7 @@ sub evaluate_expression( $$$$ ) {
 	#
 	# Not a simple one-term expression -- compile it
 	#
+
 	declare_passed unless $evals++;

 	$val = eval qq(package Shorewall::User;
@@ -2842,7 +2835,6 @@ sub evaluate_expression( $$$$ ) {
    $val;
 }

-sub pop_open();
 #
 # Set callback
 #
@@ -2850,40 +2842,6 @@ sub directive_callback( $ ) {
    $directive_callback = shift;
 }

-sub directive_message( \&$$$$ ) {
-    my ( $functptr, $verbose, $expression, $filename, $linenumber ) = @_;
-
-    unless ( $omitting ) {
-	if ( $actparams{0} ) {
-	    #
-	    # When issuing a message from an action, report the action invocation
-	    # site rather than the action file and line number.
-	    #
-	    # Avoid double-reporting by temporarily removing the invocation site
-	    # from the open stack.
-	    #
-	    my $saveopens = pop @openstack;
-
-	    $functptr->( $verbose ,
-			 evaluate_expression( $expression ,
-					      $filename ,
-					      $linenumber ,
-					      1 ),
-			 $actparams{callfile} ,
-			 $actparams{callline} );
-	    push @openstack, $saveopens;
-	} else {
-	    $functptr->( $verbose ,
-			 evaluate_expression( $expression ,
-					      $filename ,
-					      $linenumber ,
-					      1 ),
-			 $filename ,
-			 $linenumber );
-	}
-    }
-}
-
 #
 # Each entry in @ifstack consists of a 4-tupple
 #
@@ -2897,8 +2855,7 @@ sub process_compiler_directive( $$$$ ) {

    print "CD===> $line\n" if $debug;

-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber )
-	unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;

    my ($keyword, $expression) = ( uc $1, $2 );

@@ -3000,16 +2957,15 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2 || 'chain';
 		      directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
 		      if ( exists $actparams{$var} ) {
-			  if ( $var =~ /^(?:loglevel|logtag|chain|disposition|caller|callfile|callline)$/ ) {
+			  if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
 			      $actparams{$var} = '';
 			  } else {
 			      delete $actparams{$var}
 			  }
-
-			  $parmsmodified = PARMSMODIFIED if @ifstack > $ifstack;
 		      } else {
 			  directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
 		      }
+
 		  } else {
 		      if ( exists $variables{$2} ) {
 			  delete $variables{$2};
@@ -3040,85 +2996,68 @@ sub process_compiler_directive( $$$$ ) {

 	  ERROR => sub() {
 	      unless ( $omitting ) {
-		  if ( $actparams{0} ) {
-		      close $currentfile;
-		      #
-		      # Avoid 'missing ?ENDIF' error in pop_open'
-		      #
-		      @ifstack = ();
-		      #
-		      # Avoid double-reporting the action invocation site
-		      #
-		      pop_open;
-
-		      directive_error( evaluate_expression( $expression ,
-							    $filename ,
-							    $linenumber ,
-							    1 ) ,
-				       $actparams{callfile} ,
-				       $actparams{callline} );
-		  } else {
-		      directive_error( evaluate_expression( $expression ,
-							    $filename ,
-							    $linenumber ,
-							    1 ) ,
-				       $filename ,
-				       $linenumber ) unless $omitting;
-		  }
+		  directive_error( evaluate_expression( $expression ,
+							$filename ,
+							$linenumber ,
+							1 ) ,
+				   $filename ,
+				   $linenumber ) unless $omitting;
 	      }
 	  } ,

 	  WARNING => sub() {
-	      directive_message( &directive_warning ,
-				 $config{VERBOSE_MESSAGES},
-				 $expression ,
-				 $filename ,
-				 $linenumber );
+	      unless ( $omitting ) {
+		  directive_warning( $config{VERBOSE_MESSAGES} ,
+				     evaluate_expression( $expression ,
+							  $filename ,
+							  $linenumber ,
+							  1 ),
+				     $filename ,
+				     $linenumber ) unless $omitting;
+	      }
 	  } ,

 	  INFO => sub() {
-	      directive_message( &directive_info,
-				 $config{VERBOSE_MESSAGES} ,
-				 $expression ,
-				 $filename ,
-				 $linenumber );
+	      unless ( $omitting ) {
+		  directive_info( $config{VERBOSE_MESSAGES} ,
+				  evaluate_expression( $expression ,
+						       $filename ,
+						       $linenumber ,
+						       1 ),
+				  $filename ,
+				  $linenumber ) unless $omitting;
+	      }
 	  } ,

 	  'WARNING!' => sub() {
-	      directive_message( &directive_warning ,
-				 ! $config{VERBOSE_MESSAGES} ,
-				 $expression ,
-				 $filename ,
-				 $linenumber );
+	      unless ( $omitting ) {
+		  directive_warning( ! $config{VERBOSE_MESSAGES} ,
+				     evaluate_expression( $expression ,
+							  $filename ,
+							  $linenumber ,
+							  1 ),
+				     $filename ,
+				     $linenumber ) unless $omitting;
+	      }
 	  } ,

 	  'INFO!' => sub() {
-	      directive_message( &directive_info ,
-				 ! $config{VERBOSE_MESSAGES} ,
-				 $expression ,
-				 $filename ,
-				 $linenumber );
+	      unless ( $omitting ) {
+		  directive_info( ! $config{VERBOSE_MESSAGES} ,
+				  evaluate_expression( $expression ,
+						       $filename ,
+						       $linenumber ,
+						       1 ),
+				  $filename ,
+				  $linenumber ) unless $omitting;
+	      }
 	  } ,

 	  REQUIRE => sub() {
 	      unless ( $omitting ) {
 		  fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
-		  fatal_error "Unknown capability ($expression)" unless ( my $capdesc = $capdesc{$expression} );
-		  unless ( have_capability( $expression ) ) {
-		      close $currentfile;
-		      #
-		      # Avoid 'missing ?ENDIF' error in pop_open'
-		      #
-		      @ifstack = ();
-		      #
-		      # Avoid double-reporting the action call site
-		      #
-		      pop_open;
-
-		      directive_error( "The $actparams{action} action requires the $capdesc capability",
-				       $actparams{callfile} ,
-				       $actparams{callline} );
-		  }
+		  fatal_error "Unknown capability ($expression)" unless exists $capabilities{$expression};
+		  require_capability( $expression, "The $actparams{action} action", 's' );
 	      }
 	  } ,

@@ -3620,8 +3559,6 @@ sub push_action_params( $$$$$$ ) {
    $actparams{loglevel}    = $loglevel;
    $actparams{logtag}      = $logtag;
    $actparams{caller}      = $caller;
-    $actparams{callfile}    = $currentfilename;
-    $actparams{callline}    = $currentlinenumber;
    $actparams{disposition} = '' if $chainref->{action};
    #
    # The Shorewall variable '@chain' has non-word characters other than hyphen removed
@@ -3752,7 +3689,6 @@ sub expand_variables( \$ ) {
 	    $usedcaller = USEDCALLER if $var eq 'caller';
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
-	    $val = $config{$var};
 	}

 	$val = '' unless defined $val;
@@ -4054,7 +3990,7 @@ sub make_mask( $ ) {
    0xffffffff >> ( 32 - $_[0] );
 }

-my @suffixes;
+my @suffixes = qw(group range threshold nlgroup cprange qthreshold);

 #
 # Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate"
@@ -4290,7 +4226,7 @@ sub which( $ ) {
 # Load the kernel modules defined in the 'modules' file.
 #
 sub load_kernel_modules( ) {
-    my $moduleloader = which( 'modprobe' ) || which( 'insmod' );
+    my $moduleloader = which( 'modprobe' ) || ( which 'insmod' );

    my $modulesdir = $config{MODULESDIR};

@@ -4323,20 +4259,25 @@ sub load_kernel_modules( ) {

 	close LSMOD;

-      MODULE:
+	$config{MODULE_SUFFIX} = 'o gz xz ko o.gz o.xz ko.gz ko.xz' unless $config{MODULE_SUFFIX};
+
+	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
+
 	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
-		if ( $moduleloader =~ /modprobe$/ ) {
-		    system( "modprobe -q $module $arguments" );
-		    $loadedmodules{ $module } = 1;
-		} else {
-		    for my $directory ( @moduledirectories ) {
-			for my $modulefile ( <$directory/$module.*> ) {
-			    system ("insmod $modulefile $arguments" );
+		for my $directory ( @moduledirectories ) {
+		    for my $suffix ( @suffixes ) {
+			my $modulefile = "$directory/$module.$suffix";
+			if ( -f $modulefile ) {
+			    if ( $moduleloader eq 'insmod' ) {
+				system ("insmod $modulefile $arguments" );
+			    } else {
+				system( "modprobe $module $arguments" );
+			    }
+
 			    $loadedmodules{ $module } = 1;
-			    next MODULE;
 			}
 		    }
 		}
@@ -4821,10 +4762,6 @@ sub NFLog_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -j NFLOG" );
 }

-sub NFLog_Size() {
-    have_capability( 'NFLOG_TARGET' ) && qt1( "$iptables $iptablesw -A $sillyname -j NFLOG --nflog-size 64" );
-}
-
 sub Logmark_Target() {
    qt1( "$iptables $iptablesw -A $sillyname -j LOGMARK" );
 }
@@ -4948,10 +4885,6 @@ sub Cpu_Fanout() {
    have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
 }

-sub Restore_Wait_Option() {
-    length( `${iptables}-restore --wait < /dev/null 2>&1` ) == 0;
-}
-
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
@@ -5004,7 +4937,6 @@ our %detect_capability =
      LOG_TARGET => \&Log_Target,
      ULOG_TARGET => \&Ulog_Target,
      NFLOG_TARGET => \&NFLog_Target,
-      NFLOG_SIZE => \&NFLog_Size,
      MANGLE_ENABLED => \&Mangle_Enabled,
      MANGLE_FORWARD => \&Mangle_Forward,
      MARK => \&Mark,
@@ -5032,7 +4964,6 @@ our %detect_capability =
      REALM_MATCH => \&Realm_Match,
      REAP_OPTION => \&Reap_Option,
      RECENT_MATCH => \&Recent_Match,
-      RESTORE_WAIT_OPTION => \&Restore_Wait_Option,
      RPFILTER_MATCH => \&RPFilter_Match,
      SANE_HELPER => \&SANE_Helper,
      SANE0_HELPER => \&SANE0_Helper,
@@ -5199,9 +5130,6 @@ sub determine_capabilities() {
 	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
 	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
 	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
-	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
-	$capabilities{RESTORE_WAIT_OPTION}
-				       = detect_capability( 'RESTORE_WAIT_OPTION' );

 	unless ( have_capability 'CT_TARGET' ) {
 	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5379,11 +5307,11 @@ sub update_config_file( $ ) {
 	update_default( 'BALANCE_PROVIDERS', 'Yes' );
    }

-    update_default( 'EXPORTMODULES',         'No' );
-    update_default( 'RESTART',               'reload' );
-    update_default( 'PAGER',                 $shorewallrc1{DEFAULT_PAGER} );
-    update_default( 'LOGFORMAT',             'Shorewall:%s:%s:' );
-    update_default( 'LOGLIMIT',              '' );
+    update_default( 'EXPORTMODULES',     'No' );
+    update_default( 'RESTART',           'reload' );
+    update_default( 'PAGER',             $shorewallrc1{DEFAULT_PAGER} );
+    update_default( 'LOGFORMAT',         'Shorewall:%s:%s:' );
+    update_default( 'LOGLIMIT',          '' );

    if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
@@ -5440,12 +5368,8 @@ sub update_config_file( $ ) {
 		    }

 		}
-		if ( supplied $val ) {
-		    #
-		    # Log LEVEL and DEFAULT settings often contain parens
-		    #
-		    $val = ($var =~ /(?:LEVEL|DEFAULT)$/) ? qq("$val") : conditional_quote $val;
-		}
+
+		$val = conditional_quote $val;

 		$_ = "$var=$val\n";
 	    }
@@ -5508,7 +5432,6 @@ EOF
 sub process_shorewall_conf( $$ ) {
    my ( $update, $annotate ) = @_;
    my $file   = find_file "$product.conf";
-    my @vars;

    if ( -f $file ) {
 	$globals{CONFIGDIR} =  $configfile = $file;
@@ -5522,7 +5445,7 @@ sub process_shorewall_conf( $$ ) {
 	    # Don't expand shell variables or allow embedded scripting
 	    #
 	    while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
-		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*)$/ ) {
+		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);

 		    if ( exists $config{$var} ) {
@@ -5541,12 +5464,6 @@ sub process_shorewall_conf( $$ ) {
 			next;
 		    }

-		    if ( $update ) {
-			push @vars, $var;
-		    } else {
-			expand_variables( $val ) unless $val =~ /^'.*'$/;
-		    }
-
 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );

 		    warning_message "Option $var=$val is deprecated"
@@ -5567,19 +5484,22 @@ sub process_shorewall_conf( $$ ) {
    #
    # Now update the config file if asked
    #
-    if ( $update ) {
-	update_config_file( $annotate ); 
-	#
-	# Config file update requires that the option values not have
-	# Shell variables expanded. We do that now.
-	#
-	# To handle options like LOG_LEVEL, we process the options
-	# in the order in which they appear in the .conf file.
-	#
-	for ( @vars ) {
-	    if ( supplied( my $val = $config{$_} ) ) {
-		expand_variables( $config{$_} ) unless $val =~ /^'.*'$/;
-	    }
+    update_config_file( $annotate ) if $update;
+    #
+    # Config file update requires that the option values not have
+    # Shell variables expanded. We do that now.
+    #
+    # We must first make LOG_LEVEL a variable because the order in which
+    # the values are processed below is not the order in which they appear
+    # in the config file.
+    #
+    my %log_level = ( LOG_LEVEL => $config{LOG_LEVEL} );
+
+    add_variables( %log_level );
+
+    for ( values  %config ) {
+	if ( supplied $_ ) {
+	    expand_variables( $_ ) unless /^'(.+)'$/;
 	}
    }
 }
@@ -6068,6 +5988,7 @@ sub get_configuration( $$$$ ) {
    #
    # get_capabilities requires that the true settings of these options be established
    #
+    default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';

    if ( ! $export && $> == 0 ) {
@@ -6253,7 +6174,7 @@ sub get_configuration( $$$$ ) {
 	$config{LOG_VERBOSITY} = -1;
    }

-    default_yes_no 'ADD_IP_ALIASES'             , $family == F_IPV4 ? 'Yes' : '';
+    default_yes_no 'ADD_IP_ALIASES'             , 'Yes';
    default_yes_no 'ADD_SNAT_ALIASES'           , '';
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
@@ -6408,17 +6329,6 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'AUTOMAKE'                   , '';
    default_yes_no 'TRACK_PROVIDERS'            , '';
    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
-    default_yes_no 'USE_NFLOG_SIZE'             , '';
-
-    if ( $config{USE_NFLOG_SIZE} ) {
-	if ( have_capability( 'NFLOG_SIZE' ) ) {
-	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
-	} else {
-	    fatal_error "USE_NFLOG_SIZE=Yes, but the --nflog-size capabiity is not present";
-	}
-    } else {
-	@suffixes = qw(group range threshold nlgroup cprange qthreshold);
-    }

    unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6839,12 +6749,6 @@ sub get_configuration( $$$$ ) {
 	}
    }

-    if ( supplied( $val = $config{MUTEX_TIMEOUT} ) ) {
-	fatal_error "Invalid value ($val) for MUTEX_TIMEOUT" unless $val && $val =~ /^\d+$/;
-    } else {
-	$config{MUTEX_TIMEOUT} = 60;
-    }
-
    add_variables %config;

    while ( my ($var, $val ) = each %renamed ) {
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -63,6 +63,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  validate_host
 		  validate_range
 		  ip_range_explicit
+		  expand_port_range
 		  allipv4
 		  allipv6
 		  allip
@@ -73,6 +74,10 @@ our @EXPORT = ( qw( ALLIPv4
 		  resolve_proto
 		  resolve_dnsname
 		  proto_name
+		  validate_port
+		  validate_portpair
+		  validate_portpair1
+		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
 		 ) );
@@ -384,8 +389,6 @@ sub resolve_proto( $ ) {
    my $proto = $_[0];
    my $number;

-    $proto =~ s/:.*//;
-
    if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 255 ? $number : undef;
@@ -406,6 +409,114 @@ sub proto_name( $ ) {
    $proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto
 }

+sub validate_port( $$ ) {
+    my ($proto, $port) = @_;
+
+    my $value;
+
+    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
+	$port = numeric_value $port;
+	return $port if defined $port && $port && $port <= 65535;
+    } else {
+	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
+	$value = getservbyname( $port, $proto );
+    }
+
+    return $value if defined $value;
+
+    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
+
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+}
+
+sub validate_portpair( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
+
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
+
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
+
+    my @ports = split /:/, $pair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP     ||
+			       $protonum == UDP     ||
+			       $protonum == UDPLITE ||
+			       $protonum == SCTP    ||
+			       $protonum == DCCP );
+    join ':', @ports;
+
+}
+
+sub validate_portpair1( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
+
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+
+    my @ports = split /-/, $portpair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
+	fatal_error 'Invalid port number (0)' unless $portpair;
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP  ||
+			       $protonum == UDP  ||
+			       $protonum == SCTP ||
+			       $protonum == DCCP );
+    join '-', @ports;
+
+}
+
+sub validate_port_list( $$ ) {
+    my $result = '';
+    my ( $proto, $list ) = @_;
+    my @list   = split_list( $list, 'port' );
+
+    if ( @list > 1 && $list =~ /[:-]/ ) {
+	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
+    }
+
+    $proto = proto_name $proto;
+
+    for ( @list ) {
+	my $value = validate_portpair( $proto , $_ );
+	$result = $result ? join ',', $result, $value : $value;
+    }
+
+    $result;
+}
+
 my %icmp_types = ( any                          => 'any',
 		   'echo-reply'                 => 0,
 		   'destination-unreachable'    => 3,
@@ -459,6 +570,67 @@ sub validate_icmp( $ ) {
    fatal_error "Invalid ICMP Type ($type)"
 }

+#
+# Expands a port range into a minimal list of ( port, mask ) pairs.
+# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
+#
+# Example:
+#
+#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
+#       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
+#
+sub expand_port_range( $$ ) {
+    my ( $proto, $range ) = @_;
+
+    if ( $range =~ /^(.*):(.*)$/ ) {
+	my ( $first, $last ) = ( $1, $2);
+	my @result;
+
+	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
+	#
+	# Supply missing first/last port number
+	#
+	$first = 0     if $first eq '';
+	$last  = 65535 if $last eq '';
+	#
+	# Validate the ports
+	#
+	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
+
+	$last++; #Increment last address for limit testing.
+	#
+	# Break the range into groups:
+	#
+	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
+	#      - Otherwise, find the largest power of two P that divides the first address such that
+	#        the remaining range has less than or equal to P ports. The next group is
+	#        ( <first> , ~( P-1 ) ).
+	#
+	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
+	    my $mask = 0xffff;         #Mask for current ports in group.
+	    my $y    = 2;              #Next power of two to test
+	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
+
+	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
+		$mask <<= 1;
+		$z  = $y;
+		$y <<= 1;
+	    }
+	    #
+	    #
+	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
+	    $first += $z;
+	}
+
+	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
+
+	@result;
+
+    } else {
+	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
+    }
+}
+
 sub valid_6address( $ ) {
    my $address = $_[0];

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -127,7 +127,7 @@ sub setup_ecn()
 	}

 	if ( @hosts ) {
-	    my @interfaces = ( keys %interfaces );
+	    my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );

 	    progress_message "$doing ECN control on @interfaces...";

@@ -667,7 +667,6 @@ sub create_docker_rules() {

    my $chainref = $filter_table->{FORWARD};

-    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );

    if ( my $dockerref = known_interface('docker0') ) {
@@ -1214,53 +1213,55 @@ sub add_common_rules ( $ ) {
 	}
    }

-    my $announced = 0;
+    if ( $family == F_IPV4 ) {
+	my $announced = 0;

-    $list = find_interfaces_by_option 'upnp';
+	$list = find_interfaces_by_option 'upnp';

-    if ( @$list ) {
-	progress_message2 "$doing UPnP";
+	if ( @$list ) {
+	    progress_message2 "$doing UPnP";

-	$chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
+	    $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );

-	add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
+	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );

-	my $chainref1;
+	    my $chainref1;

-	if ( $config{MINIUPNPD} ) {
-	    $chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
-	    add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
+	    if ( $config{MINIUPNPD} ) {
+		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
+		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
+	    }
+
+	    $announced = 1;
+
+	    for $interface ( @$list ) {
+		add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
+	    }
 	}

-	$announced = 1;
+	$list = find_interfaces_by_option 'upnpclient';

-	for $interface ( @$list ) {
-	    add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
-	    add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
-	}
-    }
+	if ( @$list ) {
+	    progress_message2 "$doing UPnP" unless $announced;

-    $list = find_interfaces_by_option 'upnpclient';
+	    for $interface ( @$list ) {
+		my $chainref = $filter_table->{input_option_chain $interface};
+		my $base     = uc var_base get_physical $interface;
+		my $optional = interface_is_optional( $interface );
+		my $variable = get_interface_gateway( $interface, ! $optional );
+		my $origin   = get_interface_origin( $interface );

-    if ( @$list ) {
-	progress_message2 "$doing UPnP" unless $announced;
-
-	for $interface ( @$list ) {
-	    my $chainref = $filter_table->{input_option_chain $interface};
-	    my $base     = uc var_base get_physical $interface;
-	    my $optional = interface_is_optional( $interface );
-	    my $variable = get_interface_gateway( $interface, ! $optional );
-	    my $origin   = get_interface_origin( $interface );
-
-	    if ( $optional ) {
-		add_commands( $chainref,
-			      qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
-		incr_cmd_level( $chainref );
-		add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
-		decr_cmd_level( $chainref );
-		add_commands( $chainref, 'fi' );
-	    } else {
-		add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+		if ( $optional ) {
+		    add_commands( $chainref,
+				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
+		    incr_cmd_level( $chainref );
+		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+		    decr_cmd_level( $chainref );
+		    add_commands( $chainref, 'fi' );
+		} else {
+		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+		}
 	    }
 	}
    }
@@ -1296,7 +1297,7 @@ sub setup_mac_lists( $ ) {
 	$maclist_interfaces{ $hostref->[0] } = 1;
    }

-    my @maclist_interfaces = ( keys %maclist_interfaces );
+    my @maclist_interfaces = ( sort keys %maclist_interfaces );

    if ( $phase == 1 ) {

@@ -1617,7 +1618,7 @@ sub handle_loopback_traffic() {
 	    # Handle conntrack rules
 	    #
 	    if ( $notrackref->{referenced} ) {
-		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;

@@ -1638,8 +1639,8 @@ sub handle_loopback_traffic() {
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};

-	    for my $typeref ( values %{$source_hosts_ref} ) {
-		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
+	    for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);

 		    for my $net ( @{$hostref->{hosts}} ) {
@@ -1661,7 +1662,7 @@ sub add_interface_jumps {
    our %input_jump_added;
    our %output_jump_added;
    our %forward_jump_added;
-    my @interfaces = grep $_ ne '%vserver%', @_;
+    my @interfaces = sort grep $_ ne '%vserver%', @_;
    my $dummy;
    my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
    #
@@ -1775,7 +1776,7 @@ sub handle_complex_zone( $$ ) {
 	my $type       = $zoneref->{type};
 	my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};

-	for my $interface ( keys %$source_ref ) {
+	for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
 	    my $sourcechainref = $filter_table->{forward_chain $interface};
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
@@ -2287,9 +2288,9 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( keys %$source_hosts_ref ) {
+	for my $type ( sort keys %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
-	    for my $interface ( keys %$typeref ) {
+	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
@@ -2374,9 +2375,9 @@ sub generate_matrix() {

 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT

-		for my $type ( keys %{$zone1ref->{hosts}} ) {
+		for my $type ( sort keys %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
-		    for my $interface ( keys %$typeref ) {
+		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -941,17 +941,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-
-	    my @servers;
-
-	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
-		$server = record_runtime_address( $1, $2 );
-		$server =~ s/ $//;
-		@servers = ( $server );
-	    } else {
-		@servers = validate_address $server, 1;
-	    }
-
+	    my @servers = validate_address $server, 1;
 	    $server = join ',', @servers;
 	}

--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -64,8 +64,6 @@ our @load_interfaces;

 our $balancing;
 our $fallback;
-our $balanced_providers;
-our $fallback_providers;
 our $metrics;
 our $first_default_route;
 our $first_fallback_route;
@@ -101,8 +99,6 @@ sub initialize( $ ) {
    %provider_interfaces    = ();
    @load_interfaces        = ();
    $balancing              = 0;
-    $balanced_providers     = 0;
-    $fallback_providers     = 0;
    $fallback               = 0;
    $metrics                = 0;
    $first_default_route    = 1;
@@ -327,13 +323,7 @@ sub balance_default_route( $$$$ ) {
    emit '';

    if ( $first_default_route ) {
-	if ( $balanced_providers == 1 ) {
-	    if ( $gateway ) {
-		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
-	    } else {
-		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
-	    }
-	} elsif ( $gateway ) {
+	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
 	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
@@ -357,13 +347,7 @@ sub balance_fallback_route( $$$$ ) {
    emit '';

    if ( $first_fallback_route ) {
-	if ( $fallback_providers == 1 ) {
-	    if ( $gateway ) {
-		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
-	    } else {
-		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
-	    }
-	} elsif ( $gateway ) {
+	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
 	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
@@ -502,7 +486,7 @@ sub process_a_provider( $ ) {

    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, $number );
+	$gateway = get_interface_gateway( $interface, undef, 1 );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
@@ -609,12 +593,7 @@ sub process_a_provider( $ ) {
 	}
    }

-    if ( $balance ) {
-	fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $default;
-	$balanced_providers++;
-    } elsif ( $default ) {
-	$fallback_providers++;
-    }
+    fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;

    if ( $load ) {
 	fatal_error q(The 'balance=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $balance > 1;
@@ -1088,10 +1067,7 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}

-	emit( qq(rm -f \${VARDIR}/${physical}_disabled),
-	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
-	    );
-
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );

 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1236,14 +1212,12 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}

-	emit( "echo 1 > \${VARDIR}/${physical}.status",
-	      $pseudo ? "run_disabled_exit ${physical} ${interface}" : "run_disabled_exit ${physical} ${interface} ${table}"
-	    );
+	emit( "echo 1 > \${VARDIR}/${physical}.status" );

 	if ( $pseudo ) {
-	    emit( "progress_message2 \"Optional Interface $table stopped\"" );
+	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
 	} else {
-	    emit( "progress_message2 \"Provider $table ($number) stopped\"" );
+	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
 	}

 	pop_indent;
@@ -1560,9 +1534,9 @@ sub finish_providers() {
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
 		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
-		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
-		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
 		    '    fi',
 		    '' );
 	}
@@ -1825,7 +1799,7 @@ sub map_provider_to_interface() {

    my $haveoptional;

-    for my $providerref ( values %providers ) {
+    for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
 	if ( $providerref->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
@@ -1989,7 +1963,7 @@ sub compile_updown() {
    }

    my @nonshared = ( grep $providers{$_}->{optional},
-		      values %provider_interfaces );
+		      sort( { $providers{$a}->{number} <=> $providers{$b}->{number} } values %provider_interfaces ) );

    if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
@@ -2184,7 +2158,7 @@ sub handle_optional_interfaces( $ ) {
    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
    # wildcard physical names are also included in the providers table.
    #
-    for my $providerref ( grep $_->{optional} , values %providers ) {
+    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
 	push @interfaces, $providerref->{interface};
 	$wildcards ||= $providerref->{wildcard};
    }
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -154,7 +154,7 @@ sub setup_proxy_arp() {

 	emit '';

-	for my $interface ( keys %reset ) {
+	for my $interface ( sort keys %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -163,7 +163,7 @@ sub setup_proxy_arp() {
 	    }
 	}

-	for my $interface ( keys %set ) {
+	for my $interface ( sort keys %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -144,6 +144,8 @@ our %macros;

 our $family;

+our @builtins;
+
 #
 # Commands that can be embedded in a basic rule and how many total tokens on the line (0 => unlimited).
 #
@@ -216,10 +218,6 @@ our %statetable;
 # Tracks which of the state match actions (action.Invalid, etc.) that is currently being expanded
 #
 our $statematch;
-#
-# Remembers NAT-oriented columns from top-level action invocations
-#
-our %nat_columns;

 #
 # Action/Inline options
@@ -354,7 +352,7 @@ sub initialize( $ ) {
    #
    $macro_nest_level  = 0;
    #
-    # All actions mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
+    # All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
    #
    %actions           = ();
    #
@@ -365,6 +363,7 @@ sub initialize( $ ) {
    @columns           = ( ( '-' ) x LAST_COLUMN, 0 );

    if ( $family == F_IPV4 ) {
+	@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
 	%reject_options = ( 'icmp-net-unreachable'   => 1,
 			    'icmp-host-unreachable'  => 1,
 			    'icmp-port-unreachable'  => 1,
@@ -377,6 +376,7 @@ sub initialize( $ ) {
 	                  );
 			    
    } else {
+	@builtins = qw/dropBcast dropMcast allowBcast allowMcast dropNotSyn rejNotSyn/;
 	%reject_options = ( 'icmp6-no-route'         => 1,
 			    'no-route'               => 1,
 			    'icmp6-adm-prohibited'   => 1,
@@ -388,8 +388,6 @@ sub initialize( $ ) {
 	                  );
    }

-    %nat_columns = ( dest => '-', proto => '-', ports => '-' );
-
    ############################################################################
    # Initialize variables moved from the Tc module in Shorewall 5.0.7         #
    ############################################################################
@@ -397,7 +395,7 @@ sub initialize( $ ) {
    %tcdevices = ();
    %tcclasses = ();
    $sticky    = 0;
-    $divertref = 0;
+    $divertref = 0;    
 }

 #
@@ -623,7 +621,7 @@ sub handle_nfqueue( $$ ) {
 	    fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;

 	    if ( supplied $queue2 ) {
-		$fanout    = $queue2 =~ s/c$// ? ' --queue-cpu-fanout' : '';
+		$fanout    = ' --queue-cpu-fanout' if $queue2 =~ s/c$//;
 		$queuenum2 = numeric_value( $queue2 );

 		fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
@@ -753,21 +751,22 @@ sub process_a_policy1($$$$$$$) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $zone, $zone1, $chainref, $policy, $intrazone;
+		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain rules_chain( ${zone}, ${server} ), $zone, $server, $chainref, $policy, $intrazone;
+		set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $zone, $chainref, $policy, $intrazone;
+	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
+
    } else {
 	print_policy $client, $server, $originalpolicy, $chain;
    }
@@ -1658,19 +1657,6 @@ sub merge_inline_source_dest( $$ ) {
    $body || '';
 }

-#
-# This one is used by perl_action_helper()
-#
-sub merge_action_column( $$ ) {
-    my ( $body, $invocation ) = @_;
-
-    if ( supplied( $body ) && $body ne '-' ) {
-	$body;
-    } else {
-	$invocation;
-    }
-}
-
 sub merge_macro_column( $$ ) {
    my ( $body, $invocation ) = @_;

@@ -1724,6 +1710,191 @@ sub map_old_actions( $ ) {
    }
 }

+#
+# The following small functions generate rules for the builtin actions of the same name
+#
+sub dropBcast( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit ( 'DROP', $audit );
+
+    if ( have_capability( 'ADDRTYPE' ) ) {
+	if ( $level ne '' ) {
+	    log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
+	    if ( $family == F_IPV4 ) {
+		log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' );
+	    } else {
+		log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST );
+	    }
+	}
+
+	add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
+    } else {
+	if ( $family == F_IPV4 ) {
+	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+	} else {
+	    add_commands $chainref, 'for address in $ALL_ACASTS; do';
+	}
+
+	incr_cmd_level $chainref;
+	log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '$address' ) if $level ne '';
+	add_ijump $chainref, j => $target, d => '$address';
+	decr_cmd_level $chainref;
+	add_commands $chainref, 'done';
+    }
+}
+
+sub dropMcast( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit ( 'DROP', $audit );
+
+    if ( $family == F_IPV4 ) {
+	log_irule_limit $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
+	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
+    } else {
+	log_irule_limit( $level, $chainref, 'dropMcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
+	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
+    }
+}
+    
+sub allowBcast( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit( 'ACCEPT', $audit );
+
+    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
+	if ( $level ne '' ) {
+	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
+	    log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' );
+	}
+
+	add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
+    } else {
+	if ( $family == F_IPV4 ) {
+	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+	} else {
+	    add_commands $chainref, 'for address in $ALL_MACASTS; do';
+	}
+
+	incr_cmd_level $chainref;
+	log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '$address' ) if $level ne '';
+	add_ijump $chainref, j => $target, d => '$address';
+	decr_cmd_level $chainref;
+	add_commands $chainref, 'done';
+    }
+}
+
+sub allowMcast( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit( 'ACCEPT', $audit );
+
+    if ( $family == F_IPV4 ) {
+	log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
+	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
+    } else {
+	log_irule_limit( $level, $chainref, 'allowMcast' , 'ACCEPT', '', $tag, 'add',  '', d => IPv6_MULTICAST ) if $level ne '';
+	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
+    }
+}
+
+sub dropNotSyn ( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit( 'DROP', $audit );
+
+    log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
+    add_ijump $chainref , j => $target, p => '6 ! --syn';
+}
+
+sub rejNotSyn ( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    warning_message "rejNotSyn is deprecated in favor of NotSyn(REJECT)";
+
+    my $target = 'REJECT --reject-with tcp-reset';
+
+    if ( supplied $audit ) {
+	$target = require_audit( 'REJECT' , $audit );
+    }
+
+    log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
+    add_ijump $chainref , j => $target, p => '6 ! --syn';
+}
+
+sub forwardUPnP ( $$$$ ) {
+    my $chainref = set_optflags( 'forwardUPnP', DONT_OPTIMIZE );
+
+    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
+}
+
+sub allowinUPnP ( $$$$ ) {
+    my ($chainref, $level, $tag, $audit) = @_;
+
+    my $target = require_audit( 'ACCEPT', $audit );
+
+    if ( $level ne '' ) {
+	log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '17 --dport 1900' );
+	log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '6 --dport 49152' );
+    }
+
+    add_ijump $chainref, j => $target, p => '17 --dport 1900';
+    add_ijump $chainref, j => $target, p => '6 --dport 49152';
+}
+
+sub Limit( $$$$ ) {
+    my ($chainref, $level, $tag, $param ) = @_;
+
+    my @param;
+
+    if ( $param ) {
+	@param = split /,/, $param;
+    } else {
+	@param = split /,/, $tag;
+	$tag = '';
+    }
+
+    fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
+
+    my $set   = $param[0];
+
+    for ( @param[1,2] ) {
+	fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
+    }
+
+    my $count = $param[1] + 1;
+
+    require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
+
+    warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
+
+    add_irule $chainref, recent => "--name $set --set";
+
+    if ( $level ne '' ) {
+	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
+	log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' );
+	add_ijump $xchainref, j => 'DROP';
+	add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
+    } else {
+	add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
+    }
+
+    add_ijump $chainref, j => 'ACCEPT';
+}
+
+my %builtinops = ( 'dropBcast'      => \&dropBcast,
+		   'dropMcast'      => \&dropMcast,
+		   'allowBcast'     => \&allowBcast,
+		   'allowMcast'     => \&allowMcast,
+		   'dropNotSyn'     => \&dropNotSyn,
+		   'rejNotSyn'      => \&rejNotSyn,
+		   'allowinUPnP'    => \&allowinUPnP,
+		   'forwardUPnP'    => \&forwardUPnP,
+		   'Limit'          => \&Limit,
+		 );
+
+
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
 sub process_snat1( $$$$$$$$$$$$ );
@@ -1745,6 +1916,12 @@ sub process_action(\$\$$) {
    my $actionref = $actions{$action};
    my $matches   = fetch_inline_matches;

+    if ( $type & BUILTIN ) {
+	$level = '' if $level =~ /none!?/;
+	$builtinops{$action}->( $chainref, $level, $tag, $param );
+	return 0;
+    }
+
    if ( $type & MANGLE_TABLE ) {
 	fatal_error "Action $action may only be used in the mangle file" unless $chainref->{table} eq 'mangle';
    } else {
@@ -2017,6 +2194,7 @@ sub process_action(\$\$$) {
 #
 # This function is called prior to processing of the policy file. It:
 #
+# - Adds the builtin actions to the target table
 # - Reads actions.std and actions (in that order) and for each entry:
 #   o Adds the action to the target table
 #   o Verifies that the corresponding action file exists
@@ -2025,6 +2203,10 @@ sub process_action(\$\$$) {
 sub process_actions() {

    progress_message2 "Locating Action Files...";
+    #
+    # Add built-in actions to the target table and create those actions
+    #
+    $targets{$_} = new_action( $_ , ACTION + BUILTIN, NOINLINE_OPT, '' , '' ) for @builtins;

    for my $file ( qw/actions.std actions/ ) {
 	open_file( $file, 2 );
@@ -2529,8 +2711,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $exceptionrule = '';
    my $usergenerated;
    my $prerule = '';
-    my %save_nat_columns = %nat_columns;
-    my $generated = 0;
    #
    # Subroutine for handling MARK and CONNMARK.
    #
@@ -2612,30 +2792,32 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {

 	$current_param = $param unless $param eq '' || $param eq 'PARAM';

-	$generated = process_macro( $basictarget,
-				    $chainref,
-				    $rule . $raw_matches,
-				    $matches1,
-				    $target,
-				    $current_param,
-				    $source,
-				    $dest,
-				    $proto,
-				    $ports,
-				    $sports,
-				    $origdest,
-				    $ratelimit,
-				    $user,
-				    $mark,
-				    $connlimit,
-				    $time,
-				    $headers,
-				    $condition,
-				    $helper,
-				    $wildcard );
+	my $generated = process_macro( $basictarget,
+				       $chainref,
+				       $rule . $raw_matches,
+				       $matches1,
+				       $target,
+				       $current_param,
+				       $source,
+				       $dest,
+				       $proto,
+				       $ports,
+				       $sports,
+				       $origdest,
+				       $ratelimit,
+				       $user,
+				       $mark,
+				       $connlimit,
+				       $time,
+				       $headers,
+				       $condition,
+				       $helper,
+				       $wildcard );

 	$macro_nest_level--;
-	goto EXIT;
+
+	return $generated;
+
    } elsif ( $actiontype & NFQ ) {
 	$action = handle_nfqueue( $param,
 				  1 # Allow 'bypass'
@@ -2707,7 +2889,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {

 	      REDIRECT => sub () {
 		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
-
 		  if ( $dest eq '-' ) {
 		      if ( $family == F_IPV4 ) {
 			  $dest = ( $inchain ) ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
@@ -2836,7 +3017,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    }
 	}
    }
-
    #
    # Isolate and validate source and destination zones
    #
@@ -2930,7 +3110,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#
 	if ( $destref->{type} & BPORT ) {
 	    unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
-		goto EXIT if $wildcard;
+		return 0 if $wildcard;
 		fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
 	    }
 	}
@@ -2945,7 +3125,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	my $policy = $chainref->{policy};

 	if ( $policy eq 'NONE' ) {
-	    goto EXIT if $wildcard;
+	    return 0 if $wildcard;
 	    fatal_error "Rules may not override a NONE policy";
 	}
 	#
@@ -2954,9 +3134,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	if ( $optimize == 1 && $section == NEW_SECTION ) {
 	    my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 	    if ( $loglevel ne '' ) {
-		goto EXIT if $target eq "${policy}:${loglevel}";
+		return 0 if $target eq "${policy}:${loglevel}";
 	    } else {
-		goto EXIT if $basictarget eq $policy;
+		return 0 if $basictarget eq $policy;
 	    }
 	}
 	#
@@ -3001,21 +3181,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $actionchain; # Name of the action chain

    if ( $actiontype & ACTION ) {
-	#
-	# Save NAT-oriented column contents
-	#
-	@nat_columns{'dest', 'proto', 'ports' } = ( $dest,
-						    $proto eq '-' ? $nat_columns{proto} : $proto,
-						    $ports eq '-' ? $nat_columns{ports} : $ports );
-	#
-	# Push the current column array onto the column stack
-	#
-        my @savecolumns = @columns;
-	#
-	# And store the (modified) columns into the columns array for use by perl_action[_tcp]_helper. We
-	# only need the NAT-oriented columns
-	#
-	@columns = ( undef , undef, $dest, $proto, $ports);
 	#
 	# Handle 'section' option
 	#
@@ -3059,8 +3224,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	}

 	$action = $basictarget; # Remove params, if any, from $action.
-
-	@columns = @savecolumns;
    } elsif ( $actiontype & INLINE ) {
 	#
 	# process_inline() will call process_rule() recursively for each rule in the action body
@@ -3077,34 +3240,34 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {

 	$actionresult = 0;

-	$generated = process_inline( $basictarget,
-				     $chainref,
-				     $prerule . $rule,
-				     $matches1 . $raw_matches,
-				     $loglevel,
-				     $target,
-				     $param,
-				     $source,
-				     $dest,
-				     $proto,
-				     $ports,
-				     $sports,
-				     $origdest,
-				     $ratelimit,
-				     $user,
-				     $mark,
-				     $connlimit,
-				     $time,
-				     $headers,
-				     $condition,
-				     $helper,
-				     $wildcard ) || $actionresult;
+	my $generated = process_inline( $basictarget,
+					$chainref,
+					$prerule . $rule,
+					$matches1 . $raw_matches,
+					$loglevel,
+					$target,
+					$param,
+					$source,
+					$dest,
+					$proto,
+					$ports,
+					$sports,
+					$origdest,
+					$ratelimit,
+					$user,
+					$mark,
+					$connlimit,
+					$time,
+					$headers,
+					$condition,
+					$helper,
+					$wildcard ) || $actionresult;

 	( $actionresult, @columns ) = @$savecolumns;;

 	$macro_nest_level--;

-	goto EXIT;
+	return $generated;
    }
    #
    # Generate Fixed part of the rule
@@ -3290,14 +3453,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
    }

-    $generated = 1;
-
-  EXIT:
-    {
-      %nat_columns = %save_nat_columns;
-    }
-
-    return $generated;
+    return 1;
 }


@@ -3451,60 +3607,27 @@ sub perl_action_helper($$;$$) {
 				 '',                              # CurrentParam
 				 @columns );
    } else {
-	if ( ( $targets{$target} || 0 ) & NATRULE ) {
-	    $result = process_rule( $chainref,
-				    $matches,
-				    $matches1,
-				    merge_target( $actions{$action}, $target ),
-				    '',                               # Current Param
-				    '-',                              # Source
-				    merge_action_column(              # Dest
-					$columns[2],			      
-					$nat_columns{dest}
-				    ),
-				    merge_action_column(              #Proto
-					$columns[3],
-					$nat_columns{proto}
-				    ),
-				    merge_action_column(              #Ports
-					$columns[4],
-					$nat_columns{ports}),
-				    '-',                              # Source Port(s)
-				    '-',                              # Original Dest
-				    '-',                              # Rate Limit
-				    '-',                              # User
-				    '-',                              # Mark
-				    '-',                              # Connlimit
-				    '-',                              # Time
-				    '-',                              # Headers,
-				    '-',                              # condition,
-				    '-',                              # helper,
-				    0,                                # Wildcard
-		);
-	} else {
-	    $result = process_rule( $chainref,
-				    $matches,
-				    $matches1,
-				    merge_target( $actions{$action}, $target ),
-				    '',                               # Current Param
-				    '-',                              # Source
-				    '-',                              # Dest
-				    '-',                              # Proto
-				    '-',                              # Port(s)
-				    '-',                              # Source Port(s)
-				    '-',                              # Original Dest
-				    '-',                              # Rate Limit
-				    '-',                              # User
-				    '-',                              # Mark
-				    '-',                              # Connlimit
-				    '-',                              # Time
-				    '-',                              # Headers,
-				    '-',                              # condition,
-				    '-',                              # helper,
-				    0,                                # Wildcard
-		);
-	}
-
+	$result = process_rule( $chainref,
+				$matches,
+				$matches1,
+				merge_target( $actions{$action}, $target ),
+				'',                               # Current Param
+				'-',                              # Source
+				'-',                              # Dest
+				'-',                              # Proto
+				'-',                              # Port(s)
+				'-',                              # Source Port(s)
+				'-',                              # Original Dest
+				'-',                              # Rate Limit
+				'-',                              # User
+				'-',                              # Mark
+				'-',                              # Connlimit
+				'-',                              # Time
+				'-',                              # Headers,
+				'-',                              # condition,
+				'-',                              # helper,
+				0,                                # Wildcard
+			      );
 	allow_optimize( $chainref );
    }
    #
@@ -3570,8 +3693,7 @@ sub perl_action_tcp_helper($$) {
 				    '-',                              # condition,
 				    '-',                              # helper,
 				    0,                                # Wildcard
-		                  );
-
+				  );
 	    allow_optimize( $chainref );
 	}
 	#
@@ -4142,10 +4264,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		expand_rule( $chainref,
 			     $restriction,
 			     $prerule ,
-			     do_proto( $proto, $ports, $sports ) .
 			     $match .
 			     do_user( $user ) .
-			     do_test( $testval, $mask ) .
+			     do_test( $testval, $globals{TC_MASK} ) .
+			     do_test( $testval, $globals{TC_MASK} ) .
 			     do_length( $length ) .
 			     do_tos( $tos ) .
 			     do_connbytes( $connbytes ) .
@@ -4153,7 +4275,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 			     do_headers( $headers ) .
 			     do_probability( $probability ) .
 			     do_dscp( $dscp ) .
-			     do_time( $time ) .
 			     do_condition( $condition, $chainref->{name} ) .
 			     state_match( $state ) .
 			     $raw_matches ,
@@ -5366,7 +5487,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $interfaces = $1;
 	} elsif ( $dest =~ /^([^:]+):([^:]*)$/ ) {
 	    my ( $one, $two ) = ( $1, $2 );
-	    if ( $2 =~ /\./ || $2 =~ /^[+%!]/ ) {
+	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
 		$interfaces = $one;
 		$destnets = $two;
 	    } else {
@@ -5722,23 +5843,15 @@ sub process_snat( )
 sub setup_snat( $ ) # Convert masq->snat if true
 {
    my $fn;
-    my $have_masq;

-    if ( $_[0] ) {
-	convert_masq();
-    } elsif ( $fn = open_file( 'masq', 1, 1 ) ) {
+    convert_masq() if $_[0];
+
+    if ( $fn = open_file( 'masq', 1, 1 ) ) {
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
-	process_one_masq(0), $have_masq = 1 while read_a_line( NORMAL_READ );
-    }
-
-    unless ( $have_masq ) {
-	#
-	# Masq file empty or didn't exist
-	#
-	if ( $fn = open_file( 'snat', 1, 1 ) ) {
-	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
-	    process_snat while read_a_line( NORMAL_READ );
-	}
+	process_one_masq(0) while read_a_line( NORMAL_READ );
+    } elsif ( $fn = open_file( 'snat', 1, 1 ) ) {
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
+	process_snat while read_a_line( NORMAL_READ );
    }
 }

--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1434,7 +1434,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {

 	    while ( @sportlist ) {
 		my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
-		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask 0x$smask eq 0x$sport \\)";
+		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask $smask eq 0x$sport \\)";
 		$rule .= ' or' if @sportlist;
 	    }

@@ -1924,7 +1924,7 @@ sub process_traffic_shaping() {

 			my ( $options, $redopts ) = ( '', $tcref->{redopts} );

-			for my $option ( keys %validredoptions ) {
+			for my $option ( sort keys %validredoptions ) {
 			    my $type = $validredoptions{$option};

 			    if ( my $value = $redopts->{$option} ) {
@@ -1943,7 +1943,7 @@ sub process_traffic_shaping() {

 			my ( $options, $codelopts ) = ( '', $tcref->{codelopts} );

-			for my $option ( keys %validcodeloptions ) {
+			for my $option ( sort keys %validcodeloptions ) {
 			    my $type = $validcodeloptions{$option};

 			    if ( my $value = $codelopts->{$option} ) {
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -92,7 +92,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_interfaces_by_option
 		    find_interfaces_by_option1
 		    get_interface_option
-		    get_interface_origin
+                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    interface_zone
@@ -108,37 +108,55 @@ our @EXPORT = ( qw( NOTHING

 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
+
+#
+# IPSEC Option types
+#
+use constant { NOTHING    => 'NOTHING',
+	       NUMERIC    => '0x[\da-fA-F]+|\d+',
+	       NETWORK    => '\d+.\d+.\d+.\d+(\/\d+)?',
+	       IPSECPROTO => 'ah|esp|ipcomp',
+	       IPSECMODE  => 'tunnel|transport'
+	       };
+
+#
+# Option columns
+#
+use constant { IN_OUT     => 1,
+	       IN         => 2,
+	       OUT        => 3 };
+
 #
 # Zone Table.
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
 #     %zones{<zone1> => {name =>       <name>,
-#			 type =>       <zone type>	 FIREWALL, IP, IPSEC, BPORT;
-#			 complex =>    0|1
-#			 super	 =>    0|1
-#			 options =>    { in_out	 => < policy match string >
-#					 in	 => < policy match string >
-#					 out	 => < policy match string >
-#				       }
-#			 parents =>    [ <parents> ]	  Parents, Children and interfaces are listed by name
-#			 children =>   [ <children> ]
-#			 interfaces => { <interfaces1> => 1, ... }
-#			 bridge =>     <bridge>
-#			 hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
-#								   options => { <option1> => <value1>
-#										...
-#									      }
-#								   hosts   => [ <net1> , <net2> , ... ]
-#								   exclusions => [ <net1>, <net2>, ... ]
-#								   origin   => <where defined>
-#								 }
-#						 <interface2> => ...
-#					       }
-#					     ]
-#			}
-#	      <zone2> => ...
-#	    }
+#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#                        complex =>    0|1
+#                        super   =>    0|1
+#                        options =>    { in_out  => < policy match string >
+#                                        in      => < policy match string >
+#                                        out     => < policy match string >
+#                                      }
+#                        parents =>    [ <parents> ]      Parents, Children and interfaces are listed by name
+#                        children =>   [ <children> ]
+#                        interfaces => { <interfaces1> => 1, ... }
+#                        bridge =>     <bridge>
+#                        hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
+#                                                                  options => { <option1> => <value1>
+#                                                                               ...
+#                                                                             }
+#                                                                  hosts   => [ <net1> , <net2> , ... ]
+#                                                                  exclusions => [ <net1>, <net2>, ... ]
+#                                                                  origin   => <where defined>
+#                                                                }
+#                                                <interface2> => ...
+#                                              }
+#                                            ]
+#                       }
+#             <zone2> => ...
+#           }
 #
 #     $firewall_zone names the firewall zone.
 #
@@ -160,27 +178,27 @@ our %reservedName = ( all => 1,
 #
 #     @interfaces lists the interface names in the order that they appear in the interfaces file.
 #
-#     %interfaces { <interface1> => { name	  => <name of interface>
-#				      root	  => <name without trailing '+'>
-#				      options	  => { port => undef|1
-#						     { <option1> } => <val1> ,		#See %validinterfaceoptions
-#						       ...
-#						     }
-#				      zone	  => <zone name>
-#				      multizone	  => undef|1   #More than one zone interfaces through this interface
-#				      nets	  => <number of nets in interface/hosts records referring to this interface>
-#				      bridge	  => <bridge name> # Same as ->{name} if not a bridge port.
-#				      ports	  => <number of port on this bridge>
-#				      ipsec	  => undef|1 # Has an ipsec host group
-#				      broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
-#				      number	  => <ordinal position in the interfaces file>
-#				      physical	  => <physical interface name>
-#				      base	  => <shell variable base representing this interface>
-#				      wildcard	  => undef|1 # Wildcard Name
-#				      zones	  => { zone1 => 1, ... }
-#				      origin	  => <where defined>
-#				    }
-#		  }
+#     %interfaces { <interface1> => { name        => <name of interface>
+#                                     root        => <name without trailing '+'>
+#                                     options     => { port => undef|1
+#                                                    { <option1> } => <val1> ,          #See %validinterfaceoptions
+#                                                      ...
+#                                                    }
+#                                     zone        => <zone name>
+#                                     multizone   => undef|1   #More than one zone interfaces through this interface
+#                                     nets        => <number of nets in interface/hosts records referring to this interface>
+#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
+#                                     ports       => <number of port on this bridge>
+#                                     ipsec       => undef|1 # Has an ipsec host group
+#                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
+#                                     number      => <ordinal position in the interfaces file>
+#                                     physical    => <physical interface name>
+#                                     base        => <shell variable base representing this interface>
+#                                     wildcard    => undef|1 # Wildcard Name
+#                                     zones       => { zone1 => 1, ... }
+#                                     origin      => <where defined>
+#                                   }
+#                 }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
@@ -203,26 +221,6 @@ our $zonemarkincr;
 our $zonemarklimit;
 our $loopback_interface;

-#
-# IPSEC Option types
-#
-use constant { NOTHING    => 'NOTHING',
-	       NUMERIC    => '0x[\da-fA-F]+|\d+',
-	       IPSECPROTO => 'ah|esp|ipcomp',
-	       IPSECMODE  => 'tunnel|transport'
-	     };
-
-sub NETWORK() {
-    $family == F_IPV4 ? '\d+.\d+.\d+.\d+(\/\d+)?' : '(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/d+)?';
-}
-
-#
-# Option columns
-#
-use constant { IN_OUT     => 1,
-	       IN         => 2,
-	       OUT        => 3 };
-
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
@@ -278,7 +276,19 @@ our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore =

 our %validhostoptions;

-our %validzoneoptions;
+our %validzoneoptions = ( mss            => NUMERIC,
+			  nomark         => NOTHING,
+			  blacklist      => NOTHING,
+			  dynamic_shared => NOTHING,
+			  strict         => NOTHING,
+			  next           => NOTHING,
+			  reqid          => NUMERIC,
+			  spi            => NUMERIC,
+			  proto          => IPSECPROTO,
+			  mode           => IPSECMODE,
+			 "tunnel-src"   => NETWORK,
+			 "tunnel-dst"   => NETWORK,
+		       );

 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
@@ -320,20 +330,6 @@ sub initialize( $$ ) {
    $minroot = 0;
    $loopback_interface = '';

-    %validzoneoptions = ( mss            => NUMERIC,
-			  nomark         => NOTHING,
-			  blacklist      => NOTHING,
-			  dynamic_shared => NOTHING,
-			  strict         => NOTHING,
-			  next           => NOTHING,
-			  reqid          => NUMERIC,
-			  spi            => NUMERIC,
-			  proto          => IPSECPROTO,
-			  mode           => IPSECMODE,
-			 "tunnel-src"   => NETWORK,
-			 "tunnel-dst"   => NETWORK,
-		       );
-
    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
 				  arp_ignore  => ENUM_IF_OPTION,
@@ -411,8 +407,6 @@ sub initialize( $$ ) {
 				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				    unmanaged   => SIMPLE_IF_OPTION,
-				    upnp        => SIMPLE_IF_OPTION,
-				    upnpclient  => SIMPLE_IF_OPTION,
 				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
@@ -701,40 +695,6 @@ sub haveipseczones() {
    0;
 }

-#
-# Returns 1 if the two interfaces passed are related
-#
-sub interface_match( $$ ) {
-    my ( $piface, $ciface ) = @_;
-
-    return 1 if $piface eq $ciface;
-
-    my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface};
-
-    return 1 if $piface eq $cifaceref->{bridge};
-    return 1 if $ciface eq $pifaceref->{bridge};
-
-    if ( $minroot ) {
-	if ( $piface =~ /\+$/ ) {
-	    my $root    = $pifaceref->{root};
-	    my $rlength = length( $root );
-	    while ( length( $ciface ) >= $rlength ) {
-		return 1 if $ciface eq $root;
-		chop $ciface;
-	    }
-	} elsif ( $ciface =~ /\+$/ ) {
-	    my $root    = $cifaceref->{root};
-	    my $rlength = length( $root );
-	    while ( length( $piface ) >= $rlength ) {
-		return 1 if $piface eq $root;
-		chop $piface;
-	    }
-	}
-    }
-
-    0;
-}
-
 #
 # Report about zones.
 #
@@ -753,10 +713,10 @@ sub zone_report()
 	my $printed = 0;

 	if ( $hostref ) {
-	    for my $type ( keys %$hostref ) {
+	    for my $type ( sort keys %$hostref ) {
 		my $interfaceref = $hostref->{$type};

-		for my $interface ( keys %$interfaceref ) {
+		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};

@@ -772,7 +732,7 @@ sub zone_report()
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:[$grouplist]";
+				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
 			    }
 			    $printed = 1;
 			}
@@ -781,17 +741,6 @@ sub zone_report()
 	    }
 	}

-      PARENT:
-	for my $p ( @{$zoneref->{parents}} ) {
-	    for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) {
-		for my $ci ( keys( %{$zoneref->{interfaces}} ) ) {
-		    next PARENT if interface_match( $pi, $ci );
-		}
-	    }
-
-	    warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common";
-	}
-
 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
@@ -817,10 +766,10 @@ sub dump_zone_contents() {
 	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};

 	if ( $hostref ) {
-	    for my $type ( keys %$hostref ) {
+	    for my $type ( sort keys %$hostref ) {
 		my $interfaceref = $hostref->{$type};

-		for my $interface ( keys %$interfaceref ) {
+		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};

@@ -1364,7 +1313,7 @@ sub process_interface( $$ ) {
 		    assert(0);
 		}
 	    } elsif ( $type == STRING_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless supplied $value;
+		fatal_error "The '$option' option requires a value" unless defined $value;

 		if ( $option eq 'physical' ) {
 		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
@@ -1620,7 +1569,9 @@ sub known_interface($)
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
-	while ( length $iface >= $minroot ) {
+	while ( length $iface > $minroot ) {
+	    chop $iface;
+
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
@@ -1642,8 +1593,6 @@ sub known_interface($)
 		                              };
 		return $interfaceref;
 	    }
-
-	    chop $iface;
 	}
    }

@@ -2270,9 +2219,9 @@ sub find_hosts_by_option( $ ) {
    }

    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sort keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec  = $host->{ipsec};
@@ -2300,9 +2249,9 @@ sub find_zone_hosts_by_option( $$ ) {
    my @hosts;

    unless ( $zones{$zone}{type} & FIREWALL ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sort keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -43,8 +43,6 @@
 #         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
-#    If the <filename> is omitted, then a 'check' operation is performed.
-#
 use strict;
 use FindBin;
 use lib "$FindBin::Bin";
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -1,4 +1,4 @@
-#   (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -32,7 +32,7 @@
 #	    down			Stop an optional interface
 #	    enable			Enable an optional interface
 #	    help			Show command syntax
-#	    reenable			Disable then enable an optional
+#	    reenable			Disable then nable an optional
 #					interface
 #	    refresh			Refresh the firewall
 #	    reload			Reload the firewall
@@ -421,7 +421,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 conditionally_flush_conntrack() {

    if [ -n "$g_purge" ]; then
-	if [ -n "$(mywhich conntrack)" ]; then
+	if [ -n $(mywhich conntrack) ]; then
            conntrack -F
 	else
            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
@@ -899,7 +899,7 @@ detect_dynamic_gateway() { # $1 = interface
 #
 # Detect the gateway through an interface
 #
-detect_gateway() # $1 = interface $2 = table number
+detect_gateway() # $1 = interface
 {
    local interface
    interface=$1
@@ -912,8 +912,6 @@ detect_gateway() # $1 = interface $2 = table number
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
-
-    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -78,13 +78,11 @@ reload_command() {
    detect_configuration
    define_firewall
    status=$?
-
-    if [ $status -eq 0 ]; then
-	[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
-	progress_message3 "done."
-    else
-	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+    if [ -n "$SUBSYSLOCK" ]; then
+ 	[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
    fi
+
+    [ $status -eq 0 ] && progress_message3 "done."
 }

 ################################################################################
@@ -129,7 +127,6 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
-g_dockeringress=
 g_dockernetwork=
 g_forcereload=

@@ -421,12 +418,9 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
-	    COMMAND=disable
 	    detect_configuration $1
-	    disable_provider $1 Yes
-	    COMMAND=enable
-	    detect_configuration $1
-	    enable_provider  $1 Yes
+	    COMMAND=enable  disable_provider $1 Yes
+	    COMMAND=disable enable_provider  $1 Yes
 	fi
 	mutex_off
 	status=0
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -109,12 +109,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-ACCEPT_DEFAULT="none"
+ACCEPT_DEFAULT=none
 BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -205,6 +205,8 @@ MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No

+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -215,8 +217,6 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

-PERL_HASH_SEED=0
-
 REJECT_ACTION=

 REQUIRE_INTERFACE=Yes
@@ -247,8 +247,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -120,12 +120,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-ACCEPT_DEFAULT="none"
+ACCEPT_DEFAULT=none
 BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -216,6 +216,8 @@ MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No

+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -226,8 +228,6 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

-PERL_HASH_SEED=0
-
 REJECT_ACTION=

 REQUIRE_INTERFACE=No
@@ -258,8 +258,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -117,12 +117,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-ACCEPT_DEFAULT="none"
+ACCEPT_DEFAULT=none
 BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -213,6 +213,8 @@ MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No

+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -223,8 +225,6 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

-PERL_HASH_SEED=0
-
 REJECT_ACTION=

 REQUIRE_INTERFACE=No
@@ -255,8 +255,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -120,12 +120,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-ACCEPT_DEFAULT="none"
+ACCEPT_DEFAULT=none
 BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -216,6 +216,8 @@ MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No

+MODULE_SUFFIX="ko ko.xz"
+
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -226,8 +228,6 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

-PERL_HASH_SEED=0
-
 REJECT_ACTION=

 REQUIRE_INTERFACE=No
@@ -258,8 +258,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		eth0
+			92.168.0.0/16		eth0
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -6,44 +6,45 @@
 #	Please see http://shorewall.net/Actions.html for additional
 #	information.
 #
+# Builtin Actions are:
+#
+?if 0
+allowBcast			# Silently Allow Broadcast
+allowMcast			# Silently Allow Multicast
+dropBcast			# Silently Drop Broadcast
+dropMcast			# Silently Drop Multicast
+dropNotSyn			# Silently Drop Non-syn TCP packets
+rejNotSyn			# Silently Reject Non-syn TCP packets
+allowinUPnP			# Allow UPnP inbound (to firewall) traffic
+forwardUPnP			# Allow traffic that upnpd has redirected from 'upnp' interfaces.
+Limit				# Limit the rate of connections from each individual IP address
+?endif
 ###############################################################################
 #ACTION
-A_AllowICMPs inline		# Audited version of AllowICMPs
 A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
 A_Reject			# Audited Default action for REJECT policy
-AllowICMPs   inline		# Allow Required ICMP packets
-allowBcast   inline		# Silently Allow Broadcast
-allowinUPnP  inline		# Allow UPnP inbound (to firewall) traffic
+AllowICMPs   inline             # Allow Required ICMP packets
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
-allowMcast   inline		# Silently Allow Multicast
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
 DNSAmp				# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy (deprecated)
-dropBcast    inline		# Silently Drop Broadcast
-dropBcasts    inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
-dropMcast    inline		# Silently Drop Multicast
-dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
 DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
-FIN	     inline,audit	# Handles ACK,FIN,PSH packets
-forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
 Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 	     state=INVALID	#
-Limit	     noinline		# Limit the rate of connections from each individual IP address
 Multicast    noinline,audit	# Handles Multicast
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
-rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
 Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
--- a/Shorewall/configfiles/disabled
+++ b/Shorewall/configfiles/disabled
@@ -1,12 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/disabled
-#
-# Add commands below that you want executed when an optional
-# interface is successfully disabled using the 'disable' command
-#
-# When the commands are invoked:
-#
-#  $1 contains the physical name of the interface
-#  $2 contains the logical name of the interface
-#  $3 contains the name of the provider associated with the interface,
-      if any
--- a/Shorewall/configfiles/enabled
+++ b/Shorewall/configfiles/enabled
@@ -1,12 +0,0 @@
-#
-# Shorewall -- /etc/shorewall/enabled
-#
-# Add commands below that you want executed when an optional
-# interface is successfully enabled using the 'enable' command
-#
-# When the commands are invoked:
-#
-#  $1 contains the physical name of the interface
-#  $2 contains the logical name of the interface
-#  $3 contains the name of the provider associated with the interface,
-      if any
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -63,7 +63,7 @@ RPFILTER_LOG_LEVEL="$LOG_LEVEL"

 SFILTER_LOG_LEVEL="$LOG_LEVEL"

-SMURF_LOG_LEVEL="$LOG_LEVEL"
+SMURF_LOG_LEVEL=$LOG_LEVEL

 STARTUP_LOG=/var/log/shorewall-init.log

@@ -109,12 +109,12 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-ACCEPT_DEFAULT="none"
+ACCEPT_DEFAULT=none
 BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP),AllowICMPs"

 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
@@ -205,6 +205,8 @@ MARK_IN_FORWARD_CHAIN=No

 MINIUPNPD=No

+MODULE_SUFFIX=ko
+
 MULTICAST=No

 MUTEX_TIMEOUT=60
@@ -215,8 +217,6 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

-PERL_HASH_SEED=0
-
 REJECT_ACTION=

 REQUIRE_INTERFACE=No
@@ -247,8 +247,6 @@ TRACK_RULES=No

 USE_DEFAULT_RT=Yes

-USE_NFLOG_SIZE=No
-
 USE_PHYSICAL_NAMES=No

 USE_RT_NAMES=No
--- a/Shorewall/default.debian.sysvinit
+++ b/Shorewall/default.debian.sysvinit
@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following variable to 1 in order to allow Shorewall to start
+# set the following varible to 1 in order to allow Shorewall to start

 startup=0

@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=

 #
-# Global start/restart/reload/stop options
+# Global start/restart options
 #
 OPTIONS=""

@@ -28,17 +28,12 @@ STARTOPTIONS=""
 #
 # Restart options
 #
-RESTARTOPTIONS=""
-
-#
-# Reload options
-#
 RELOADOPTIONS=""

 #
-# Stop options
+# Restart options
 #
-STOPOPTIONS=""
+RESTARTOPTIONS=""

 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
--- a/Shorewall/default.debian.systemd
+++ b/Shorewall/default.debian.systemd
@@ -1,26 +0,0 @@
-#
-# Global start/restart/reload/stop options
-#
-OPTIONS=""
-
-#
-# Start options
-#
-STARTOPTIONS=""
-
-#
-# Restart options
-#
-RESTARTOPTIONS=""
-
-#
-# Reload options
-#
-RELOADOPTIONS=""
-
-#
-# Stop options
-#
-STOPOPTIONS=""
-
-# EOF
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,22 +22,55 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #

-VERSION=xxx # The Build script inserts the actual version
+VERSION=4.5.5       #The Build script inserts the actual version

+#
+# Change to the directory containing this script
+#
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -s"
-    echo "  -a"
-    echo "  -p"
-    echo "  -n"
+    echo "usage: $ME [ <configuration-file> ]"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    echo "       $ME -s"
+    echo "       $ME -a"
+    echo "       $ME -n"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
 run_install()
 {
    if ! install $*; then
@@ -47,14 +80,27 @@ run_install()
    fi
 }

+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure $PRODUCT to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
 install_file() # $1 = source $2 = target $3 = mode
 {
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

-#
-# Change to the directory containing this script
-#
+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 cd "$(dirname $0)"

 if [ -f shorewall.service ]; then
@@ -65,11 +111,6 @@ else
    Product=Shorewall6
 fi

-#
-# Source common functions
-#
-. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
 #
 # Parse the run line
 #
@@ -131,14 +172,11 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-	file=./shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
-	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+	. ~/.shorewallrc || exit 1
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	file=/usr/share/shorewall/shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -148,11 +186,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -267,7 +305,8 @@ case "$HOST" in
    linux)
 	;;
    *)
-	fatal_error "Unknown HOST \"$HOST\""
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
 	;;
 esac

@@ -278,7 +317,8 @@ if [ $PRODUCT = shorewall ]; then
 	#
 	if [ "$DIGEST" != SHA ]; then
 	    if [ "$BUILD" = "$HOST" ] && ! eval perl -e \'use Digest::$DIGEST\;\' 2> /dev/null ; then
-		fatal_error "Perl compilation with Digest::$DIGEST failed"
+		echo "ERROR: Perl compilation with Digest::$DIGEST failed" >&2
+		exit 1;
 	    fi

 	    cp -af Perl/Shorewall/Chains.pm Perl/Shorewall/Chains.pm.bak
@@ -301,7 +341,8 @@ if [ $PRODUCT = shorewall ]; then
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Config.pm
 		DIGEST=SHA1
 	    else
-		fatal_error "Shorewall $VERSION requires either Digest::SHA or Digest::SHA1"
+		echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
+		exit 1
 	    fi
 	fi
    fi
@@ -329,10 +370,11 @@ if [ $BUILD != cygwin ]; then
    fi
 fi

-run_install -d $OWNERSHIP -m 0755 ${DESTDIR}${SBINDIR}
-[ -n "${INITFILE}" ] && run_install -d $OWNERSHIP -m 0755 ${DESTDIR}${INITDIR}
+install -d $OWNERSHIP -m 755 ${DESTDIR}${SBINDIR}
+[ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 if [ -z "$DESTDIR" -a $PRODUCT != shorewall ]; then
-    [ -x ${LIBEXECDIR}/shorewall/compiler.pl ] || fatal_error "Shorewall >= 4.5.0 is not installed"
+    [ -x ${LIBEXECDIR}/shorewall/compiler.pl ] || \
+	{ echo "   ERROR: Shorewall >= 4.5.0 is not installed" >&2; exit 1; }
 fi

 echo "Installing $Product Version $VERSION"
@@ -346,7 +388,7 @@ else
    first_install="Yes"
 fi

-if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/shorewall/coreversion ]; then
+if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreversion ]; then
    echo "Shorewall $VERSION requires Shorewall Core which does not appear to be installed"
    exit 1
 fi
@@ -368,16 +410,22 @@ fi
 #
 # Create /etc/$PRODUCT and other directories
 #
-make_parent_directory ${DESTDIR}${CONFDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${PERLLIBDIR}/Shorewall 0755
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles 0755
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated 0755
-make_parent_directory ${DESTDIR}${VARDIR} 0755
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
+mkdir -p ${DESTDIR}${VARDIR}

-chmod 0755 ${DESTDIR}${SHAREDIR}/$PRODUCT
+chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated

-[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
+if [ -n "$DESTDIR" ]; then
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+fi

 #
 # Install the .service file
@@ -387,9 +435,9 @@ if [ -z "${SERVICEDIR}" ]; then
 fi

 if [ -n "$SERVICEDIR" ]; then
-    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 0644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -442,14 +490,6 @@ if [ -z "$first_install" ]; then
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_REJECT
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Drop
 	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.Reject
-	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_Drop
-	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_Reject
-	delete_file ${DESTDIR}${SHAREDIR}/shorewall/action.A_AllowICMPs
-    else
-	delete_file ${DESTDIR}${SHAREDIR}/shorewall6/action.A_AllowICMPs
-	delete_file ${DESTDIR}${SHAREDIR}/shorewall6/action.AllowICMPs
-	delete_file ${DESTDIR}${SHAREDIR}/shorewall6/action.Broadcast
-	delete_file ${DESTDIR}${SHAREDIR}/shorewall6/action.Multicast
    fi
 fi

@@ -492,11 +532,8 @@ fi
 #
 # Install the config file
 #
-run_install $OWNERSHIP -m 0644 $PRODUCT.conf            ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
-
-if [ $PRODUCT = shorewall ]; then
-    run_install $OWNERSHIP -m 0644 shorewall.conf.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
-fi
+run_install $OWNERSHIP -m 0644 $PRODUCT.conf           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+run_install $OWNERSHIP -m 0644 $PRODUCT.conf.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/

 if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
    run_install $OWNERSHIP -m 0600 ${PRODUCT}.conf${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
@@ -616,14 +653,8 @@ run_install $OWNERSHIP -m 0644 params.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/c
 if [ -f ${DESTDIR}${CONFDIR}/$PRODUCT/params ]; then
    chmod 0644 ${DESTDIR}${CONFDIR}/$PRODUCT/params
 else
-    case "$SPARSE" in
-	[Vv]ery)
-	;;
-	*)
-	    run_install $OWNERSHIP -m 0600 params${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/params
-	    echo "Parameter file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/params"
-	    ;;
-    esac
+    run_install $OWNERSHIP -m 0600 params${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/params
+    echo "Parameter file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/params"
 fi

 if [ $PRODUCT = shorewall ]; then
@@ -699,16 +730,10 @@ fi
 run_install $OWNERSHIP -m 0644 conntrack           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
 run_install $OWNERSHIP -m 0644 conntrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles

-case "$SPARSE" in
-    [Vv]ery)
-    ;;
-    *)
-	if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
-	    run_install $OWNERSHIP -m 0600 conntrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack
-	    echo "Conntrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack"
-	fi
-	;;
-esac
+if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
+    run_install $OWNERSHIP -m 0600 conntrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack
+    echo "Conntrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack"
+fi

 #
 # Install the Mangle file
@@ -1069,14 +1094,8 @@ cd ..
 #
 for f in lib.* Perl/lib.*; do
    if [ -f $f ]; then
-        case $f in
-            *installer)
-                ;;
-            *)
-                install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$(basename $f) 0644
-                echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-                ;;
-        esac
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$(basename $f) 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
    fi
 done

@@ -1086,7 +1105,7 @@ if [ $PRODUCT = shorewall6 ]; then
    #
    ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
    #
-    # And create a symbolic link for the CLI
+    # And create a sybolic link for the CLI
    #
    ln -sf shorewall ${DESTDIR}${SBINDIR}/shorewall6
 fi
@@ -1095,7 +1114,8 @@ if [ -d Perl ]; then
    #
    # ${SHAREDIR}/$PRODUCT/$Product if needed
    #
-    make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT/$Product 0755
+    mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/$Product
+    chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/$Product
    #
    # Install the Compiler
    #
@@ -1144,7 +1164,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
@@ -1162,41 +1182,15 @@ if [ -n "$MANDIR" ]; then

 cd manpages

-if [ $PRODUCT = shorewall ]; then
-    [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
+[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/

-    for f in *.5; do
-	gzip -9c $f > $f.gz
-	run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
-    done
-fi
+for f in *.5; do
+    gzip -9c $f > $f.gz
+    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
+    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
+done

-if [ $PRODUCT = shorewall6 ]; then
-    make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
-
-    rm -f ${DESTDIR}${MANDIR}/man5/shorewall6*
-
-    for f in \
-	shorewall-accounting.5  shorewall-ipsets.5   shorewall-providers.5     shorewall-tcclasses.5     \
-	shorewall-actions.5     shorewall-maclist.5                            shorewall-tcdevices.5     \
-	                        shorewall-mangle.5   shorewall-proxyndp.5      shorewall-tcfilters.5     \
-	shorewall-blacklist.5   shorewall-masq.5     shorewall-routes.5        shorewall-tcinterfaces.5  \
-	shorewall-blrules.5     shorewall-modules.5  shorewall-routestopped.5  shorewall-tcpri.5         \
-	shorewall-conntrack.5   shorewall-nat.5      shorewall-rtrules.5       shorewall-tcrules.5       \
-                                shorewall-nesting.5  shorewall-rules.5         shorewall-tos.5           \
-	shorewall-exclusion.5   shorewall-netmap.5   shorewall-secmarks.5      shorewall-tunnels.5       \
-	shorewall-hosts.5       shorewall-params.5   shorewall-snat.5          shorewall-vardir.5        \
-	shorewall-interfaces.5  shorewall-policy.5   shorewall-stoppedrules.5  shorewall-zones.5
-    do
-	f6=shorewall6-${f#*-}
-	echo ".so man5/$f" > ${DESTDIR}${MANDIR}/man5/$f6
-    done
-
-    echo ".so man5/shorewall.conf.5" > ${DESTDIR}${MANDIR}/man5/shorewall6.conf.5
-fi
-
-[ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
+[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/

 for f in *.8; do
    gzip -9c $f > $f.gz
@@ -1219,7 +1213,8 @@ fi
 #
 if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
    if [ ${DESTDIR} ]; then
-	make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	chmod 755 ${DESTDIR}${SYSCONFDIR}
    fi

    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
@@ -1277,6 +1272,6 @@ if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${
 fi

 #
-# Report Success
+#  Report Success
 #
 echo "$Product Version $VERSION Installed"
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -341,18 +341,6 @@ get_config() {
 	setup_dbl
    fi

-    if [ -z "$PERL_HASH_SEED" ]; then
-	PERL_HASH_SEED=0
-    else
-	case $PERL_HASH_SEED in
-	    [0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]|random)
-	        ;;
-	    *)
-		fatal_error "Invalid setting ($PERL_HASH_SEED) for PERL_HASH_SEED"
-		;;
-	esac
-    fi
-
    lib=$(find_file lib.cli-user)

    [ -f $lib ] && . $lib
@@ -496,18 +484,6 @@ compiler() {
    #
    [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=

-    case $PERL_HASH_SEED in
-	random)
-	    unset PERL_HASH_SEED
-	    unset PERL_PERTURB_KEYS
-	    ;;
-	*)
-	    export PERL_HASH_SEED
-	    PERL_PERTURB_KEYS=0
-	    export PERL_PERTURB_KEYS
-	    ;;
-    esac
-
    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	eval $PERL $debugflags $pc $options $@ $g_pager
    else
@@ -534,6 +510,28 @@ start_command() {
    local rc
    rc=0

+    do_it() {
+	if [ -n "$AUTOMAKE" ]; then
+	    [ -n "$nolock" ] || mutex_on
+	    run_it ${VARDIR}/firewall $g_debugging start
+	    rc=$?
+	    [ -n "$nolock" ] || mutex_off
+	else
+	    g_file="${VARDIR}/.start"
+	    if compiler $g_debugging $nolock compile "$g_file"; then
+		[ -n "$nolock" ] || mutex_on
+		run_it ${VARDIR}/.start $g_debugging start
+		rc=$?
+		[ -n "$nolock" ] || mutex_off
+	    else
+		rc=$?
+		mylogger kern.err "ERROR:$g_product start failed"
+	    fi
+	fi
+
+	exit $rc
+    }
+
    if product_is_started; then
 	error_message "Shorewall is already running"
 	exit 0
@@ -625,25 +623,7 @@ start_command() {
 	fi
    fi

-    if [ -n "$AUTOMAKE" ]; then
-	[ -n "$nolock" ] || mutex_on
-	run_it ${VARDIR}/firewall $g_debugging start
-	rc=$?
-	[ -n "$nolock" ] || mutex_off
-    else
-	g_file="${VARDIR}/.start"
-	if compiler $g_debugging $nolock compile "$g_file"; then
-	    [ -n "$nolock" ] || mutex_on
-	    run_it ${VARDIR}/.start $g_debugging start
-	    rc=$?
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    rc=$?
-	    mylogger kern.err "ERROR:$g_product start failed"
-	fi
-    fi
-
-    exit $rc
+    do_it
 }

 #
@@ -1556,10 +1536,10 @@ remote_reload_command() # $* = original arguments less the command.

 	progress_message "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
-	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
+	    if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
 	    fi
-	elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
+	elif ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
 	    fatal_error "Capturing capabilities on system $system failed"
 	fi
    fi
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/accounting</command>
+      <command>/etc/shorewall/accounting</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -783,8 +783,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/accounting</para>
-
-    <para>/etc/shorewall6/accounting</para>
  </refsect1>

  <refsect1>
@@ -800,6 +798,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/actions</command>
+      <command>/etc/shorewall/actions</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -148,9 +148,9 @@
              <listitem>
                <para>Added in Shorewall 5.0.7. Specifies that this action is
                to be used in <ulink
-                url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
-                rather than <ulink
-                url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
+                url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
+                than <ulink
+                url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
              </listitem>
            </varlistentry>

@@ -160,11 +160,11 @@
              <listitem>
                <para>Added in Shorewall 5.0.13. Specifies that this action is
                to be used in <ulink
-                url="/manpages/shorewall-snat.html">shorewall-snat(5)</ulink>
-                rather than <ulink
-                url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.
-                The <option>mangle</option> and <option>nat</option> options
-                are mutually exclusive.</para>
+                url="shorewall-snat.html">shorewall-snat(5)</ulink> rather
+                than <ulink
+                url="shorewall-rules.html">shorewall-rules(5)</ulink>. The
+                <option>mangle</option> and <option>nat</option> options are
+                mutually exclusive.</para>
              </listitem>
            </varlistentry>

@@ -206,7 +206,7 @@
                <para>Given that neither the <filename>snat</filename> nor the
                <filename>mangle</filename> file is sectioned, this parameter
                has no effect when <option>mangle</option> or
-                <option>nat</option> is specified.</para>
+                <option>nat</option> is specified. </para>
              </listitem>
            </varlistentry>

@@ -239,8 +239,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/actions</para>
-
-    <para>/etc/shorewall6/actions</para>
  </refsect1>

  <refsect1>
@@ -249,6 +247,14 @@
    <para><ulink
    url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-arprules.xml
+++ b/Shorewall/manpages/shorewall-arprules.xml
@@ -25,8 +25,6 @@
  <refsect1>
    <title>Description</title>

-    <para>IPv4 only.</para>
-
    <para>This file was added in Shorewall 4.5.12 and is used to describe
    low-level rules managed by arptables (8). These rules only affect Address
    Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and
@@ -379,10 +377,4 @@ SNAT:10.1.10.11        -                       eth1:10.1.10.0/24   1</programlis

    <para>/etc/shorewall/arprules</para>
  </refsect1>
-
-  <refsect1>
-    <title>See ALSO</title>
-
-    <para>shorewall(8)</para>
-  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/blrules</command>
+      <command>/etc/shorewall/blrules</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -27,9 +27,12 @@

    <para>This file is used to perform blacklisting and whitelisting.</para>

-    <para>Rules in this file are applied depending on the setting of BLACKLIST
-    in <ulink
-    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+    <para>Rules in this file are applied depending on the setting of
+    BLACKLISTNEWONLY in <ulink
+    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If
+    BLACKLISTNEWONLY=No, then they are applied regardless of the connection
+    tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
+    connections in the NEW and INVALID states.</para>

    <para>The format of rules in this file is the same as the format of rules
    in <ulink url="/manpages/shorewall-rules.html">shorewall-rules
@@ -115,10 +118,10 @@
            </varlistentry>

            <varlistentry>
-              <term>A_DROP</term>
+              <term>A_DROP and A_DROP!</term>

              <listitem>
-                <para>Audited version of DROP. Requires AUDIT_TARGET support
+                <para>Audited versions of DROP. Requires AUDIT_TARGET support
                in the kernel and ip6tables.</para>
              </listitem>
            </varlistentry>
@@ -167,7 +170,7 @@
              <listitem>
                <para>queues matching packets to a back end logging daemon via
                a netlink socket then continues to the next rule. See <ulink
-                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
              </listitem>
            </varlistentry>

@@ -273,11 +276,11 @@
  </refsect1>

  <refsect1>
-    <title>Examples</title>
+    <title>Example</title>

    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>

        <listitem>
          <para>Drop Teredo packets from the net.</para>
@@ -287,28 +290,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 2:</term>
-
-        <listitem>
-          <para>Don't subject packets from 2001:DB8::/64 to the remaining
-          rules in the file.</para>
-
-          <programlisting>WHITELIST     net:[2001:DB8::/64]        all</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 1:</term>
-
-        <listitem>
-          <para>Drop Teredo packets from the net.</para>
-
-          <programlisting>DROP          net:[2001::/32]            all</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 2:</term>
+        <term>Example 2:</term>

        <listitem>
          <para>Don't subject packets from 2001:DB8::/64 to the remaining
@@ -324,8 +306,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/blrules</para>
-
-    <para>/etc/shorewall6/blrules</para>
  </refsect1>

  <refsect1>
@@ -337,6 +317,12 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/conntrack</command>
+      <command>/etc/shorewall/conntrack</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -35,7 +35,7 @@
    <emphasis role="bold">conntrack</emphasis>.</para>

    <para>The file supports three different column layouts: FORMAT 1, FORMAT
-    2, and FORMAT 3 with FORMAT 1 being the default. The three differ as
+    2, and FORMAT 3, FORMAT 1 being the default. The three differ as
    follows:</para>

    <itemizedlist>
@@ -311,9 +311,9 @@
            <listitem>
              <para><option>ULOG</option></para>

-              <para>IPv4 only. Added in Shoreawll 4.6.0. Queues the packet to
-              a backend logging daemon using the ULOG netfilter target with
-              the specified <replaceable>ulog-parameters</replaceable>.</para>
+              <para>Added in Shoreawll 4.6.0. Queues the packet to a backend
+              logging daemon using the ULOG netfilter target with the
+              specified <replaceable>ulog-parameters</replaceable>.</para>
            </listitem>
          </itemizedlist>

@@ -689,57 +689,31 @@
  <refsect1>
    <title>EXAMPLE</title>

-    <para>IPv4 Example 1:</para>
+    <para>Example 1:</para>

    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>

-    <para>IPv4 Example 2 (Shorewall 4.5.10 or later):</para>
+    <para>Example 2 (Shorewall 4.5.10 or later):</para>

    <para>Drop traffic to/from all zones to IP address 1.2.3.4</para>

-    <programlisting>?FORMAT 2
+    <programlisting>FORMAT 2
 #ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
 DROP                          all-:1.2.3.4       -
 DROP                          all                1.2.3.4</programlisting>

-    <para>or<programlisting>?FORMAT 3
+    <para>or<programlisting>FORMAT 3
 #ACTION                       SOURCE             DEST               PROTO           DPORT             SPORT               USER
 DROP:P                        1.2.3.4            -
 DROP:PO                       -                  1.2.3.4
 </programlisting></para>
-
-    <para>IPv6 Example 1:</para>
-
-    <para>Use the FTP helper for TCP port 21 connections from the firewall
-    itself.</para>
-
-    <programlisting>FORMAT 2
-#ACTION                       SOURCE            DEST               PROTO            DPORT             SPORT               USER
-CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
-
-    <para>IPv6 Example 2 (Shorewall 4.5.10 or later):</para>
-
-    <para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
-
-    <programlisting>FORMAT 2
-#ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
-DROP                          all-:2001:1.2.3::4 -
-DROP                          all                2001:1.2.3::4
-</programlisting>
-
-    <para>or<programlisting>FORMAT 3
-#ACTION                       SOURCE             DEST               PROTO            DPORT             SPORT               USER
-DROP:P                        2001:1.2.3::4      -
-DROP:PO                       -                  2001:1.2.3::4</programlisting></para>
  </refsect1>

  <refsect1>
    <title>FILES</title>

    <para>/etc/shorewall/conntrack</para>
-
-    <para>/etc/shorewall6/conntrack</para>
  </refsect1>

  <refsect1>
@@ -748,6 +722,14 @@ DROP:PO                       -                  2001:1.2.3::4</programlisting><
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-ecn.xml
+++ b/Shorewall/manpages/shorewall-ecn.xml
@@ -25,12 +25,8 @@
  <refsect1>
    <title>Description</title>

-    <para>IPv4 only.</para>
-
    <para>Use this file to list the destinations for which you want to disable
-    ECN (Explicit Congestion Notification). Use of this file is deprecated in
-    favor of ECN rules in <ulink
-    url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(8).</para>
+    ECN (Explicit Congestion Notification).</para>

    <para>The columns in the file are as follows.</para>

@@ -69,6 +65,14 @@
  <refsect1>
    <title>See ALSO</title>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-exclusion.xml
+++ b/Shorewall/manpages/shorewall-exclusion.xml
@@ -49,10 +49,9 @@

    <para>Beginning in Shorewall 4.4.13, the second form of exclusion is
    allowed after <emphasis role="bold">all</emphasis> and <emphasis
-    role="bold">any</emphasis> in the SOURCE and DEST columns of <ulink
-    url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5). It allows
-    you to omit arbitrary zones from the list generated by those key
-    words.</para>
+    role="bold">any</emphasis> in the SOURCE and DEST columns of
+    /etc/shorewall/rules. It allows you to omit arbitrary zones from the list
+    generated by those key words.</para>

    <warning>
      <para>If you omit a sub-zone and there is an explicit or explicit
@@ -118,7 +117,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>

    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1 - All IPv4 addresses except 192.168.3.4</term>
+        <term>Example 1 - All IPv4 addresses except 192.168.3.4</term>

        <listitem>
          <para>!192.168.3.4</para>
@@ -126,8 +125,8 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 2 - All IPv4 addresses except the network
-        192.168.1.0/24 and the host 10.2.3.4</term>
+        <term>Example 2 - All IPv4 addresses except the network 192.168.1.0/24
+        and the host 10.2.3.4</term>

        <listitem>
          <para>!192.168.1.0/24,10.1.3.4</para>
@@ -135,7 +134,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 3 - All IPv4 addresses except the range
+        <term>Example 3 - All IPv4 addresses except the range
        192.168.1.3-192.168.1.12 and the network 10.0.0.0/8</term>

        <listitem>
@@ -144,8 +143,8 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 4 - The network 192.168.1.0/24 except hosts
-        192.168.1.3 and 192.168.1.9</term>
+        <term>Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3
+        and 192.168.1.9</term>

        <listitem>
          <para>192.168.1.0/24!192.168.1.3,192.168.1.9</para>
@@ -177,6 +176,14 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
  <refsect1>
    <title>See ALSO</title>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-hosts.xml
+++ b/Shorewall/manpages/shorewall-hosts.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/hosts</command>
+      <command>/etc/shorewall/hosts</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -270,8 +270,6 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
    <title>FILES</title>

    <para>/etc/shorewall/hosts</para>
-
-    <para>/etc/shorewall6/hosts</para>
  </refsect1>

  <refsect1>
@@ -280,6 +278,14 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-init.xml
+++ b/Shorewall/manpages/shorewall-init.xml
@@ -165,6 +165,14 @@
  <refsect1>
    <title>See ALSO</title>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/interfaces</command>
+      <command>/etc/shorewall/interfaces</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -104,7 +104,9 @@ loc     eth2            -</programlisting>
          <para>You may use wildcards here by specifying a prefix followed by
          the plus sign ("+"). For example, if you want to make an entry that
          applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
-          ppp1, ppp2, …</para>
+          ppp1, ppp2, … Please note that the '+' means '<emphasis
+          role="bold">one</emphasis> or more additional characters' so 'ppp'
+          does not match 'ppp+'.</para>

          <para>When using Shorewall versions before 4.1.4, care must be
          exercised when using wildcards where there is another zone that uses
@@ -197,12 +199,11 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>

              <listitem>
-                <para>IPv4 only. If specified, this interface will only
-                respond to ARP who-has requests for IP addresses configured on
-                the interface. If not specified, the interface can respond to
-                ARP who-has requests for IP addresses on any of the firewall's
-                interface. The interface must be up when Shorewall is
-                started.</para>
+                <para>If specified, this interface will only respond to ARP
+                who-has requests for IP addresses configured on the interface.
+                If not specified, the interface can respond to ARP who-has
+                requests for IP addresses on any of the firewall's interface.
+                The interface must be up when Shorewall is started.</para>

                <para>Only those interfaces with the
                <option>arp_filter</option> option will have their setting
@@ -224,8 +225,8 @@ loc     eth2            -</programlisting>
              role="bold">arp_ignore</emphasis>[=<emphasis>number</emphasis>]</term>

              <listitem>
-                <para>IPv4 only. If specified, this interface will respond to
-                arp requests based on the value of <emphasis>number</emphasis>
+                <para>If specified, this interface will respond to arp
+                requests based on the value of <emphasis>number</emphasis>
                (defaults to 1).</para>

                <para>1 - reply only if the target IP address is local address
@@ -256,7 +257,7 @@ loc     eth2            -</programlisting>
                <warning>
                  <para>Do not specify <emphasis
                  role="bold">arp_ignore</emphasis> for any interface involved
-                  in <ulink url="/ProxyARP.htm">Proxy ARP</ulink>.</para>
+                  in <ulink url="../ProxyARP.htm">Proxy ARP</ulink>.</para>
                </warning>
              </listitem>
            </varlistentry>
@@ -322,7 +323,7 @@ loc     eth2            -</programlisting>
                and/or destination address is to be compared against the
                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
                <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
+                url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
                The default is determine by the setting of
                DYNAMIC_BLACKLIST:</para>

@@ -410,13 +411,13 @@ loc     eth2            -</programlisting>

                  <listitem>
                    <para>the interface is a <ulink
-                    url="/SimpleBridge.html">simple bridge</ulink> with a DHCP
-                    server on one port and DHCP clients on another
+                    url="../SimpleBridge.html">simple bridge</ulink> with a
+                    DHCP server on one port and DHCP clients on another
                    port.</para>

                    <note>
                      <para>If you use <ulink
-                      url="/bridge-Shorewall-perl.html">Shorewall-perl for
+                      url="../bridge-Shorewall-perl.html">Shorewall-perl for
                      firewall/bridging</ulink>, then you need to include
                      DHCP-specific rules in <ulink
                      url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
@@ -466,15 +467,15 @@ loc     eth2            -</programlisting>
              role="bold">logmartians[={0|1}]</emphasis></term>

              <listitem>
-                <para>IPv4 only. Turn on kernel martian logging (logging of
-                packets with impossible source addresses. It is strongly
-                suggested that if you set <emphasis
-                role="bold">routefilter</emphasis> on an interface that you
-                also set <emphasis role="bold">logmartians</emphasis>. Even if
-                you do not specify the <option>routefilter</option> option, it
-                is a good idea to specify <option>logmartians</option> because
-                your distribution may have enabled route filtering without you
-                knowing it.</para>
+                <para>Turn on kernel martian logging (logging of packets with
+                impossible source addresses. It is strongly suggested that if
+                you set <emphasis role="bold">routefilter</emphasis> on an
+                interface that you also set <emphasis
+                role="bold">logmartians</emphasis>. Even if you do not specify
+                the <option>routefilter</option> option, it is a good idea to
+                specify <option>logmartians</option> because your distribution
+                may have enabled route filtering without you knowing
+                it.</para>

                <para>Only those interfaces with the
                <option>logmartians</option> option will have their setting
@@ -575,8 +576,8 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">nosmurfs</emphasis></term>

              <listitem>
-                <para>IPv4 only. Filter packets for smurfs (packets with a
-                broadcast address as the source).</para>
+                <para>Filter packets for smurfs (packets with a broadcast
+                address as the source).</para>

                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
@@ -595,9 +596,9 @@ loc     eth2            -</programlisting>
                <itemizedlist>
                  <listitem>
                    <para>a <filename
-                    class="directory">/proc/sys/net/ipv[46]/conf/</filename>
+                    class="directory">/proc/sys/net/ipv4/conf/</filename>
                    entry for the interface cannot be modified (including for
-                    proxy ARP or proxy NDP).</para>
+                    proxy ARP).</para>
                  </listitem>

                  <listitem>
@@ -637,7 +638,7 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>

              <listitem>
-                <para>IPv4 only. Sets
+                <para>Sets
                /proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
                Do NOT use this option if you are employing Proxy ARP through
                entries in <ulink
@@ -658,24 +659,6 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>
-
-              <listitem>
-                <para>IPv6 only. Sets
-                /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
-
-                <para><emphasis role="bold">Note</emphasis>: This option does
-                not work with a wild-card <replaceable>interface</replaceable>
-                name (e.g., eth0.+) in the INTERFACE column.</para>
-
-                <para>Only those interfaces with the <option>proxyndp</option>
-                option will have their setting changed; the value assigned to
-                the setting will be the value specified (if any) or 1 if no
-                value is given.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">required</emphasis></term>

@@ -717,8 +700,8 @@ loc     eth2            -</programlisting>
              role="bold">routefilter[={0|1|2}]</emphasis></term>

              <listitem>
-                <para>IPv4 only. Turn on kernel route filtering for this
-                interface (anti-spoofing measure).</para>
+                <para>Turn on kernel route filtering for this interface
+                (anti-spoofing measure).</para>

                <para>Only those interfaces with the
                <option>routefilter</option> option will have their setting
@@ -902,14 +885,11 @@ loc     eth2            -</programlisting>
                      <member><emphasis
                      role="bold">routefilter</emphasis></member>

-                      <member><emphasis
-                      role="bold">proxyarp</emphasis></member>
-
-                      <member><emphasis
-                      role="bold">proxyudp</emphasis></member>
-
                      <member><emphasis
                      role="bold">sourceroute</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">proxyndp</emphasis></member>
                    </simplelist>
                  </listitem>
                </itemizedlist>
@@ -922,9 +902,7 @@ loc     eth2            -</programlisting>
              <listitem>
                <para>Incoming requests from this interface may be remapped
                via UPNP (upnpd). See <ulink
-                url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.
-                Supported in IPv4 and in IPv6 in Shorewall 5.1.4 and
-                later.</para>
+                url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
              </listitem>
            </varlistentry>

@@ -938,8 +916,7 @@ loc     eth2            -</programlisting>
                causes Shorewall to detect the default gateway through the
                interface and to accept UDP packets from that gateway. Note
                that, like all aspects of UPnP, this is a security hole so use
-                this option at your own risk. Supported in IPv4 and in IPv6 in
-                Shorewall 5.1.4 and later.</para>
+                this option at your own risk.</para>
              </listitem>
            </varlistentry>

@@ -966,7 +943,7 @@ loc     eth2            -</programlisting>

    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>

        <listitem>
          <para>Suppose you have eth0 connected to a DSL modem and eth1
@@ -979,7 +956,7 @@ loc     eth2            -</programlisting>

          <para>Your entries for this setup would look like:</para>

-          <programlisting>?FORMAT 1
+          <programlisting>FORMAT 1
 #ZONE   INTERFACE BROADCAST        OPTIONS
 net     eth0      206.191.149.223  dhcp
 loc     eth1      192.168.1.255
@@ -994,7 +971,7 @@ dmz     eth2      192.168.2.255</programlisting>
          <para>The same configuration without specifying broadcast addresses
          is:</para>

-          <programlisting>?FORMAT 2
+          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
 net     eth0      dhcp
 loc     eth1      
@@ -1009,7 +986,7 @@ dmz     eth2</programlisting>
          <para>You have a simple dial-in system with no Ethernet
          connections.</para>

-          <programlisting>?FORMAT 2
+          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
 net     ppp0      -</programlisting>
        </listitem>
@@ -1022,7 +999,7 @@ net     ppp0      -</programlisting>
          <para>You have a bridge with no IP address and you want to allow
          traffic through the bridge.</para>

-          <programlisting>?FORMAT 2
+          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
 -       br0       bridge</programlisting>
        </listitem>
@@ -1034,8 +1011,6 @@ net     ppp0      -</programlisting>
    <title>FILES</title>

    <para>/etc/shorewall/interfaces</para>
-
-    <para>/etc/shorewall6/interfaces</para>
  </refsect1>

  <refsect1>
@@ -1044,6 +1019,13 @@ net     ppp0      -</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
+    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-ipsets.xml
+++ b/Shorewall/manpages/shorewall-ipsets.xml
@@ -103,7 +103,7 @@

    <important>
      <para>These additional match options are not available in <ulink
-      url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>.</para>
+      url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>.</para>
    </important>

    <para>Available options are:</para>
@@ -251,44 +251,34 @@

    <para>/etc/shorewall/accounting</para>

-    <para>/etc/shorewall6/accounting</para>
-
    <para>/etc/shorewall/blrules</para>

-    <para>/etc/shorewall6/blrules</para>
-
    <para>/etc/shorewall/hosts -- <emphasis role="bold">Note:</emphasis>
    Multiple matches enclosed in +[...] may not be used in this file.</para>

-    <para>/etc/shorewall6/hosts -- <emphasis role="bold">Note:</emphasis>
-    Multiple matches enclosed in +[...] may not be used in this file.</para>
-
    <para>/etc/shorewall/maclist -- <emphasis role="bold">Note:</emphasis>
    Multiple matches enclosed in +[...] may not be used in this file.</para>

-    <para>/etc/shorewall6/maclist -- <emphasis role="bold">Note:</emphasis>
-    Multiple matches enclosed in +[...] may not be used in this file.</para>
+    <para>/etc/shorewall/masq</para>

    <para>/etc/shorewall/rules</para>

-    <para>/etc/shorewall6/rules</para>
-
    <para>/etc/shorewall/secmarks</para>

-    <para>/etc/shorewall6/secmarks</para>
-
    <para>/etc/shorewall/mangle</para>
-
-    <para>/etc/shorewall6/mangle</para>
-
-    <para>/etc/shorewall/snat</para>
-
-    <para>/etc/shorewall6/snat</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-maclist.xml
+++ b/Shorewall/manpages/shorewall-maclist.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/maclist</command>
+      <command>/etc/shorewall/maclist</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -97,8 +97,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/maclist</para>
-
-    <para>/etc/shorewall6/maclist</para>
  </refsect1>

  <refsect1>
@@ -110,6 +108,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -18,17 +18,31 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/mangle</command>
+      <command>/etc/shorewall/mangle</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

-    <para>This file was introduced in Shorewall 4.6.0 and replaces <ulink
+    <para>This file was introduced in Shorewall 4.6.0 and is intended to
+    replace <ulink
    url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
    file is only processed by the compiler if:</para>

+    <orderedlist numeration="loweralpha">
+      <listitem>
+        <para>No file named 'tcrules' exists on the current CONFIG_PATH (see
+        <ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>);
+        or</para>
+      </listitem>
+
+      <listitem>
+        <para>The first file named 'tcrules' found on the CONFIG_PATH contains
+        no non-commentary entries.</para>
+      </listitem>
+    </orderedlist>
+
    <para>Entries in this file cause packets to be marked as a means of
    classifying them for traffic control or policy routing.</para>

@@ -103,7 +117,9 @@
          SOURCE is $FW, the generated rule is always placed in the OUTPUT
          chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
          Additionally, a <replaceable>chain-designator</replaceable> may not
-          be specified in an action body.</para>
+          be specified in an action body unless the action is declared as
+          <option>inline</option> in <ulink
+          url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>

          <para>Where a command takes parameters, those parameters are
          enclosed in parentheses ("(....)") and separated by commas.</para>
@@ -283,7 +299,7 @@
                configuration described at <ulink
                url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
                place this entry in <ulink
-                url="/manpages/shorewall-providers.html">shorewall-providers(5)</ulink>:</para>
+                url="manpages/shorewall-providers.html">shorewall-providers(5)</ulink>:</para>

                <programlisting>#NAME    NUMBER   MARK    DUPLICATE  INTERFACE GATEWAY         OPTIONS               COPY
 TProxy   1        -       -          lo        -               tproxy</programlisting>
@@ -349,9 +365,8 @@ DIVERTHA        -               -               tcp</programlisting>

              <listitem>
                <para>Added in Shorewall 5.0.6 as an alternative to entries in
-                <ulink
-                url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>.
-                If a PROTO is specified, it must be 'tcp' (6). If no PROTO is
+                <ulink url="shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
+                PROTO is specified, it must be 'tcp' (6). If no PROTO is
                supplied, TCP is assumed. This action causes all ECN bits in
                the TCP header to be cleared.</para>
              </listitem>
@@ -773,7 +788,7 @@ Normal-Service       =&gt; 0x00</programlisting>
              <listitem>
                <para>where <replaceable>interface</replaceable> is the
                logical name of an interface defined in <ulink
-                url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
+                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
                Matches packets entering the firewall from the named
                interface. May not be used in CLASSIFY rules or in rules using
                the :T chain qualifier.</para>
@@ -849,7 +864,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                on the firewall and whose source IP address matches one of the
                listed addresses and does not match any address listed in the
                <replaceable>exclusion</replaceable>. May not be used with a
-                chain qualifier (:P, :F, etc.) in the ACTION column.</para>
+                chain qualifier (:P, :F, etc.) in the ACTION column. </para>
              </listitem>
            </varlistentry>

@@ -896,12 +911,11 @@ Normal-Service       =&gt; 0x00</programlisting>
              <listitem>
                <para>where <replaceable>interface</replaceable> is the
                logical name of an interface defined in <ulink
-                url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
+                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
                Matches packets leaving the firewall through the named
                interface. May not be used in the PREROUTING chain (:P in the
                mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
-                in <ulink
-                url="/manpages/shorewall.conf">shorewall.conf</ulink>
+                in <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>
@@ -938,7 +952,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                when both the outgoing interface and destination IP address
                match. May not be used in the PREROUTING chain (:P in the mark
                column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
-                <ulink url="/manpages/shorewall.conf">shorewall.conf</ulink>
+                <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>
@@ -953,7 +967,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                <replaceable>exclusion</replaceable>. May not be used in the
                PREROUTING chain (:P in the mark column or no chain qualifier
                and MARK_IN_FORWARD_CHAIN=No in <ulink
-                url="/manpages/shorewall.conf">shorewall.conf</ulink>
+                url="manpages/shorewall.conf">shorewall.conf</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>
@@ -1014,16 +1028,15 @@ Normal-Service       =&gt; 0x00</programlisting>
      <varlistentry>
        <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">{tcp:[!]syn</emphasis>|<emphasis
+        role="bold">{tcp:syn</emphasis>|<emphasis
        role="bold">ipp2p</emphasis>|<emphasis
        role="bold">ipp2p:udp</emphasis>|<emphasis
        role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
        role="bold">all}[,...]}</emphasis></term>

        <listitem>
-          <para>See <ulink
-          url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for
-          details.</para>
+          <para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
+          ipp2p match support in your kernel and iptables.</para>

          <para>Beginning with Shorewall 4.5.12, this column can accept a
          comma-separated list of protocols.</para>
@@ -1529,7 +1542,7 @@ Normal-Service       =&gt; 0x00</programlisting>

    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>

        <listitem>
          <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
@@ -1558,7 +1571,7 @@ Normal-Service       =&gt; 0x00</programlisting>
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 2:</term>
+        <term>Example 2:</term>

        <listitem>
          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -1570,41 +1583,12 @@ Normal-Service       =&gt; 0x00</programlisting>
       #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
       CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW

-/etc/shorewall/snat:
+/etc/shorewall/masq:

-       #ACTION          SOURCE              DEST     ...
-       SNAT(1.1.1.1)    eth0:192.168.1.0/24 - { mark=1:C }
-       SNAT(1.1.1.3)    eth0:192.168.1.0/24 - { mark=2:C }
-       SNAT(1.1.1.4)    eth0:192.168.1.0/24 - { mark=3:C }</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 1:</term>
-
-        <listitem>
-          <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
-          to peer traffic with packet mark 4.</para>
-
-          <para>This is a little more complex than otherwise expected. Since
-          the ipp2p module is unable to determine all packets in a connection
-          are P2P packets, we mark the entire connection as P2P if any of the
-          packets are determined to match.</para>
-
-          <para>We assume packet/connection mark 0 means unclassified.</para>
-
-          <programlisting>       #ACTION    SOURCE    DEST         PROTO   DPORT         SPORT   USER    TEST
-       MARK(1):T  ::/0      ::/0         icmp    echo-request
-       MARK(1):T  ::/0      ::/0         icmp    echo-reply
-       RESTORE:T  ::/0      ::/0         all     -             -       -       0
-       CONTINUE:T ::/0      ::/0         all     -             -       -       !0
-       MARK(4):T  ::/0      ::/0         ipp2p:all
-       SAVE:T     ::/0      ::/0         all     -             -       -       !0</programlisting>
-
-          <para>If a packet hasn't been classified (packet mark is 0), copy
-          the connection mark to the packet mark. If the packet mark is set,
-          we're done. If the packet is P2P, set the packet mark to 4. If the
-          packet mark has been set, save it to the connection mark.</para>
+       #INTERFACE SOURCE         ADDRESS     ...
+       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
+       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
+       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -1614,8 +1598,6 @@ Normal-Service       =&gt; 0x00</programlisting>
    <title>FILES</title>

    <para>/etc/shorewall/mangle</para>
-
-    <para>/etc/shorewall6/mangle</para>
  </refsect1>

  <refsect1>
@@ -1633,6 +1615,14 @@ Normal-Service       =&gt; 0x00</programlisting>
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/masq</command>
+      <command>/etc/shorewall/masq</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -579,7 +579,7 @@

    <variablelist>
      <varlistentry>
-        <term>IPv4 Example 1:</term>
+        <term>Example 1:</term>

        <listitem>
          <para>You have a simple masquerading setup where eth0 connects to a
@@ -594,7 +594,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 2:</term>
+        <term>Example 2:</term>

        <listitem>
          <para>You add a router to your local network to connect subnet
@@ -607,7 +607,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 3:</term>
+        <term>Example 3:</term>

        <listitem>
          <para>You have an IPSEC tunnel through ipsec0 and you want to
@@ -620,7 +620,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 4:</term>
+        <term>Example 4:</term>

        <listitem>
          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
@@ -634,7 +634,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 5:</term>
+        <term>Example 5:</term>

        <listitem>
          <para>You want all outgoing SMTP traffic entering the firewall from
@@ -654,7 +654,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 6:</term>
+        <term>Example 6:</term>

        <listitem>
          <para>Connections leaving on eth0 and destined to any host defined
@@ -667,7 +667,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 7:</term>
+        <term>Example 7:</term>

        <listitem>
          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -689,7 +689,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IPv4 Example 8:</term>
+        <term>Example 8:</term>

        <listitem>
          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
@@ -716,49 +716,6 @@
 </programlisting>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 1:</term>
-
-        <listitem>
-          <para>You have a simple 'masquerading' setup where eth0 connects to
-          a DSL or cable modem and eth1 connects to your local network with
-          subnet 2001:470:b:787::0/64</para>
-
-          <para>Your entry in the file will be:</para>
-
-          <programlisting>        #INTERFACE   SOURCE                  ADDRESS
-        eth0         2001:470:b:787::0/64    -</programlisting>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IPv6 Example 2:</term>
-
-        <listitem>
-          <para>Your sit1 interface has two public IP addresses:
-          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
-          iptables statistics match to masquerade outgoing connections evenly
-          between these two addresses.</para>
-
-          <programlisting>/etc/shorewall/masq:
-
-       #INTERFACE    SOURCE         ADDRESS 
-       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          ::/0           2001:470:a:227::2 
-</programlisting>
-
-          <para>If INLINE_MATCHES=Yes in <ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
-          then these rules may be specified as follows:</para>
-
-          <programlisting>/etc/shorewall/masq:
-
-       #INTERFACE    SOURCE         ADDRESS 
-       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
-       sit1          ::/0           2001:470:a:227::2</programlisting>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

@@ -766,8 +723,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/masq</para>
-
-    <para>/etc/shorewall6/masq</para>
  </refsect1>

  <refsect1>
@@ -776,6 +731,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
+    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-modules.xml
+++ b/Shorewall/manpages/shorewall-modules.xml
@@ -18,11 +18,11 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/usr/share/shorewall[6]/modules</command>
+      <command>/usr/share/shorewall/modules</command>
    </cmdsynopsis>

    <cmdsynopsis>
-      <command>/usr/share/shorewall[6]/helpers</command>
+      <command>/usr/share/shorewall/helpers</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -51,7 +51,7 @@

    <para>The <replaceable>modulename</replaceable> names a kernel module
    (without suffix). Shorewall will search for modules based on your
-    MODULESDIR setting in <ulink
+    MODULESDIR and MODULE_SUFFIX settings in <ulink
    url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(8). The
    <replaceable>moduleoption</replaceable>s are passed to modprobe (if
    installed) or to insmod.</para>
@@ -82,19 +82,19 @@
    <para>/etc/shorewall/modules</para>

    <para>/etc/shorewall/helpers</para>
-
-    <para>/usr/share/shorewall6/modules</para>
-
-    <para>/usr/share/shorewall6/helpers</para>
-
-    <para>/etc/shorewall6/modules</para>
-
-    <para>/etc/shorewall6/helpers</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-nat.xml
+++ b/Shorewall/manpages/shorewall-nat.xml
@@ -34,8 +34,6 @@
      url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>. Also,
      in many cases, Proxy ARP (<ulink
      url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
-      or Proxy-NDP(<ulink
-      url="/manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp</ulink>(5))
      is a better solution that one-to-one NAT.</para>
    </warning>

@@ -201,7 +199,7 @@ all		all		REJECT		info

      <listitem>
        <para>Set IMPLICIT_CONTINUE=Yes in <ulink
-        url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+        url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
      </listitem>
    </orderedlist>
  </refsect1>
@@ -210,8 +208,6 @@ all		all		REJECT		info
    <title>FILES</title>

    <para>/etc/shorewall/nat</para>
-
-    <para>/etc/shorewall6/nat</para>
  </refsect1>

  <refsect1>
@@ -223,6 +219,14 @@ all		all		REJECT		info
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-nesting.xml
+++ b/Shorewall/manpages/shorewall-nesting.xml
@@ -200,16 +200,6 @@
    <para>/etc/shorewall/policy</para>

    <para>/etc/shorewall/rules</para>
-
-    <para>/etc/shorewall6/zones</para>
-
-    <para>/etc/shorewall6/interfaces</para>
-
-    <para>/etc/shorewall6/hosts</para>
-
-    <para>/etc/shorewall6/policy</para>
-
-    <para>/etc/shorewall6/rules</para>
  </refsect1>

  <refsect1>
--- a/Shorewall/manpages/shorewall-netmap.xml
+++ b/Shorewall/manpages/shorewall-netmap.xml
@@ -18,7 +18,7 @@

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall[6]/netmap</command>
+      <command>/etc/shorewall/netmap</command>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -44,6 +44,8 @@
        role="bold">SNAT}</emphasis></term>

        <listitem>
+          <para>Must be DNAT or SNAT</para>
+
          <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
          its destination address rewritten to the corresponding address in
          NET2.</para>
@@ -167,8 +169,6 @@
    <title>FILES</title>

    <para>/etc/shorewall/netmap</para>
-
-    <para>/etc/shorewall6/netmap</para>
  </refsect1>

  <refsect1>
@@ -180,6 +180,14 @@
    <para><ulink
    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>shorewall(8)</para>
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	11286ea343	Correct $LOG_LEVEL expansion Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-10 10:23:17 -08:00
Tom Eastep	f7393314bd	Revert "Remove 'Multicast' from IPv6 actions.std" This reverts commit `ddf4cf4fa7`.	2017-03-10 09:09:31 -08:00
Tom Eastep	dab2e6bb51	Revert "Remove Multicast from IPv6 Policy Actions" This reverts commit `c7a3104bdb`.	2017-03-10 09:09:23 -08:00
Tom Eastep	57d5e397b2	Revert "Correct CONFIG_PATH in IPv6 Universal sample" This reverts commit `98f80d6c4a`.	2017-03-10 09:09:12 -08:00
Tom Eastep	ddf4cf4fa7	Remove 'Multicast' from IPv6 actions.std Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-10 07:30:20 -08:00
Tom Eastep	98f80d6c4a	Correct CONFIG_PATH in IPv6 Universal sample Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-09 14:37:45 -08:00
Tom Eastep	e17f22e85d	Remove Multicast from the shorewall6.conf samples Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-09 14:37:33 -08:00
Tom Eastep	c7a3104bdb	Remove Multicast from IPv6 Policy Actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-09 14:37:20 -08:00
Tom Eastep	8683b80ad0	'reload' documentation corrections - Add command synopsis to the manpage - Correct command synopsis in help output Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-09 14:37:04 -08:00
Tom Eastep	0239796d6f	quote $LOG_LEVEL in shorewall[6].conf files - Delete AllowICMPs from IPv4 policy action settings Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-09 14:36:27 -08:00
Tom Eastep	e4bf2b99bf	Add AllowICMPs to the REJECT_DEFAULT setting. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-08 09:47:40 -08:00
Tom Eastep	a98c1d5b35	Correct convertion of tcrules->mangle when a writable mangle exists Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 15:23:58 -08:00
Tom Eastep	928f54d37c	Correct logging in inline policy actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 13:37:59 -08:00
Tom Eastep	073235aa48	Correct typo in action.AllowICMPs Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 13:03:49 -08:00
Tom Eastep	519fef5e87	Clear the firewall on Debian systemd 'stop' command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 11:53:47 -08:00
Tom Eastep	944651e46d	Correct compiler directives WRT omitting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 11:51:40 -08:00
Tom Eastep	bdf0950317	Correct the handling of tcp-reset Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 11:44:45 -08:00
Tom Eastep	2fb1f9db01	Change AllowICMPs to an inline action Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 11:41:05 -08:00
Tom Eastep	c3661ad476	Change macro.ICMPs to an inline action Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-07 11:30:38 -08:00
Tom Eastep	a4dcc3f555	Restore logging to the BLACKLIST action Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-03 10:19:07 -08:00