Add target files 5.2.4-base

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Update ipsets document
2020-03-24 10:05:34 -07:00 · 2020-03-21 14:37:59 -07:00 · 2020-03-16 11:34:35 -07:00 · 2020-03-15 11:04:20 -07:00 · 2020-03-15 09:02:46 -07:00 · 2020-03-10 14:18:52 -07:00
370 changed files with 4997 additions and 2518 deletions
--- a/Shorewall-core/INSTALL
+++ b/Shorewall-core/INSTALL
@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5

 ---------------------------------------------------------------------------

-Please see http://www.shorewall.net/Install.htm for installation
+Please see http://www.shorewall.org/Install.htm for installation
 instructions.


--- a/Shorewall-core/Shorewall-core-targetname
+++ b/Shorewall-core/Shorewall-core-targetname
@@ -0,0 +1 @@
+5.2.4-Beta1
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -1,10 +1,10 @@
 #!/bin/bash
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
+#     Shorewall Packet Filtering Firewall configuration program - V5.2
 #
 #     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at http://www.shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -109,6 +109,9 @@ if [ -z "$vendor" ]; then
 	    opensuse)
 		vendor=suse
 		;;
+	    alt|basealt|altlinux)
+		vendor=alt
+		;;
 	    *)
 		vendor="$ID"
 		;;
@@ -132,6 +135,8 @@ if [ -z "$vendor" ]; then
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
 		ls -l /sbin/init | fgrep -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
+	    elif [ -f /etc/altlinux-release ] ; then
+		params[HOST]=alt
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
+#     Shorewall Packet Filtering Firewall configuration program - V5.2
 #
 #     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at http://www.shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -74,6 +74,8 @@ unless ( defined $vendor ) {
 	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
 	    my $init = `ls -l /sbin/init`;
 	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
+	} elsif ( $id eq 'alt' || $id eq 'basealt' || $id eq 'altlinux' ) {
+	    $vendor = 'alt';
 	} else {
 	    $vendor = $id;
 	}
@@ -117,6 +119,9 @@ if ( defined $vendor ) {
 	} else {
 	    $rcfilename = 'shorewallrc.debian.sysvinit';
 	}
+    } elsif ( -f '/etc/altlinux-release' ){
+	$vendor = 'alt';
+	$rcfilename = 'shorewallrc.alt';
    } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -172,6 +172,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -180,6 +183,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/slackware-version ] ; then
@@ -238,7 +243,7 @@ case "$HOST" in
    apple)
 	echo "Installing Mac-specific configuration...";
 	;;
-    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
+    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt|alt)
 	;;
    *)
 	fatal_error "Unknown HOST \"$HOST\""
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -1201,11 +1201,17 @@ show_saves_command() {
    echo

    for f in ${VARDIR}/*-iptables; do
-	fn=$(basename $f)
-	fn=${fn%-iptables}
-	mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
-	[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
-	echo "   $mtime ${fn%-iptables}"
+	case $f in
+	    *\**)
+	        ;;
+	    *)
+		fn=$(basename $f)
+		fn=${fn%-iptables}
+		mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
+		[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
+		echo "   $mtime ${fn%-iptables}"
+		;;
+	esac
    done

    echo
@@ -2760,7 +2766,7 @@ determine_capabilities() {
 	g_tool=$(mywhich $tool)

 	if [ -z "$g_tool" ]; then
-	    fatal-error "No executable $tool binary can be found on your PATH"
+	    fatal_error "No executable $tool binary can be found on your PATH"
 	fi
    fi

@@ -3769,7 +3775,7 @@ ipcalc_command() {
    elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
-    elif [ $# -eq 0 ]; then
+    elif [ $# -eq 1 ]; then
 	missing_argument
    else
 	too_many_arguments $4
@@ -3815,7 +3821,7 @@ iprange_command() {
 }

 ipdecimal_command() {
-    if [ $# eq 1 ]; then
+    if [ $# -eq 1 ]; then
 	missing_argument
    else
 	[ $# -eq 2 ] || too_many_arguments $3
@@ -3858,7 +3864,7 @@ noiptrace_command() {
 verify_firewall_script() {
    if [ ! -f $g_firewall ]; then
 	echo "   ERROR: $g_product is not properly installed" >&2
-	if [ -L $g_firewall ]; then
+	if [ -h $g_firewall ]; then
 	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
@@ -4114,9 +4120,9 @@ start_command() {

 	if [ -x $g_firewall ]; then
 	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
-		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
+		run_it ${VARDIR}/${RESTOREFILE} restore
 	    else
-		run_it $g_firewall $g_debugging start
+		run_it $g_firewall start
 	    fi
 	    rc=$?
 	else
@@ -4250,7 +4256,7 @@ restart_command() {
    [ -n "$g_nolock" ] || mutex_on

    if [ -x $g_firewall ]; then
-	run_it $g_firewall $g_debugging $COMMAND
+	run_it $g_firewall $COMMAND
 	rc=$?
    else
 	error_message "$g_firewall is missing or is not executable"
@@ -4264,7 +4270,7 @@ restart_command() {

 run_command() {
    if [ -x $g_firewall ] ; then
-	run_it $g_firewall $g_debugging $@
+	run_it $g_firewall $@
    else
 	fatal_error "$g_firewall does not exist or is not executable"
    fi
@@ -4281,7 +4287,13 @@ ecko() {
 #
 usage() # $1 = exit status
 {
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "Usage: $(basename $0) [ -T ] [ -D ] [ -N ] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "   -T : Direct the generated script to produce a shell trace to standard error"
+    echo "   -D : Debug iptables commands"
+    echo "   -N : Don't take the master shorewall lock"
+    echo "   -q : Standard Shorewall verbosity control"
+    echo "   -v : Standard Shorewall verbosity control"
+    echo "   -t : Timestamp all messages"
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
@@ -4311,7 +4323,6 @@ usage() # $1 = exit status
 	echo "   iptrace <ip6tables match expression>"
    fi

-    ecko "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
@@ -4409,20 +4420,16 @@ usage() # $1 = exit status
 # here if that lib is loaded below.
 #
 shorewall_cli() {
-    g_debugging=
-
-    if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
-	g_debugging=$1
-	shift
-    fi
-
    g_nolock=
-
+    #
+    # We'll keep this around for a while so we don't break people's started scripts
+    #
    if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
 	g_nolock=nolock
 	shift
    fi

+    g_debugging=
    g_noroutes=
    g_purge=
    g_ipt_options="-nv"
@@ -4450,6 +4457,7 @@ shorewall_cli() {
    g_blacklistipset=
    g_disconnect=
    g_havemutex=
+    g_trace=

    VERBOSE=
    VERBOSITY=1
@@ -4581,6 +4589,17 @@ shorewall_cli() {
 			    finished=1
 			    option=
 			    ;;
+			T*)
+			    g_debugging=trace
+			    option=${option#T}
+			    ;;
+			D*)
+			    g_debugging=debug
+			    option=${option#D}
+			    ;;
+			N*)
+			    g_nolock=nolock
+			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -4633,7 +4652,7 @@ shorewall_cli() {
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
-	    run_it $g_firewall $g_debugging $COMMAND
+	    run_it $g_firewall $COMMAND
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
@@ -4642,7 +4661,7 @@ shorewall_cli() {
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
-	    run_it $g_firewall $g_debugging reset $@
+	    run_it $g_firewall reset $@
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
@@ -4655,7 +4674,7 @@ shorewall_cli() {
 	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it $g_firewall $g_debugging $@
+		run_it $g_firewall $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
@@ -4810,7 +4829,7 @@ shorewall_cli() {
 		    # It isn't a function visible to this script -- try
 		    # the compiled firewall
 		    #
-		    run_it $g_firewall $g_debugging call $@
+		    run_it $g_firewall call $@
 		fi
 	    else
 		missing_argument
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,9 +1,9 @@
 #
 # Shorewall 5.2 -- /usr/share/shorewall/lib.common
 #
-#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -92,18 +92,20 @@ startup_error() # $* = Error Message
 #
 run_it() {
    local script
-    local options
+    local options='-'

    export VARDIR

    script=$1
    shift

-    if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	options="$1 -"
-	shift;
+
+    if [ "$g_debugging" = debug ]; then
+	options='-D'
+    elif [ "$g_debugging" = trace ]; then
+	options='-T'
    else
-	options='-'
+	options='-';
    fi

    [ -n "$g_noroutes" ]   && options=${options}n
@@ -411,7 +413,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
    done

-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+    modules=$(find_file helpers)

    if [ -f $modules -a -n "$moduledirectories" ]; then
 	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
@@ -419,7 +421,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then
 	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir
 	    cp -f $modules ${VARDIR}/.modules
 	fi
    elif [ $savemoduleinfo = Yes ]; then
@@ -501,7 +503,7 @@ ip_network() {

 #
 # The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
+# the popular light-weight Bourne shell derivatives do not support XOR ("^").
 #
 ip_broadcast() {
    local x
@@ -736,8 +738,8 @@ truncate() # $1 = length

 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
-# the first argument. Example "shorewall nolock refresh"
+# /sbin/shorewall program while holding mutual exclusion, you should pass -N as
+# the first argument. Example "shorewall -N refresh"
 #
 # This function uses the lockfile utility from procmail if it exists.
 # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
@@ -751,6 +753,8 @@ mutex_on()
    lockf=${LOCKFILE:=${VARDIR}/lock}
    local lockpid
    local lockd
+    local lockbin
+    local openwrt

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

@@ -760,29 +764,33 @@ mutex_on()

 	[ -d "$lockd" ] || mkdir -p "$lockd"

+	lockbin=$(mywhich lock)
+	[ -n "$lockbin" -a -h "$lockbin" ] && openwrt=Yes
+
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
 	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif [ $lockpid -eq $$ ]; then
-                return 0
-	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    elif [ -z "$openwrt" ]; then
+		if [ $lockpid -eq $$ ]; then
+                    fatal_error "Mutex_on confusion"
+		elif ! qt ps --pid ${lockpid}; then
+		    rm -f ${lockf}
+		    error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+		fi
 	    fi
 	fi

-	if qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	if [ -n "$openwrt" ]; then
+	    lock ${lockf} || fatal_error "Can't lock ${lockf}"
+	    g_havemutex="lock -u ${lockf}"
+	elif qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} || fatal_error "Can't lock ${lockf}"
 	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
-	elif qt mywhich lock; then
-	    lock ${lockf}
-	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
-	    chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -60,7 +60,7 @@ mywhich() {
 remove_file() # $1 = file to remove
 {
    if [ -n "$1" ] ; then
-        if [ -f $1 -o -L $1 ] ; then
+        if [ -f $1 -o -h $1 ] ; then
            rm -f $1
            echo "$1 Removed"
        fi
@@ -84,7 +84,7 @@ remove_file_with_wildcard() # $1 = file with wildcard to remove
            if [ -d $f ] ; then
                rm -rf $f
                echo "$f Removed"
-            elif [ -f $f -o -L $f ] ; then
+            elif [ -f $f -o -h $f ] ; then
                rm -f $f
                echo "$f Removed"
            fi
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -21,9 +21,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg rep="norepeat">options</arg>

      <arg choice="plain"><option>add {</option></arg>
@@ -39,9 +36,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>allow</option></arg>
@@ -52,9 +46,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>blacklist</option></arg>
@@ -67,9 +58,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>call</option></arg>
@@ -106,9 +94,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg
@@ -118,9 +103,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>close</option><arg choice="req">
@@ -159,9 +141,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg rep="norepeat">options</arg>

      <arg choice="plain"><option>delete {</option></arg>
@@ -177,9 +156,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>disable</option></arg>
@@ -191,9 +167,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>drop</option></arg>
@@ -204,8 +177,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>dump</option></arg>
@@ -222,9 +193,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>enable</option></arg>
@@ -236,9 +204,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>export</option></arg>
@@ -252,9 +217,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>forget</option></arg>
@@ -265,8 +227,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>help</option></arg>
@@ -275,8 +235,6 @@
    <cmdsynopsis>
      <command>shorewall[-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg
@@ -286,8 +244,6 @@
    <cmdsynopsis>
      <command>shorewall[-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>ipcalc</option></arg>
@@ -304,8 +260,6 @@
    <cmdsynopsis>
      <command>shorewall[-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>iprange</option></arg>
@@ -317,8 +271,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>iptrace</option></arg>
@@ -330,9 +282,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>logdrop</option></arg>
@@ -343,8 +292,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>logwatch</option></arg>
@@ -357,9 +304,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>logreject</option></arg>
@@ -370,8 +314,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>noiptrace</option></arg>
@@ -394,9 +336,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>reenable</option></arg>
@@ -408,9 +347,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>reject</option></arg>
@@ -421,9 +357,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>reload</option></arg>
@@ -448,10 +381,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>options</arg>
-
      <arg choice="plain"><option>remote-getcaps</option></arg>

      <arg><option>-s</option></arg>
@@ -472,8 +401,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>remote-getrc</option></arg>
@@ -496,8 +423,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>remote-start</option></arg>
@@ -520,8 +445,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>remote-reload</option></arg>
@@ -544,8 +467,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>remote-restart</option></arg>
@@ -568,9 +489,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg
@@ -581,9 +499,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>restart</option></arg>
@@ -608,9 +523,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg
@@ -622,9 +534,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>run</option></arg>
@@ -637,9 +546,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>safe-restart</option></arg>
@@ -656,8 +562,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>safe-start</option></arg>
@@ -674,9 +578,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg
@@ -688,9 +589,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>savesets</option></arg>
@@ -699,8 +597,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -713,8 +609,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -735,8 +629,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -761,8 +653,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -774,8 +664,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -787,8 +675,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -800,8 +686,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -814,8 +698,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -827,8 +709,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -841,8 +721,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -853,8 +731,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -867,8 +743,7 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>options</arg>

@@ -892,9 +767,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg
@@ -904,8 +776,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><arg
@@ -915,9 +785,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>try</option></arg>
@@ -930,8 +797,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>update</option></arg>
@@ -956,8 +821,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg
@@ -1025,16 +888,7 @@
  <refsect1>
    <title>Options</title>

-    <para>The <option>trace</option> and <option>debug</option> options are
-    used for debugging. See <ulink
-    url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
-
-    <para>The <option>nolock</option> option prevents the command from
-    attempting to acquire the Shorewall lockfile. It is useful if you need to
-    include <command>shorewall</command> commands in
-    <filename>/etc/shorewall/started</filename>.</para>
-
-    <para>Other <replaceable>options</replaceable> are:</para>
+    <para>The <replaceable>options</replaceable> are:</para>

    <variablelist>
      <varlistentry>
@@ -1141,7 +995,7 @@
          setting in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>

          <para>When no <replaceable>verbosity</replaceable> is specified,
          each instance of this option causes 1 to be added to the effective
@@ -1162,7 +1016,7 @@
          setting in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>

          <para>Each instance of this option causes 1 to be subtracted from
          the effective verbosity.</para>
@@ -1176,7 +1030,66 @@
          <para>Causes all progress messages to be timestamped.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>-T</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.4 to replace the earlier
+          <command>trace</command> keyword.. If the command invokes the
+          generated firewall script, the script's execution will be traced to
+          standard error.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-D</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.4 to replace the earlier debug keyword.
+          If the command invokes the generated firewall script, individual
+          invocations of the ip[6]tables utility will be used to configure the
+          ruleset rather than ip[6]tables-restore. This is useful for
+          diagnosing ip[6]tables-restore failures on a *COMMIT command.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
+
+    <note>
+      <para>Prior to Shorewall 5.2.4, the general syntax for a CLI command
+      was:</para>
+
+      <cmdsynopsis>
+        <arg><option>trace|debug</option></arg>
+
+        <arg><option>nolock</option></arg>
+
+        <arg><replaceable>options</replaceable></arg>
+
+        <arg choice="plain"><replaceable>command</replaceable></arg>
+
+        <arg><replaceable>command-options</replaceable></arg>
+
+        <arg><replaceable>command-arguments</replaceable></arg>
+      </cmdsynopsis>
+
+      <para>Examples:</para>
+
+      <programlisting>    shorewall debug -tv2 reload
+    shorewall trace check
+    shorewall nolock enable eth0</programlisting>
+
+      <para>In Shorewall 5.2.4 and later, those commands would be:</para>
+
+      <programlisting>    shorewall -Dtv2 reload
+    shorewall check -D
+    shorewall -N enable eth0</programlisting>
+
+      <para>While not shown in the command synopses at the top of this page,
+      the <option>nolock</option> keyword is still supported in Shorewall
+      5.2.4 and later, but is deprecated in favor of the -<option>N
+      </option>option.</para>
+    </note>
  </refsect1>

  <refsect1>
@@ -1199,7 +1112,7 @@
          defined in the <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))file.
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5))file.
          A <emphasis>host-list</emphasis> is comma-separated list whose
          elements are host or network addresses.<caution>
              <para>The <command>add</command> command is not very robust. If
@@ -1214,11 +1127,12 @@
          <para>Beginning with Shorewall 4.5.9, the <emphasis
          role="bold">dynamic_shared</emphasis> zone option (<ulink
          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),<ulink
-          url="???">shorewall6-zones</ulink>(5)) allows a single ipset to
-          handle entries for multiple interfaces. When that option is
-          specified for a zone, the <command>add</command> command has the
-          alternative syntax in which the <replaceable>zone</replaceable> name
-          precedes the <replaceable>host-list</replaceable>.</para>
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5))
+          allows a single ipset to handle entries for multiple interfaces.
+          When that option is specified for a zone, the <command>add</command>
+          command has the alternative syntax in which the
+          <replaceable>zone</replaceable> name precedes the
+          <replaceable>host-list</replaceable>.</para>
        </listitem>
      </varlistentry>

@@ -1294,7 +1208,7 @@
        <term><emphasis role="bold">check</emphasis> [-<option>e</option>]
        [-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
        [-<option>T</option>] [-<option>i</option>]
-        [<replaceable>directory</replaceable>]</term>
+        [-D][<replaceable>directory</replaceable>]</term>

        <listitem>
          <para>Not available with Shorewall[6]-lite.</para>
@@ -1332,7 +1246,11 @@
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
+
+          <para>The <emphasis role="bold">-D </emphasis>option was added in
+          Shoewall 5.2.4 and causes the compiler to write a large amount of
+          debugging information to standard output.</para>
        </listitem>
      </varlistentry>

@@ -1383,8 +1301,9 @@
      <varlistentry>
        <term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
        [-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
-        [-<option>T</option>] [-<option>i</option>] [<replaceable> directory
-        </replaceable>] [<replaceable> pathname</replaceable> ]</term>
+        [-<option>T</option>] [-<option>i</option>] [-D] [<replaceable>
+        directory </replaceable>] [<replaceable> pathname</replaceable>
+        ]</term>

        <listitem>
          <para>Not available with shorewall[6]-lite.</para>
@@ -1440,7 +1359,11 @@
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
+
+          <para>The <emphasis role="bold">-D </emphasis>option was added in
+          Shoewall 5.2.4 and causes the compiler to write a large amount of
+          debugging information to standard output.</para>
        </listitem>
      </varlistentry>

@@ -1458,7 +1381,7 @@
          defined in the <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is comma-separated list whose
          elements are a host or network address.</para>

@@ -1466,7 +1389,7 @@
          role="bold">dynamic_shared</emphasis> zone option (<ulink
          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
          <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5))
          allows a single ipset to handle entries for multiple interfaces.
          When that option is specified for a zone, the
          <command>delete</command> command has the alternative syntax in
@@ -1493,7 +1416,7 @@
          command removes any routes added from <ulink
          url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
          (<ulink
-          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))and
+          url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))and
          any traffic shaping configuration for the interface.</para>
        </listitem>
      </varlistentry>
@@ -1554,7 +1477,7 @@
          adds any route specified in <ulink
          url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
          (<ulink
-          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))
+          url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))
          and installs the interface's traffic shaping configuration, if
          any.</para>
        </listitem>
@@ -1599,7 +1522,7 @@
          given then the file specified by RESTOREFILE in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
          assumed.</para>
        </listitem>
      </varlistentry>
@@ -1684,7 +1607,7 @@
          specified by the BLACKLIST_LOGLEVEL setting in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
          This command requires that the firewall be in the started state and
          that DYNAMIC_BLACKLIST=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf
@@ -1700,16 +1623,16 @@
          <para>Monitors the log file specified by the LOGFILE option in
          <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
-          and produces an audible alarm when new Shorewall messages are
-          logged. The <emphasis role="bold">-m</emphasis> option causes the
-          MAC address of each packet source to be displayed if that
-          information is available. The
-          <replaceable>refresh-interval</replaceable> specifies the time in
-          seconds between screen refreshes. You can enter a negative number by
-          preceding the number with "--" (e.g., <command>shorewall logwatch --
-          -30</command>). In this case, when a packet count changes, you will
-          be prompted to hit any key to resume screen refreshes.</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) and
+          produces an audible alarm when new Shorewall messages are logged.
+          The <emphasis role="bold">-m</emphasis> option causes the MAC
+          address of each packet source to be displayed if that information is
+          available. The <replaceable>refresh-interval</replaceable> specifies
+          the time in seconds between screen refreshes. You can enter a
+          negative number by preceding the number with "--" (e.g.,
+          <command>shorewall logwatch -- -30</command>). In this case, when a
+          packet count changes, you will be prompted to hit any key to resume
+          screen refreshes.</para>
        </listitem>
      </varlistentry>

@@ -1723,7 +1646,7 @@
          specified by the BLACKLIST_LOGLEVEL setting in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
          This command requires that the firewall be in the started state and
          that DYNAMIC_BLACKLIST=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf
@@ -1824,7 +1747,8 @@
        <term><emphasis role="bold">reload </emphasis>[-<option>n</option>]
        [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
        [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
-        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
+        [-<option>C</option>] [-D] [ <replaceable>directory</replaceable>
+        ]</term>

        <listitem>
          <para>This command was re-implemented in Shorewall 5.0.0. The
@@ -1878,17 +1802,21 @@
                INLINE_MATCHES is set to Yes in <ulink
                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))..</para>
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))..</para>

                <para>The <option>-C</option> option was added in Shorewall
                4.6.5 and is only meaningful when AUTOMAKE=Yes in <ulink
                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                If an existing firewall script is used and if that script was
                the one that generated the current running configuration, then
                the running netfilter configuration will be reloaded as is so
                as to preserve the iptables packet and byte counters.</para>
+
+                <para>The <emphasis role="bold">-D </emphasis>option was added
+                in Shoewall 5.2.4 and causes the compiler to write a large
+                amount of debugging information to standard output.</para>
              </listitem>
            </varlistentry>

@@ -2006,7 +1934,7 @@
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5) (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>) is
          assumed. In that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
@@ -2071,8 +1999,9 @@
          Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
+          (<ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
          assumed. In that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
@@ -2104,7 +2033,7 @@
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
        </listitem>
      </varlistentry>

@@ -2144,8 +2073,9 @@
          Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
+          (<ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
          assumed. In that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
@@ -2177,7 +2107,11 @@
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>The <emphasis role="bold">-D </emphasis>option was added in
+          Shoewall 5.2.4 and causes the compiler to write a large amount of
+          debugging information to standard output.</para>
        </listitem>
      </varlistentry>

@@ -2204,7 +2138,8 @@
        <term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
        [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
        [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
-        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
+        [-<option>C</option>] [-D] [ <replaceable>directory</replaceable>
+        ]</term>

        <listitem>
          <para>Beginning with Shorewall 5.0.0, this command performs a true
@@ -2264,6 +2199,10 @@
                the one that generated the current running configuration, then
                the running netfilter configuration will be reloaded as is so
                as to preserve the iptables packet and byte counters.</para>
+
+                <para>The <emphasis role="bold">-D </emphasis>option was added
+                in Shoewall 5.2.4 and causes the compiler to write a large
+                amount of debugging information to standard output.</para>
              </listitem>
            </varlistentry>

@@ -2304,7 +2243,7 @@
          restored from the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>

          <caution>
            <para>If your iptables ruleset depends on variables that are
@@ -2460,7 +2399,7 @@
          in the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>

          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the iptables packet and byte counters to be saved along with
@@ -2477,7 +2416,7 @@
          the SAVE_IPSETS option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
          This command may be used to proactively save your ipset contents in
          the event that a system failure occurs prior to issuing a
          <command>stop</command> command.</para>
@@ -2645,7 +2584,7 @@
                accounting counters (<ulink
                url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>
                (5), <ulink
-                url="/manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).</para>
+                url="/manpages/shorewall-accounting.html">shorewall6-accounting</ulink>(5)).</para>
              </listitem>
            </varlistentry>

@@ -2669,7 +2608,7 @@
                file specified by the LOGFILE option in <ulink
                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                The <emphasis role="bold">-m</emphasis> option causes the MAC
                address of each packet source to be displayed if that
                information is available.</para>
@@ -2831,8 +2770,8 @@
        <term><emphasis role="bold">start </emphasis><emphasis role="bold">
        </emphasis>[-<option>n</option>] [-<option>p</option>]
        [-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
-        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
-        <replaceable>directory</replaceable> ]</term>
+        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [-D]
+        [ <replaceable>directory</replaceable> ]</term>

        <listitem>
          <para><variablelist>
@@ -2851,7 +2790,7 @@
                  in <ulink
                  url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                  (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))
                  will be restored if that saved configuration exists and has
                  been modified more recently than the files in
                  /etc/shorewall. When <emphasis role="bold">-f</emphasis> is
@@ -2862,7 +2801,7 @@
                  option was added to <ulink
                  url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                  (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                  When LEGACY_FASTSTART=No, the modification times of files in
                  /etc/shorewall are compared with that of
                  /var/lib/shorewall/firewall (the compiled script that last
@@ -2881,7 +2820,7 @@
                  overriding the AUTOMAKE setting in <ulink
                  url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                  (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                  When both <option>-f</option> and <option>-c</option>are
                  present, the result is determined by the option that appears
                  last.</para>
@@ -2897,7 +2836,7 @@
                  INLINE_MATCHES is set to Yes in <ulink
                  url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
                  (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>

                  <para>The <option>-C</option> option was added in Shorewall
                  4.6.5 and is only meaningful when the <option>-f</option>
@@ -2906,6 +2845,11 @@
                  option was also specified in the <emphasis
                  role="bold">save</emphasis> command, then the packet and
                  byte counters will be restored.</para>
+
+                  <para>The <emphasis role="bold">-D </emphasis>option was
+                  added in Shoewall 5.2.4 and causes the compiler to write a
+                  large amount of debugging information to standard
+                  output.</para>
                </listitem>
              </varlistentry>

@@ -3216,30 +3160,38 @@
  <refsect1>
    <title>FILES</title>

-    <para>/etc/shorewall/</para>
+    <para>/etc/shorewall/*</para>

-    <para>/etc/shorewall6/</para>
+    <para>/etc/shorewall6/*</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

-    <para><ulink
-    url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
+    <simplelist>
+      <member><ulink
+      url="/starting_and_stopping_shorewall.htm">http://www.shorewall.org/starting_and_stopping_shorewall.htm</ulink>
+      - Describes operational aspects of Shorewall.</member>

-    <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
-    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-logging(), shorewall-maclist(5),
-    shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5),
-    shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall6-proxyndp(5), shorewall-routes(5),
-    shorewall-rtrules(5), shorewall-rtrules(5), shorewall-rules(5),
-    shorewall-secmarks(5), shorewall-snat(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5),
-    shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5),
-    shorewall-zones(5)</para>
+      <member><ulink url="shorewall-files.html">shorewall-files(5)</ulink> -
+      Describes the various configuration files along with features and
+      conventions common to those files.</member>
+
+      <member><ulink url="shorewall-names.html">shorewall-names(5)</ulink> -
+      Describes naming of objects within a Shorewall configuration.</member>
+
+      <member><ulink
+      url="shorewall-addresses.html">shorewall-addresses(5)</ulink> -
+      Describes how to specify addresses within a Shorewall
+      configuration.</member>
+
+      <member><ulink
+      url="shorewall-exclusion.html">shorewall-exclusion(5)</ulink> -
+      Describes how to exclude certain hosts and/or networks from matching a
+      rule.</member>
+
+      <member><ulink url="shorewall-nesting.html">shorewall-nesting(5)</ulink>
+      - Describes how to nest one Shorewall zone inside another.</member>
+    </simplelist>
  </refsect1>
 </refentry>
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -1,11 +1,11 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.1
+#     Shorewall Packet Filtering Firewall Control Program - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at http://www.shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-core/shorewallrc.alt
+++ b/Shorewall-core/shorewallrc.alt
@@ -0,0 +1,25 @@
+#
+# ALT/BaseALT/ALTLinux Shorewall 5.2 rc file
+#
+BUILD=                                  #Default is to detect the build system
+HOST=alt
+PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
+PERLLIBDIR=${SHAREDIR}/perl5            #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                            #Directory where subsystem configurations are installed
+SBINDIR=/sbin                           #Directory where system administration programs are installed
+MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.
+INITDIR=${CONFDIR}/rc.d/init.d          #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
+INITSOURCE=init.alt.sh                  #Name of the distributed file to be installed as the SysV init script
+ANNOTATED=                              #If non-zero, annotated configuration files are installed
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
+SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
+SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
+SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less             #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.0 rc file
+# Apple OS X Shorewall 5.2 rc file
 #
 BUILD=apple
 HOST=apple
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.0 rc file
+# Arch Linux Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.0 rc file
+# Cygwin Shorewall 5.2 rc file
 #
 BUILD=cygwin
 HOST=cygwin
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,5 +1,5 @@
 #
-# Default Shorewall 5.0 rc file
+# Default Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -1,5 +1,5 @@
 #
-# OpenWRT Shorewall 5.0 rc file
+# OpenWRT/LEDE Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.0 rc file
+# RedHat/FedoraShorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.0 rc file
+# Slackware Shorewall 5.2 rc file
 #
 BUILD=slackware
 HOST=slackware
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.0 rc file
+# SuSE Shorewall 5.2 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://www.shorewall.net
+#       Shorewall documentation is available at http://www.shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-core/wait4ifup
+++ b/Shorewall-core/wait4ifup
@@ -1,12 +1,12 @@
 #!/bin/sh
 #
-#     Shorewall interface helper utility - V4.2
+#     Shorewall interface helper utility - V5.2
 #
 #     (c) 2007,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file is installed in /usr/share/shorewall/wait4ifup
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at http://www.shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall-init/init.alt.sh
+++ b/Shorewall-init/init.alt.sh
@@ -0,0 +1,150 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 09 91
+# description: Initialize the shorewall firewall at boot time
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop: $local_fs
+# Default-Start: 3 4 5
+# Default-Stop:  0 1 2 6
+# Short-Description: Initialize the shorewall firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.
+### END INIT INFO
+
+# Do not load RH compatibility interface.
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+NAME="Shorewall-init firewall"
+PROG="shorewall-init"
+SHOREWALL="$SBINDIR/$PROG"
+LOGGER="logger -i -t $PROG"
+
+# Get startup options (override default)
+OPTIONS=
+
+LOCKFILE=/var/lock/subsys/shorewall-init
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+	. /etc/sysconfig/shorewall-init
+	if [ -z "$PRODUCTS" ]; then
+		echo "No PRODUCTS configured"
+		exit 6
+	fi
+else
+	echo "/etc/sysconfig/shorewall-init not found"
+	exit 6
+fi
+
+RETVAL=0
+
+# set the STATEDIR variable
+setstatedir() {
+	local statedir
+	if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+		statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+	fi
+
+	[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+
+	if [ -x ${STATEDIR}/firewall ]; then
+		return 0
+	elif [ $PRODUCT = shorewall ]; then
+		${SBINDIR}/shorewall compile
+	elif [ $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/shorewall -6 compile
+	else
+		return 1
+	fi
+}
+
+start() {
+	local PRODUCT
+	local STATEDIR
+
+	printf "Initializing \"Shorewall-based firewalls\": "
+
+	for PRODUCT in $PRODUCTS; do
+		if setstatedir; then
+			$STATEDIR/$PRODUCT/firewall ${OPTIONS} stop 2>&1 | "$LOGGER"
+			RETVAL=$?
+		else
+			RETVAL=6
+			break
+		fi
+	done
+
+	if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+		ipset -R < "$SAVE_IPSETS"
+	fi
+
+	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
+	return $RETVAL
+}
+
+stop() {
+	local PRODUCT
+	local STATEDIR
+
+	printf "Clearing \"Shorewall-based firewalls\": "
+	for PRODUCT in $PRODUCTS; do
+		if setstatedir; then
+			${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | "$LOGGER"
+			RETVAL=$?
+		else
+			RETVAL=6
+			break
+		fi
+	done
+
+	if [ -n "$SAVE_IPSETS" ]; then
+		mkdir -p $(dirname "$SAVE_IPSETS")
+		if ipset -S > "${SAVE_IPSETS}.tmp"; then
+			grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+		else
+			rm -f "${SAVE_IPSETS}.tmp"
+		fi
+	fi
+
+	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start)
+	    start
+	    ;;
+	stop)
+	    stop
+	    ;;
+	restart|reload|condrestart|condreload)
+	    # "Not implemented"
+	    ;;
+	condstop)
+	    if [ -e "$LOCKFILE" ]; then
+		stop
+	    fi
+	    ;;
+	status)
+	    status "$PROG"
+	     RETVAL=$?
+	    ;;
+	*)
+	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|condrestart|condstop|status}"
+	    RETVAL=1
+esac
+
+exit $RETVAL
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -8,7 +8,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -1,5 +1,5 @@
 #!/bin/sh /etc/rc.common
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2016           - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -7,7 +7,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -5,7 +5,7 @@
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -181,6 +181,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -191,6 +194,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/SuSE-release ]; then
@@ -253,6 +258,9 @@ case "$HOST" in
    openwrt)
 	echo "Installing Openwrt-specific configuration..."
 	;;
+    alt)
+	echo "Installing ALT-specific configuration...";
+	;;
    linux)
 	fatal_error "Shorewall-init is not supported on this system"
 	;;
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -1,12 +1,12 @@
 #!/bin/bash
-#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #	(c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called
 #	/etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #	This program is part of Shorewall.
 #
--- a/Shorewall-lite/Shorewall-lite-targetname
+++ b/Shorewall-lite/Shorewall-lite-targetname
@@ -0,0 +1 @@
+5.2.4-Beta1
--- a/Shorewall-lite/init.alt.sh
+++ b/Shorewall-lite/init.alt.sh
@@ -0,0 +1,117 @@
+#!/bin/sh
+#
+# Shorewall-Lite init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+#
+### BEGIN INIT INFO
+# Provides: shorewall-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: $time $named
+# Required-Stop:
+# Default-Start: 3 4 5
+# Default-Stop:  0 1 2 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Do not load RH compatibility interface.
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+NAME="Shorewall-Lite firewall"
+PROG="shorewall"
+SHOREWALL="$SBINDIR/$PROG -l"
+LOGGER="logger -i -t $PROG"
+
+# Get startup options (override default)
+OPTIONS=
+
+SourceIfNotEmpty $SYSCONFDIR/${PROG}-lite
+
+LOCKFILE="/var/lock/subsys/${PROG}-lite"
+RETVAL=0
+
+start() {
+	action $"Applying $NAME rules:" "$SHOREWALL" "$OPTIONS" start "$STARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
+	return $RETVAL
+}
+
+stop() {
+	action $"Stoping $NAME :" "$SHOREWALL" "$OPTIONS" stop "$STOPOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
+	return $RETVAL
+}
+
+restart() {
+	action $"Restarting $NAME rules: " "$SHOREWALL" "$OPTIONS" restart "$RESTARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+reload() {
+	action $"Reloadinging $NAME rules: " "$SHOREWALL" "$OPTIONS" reload "$RELOADOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+clear() {
+	action $"Clearing $NAME rules: " "$SHOREWALL" "$OPTIONS" clear 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start)
+	    start
+	    ;;
+	stop)
+	    stop
+	    ;;
+	restart)
+	    restart
+	    ;;
+	reload)
+	    reload
+	    ;;
+	clear)
+	    clear
+	    ;;
+	condrestart)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condreload)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condstop)
+	    if [ -e "$LOCKFILE" ]; then
+		stop
+	    fi
+	    ;;
+	status)
+	    "$SHOREWALL" status
+	     RETVAL=$?
+	    ;;
+	*)
+	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|clear|condrestart|condstop|status}"
+	    RETVAL=1
+esac
+
+exit $RETVAL
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -1,13 +1,13 @@
 #!/bin/sh /etc/rc.common
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2015 - Matt Darfeuille - (matdarf@gmail.com)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -1,13 +1,13 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-lite/init.suse.sh
+++ b/Shorewall-lite/init.suse.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -8,7 +8,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -190,6 +190,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -198,6 +201,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f ${CONFDIR}/SuSE-release ]; then
@@ -266,6 +271,9 @@ case "$HOST" in
    openwrt)
 	echo "Installing OpenWRT-specific configuration..."
 	;;
+    alt)
+	echo "Installing ALT-specific configuration...";
+	;;
    linux)
 	;;
    *)
@@ -418,6 +426,11 @@ echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shor
 if [ -f modules ]; then
    install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600
    echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
+
+    for f in modules.*; do
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    done
 fi

 if [ -f helpers ]; then
@@ -425,11 +438,6 @@ if [ -f helpers ]; then
    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi

-for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-done
-
 #
 # Install the Man Pages
 #
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -3,7 +3,7 @@
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-lite/manpages/shorewall-lite.conf.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.conf.xml
@@ -183,7 +183,7 @@
    <title>See ALSO</title>

    <para><ulink
-    url="http://www.shorewall.net/Documentation_Index.html">http://www.shorewall.net/Documentation_Index.html</ulink></para>
+    url="http://www.shorewall.org/Documentation_Index.html">http://www.shorewall.org/Documentation_Index.html</ulink></para>

    <para>shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
--- a/Shorewall-lite/shorewall-lite.conf
+++ b/Shorewall-lite/shorewall-lite.conf
@@ -8,7 +8,7 @@
 #  "man shorewall-lite.conf"
 #
 #  Manpage also online at
-#  http://www.shorewall.net/manpages/shorewall-lite.conf.html
+#  http://www.shorewall.org/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -151,7 +151,7 @@ fi

 remove_file ${SBINDIR}/$PRODUCT

-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
    if [ $HOST = openwrt ]; then
 	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
 	    /etc/init.d/$PRODUCT disable
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.DNSAmp
+++ b/Shorewall/Actions/action.DNSAmp
@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.Established
+++ b/Shorewall/Actions/action.Established
@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.FIN
+++ b/Shorewall/Actions/action.FIN
@@ -7,7 +7,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -27,7 +27,7 @@
 #                the IP address that are older than <duration> seconds.
 # Disposition  - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see http://www.shorewall.org/Events.html
 #
 ###############################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
@@ -114,8 +114,6 @@ if ( ( $targets{$action} || 0 ) & NATRULE ) {

 if ( $command & $RESET_CMD ) {
    require_capability 'MARK_ANYWHERE', '"reset"', 's';
-
-    print "Resetting....\n";
    
    my $mark = $globals{EVENT_MARK};
    #
@@ -135,7 +133,7 @@ if ( $command & $RESET_CMD ) {
    #
    # if the event is armed, remove it and perform the action
    #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdst" );
 } elsif ( $command & $UPDATE_CMD ) {
    perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {
--- a/Shorewall/Actions/action.Invalid
+++ b/Shorewall/Actions/action.Invalid
@@ -6,7 +6,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.Limit
+++ b/Shorewall/Actions/action.Limit
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.New
+++ b/Shorewall/Actions/action.New
@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.NotSyn
+++ b/Shorewall/Actions/action.NotSyn
@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.RST
+++ b/Shorewall/Actions/action.RST
@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.Related
+++ b/Shorewall/Actions/action.Related
@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any rule generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see http://www.shorewall.org/Events.html
 #
 ###############################################################################
 #                        DO NOT REMOVE THE FOLLOWING LINE
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see http://www.shorewall.org/Events.html
 #

 DEFAULTS -,ACCEPT,src
--- a/Shorewall/Actions/action.Untracked
+++ b/Shorewall/Actions/action.Untracked
@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.allowBcast
+++ b/Shorewall/Actions/action.allowBcast
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.allowInvalid
+++ b/Shorewall/Actions/action.allowInvalid
@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.allowMcast
+++ b/Shorewall/Actions/action.allowMcast
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.allowinUPnP
+++ b/Shorewall/Actions/action.allowinUPnP
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.dropBcast
+++ b/Shorewall/Actions/action.dropBcast
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.dropBcasts
+++ b/Shorewall/Actions/action.dropBcasts
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.dropInvalid
+++ b/Shorewall/Actions/action.dropInvalid
@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.dropMcast
+++ b/Shorewall/Actions/action.dropMcast
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.dropNotSyn
+++ b/Shorewall/Actions/action.dropNotSyn
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.forwardUPnP
+++ b/Shorewall/Actions/action.forwardUPnP
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.mangletemplate
+++ b/Shorewall/Actions/action.mangletemplate
@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
+# Please see http://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/mangle.
--- a/Shorewall/Actions/action.rejNotSyn
+++ b/Shorewall/Actions/action.rejNotSyn
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.template
+++ b/Shorewall/Actions/action.template
@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
+# Please see http://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/rules.
--- a/Shorewall/Contrib/swping
+++ b/Shorewall/Contrib/swping
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V5.2
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #
@@ -21,7 +21,7 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#  For information about this script, see  http://www.shorewall.net/MultiISP.html#swping.
+#  For information about this script, see  http://www.shorewall.org/MultiISP.html#swping.
 #
 ###########################################################################################
 #
--- a/Shorewall/Contrib/swping.init
+++ b/Shorewall/Contrib/swping.init
@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -7,7 +7,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/INSTALL
+++ b/Shorewall/INSTALL
@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5

 ---------------------------------------------------------------------------

-Please see http://www.shorewall.net/Install.htm for installation
+Please see http://www.shorewall.org/Install.htm for installation
 instructions.


--- a/Shorewall/Macros/IPFS-swarm
+++ b/Shorewall/Macros/IPFS-swarm
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
+#
+# This macro handles IPFS data traffic (the connection to IPFS swarm).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     4001
--- a/Shorewall/Macros/macro.Bitcoin
+++ b/Shorewall/Macros/macro.Bitcoin
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Bitcoin
+#
+# Macro for handling Bitcoin P2P traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8333
--- a/Shorewall/Macros/macro.BitcoinRPC
+++ b/Shorewall/Macros/macro.BitcoinRPC
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRPC
+#
+# Macro for handling Bitcoin RPC traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8332
--- a/Shorewall/Macros/macro.BitcoinRegtest
+++ b/Shorewall/Macros/macro.BitcoinRegtest
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRegtest
+#
+# Macro for handling Bitcoin P2P traffic (Regtest mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18444
--- a/Shorewall/Macros/macro.BitcoinTestnet
+++ b/Shorewall/Macros/macro.BitcoinTestnet
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinTestnet
+#
+# Macro for handling Bitcoin P2P traffic (Testnet mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18333
--- a/Shorewall/Macros/macro.BitcoinTestnetRPC
+++ b/Shorewall/Macros/macro.BitcoinTestnetRPC
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinTestnetRPC
+#
+# Macro for handling Bitcoin RPC traffic (Testnet and Regtest mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18332
--- a/Shorewall/Macros/macro.BitcoinZMQ
+++ b/Shorewall/Macros/macro.BitcoinZMQ
@@ -0,0 +1,9 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinZMQ
+#
+# Macro for handling Bitcoin ZMQ traffic
+# See https://github.com/bitcoin/bitcoin/blob/master/doc/zmq.md
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	28332
--- a/Shorewall/Macros/macro.Cockpit
+++ b/Shorewall/Macros/macro.Cockpit
@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Cockpit
+#
+# This macro handles Time protocol (RFC868).
+# Unless you are supporting extremely old hardware or software,
+# you shouldn't be using this.  NTP is a superior alternative.
+#
+#		By Eric Teeter
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	9090
--- a/Shorewall/Macros/macro.IPFS-API
+++ b/Shorewall/Macros/macro.IPFS-API
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-API
+#
+# This macro handles IPFS API port (commands for the IPFS daemon).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     5001
--- a/Shorewall/Macros/macro.IPFS-gateway
+++ b/Shorewall/Macros/macro.IPFS-gateway
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-gateway
+#
+# This macro handles the IPFS gateway to HTTP.
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     8080
--- a/Shorewall/Macros/macro.IPFS-swarm
+++ b/Shorewall/Macros/macro.IPFS-swarm
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
+#
+# This macro handles IPFS data traffic (the connection to IPFS swarm).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     4001
--- a/Shorewall/Macros/macro.ONCRPC
+++ b/Shorewall/Macros/macro.ONCRPC
@@ -0,0 +1,8 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.ONCRPC
+#
+# This macro handles ONC RCP traffic (for rpcbind on Linux, etc).
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp,udp	111
--- a/Shorewall/Macros/macro.Tor
+++ b/Shorewall/Macros/macro.Tor
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Tor
+#
+# Macro for handling Tor Onion Network traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9001	
--- a/Shorewall/Macros/macro.TorBrowserBundle
+++ b/Shorewall/Macros/macro.TorBrowserBundle
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorBrowserBundle
+#
+# Macro for handling Tor Onion Network traffic provided by Tor Browser Bundle
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9150
--- a/Shorewall/Macros/macro.TorControl
+++ b/Shorewall/Macros/macro.TorControl
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorControl
+#
+# Macro for handling Tor Controller Applications traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9051	
--- a/Shorewall/Macros/macro.TorDirectory
+++ b/Shorewall/Macros/macro.TorDirectory
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorDirectory
+#
+# Macro for handling Tor Directory traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9030
--- a/Shorewall/Macros/macro.TorSocks
+++ b/Shorewall/Macros/macro.TorSocks
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorSocks
+#
+# Macro for handling Tor Socks Proxy traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9050	
--- a/Shorewall/Macros/macro.WUDO
+++ b/Shorewall/Macros/macro.WUDO
@@ -0,0 +1,9 @@
+
+# Shorewall -- /usr/share/shorewall/macro.WUDO
+#
+# This macro handles WUDO (Windows Update Delivery Optimization)
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	7680
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -5,7 +5,7 @@
 #
 #     (c) 2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -201,6 +201,13 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    my $prerule = '';
    my $rule2 = 0;
    my $jump  = 0;
+    my $raw_matches = get_inline_matches(1);
+
+    if ( $raw_matches =~ s/^\s*+// ) {
+	$prerule = $raw_matches;
+    } else {
+	$rule .= $raw_matches;
+    }

    unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
@@ -242,9 +249,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    $rule .= do_nfacct( $_ );
 		}
 	    }
-	} elsif ( $action eq 'INLINE' ) {
-	    $rule .= get_inline_matches(1);
-	} else {
+	} elsif ( $action ne 'INLINE' ) {
 	    ( $action, my $cmd ) = split /:/, $action;

 	    if ( $cmd ) {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Show More
+++ b/Show More