Correct a runtime error with NFQUEUE.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Clean up links in the manpages
2017-06-12 07:44:34 -07:00 · 2017-06-09 08:49:17 -07:00
239 changed files with 21295 additions and 7064 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -2,7 +2,7 @@
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
 #
-#     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
@@ -190,7 +190,7 @@ for p in ${!params[@]}; do
 done
 echo '#'                                                                 > shorewallrc
-echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc
+echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
 echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -173,12 +173,7 @@ my $outfile;
 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
-if ( $ENV{SOURCE_DATE_EPOCH} ) {
+printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date  --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`;
 } else {
    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
 }
 print $outfile "# rc file: $rcfilename\n#\n";
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -335,8 +335,9 @@ for f in lib.* ; do
 done
 if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.cli
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
 fi
 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.base
+# Shorewall 5.0 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.cli
+# Shorewall 5.0 -- /usr/share/shorewall/lib.cli.
 #
-#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=50200
+SHOREWALL_CAPVERSION=50100
 if [ -z "$g_basedir" ]; then
    #
@@ -47,10 +47,6 @@ startup_error() {
    exit 1
 }
 only_root() {
    [ "$(id -u)" != 0 ] && fatal_error "The '$COMMAND' command may only be run by root"
 }
 #
 # Display a chain if it exists
 #
@@ -87,8 +83,6 @@ showchain() # $1 = name of chain
 #
 validate_restorefile() # $* = label
 {
    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
    case $RESTOREFILE in
 	*/*)
 	    error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
@@ -417,9 +411,9 @@ resolve_arptables() {
 savesets() {
    local supported
-    supported=$(run_it $g_firewall help | fgrep savesets )
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
-    [ -n "$supported" ] && run_it $g_firewall savesets ${g_restorepath}-ipsets 
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
 }
 #
@@ -428,9 +422,9 @@ savesets() {
 savesets1() {
    local supported
-    supported=$(run_it $g_firewall help | fgrep savesets )
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
-    [ -n "$supported" ] && run_it $g_firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
 }
 #
@@ -441,9 +435,9 @@ do_save() {
    local arptables
    status=0
-    if [ -f $g_firewall ]; then
+    if [ -f ${VARDIR}/firewall ]; then
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    cp -f $g_firewall $g_restorepath
+	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod 700 $g_restorepath
 	    chmod 600 ${g_restorepath}-iptables
@@ -455,7 +449,7 @@ do_save() {
 	    status=1
 	fi
    else
-	echo "   ERROR: $g_firewall does not exist" >&2
+	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
 	status=1
    fi
@@ -640,7 +634,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -6 -o route list table $table | grep -vF cache | sort_routes
+		ip -$g_family -o route list table $table | grep -vF cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -653,7 +647,7 @@ show_routing() {
    else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -6 -o route list | grep -vF cache | sort_routes
+	    ip -$g_family -o route list | grep -vF cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
@@ -1143,31 +1137,16 @@ show_a_macro() {
    cat ${directory}/macro.$1
 }
 #
-# Don't dump empty SPD entries or entries from the other address family
+# Don't dump empty SPD entries
 #
-spd_filter() {
+spd_filter()
-    #
+{
-    # af   = Address Family (4 or 6)
+    awk \
-    # afok = Address Family of entry matches af
+    'BEGIN            { skip=0; }; \
-    # p    = print the contents of A (entry is not empty)
+    /^src/            { skip=0; }; \
-    # i    = Number of lines stored in A
+    /^src 0.0.0.0\/0/ { skip=1; }; \
-    #
+    /^src ::\/0/      { skip=1; }; \
-    awk -v af=$g_family \
+                      { if ( skip == 0 ) print; };'
 	'function prnt(A,i,    j) { while ( j < i ) print A[j++]; };\
 \
 	 /^src / { if (p) prnt( A, i );\
 		   afok = 1;\
 		   p	= 0;\
 		   i	= 0;\
 		   if ( af == 4 )\
 		       { if ( /:/ )  afok = 0; }\
 		   else\
 		       { if ( /\./ ) afok = 0; }\
 		 };\
 		 { if ( afok ) A[i++] = $0; };\
 	 /tmpl/	 { p = afok; };\
 \
 	 END	 { if (p) prnt( A, i ); }'
 }
 #
 # Print a heading with leading and trailing black lines
@@ -1180,8 +1159,7 @@ heading() {
 show_ipsec() {
    heading "PFKEY SPD"
-    $IP -s -$g_family xfrm policy | spd_filter
+    $IP -s xfrm policy | spd_filter
    heading "PFKEY SAD"
    $IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
 }
@@ -1191,26 +1169,6 @@ show_ipsec_command() {
    show_ipsec
 }
 show_saves_command() {
    local f
    local fn
    local mtime
    echo "$g_product $SHOREWALL_VERSION Saves at $g_hostname - $(date)"
    echo "Saved snapshots are:"
    echo
    for f in ${VARDIR}/*-iptables; do
 	fn=$(basename $f)
 	fn=${fn%-iptables}
 	mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
 	[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
 	echo "   $mtime ${fn%-iptables}"
    done
    echo
 }
 #
 # Show Command Executor
 #
@@ -1229,7 +1187,6 @@ show_command() {
    show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
 	if [ -n "$foo" ]; then
 	    macro=$(basename $macro)
 	    macro=${macro#*.}
 	    foo=${foo%.*}
 	    if [ ${#macro} -gt 5 ]; then
@@ -1324,47 +1281,37 @@ show_command() {
    [ -n "$g_debugging" ] && set -x
    COMMAND="$COMMAND $1"
    case "$1" in
 	connections)
 	    only_root
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	tos|mangle)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && too_many_arguments $2
 	    only_root
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
 	    only_root
 	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
@@ -1388,7 +1335,6 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
@@ -1425,50 +1371,33 @@ show_command() {
 	    fi
 	    ;;
 	chain)
 	    only_root
 	    shift
 	    eval show_chain $@ $g_pager
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
        rc)
            shift
 	    [ $# -gt 1 ] && too_many_arguments $2
            if [ -n "$1" -a -d "$1" ]; then
                cat $1/shorewallrc
            elif [ -n "$g_basedir" -a -d "$g_basedir" ]; then
                cat $g_basedir/shorewallrc
            else
                fatal_error "Can not determine the location of the shorewallrc file."
            fi
            ;;
 	policies)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
 	    only_root
 	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1478,7 +1407,6 @@ show_command() {
 	    ;;
 	event)
 	    [ $# -gt 1 ] || too_many_arguments $2
 	    only_root
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
@@ -1486,18 +1414,14 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    setup_dbl
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 	    if chain_exists dynamic; then
@@ -1508,13 +1432,8 @@ show_command() {
 	    ;;
 	ipsec)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    only_root
 	    eval show_ipsec_command $g_pager
 	    ;;
 	saves)
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    show_saves_command
 	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
@@ -1561,8 +1480,6 @@ show_command() {
 		    ;;
 	    esac
 	    only_root
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
@@ -1880,7 +1797,7 @@ do_dump_command() {
    echo
-    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netstat -tunap; }
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -1994,6 +1911,41 @@ show_proc() # $1 = name of a file
    [ -f $1 ] && echo "   $1 = $(cat $1)"
 }
 read_yesno_with_timeout() {
    local timeout
    timeout=${1:-60}
    case $timeout in
 	*s)
 	    ;;
 	*m)
 	    timeout=$((${timeout%m} * 60))
 	    ;;
 	*h)
 	    timeout=$((${timeout%h} * 3600))
 	    ;;
    esac
    read -t $timeout yn 2> /dev/null
    if [ $? -eq 2 ]
    then
 	# read doesn't support timeout
 	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
 	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
 	return $?
    else
 	# read supports timeout
 	case "$yn" in
 	    y|Y)
 		return 0
 		;;
 	    *)
 		return 1
 		;;
 	esac
    fi
 }
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2577,114 +2529,109 @@ hits_command() {
    fi
 }
 #
 # Issue an error message and terminate if the firewall isn't started
 #
 require_started() {
    if ! product_is_started; then
 	error_message "ERROR: $g_product is not started"
 	exit 2
    fi
 }
 #
 # 'allow' command executor
 #
 allow_command() {
    local allowed
    local which
    which='-s'
    local range
    range='--src-range'
    local dynexists
    [ -n "$g_debugging" ] && set -x
    [ $# -eq 1 ] && missing_argument
-    if [ -n "$g_blacklistipset" ]; then
+    if product_is_started ; then
-	case ${IPSET:=ipset} in
+	local allowed
-	    */*)
+	local which
-		if [ ! -x "$IPSET" ]; then
+	which='-s'
-		    fatal_error "IPSET=$IPSET does not exist or is not executable"
+	local range
-		fi
+	range='--src-range'
-		;;
+	local dynexists
 	    *)
 		IPSET="$(mywhich $IPSET)"
 		[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
 		;;
 	esac
    fi
-    if chain_exists dynamic; then
+	if [ -n "$g_blacklistipset" ]; then
 	dynexists=Yes
    elif [ -z "$g_blacklistipset" ]; then
 	require_started
 	fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
    fi
-    [ -n "$g_nolock" ] || mutex_on
+	    case ${IPSET:=ipset} in
-
+		*/*)
-    while [ $# -gt 1 ]; do
+		    if [ ! -x "$IPSET" ]; then
-	shift
+			fatal_error "IPSET=$IPSET does not exist or is not executable"
 	allowed=''
 	case $1 in
 	    from)
 		which='-s'
 		range='--src-range'
 		continue
 		;;
 	    to)
 		which='-d'
 		range='--dst-range'
 		continue
 		;;
 	    *-*)
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			allowed=Yes
 		    fi
-		fi
+		    ;;
-
+		*)
-		if [ -n "$dynexists" ]; then
+		    IPSET="$(mywhich $IPSET)"
-		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
-			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+		    ;;
-			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+	    esac
 			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
 		    then
 			allowed=Yes
 		    fi
 		fi
 		;;
 	    *)
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			allowed=Yes
 		    fi
 		fi
 		if [ -n "$dynexists" ]; then
 		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
 		        qt $g_tool -D dynamic $which $1 -j DROP      ||\
 			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
 			qt $g_tool -D dynamic $which $1 -j logreject
 		    then
 			allowed=Yes
 		    fi
 		fi
 		;;
 	esac
 	if [ -n "$allowed" ]; then
 	    progress_message2 "$1 Allowed"
 	else
 	    error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
 	fi
    done
-    [ -n "$g_nolock" ] || mutex_off
+	if chain_exists dynamic; then
 	    dynexists=Yes
 	elif [ -z "$g_blacklistipset" ]; then
 	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
 	fi
 	[ -n "$g_nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
 	    allowed=''
 	    case $1 in
 		from)
 		    which='-s'
 		    range='--src-range'
 		    continue
 		    ;;
 		to)
 		    which='-d'
 		    range='--dst-range'
 		    continue
 		    ;;
 		*-*)
 		    if [ -n "$g_blacklistipset" ]; then
 			if qt $IPSET -D $g_blacklistipset $1; then
 			    allowed=Yes
 			fi
 		    fi
 		    if [ -n "$dynexists" ]; then
 			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
 			then
 			    allowed=Yes
 			fi
 		    fi
 		    ;;
 		*)
 		    if [ -n "$g_blacklistipset" ]; then
 			if qt $IPSET -D $g_blacklistipset $1; then
 			    allowed=Yes
 			fi
 		    fi
 		    if [ -n "$dynexists" ]; then
 			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
 			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
 			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
 			    qt $g_tool -D dynamic $which $1 -j logreject
 			then
 			    allowed=Yes
 			fi
 		    fi
 		    ;;
 	    esac
 	    if [ -n "$allowed" ]; then
 		progress_message2 "$1 Allowed"
 	    else
 		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
 	    fi
 	done
 	[ -n "$g_nolock" ] || mutex_off
    else
 	error_message "ERROR: $g_product is not started"
 	exit 2
    fi
 }
 #
@@ -2804,6 +2751,7 @@ determine_capabilities() {
    LENGTH_MATCH=
    CLASSIFY_TARGET=
    ENHANCED_REJECT=
    USEPKTTYPE=
    KLUDGEFREE=
    MARK=
    XMARK=
@@ -2822,7 +2770,7 @@ determine_capabilities() {
    GOTO_TARGET=
    LOGMARK_TARGET=
    IPMARK_TARGET=
-    LOG_TARGET=
+    LOG_TARGET=Yes
    ULOG_TARGET=
    NFLOG_TARGET=
    PERSISTENT_SNAT=
@@ -2855,8 +2803,6 @@ determine_capabilities() {
    WAIT_OPTION=
    CPU_FANOUT=
    NETMAP_TARGET=
    NFLOG_SIZE=
    RESTORE_WAIT_OPTION=
    AMANDA_HELPER=
    FTP_HELPER=
@@ -2880,11 +2826,9 @@ determine_capabilities() {
 	qt $arptables -L OUT && ARPTABLESJF=Yes
    fi
    [ -z "$(${g_tool}-restore --wait < /dev/null 2>&1)" ] && RESTORE_WAIT_OPTION=Yes
    if qt $g_tool --wait -t filter -L INPUT -n -v; then
 	WAIT_OPTION=Yes
-	g_tool="$g_tool --wait"
+	tool="$tool --wait"
    fi
    chain=fooX$$
@@ -2899,7 +2843,6 @@ determine_capabilities() {
 		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
 	    qt $g_tool -t nat -L INPUT -n && NAT_INPUT_CHAIN=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
 	    qt $g_tool -t nat -F $chain
 	    qt $g_tool -t nat -X $chain
@@ -3150,6 +3093,7 @@ determine_capabilities() {
 	fi
    fi
    qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
    qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
    qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
    qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
@@ -3190,15 +3134,12 @@ determine_capabilities() {
    qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $g_tool -A $chain -j LOG && LOG_TARGET=Yes
+    qt $g_tool -A $chain -j LOG || LOG_TARGET=
    qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
    qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
    if qt $g_tool -A $chain -j NFLOG; then
 	NFLOG_TARGET=Yes
 	qt $g_tool -A $chain -j NFLOG --nflog-size 64 && NFLOG_SIZE=Yes
    fi
    if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -3263,6 +3204,7 @@ report_capabilities_unsorted() {
 	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
 	[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
    fi
    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
    report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
    report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
    report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
@@ -3272,8 +3214,8 @@ report_capabilities_unsorted() {
    [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
    report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
    report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
    if [ -n "$IPSET_MATCH" ]; then
 	report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
 	[ -n "$OLD_IPSET_MATCH" ]     && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)"           $OLD_IPSET_MATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Nomatch (IPSET_MATCH_NOMATCH)"   $IPSET_MATCH_NOMATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Counters (IPSET_MATCH_COUNTERS)" $IPSET_MATCH_COUNTERS
@@ -3353,11 +3295,9 @@ report_capabilities_unsorted() {
    if [ $g_family -eq 4 ]; then
 	report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "iptables --wait option (WAIT_OPTION)" $WAIT_OPTION
 	report_capability "iptables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    else
 	report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	report_capability "ip6tables --wait option (WAIT_OPTION)" $WAIT_OPTION
 	report_capability "ip6tables-restore --wait option (RESTORE_WAIT_OPTION)" $RESTORE_WAIT_OPTION
    fi
    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
@@ -3365,8 +3305,6 @@ report_capabilities_unsorted() {
    report_capability "CT Target (CT_TARGET)" $CT_TARGET
    report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
    report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3379,6 +3317,8 @@ report_capabilities() {
 	report_capabilities_unsorted | sort
    fi
    [ -n "$PKTTYPE" ] || USEPKTTYPE=
 }
 report_capabilities_unsorted1() {
@@ -3395,6 +3335,7 @@ report_capabilities_unsorted1() {
    report_capability1 CONNTRACK_MATCH
    report_capability1 NEW_CONNTRACK_MATCH
    report_capability1 OLD_CONNTRACK_MATCH
    report_capability1 USEPKTTYPE
    report_capability1 POLICY_MATCH
    report_capability1 PHYSDEV_MATCH
    report_capability1 PHYSDEV_BRIDGE
@@ -3470,9 +3411,6 @@ report_capabilities_unsorted1() {
    report_capability1 WAIT_OPTION
    report_capability1 CPU_FANOUT
    report_capability1 NETMAP_TARGET
    report_capability1 NFLOG_SIZE
    report_capability1 RESTORE_WAIT_OPTION
    report_capability1 NAT_INPUT_CHAIN
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3777,7 +3715,7 @@ ipcalc_command() {
    valid_address $address || fatal_error "Invalid IP address: $address"
    [ -z "$vlsm" ] && fatal_error "Missing VLSM"
-    [ "x$address" = "x$vlsm" ] && fatal_error "Invalid VLSM"
+    [ "x$address" = "x$vlsm" ] && "Invalid VLSM"
    [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"
    address=$address/$vlsm
@@ -3815,7 +3753,7 @@ iprange_command() {
 }
 ipdecimal_command() {
-    if [ $# -eq 1 ]; then
+    if [ $# eq 1 ]; then
 	missing_argument
    else
 	[ $# -eq 2 ] || too_many_arguments $3
@@ -3958,7 +3896,7 @@ get_config() {
    ensure_config_path
-    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -4112,15 +4050,15 @@ start_command() {
 	rc=0
 	[ -n "$g_nolock" ] || mutex_on
-	if [ -x $g_firewall ]; then
+	if [ -x ${VARDIR}/firewall ]; then
-	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
 		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
 	    else
-		run_it $g_firewall $g_debugging start
+		run_it ${VARDIR}/firewall $g_debugging start
 	    fi
 	    rc=$?
 	else
-	    error_message "$g_firewall is missing or is not executable"
+	    error_message "${VARDIR}/firewall is missing or is not executable"
 	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
@@ -4249,11 +4187,11 @@ restart_command() {
    [ -n "$g_nolock" ] || mutex_on
-    if [ -x $g_firewall ]; then
+    if [ -x ${VARDIR}/firewall ]; then
-	run_it $g_firewall $g_debugging $COMMAND
+	run_it ${VARDIR}/firewall $g_debugging $COMMAND
 	rc=$?
    else
-	error_message "$g_firewall is missing or is not executable"
+	error_message "${VARDIR}/firewall is missing or is not executable"
 	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
    fi
@@ -4263,10 +4201,10 @@ restart_command() {
 }
 run_command() {
-    if [ -x $g_firewall ] ; then
+    if [ -x ${VARDIR}/firewall ] ; then
-	run_it $g_firewall $g_debugging $@
+	run_it ${VARDIR}/firewall $g_debugging $@
    else
-	fatal_error "$g_firewall does not exist or is not executable"
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
 }
@@ -4324,6 +4262,7 @@ usage() # $1 = exit status
    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   reenable <interface>"
    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."
    if [ -n "$g_lite" ]; then
@@ -4333,11 +4272,9 @@ usage() # $1 = exit status
    fi
    if [ -z "$g_lite" ]; then
-	echo "   remote-getrc [ -T ] [ -c ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-getcaps [ -T ] [ -R ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
+	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
-	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
 	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
 	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
    fi
    echo "   reset [ <chain> ... ]"
@@ -4380,9 +4317,7 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] nfacct"
    echo "   [ show | list | ls ] opens"
    echo "   [ show | list | ls ] policies"
    echo "   [ show | list | ls ] rc"
    echo "   [ show | list | ls ] routing"
    echo "   [ show | list | ls ] saves"
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
@@ -4431,6 +4366,7 @@ shorewall_cli() {
    g_use_verbosity=
    g_debug=
    g_export=
    g_refreshchains=:none:
    g_confess=
    g_update=
    g_annotate=
@@ -4449,7 +4385,6 @@ shorewall_cli() {
    g_nopager=
    g_blacklistipset=
    g_disconnect=
    g_havemutex=
    VERBOSE=
    VERBOSITY=1
@@ -4622,14 +4557,12 @@ shorewall_cli() {
    case "$COMMAND" in
 	start)
 	    only_root
 	    get_config Yes Yes
 	    shift
 	    start_command $@
 	    ;;
 	stop|clear)
 	    [ $# -ne 1 ] && too_many_arguments $2
 	    only_root
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4637,7 +4570,6 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
 	    only_root
 	    get_config
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4646,22 +4578,19 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
 	    only_root
 	    get_config Yes Yes
 	    shift
 	    restart_command $@
 	    ;;
 	disable|enable|reenable)
 	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it $g_firewall $g_debugging $@
+		run_it ${VARDIR}/firewall $g_debugging $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	blacklist)
 	    only_root
 	    get_config Yes
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4670,7 +4599,6 @@ shorewall_cli() {
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
 	    only_root
 	    get_config Yes
 	    run_command $@
 	    ;;
@@ -4680,20 +4608,18 @@ shorewall_cli() {
    	    show_command $@
 	    ;;
 	status)
-	    only_root
+	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
 	    shift
 	    status_command $@
 	    ;;
 	dump)
 	    only_root
 	    get_config Yes No Yes
    	    shift
    	    dump_command $@
 	    ;;
 	hits)
 	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
 	    only_root
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4704,63 +4630,53 @@ shorewall_cli() {
 	    version_command $@
 	    ;;
 	logwatch)
 	    only_root
 	    get_config Yes Yes Yes
 	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
 	    only_root
 	    get_config
 	    shift
 	    open_close_command $@
 	    ;;
 	allow)
 	    only_root
 	    get_config
 	    allow_command $@
 	    ;;
 	add)
 	    only_root
 	    get_config
 	    shift
 	    add_command $@
 	    ;;
 	delete)
 	    only_root
 	    get_config
 	    shift
 	    delete_command $@
 	    ;;
 	save)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    save_command $@
 	    ;;
 	forget)
 	    only_root
 	    get_config
 	    forget_command $@
 	    ;;
@@ -4777,13 +4693,11 @@ shorewall_cli() {
 	    ipdecimal_command $@
 	    ;;
 	restore)
 	    only_root
 	    get_config
 	    shift
 	    restore_command $@
            ;;
 	call)
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
@@ -4821,20 +4735,17 @@ shorewall_cli() {
 	    usage
 	    ;;
 	iptrace)
 	    only_root
 	    get_config
 	    shift
 	    iptrace_command $@
 	    ;;
 	noiptrace)
 	    only_root
 	    get_config
 	    shift
 	    noiptrace_command $@
 	    ;;
 	savesets)
 	    [ $# -eq 1 ] || too_many_arguments $2
 	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.common
+# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
 #
-#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -269,48 +269,53 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
    local modulename
    modulename=$1
    shift
    local moduleoptions
    moduleoptions=$*
    local modulefile
    local suffix
    if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
-		case $moduleloader in
+		shift
-		    insmod)
+
-			for directory in $moduledirectories; do
+		for suffix in $MODULE_SUFFIX ; do
-			    for modulefile in $directory/${modulename}.*; do
+		    for directory in $moduledirectories; do
-				if [ -f $modulefile ]; then
+			modulefile=$directory/${modulename}.${suffix}
-				    insmod $modulefile $moduleoptions
+
 				    return
 				fi
 			    done
 			done
 			;;
 		    *)
 			modprobe -q $modulename $moduleoptions
 			;;
 		esac
 	    fi
 	fi
    elif ! list_search $modulename $DONT_LOAD $MODULES; then
 	case $moduleloader in
 	    insmod)
 		for directory in $moduledirectories; do
 		    for modulefile in $directory/${modulename}.*; do
 			if [ -f $modulefile ]; then
-			    insmod $modulefile $moduleoptions
+			    case $moduleloader in
-			    return
+				insmod)
 				    insmod $modulefile $*
 				    ;;
 				*)
 				    modprobe $modulename $*
 				    ;;
 			    esac
 			    break 2
 			fi
 		    done
 		done
-		;;
+	    fi
-	    *)
+	fi
-		modprobe -q $modulename $moduleoptions
+    elif ! list_search $modulename $DONT_LOAD $MODULES; then
-		;;
+	shift
-	esac
+
 	for suffix in $MODULE_SUFFIX ; do
 	    for directory in $moduledirectories; do
 		modulefile=$directory/${modulename}.${suffix}
 		if [ -f $modulefile ]; then
 		    case $moduleloader in
 			insmod)
 			    insmod $modulefile $*
 			    ;;
 			*)
 			    modprobe $modulename $*
 			    ;;
 		    esac
 		    break 2
 		fi
 	    done
 	done
    fi
 }
@@ -333,6 +338,8 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi
    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -387,6 +394,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi
    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -754,7 +763,7 @@ mutex_on()
    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
-    if [ -z "$g_havemutex" -a $MUTEX_TIMEOUT -gt 0 ]; then
+    if [ $MUTEX_TIMEOUT -gt 0 ]; then
 	lockd=$(dirname $LOCKFILE)
@@ -762,7 +771,7 @@ mutex_on()
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
@@ -775,14 +784,12 @@ mutex_on()
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
 	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-	    lock ${lockf}
+            lock ${lockf}
-	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
+            chmod u=r ${lockf}
 	    chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -792,15 +799,10 @@ mutex_on()
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
 		g_havemutex="rm -f ${lockf}"
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
 	if [ -n "$g_havemutex" ]; then
 	    trap mutex_off EXIT
 	fi
    fi
 }
@@ -809,10 +811,7 @@ mutex_on()
 #
 mutex_off()
 {
-    if [ -n "$g_havemutex" ]; then
+    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
-	eval $g_havemutex
+    rm -f ${LOCKFILE:=${VARDIR}/lock}
 	g_havemutex=
 	trap '' exit
    fi
 }
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.core
+# Shorewall 5.0 -- /usr/share/shorewall/lib.core
 #
-#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,7 +24,7 @@
 # generated scripts.
 #
-SHOREWALL_LIBVERSION=50108
+SHOREWALL_LIBVERSION=50100
 #
 # Fatal Error
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -1,5 +1,6 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
+#
 # Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -1,5 +1,6 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
+#
 # Shorewall 5.0 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -405,6 +405,20 @@
      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>options</arg>
      <arg
      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg><option>-i</option></arg><arg>-<option>D</option>
      <replaceable>directory</replaceable> </arg><arg
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>
@@ -445,54 +459,6 @@
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>options</arg>
      <arg choice="plain"><option>remote-getcaps</option></arg>
      <arg><option>-s</option></arg>
      <arg><option>-R</option></arg>
      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
      <arg><option>-T</option></arg>
      <arg><option>-i</option></arg>
      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>options</arg>
      <arg choice="plain"><option>remote-getrc</option></arg>
      <arg><option>-s</option></arg>
      <arg><option>-c</option></arg>
      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
      <arg><option>-T</option></arg>
      <arg><option>-i</option></arg>
      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall[6]</command>
@@ -847,7 +813,7 @@
      <arg choice="req"><option>show | list | ls </option></arg>
-      <arg choice="plain"><option>saves</option></arg>
+      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -1350,7 +1316,7 @@
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
+          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>
@@ -1807,6 +1773,63 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
        [-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
        </option><replaceable>directory</replaceable> ] [
        <replaceable>chain</replaceable>... ]</term>
        <listitem>
          <para>Not available with Shorewall[6]-lite.</para>
          <para>All steps performed by <command>restart</command> are
          performed by <command>refresh</command> with the exception that
          <command>refresh</command> only recreates the chains specified in
          the command while <command>restart</command> recreates the entire
          Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
          the static blacklisting chain <emphasis
          role="bold">blacklst</emphasis> is assumed.</para>
          <para>The listed chains are assumed to be in the filter table. You
          can refresh chains in other tables by prefixing the chain name with
          the table name followed by ":" (e.g., nat:net_dnat). Chain names
          which follow are assumed to be in that table until the end of the
          list or until an entry in the list names another table. Built-in
          chains such as FORWARD may not be refreshed.</para>
          <para>The <option>-n</option> option was added in Shorewall 4.5.3
          causes Shorewall to avoid updating the routing table(s).</para>
          <para>The <option>-d</option> option was added in Shorewall 4.5.3
          causes the compiler to run under the Perl debugger.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-D</option> option was added in Shorewall 4.5.3
          and causes Shorewall to look in the given
          <emphasis>directory</emphasis> first for configuration files.</para>
          <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
          <para>The <emphasis role="bold">refresh</emphasis> command has
          slightly different behavior. When no chain name is given to the
          <emphasis role="bold">refresh</emphasis> command, the mangle table
          is refreshed along with the blacklist chain (if any). This allows
          you to modify <filename>/etc/shorewall/tcrules </filename>and
          install the changes using <emphasis
          role="bold">refresh</emphasis>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">reject</emphasis><replaceable>
        address</replaceable></term>
@@ -1918,57 +1941,6 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">remote-getcaps</emphasis>
        [-<option>R</option>] [-<option>r</option>
        <replaceable>root-user-name</replaceable>] [ [ -D ]
        <replaceable>directory</replaceable> ] [
        <replaceable>system</replaceable> ]</term>
        <listitem>
          <para>Added in Shoreall 5.2.0, this command executes <emphasis
          role="bold">shorewall[6]-lite show capabilities -f &gt;
          /var/lib/shorewall[6]-lite/capabilities</emphasis> on the remote
          <replaceable>system</replaceable> via ssh then the generated file is
          copied to <replaceable>directory</replaceable> on the local system.
          If no <replaceable>directory</replaceable> is given, the current
          working directory is assumed.</para>
          <para>if <emphasis role="bold">-R</emphasis> is included, the remote
          shorewallrc file is also copied to
          <replaceable>directory</replaceable>.</para>
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">remote-getrc</emphasis>
        [-<option>c</option>] [-<option>r</option>
        <replaceable>root-user-name</replaceable>] [ [ -D ]
        <replaceable>directory</replaceable> ] [
        <replaceable>system</replaceable> ]</term>
        <listitem>
          <para>Added in Shoreall 5.2.0, this command copies the shorewallrc
          file from the remote <replaceable>system</replaceable> to
          <replaceable>directory</replaceable> on the local system. If no
          <replaceable>directory</replaceable> is given, the current working
          directory is assumed.</para>
          <para>if <emphasis role="bold">-c</emphasis> is included, the remote
          capabilities are also copied to
          <replaceable>directory</replaceable>, as is done by the
          <command>remote-getcaps</command> command.</para>
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">remote-start</emphasis>
        [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
@@ -2020,9 +1992,9 @@
          role="bold">shorewall-lite save</emphasis> via ssh.</para>
          <para>if <emphasis role="bold">-c</emphasis> is included, the
-          command <emphasis role="bold">shorewall[6]-lite show capabilities -f
+          command <emphasis role="bold">shorewall-lite show capabilities -f
-          &gt; /var/lib/shorewall[6]-lite/capabilities</emphasis> is executed
+          &gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
-          via ssh then the generated file is copied to
+          ssh then the generated file is copied to
          <replaceable>directory</replaceable> using scp. This step is
          performed before the configuration is compiled.</para>
@@ -2033,6 +2005,13 @@
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -2451,11 +2430,11 @@
        <replaceable>filename</replaceable> ]</term>
        <listitem>
-          <para>Creates a snapshot of the currently running firewall. The
+          <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
-          dynamic blacklist is stored in /var/lib/shorewall/save. The state of
+          The state of the firewall is stored in
          the firewall is stored in
          /var/lib/shorewall/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall restore</emphasis> command. If
+          <emphasis role="bold">shorewall restore</emphasis> and <emphasis
          role="bold">shorewall -f start</emphasis> commands. If
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
@@ -2758,15 +2737,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">rc</emphasis></term>
              <listitem>
                <para>Added in Shorewall 5.2.0. Displays the contents of
                $SHAREDIR/shorewall/shorewallrc.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>[-<option>c</option>]<emphasis role="bold">
              routing</emphasis></term>
@@ -2792,20 +2762,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>saves</term>
              <listitem>
                <para>Added in Shorewall 5.2.0. Lists snapshots created by the
                <command>save</command> command. Each snapshot is listed with
                the date and time when it was taken. If there is a snapshot
                with the name specified in the RESTOREFILE option in <ulink
                url="shorewall.conf.html">shorewall.conf(5</ulink>), that
                snapshot is listed as the <emphasis>default</emphasis>
                snapshot for the <command>restore</command> command.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>
@@ -2965,7 +2921,7 @@
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
+          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>
@@ -3217,8 +3173,6 @@
    <title>FILES</title>
    <para>/etc/shorewall/</para>
    <para>/etc/shorewall6/</para>
  </refsect1>
  <refsect1>
@@ -3228,18 +3182,13 @@
    url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
    <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-ipsets(5), shorewall-logging(), shorewall-maclist(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
-    shorewall-proxyarp(5), shorewall6-proxyndp(5), shorewall-routes(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
    shorewall-rtrules(5), shorewall-rtrules(5), shorewall-rules(5),
    shorewall-secmarks(5), shorewall-snat(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5),
    shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -1,8 +1,8 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.1
+#     Shorewall Packet Filtering Firewall Control Program - V5.0
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -25,10 +25,6 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
 #
 # Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l
 # options
 #
 PRODUCT=shorewall
 #
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.2 rc file
+# Apple OS X Shorewall 5.0 rc file
 #
 BUILD=apple
 HOST=apple
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.2 rc file
+# Arch Linux Shorewall 5.0 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.2 rc file
+# Cygwin Shorewall 5.0 rc file
 #
 BUILD=cygwin
 HOST=cygwin
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.2 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -13,9 +13,9 @@ MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
 INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-empty, annotated configuration files are installed
+ANNOTATED=				#If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian.systemd	#Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.2 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,5 +1,5 @@
 #
-# Default Shorewall 5.2 rc file
+# Default Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -1,5 +1,5 @@
 #
-# OpenWRT/LEDE Shorewall 5.2 rc file
+# OpenWRT Shorewall 5.0 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.2 rc file
+# RedHat/FedoraShorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat
--- a/Shorewall-core/shorewallrc.sandbox
+++ b/Shorewall-core/shorewallrc.sandbox
@@ -1,28 +0,0 @@
 #
 # Shorewall 5.2 rc file for installing into a Sandbox
 #
 BUILD=                                       # Default is to detect the build system
 HOST=linux
 INSTALLDIR=				     # Set this to the directory where you want Shorewall installed
 PREFIX=${INSTALLDIR}/usr		     # Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share		     # Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share		     # Directory for executable scripts.	
 PERLLIBDIR=${PREFIX}/share/shorewall	     # Directory to install Shorewall Perl module directory	
 CONFDIR=${INSTALLDIR}/etc		     # Directory where subsystem configurations are installed				
 SBINDIR=${INSTALLDIR}/sbin		     # Directory where system administration programs are installed			
 MANDIR=		     			     # Leave empty
 INITDIR=				     # Leave empty				     				
 INITSOURCE=				     # Leave empty
 INITFILE=				     # Leave empty
 AUXINITSOURCE=				     # Leave empty
 AUXINITFILE=				     # Leave empty
 SERVICEDIR=				     # Leave empty
 SERVICEFILE=    			     # Leave empty
 SYSCONFFILE=				     # Leave empty
 SYSCONFDIR=				     # Leave empty			
 SPARSE=					     # Leave empty			
 ANNOTATED=				     # If non-empty, annotated configuration files are installed				
 VARLIB=${INSTALLDIR}/var/lib		     # Directory where product variable data is stored.				
 VARDIR=${VARLIB}/$PRODUCT		     # Directory where product variable data is stored.		
 DEFAULT_PAGER=/usr/bin/less		     # Pager to use if none specified in shorewall[6].conf
 SANDBOX=Yes				     # Indicates SANDBOX installation
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.2 rc file
+# Slackware Shorewall 5.0 rc file
 #
 BUILD=slackware
 HOST=slackware
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.2 rc file
+# SuSE Shorewall 5.0 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -73,16 +73,12 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall ]; then
-        return 0
+	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-        if [ $PRODUCT = shorewall ]; then
+	return 0
            ${SBINDIR}/shorewall compile
        elif [ $PRODUCT = shorewall6 ]; then
            ${SBINDIR}/shorewall -6 compile
        else
            return 1
        fi
    fi
 }
@@ -112,14 +108,16 @@ shorewall_start () {
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-          #
+	  if [ -x ${STATEDIR}/firewall ]; then
-	  # Run in a sub-shell to avoid name collisions
+              #
-	  #
+	      # Run in a sub-shell to avoid name collisions
-	  (
+	      #
-	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+	      (
-		  ${STATEDIR}/firewall ${OPTIONS} stop
+		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-	      fi
+		      ${STATEDIR}/firewall ${OPTIONS} stop
-	  )
+		  fi
 	      )
 	  fi
      fi
  done
@@ -147,7 +145,9 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
 	      ${STATEDIR}/firewall ${OPTIONS} clear
 	  fi
      fi
  done
@@ -159,9 +159,8 @@ shorewall_stop () {
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      else
 	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
      fi
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,14 +44,12 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	return 0
    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 1
+	return 0
    fi
 }
@@ -68,20 +66,20 @@ start () {
    printf "Initializing \"Shorewall-based firewalls\": "
    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
 	ipset -R < "$SAVE_IPSETS"
    fi
    for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?
 	if [ $retval -eq 0 ]; then
-	    ${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
+	    if [ -x "${STATEDIR}/firewall" ]; then
-	    retval=${PIPESTATUS[0]}
+		${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
-	    [ $retval -ne 0 ] && break
+		retval=${PIPESTATUS[0]}
 		[ $retval -ne 0 ] && break
 	    else
 		retval=6 #Product not configured
 		break
 	    fi
 	else
 	    retval=6 #Product not configured
 	    break
 	fi
    done
@@ -108,25 +106,20 @@ stop () {
 	retval=$?
 	if [ $retval -eq 0 ]; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
+	    if [ -x "${STATEDIR}/firewall" ]; then
-	    retval=${PIPESTATUS[0]}
+		${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
-	    [ $retval -ne 0 ] && break
+		retval=${PIPESTATUS[0]}
 		[ $retval -ne 0 ] && break
 	    else
 		retval=6 #Product not configured
 		break
 	    fi
 	else
 	    retval=6 #Product not configured
 	    break
 	fi
    done
    if [ $retval -eq 0 ]; then
 	if [ -n "$SAVE_IPSETS" ]; then
 	    mkdir -p $(dirname "$SAVE_IPSETS")
 	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
 		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
 	    else
 		rm -f "${SAVE_IPSETS}.tmp"
 	    fi
 	fi
 	rm -f $lockfile
 	success
    else
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -75,14 +75,12 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	return 0
    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 1
+	return 0
    fi
 }
@@ -94,8 +92,10 @@ start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} stop
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 		  ${STATEDIR}/firewall ${OPTIONS} stop
 	      fi
 	  fi
      fi
  done
@@ -103,8 +103,6 @@ start () {
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      ipset -R < "$SAVE_IPSETS"
  fi
  return 0
 }
 boot () {
@@ -119,19 +117,17 @@ stop () {
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
+	    if [ -x ${STATEDIR}/firewall ]; then
 		${STATEDIR}/firewall ${OPTIONS} clear
 	    fi
 	fi
    done
    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
 	else
 	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
    fi
    return 0
 }
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -69,12 +69,10 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	return 0
    elif [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    else
-	return 1
+	return 0
    fi
 }
@@ -86,8 +84,10 @@ shorewall_start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	  if [ -x ${STATEDIR}/firewall ]; then
-	      ${STATEDIR}/firewall ${OPTIONS} stop
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 		  ${STATEDIR}/firewall ${OPTIONS} stop
 	      fi
 	  fi
      fi
  done
@@ -107,16 +107,16 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
 	      ${STATEDIR}/firewall ${OPTIONS} clear
 	  fi
      fi
  done
  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      else
 	  rm -f "${SAVE_IPSETS}.tmp"
      fi
  fi
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -79,14 +79,12 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	return 0
    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
-	return 6
+	return 0
    fi
 }
@@ -98,8 +96,10 @@ shorewall_start () {
  printf "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	  if [ -x $STATEDIR/firewall ]; then
-	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
 	      fi
 	  fi
      fi
  done
@@ -117,16 +117,16 @@ shorewall_stop () {
  printf "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
 	      ${STATEDIR}/firewall ${OPTIONS} clear
 	  fi
      fi
  done
  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      else
 	  rm -f "${SAVE_IPSETS}.tmp"
      fi
  fi
 }
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -33,12 +33,12 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-    if [ -x ${STATEDIR}/firewall ]; then
+    if [ $PRODUCT = shorewall ]; then
        return 0
    elif [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
    elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
    else
 	return 0
    fi
 }
@@ -67,14 +67,16 @@ shorewall_start () {
    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    #
+	    if [ -x ${STATEDIR}/firewall ]; then
-	    # Run in a sub-shell to avoid name collisions
+		#
-	    #
+		# Run in a sub-shell to avoid name collisions
-	    (
+		#
-		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		(
-		    ${STATEDIR}/firewall ${OPTIONS} stop
+		    if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		fi
+			${STATEDIR}/firewall ${OPTIONS} stop
-	    )
+		    fi
 		)
 	    fi
 	fi
    done
@@ -93,16 +95,16 @@ shorewall_stop () {
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
+	    if [ -x ${STATEDIR}/firewall ]; then
 		${STATEDIR}/firewall ${OPTIONS} clear
 	    fi
 	fi
    done
    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
 	else
 	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
    fi
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall-lite/lib.base
+# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,6 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
 #        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall/Actions/action.A_AllowICMPs.deprecated
+++ b/Shorewall/Actions/action.A_AllowICMPs.deprecated
@@ -0,0 +1,9 @@
 #
 # Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
 #
 # This action A_ACCEPTs needed ICMP types
 #
 ###############################################################################
 #ACTION		SOURCE		DEST	PROTO		DPORT
 AllowICMPs(A_ACCEPT)
--- a/Shorewall/Actions/action.A_Drop.deprecated
+++ b/Shorewall/Actions/action.A_Drop.deprecated
@@ -0,0 +1,57 @@
 #
 # Shorewall -- /usr/share/shorewall/action.A_Drop
 #
 # The audited default DROP common rules
 #
 # This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ?require AUDIT_TARGET
 ?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
 COUNT
 #
 # Special Handling for Auth
 #
 Auth(A_DROP)
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before broadcast Drop.
 #
 A_AllowICMPs	-	-	icmp
 #
 # Don't log broadcasts and multicasts
 #
 dropBcast(audit)
 dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
 dropInvalid(audit)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(A_DROP)
 A_DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 dropNotSyn(audit)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 A_DropDNSrep
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
@@ -1,11 +1,11 @@
 #
-# Shorewall -- /usr/share/shorewall/action.A_REJECT
+# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
 #
 # A_REJECT Action.
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ b/Shorewall/Actions/action.A_Reject.deprecated
@@ -0,0 +1,54 @@
 #
 # Shorewall -- /usr/share/shorewall/action.A_Reject
 #
 # The audited default REJECT action common rules
 #
 # This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ?require AUDIT_TARGET
 ?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
 COUNT
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before broadcast Drop.
 #
 A_AllowICMPs	-	-	icmp
 #
 # Drop Broadcasts and multicasts so they don't clutter up the log
 # (these must *not* be rejected).
 #
 dropBcast(audit)
 dropMcast(audit)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
 dropInvalid(audit)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(A_REJECT)
 A_DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 dropNotSyn(audit)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 A_DropDNSrep
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -13,6 +13,7 @@ DEFAULTS ACCEPT
    @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
 ?else
 ?COMMENT Needed ICMP types (RFC4890)
    @1	-		-	ipv6-icmp	destination-unreachable
    @1	-		-	ipv6-icmp	packet-too-big
    @1	-		-	ipv6-icmp	time-exceeded
@@ -37,7 +38,7 @@ DEFAULTS ACCEPT
    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
    @1	-		-	ipv6-icmp	149	# Certificate path advertisement
-# The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
    @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
    @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
    @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.DNSAmp
+++ b/Shorewall/Actions/action.DNSAmp
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.Drop.deprecated
+++ b/Shorewall/Actions/action.Drop.deprecated
@@ -0,0 +1,84 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Drop
 #
 # The former default DROP common rules. Use of this action is now deprecated
 #
 # This action is invoked before a DROP policy is enforced. The purpose
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # The action accepts six optional parameters:
 #
 # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #     actions.
 # 2 - Action to take with Auth requests. Default is to do nothing special
 #     with them.
 # 3 - Action to take with SMB requests. Default is DROP or A_DROP,
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
 # 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
 ?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
 ?if passed(@1)
    ?if @1 eq 'audit'
 DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
    ?else
        ?error The first parameter to Drop must be 'audit' or '-'
    ?endif
 ?else
 DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
 ?endif
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
 COUNT
 #
 # Special Handling for Auth
 #
 ?if passed(@2)
 Auth(@2)
 ?endif
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before silent broadcast Drop.
 #
 AllowICMPs(@4)	-	-	icmp
 #
 # Don't log broadcasts or multicasts
 #
 Broadcast(DROP,@1)
 Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
 Invalid(DROP,@1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
 DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 DropDNSrep(@5)
--- a/Shorewall/Actions/action.Established
+++ b/Shorewall/Actions/action.Established
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.FIN
+++ b/Shorewall/Actions/action.FIN
@@ -1,33 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.FIN
 #
 # FIN Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # FIN[([<action>])]
 #
 # Default action is ACCEPT
 #
 ###############################################################################
 DEFAULTS ACCEPT,-
@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN ACK,FIN
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -107,11 +107,6 @@ if ( $command & $REAP_OPT ) {
 $duration .= '--rttl ' if $command & $TTL_OPT;
 if ( ( $targets{$action} || 0 ) & NATRULE ) {
    perl_action_helper( "${action}-", "-m recent --rcheck ${duration}--hitcount $hitcount" );
    $action = 'ACCEPT';
 }
 if ( $command & $RESET_CMD ) {
    require_capability 'MARK_ANYWHERE', '"reset"', 's';
@@ -135,7 +130,7 @@ if ( $command & $RESET_CMD ) {
    #
    # if the event is armed, remove it and perform the action
    #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdst" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
 } elsif ( $command & $UPDATE_CMD ) {
    perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {
--- a/Shorewall/Actions/action.Invalid
+++ b/Shorewall/Actions/action.Invalid
@@ -4,7 +4,7 @@
 # Invalid Action
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.New
+++ b/Shorewall/Actions/action.New
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.NotSyn
+++ b/Shorewall/Actions/action.NotSyn
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.RST
+++ b/Shorewall/Actions/action.RST
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.Reject.deprecated
+++ b/Shorewall/Actions/action.Reject.deprecated
@@ -0,0 +1,85 @@
 #
 # Shorewall -- /usr/share/shorewall/action.Reject
 #
 # The former default REJECT action common rules. Use of this action is deprecated.
 #
 # This action is invoked before a REJECT policy is enforced. The purpose
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
 # b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # The action accepts six optional parameters:
 #
 # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #     actions.
 # 2 - Action to take with Auth requests. Default is to do nothing
 #     special with them.
 # 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
 # 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
 ?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
 ?if passed(@1)
    ?if @1 eq 'audit'
 DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
    ?else
 	?error The first parameter to Reject must be 'audit' or '-'
    ?endif
 ?else
 DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
 ?endif
 #ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
 COUNT
 #
 # Special handling for Auth
 #
 ?if passed(@2)
 Auth(@2)
 ?endif
 #
 # ACCEPT critical ICMP types
 #
 # For IPv6 connectivity ipv6-icmp broadcasting is required so
 # AllowICMPs must be before silent broadcast Drop.
 #
 AllowICMPs(@4)	-	-	icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 Broadcast(DROP,@1)
 Multicast(DROP,@1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
 Invalid(DROP,@1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
 DropUPnP(@6)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 NotSyn(DROP,@1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 DropDNSrep(@5)
--- a/Shorewall/Actions/action.Related
+++ b/Shorewall/Actions/action.Related
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
@@ -41,11 +41,6 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 if ( ( $targets{$action} || 0 ) & NATRULE ) {
    perl_action_helper( "${action}-", "" );
    $action = 'ACCEPT';
 }
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" );
 } else {
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
@@ -37,11 +37,6 @@ fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src
 set_action_disposition( $disposition) if supplied $disposition;
 set_action_name_to_caller;
 if ( ( $targets{$action} || 0 ) & NATRULE ) {
    perl_action_helper( "${action}-", "" );
    $action = 'ACCEPT';
 }
 if ( $destination eq 'dst' ) {
    perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" );
 } else {
--- a/Shorewall/Actions/action.TCPFlags
+++ b/Shorewall/Actions/action.TCPFlags
@@ -26,4 +26,4 @@ $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags ALL NONE
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,RST SYN,RST
 $tcpflags_action	-	-	;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
-$tcpflags_action	-	-	;;+ -p 6 --syn --sport 0
+$tcpflags_action	-	-	;;+ -p tcp --syn --sport 0
--- a/Shorewall/Actions/action.Untracked
+++ b/Shorewall/Actions/action.Untracked
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.allowInvalid
+++ b/Shorewall/Actions/action.allowInvalid
@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Actions/action.dropBcasts
+++ b/Shorewall/Actions/action.dropBcasts
@@ -1,39 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/action.dropBcasts
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
 # as published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # dropBcasts[([audit])]
 #
 ###############################################################################
 DEFAULTS -
 ?if passed(@1)
    ?if @1 eq 'audit'
 	?require AUDIT_TARGET
 	Broadcast(A_DROP)
    ?else
 	?error "Invalid argument (@1) to dropBcasts"
    ?endif
 ?else
    Broadcast(DROP)
 ?endif
--- a/Shorewall/Actions/action.dropInvalid
+++ b/Shorewall/Actions/action.dropInvalid
@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Macros/macro.FreeIPA
+++ b/Shorewall/Macros/macro.FreeIPA
@@ -1,16 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.FreeIPA
 #
 # This macro handles FreeIPA server traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 DNS
 HTTP
 HTTPS
 Kerberos
 Kpasswd
 LDAP
 LDAPS
 NTP
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -11,20 +11,13 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	623		# RMCP
 PARAM	-	-	udp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
-PARAM	-	-	tcp	5120,5122,5123	# CD,FD,HD (Asus, Aten)
+PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
-PARAM	-	-	tcp	8889		# WS-MAN
+PARAM	-	-	udp	623		# RMCP
 HTTP
 Telnet
 SNMP
 # TLS/secure ports
 PARAM	-	-	tcp	3520		# Remote Console (Redfish)
 PARAM	-	-	tcp	3669		# Virtual Media (Dell)
 PARAM	-	-	tcp	5124,5126,5127	# CD,FD,HD (AMI)
 PARAM	-	-	tcp	7582		# Remote Console (AMI)
 HTTPS
 SNMP
 SSH						# Serial over Lan
 Telnet
--- a/Shorewall/Macros/macro.Kpasswd
+++ b/Shorewall/Macros/macro.Kpasswd
@@ -1,10 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.Kpasswd
 #
 # This macro handles Kerberos "passwd" traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	464
 PARAM	-	-	udp	464
--- a/Shorewall/Macros/macro.RDP
+++ b/Shorewall/Macros/macro.RDP
@@ -6,5 +6,4 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	udp	3389
 PARAM	-	-	tcp	3389
--- a/Shorewall/Macros/macro.RedisSecure
+++ b/Shorewall/Macros/macro.RedisSecure
@@ -1,9 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.RedisSecure
 #
 # This macro handles Redis Secure (SSL/TLS) traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	6380
--- a/Shorewall/Macros/macro.Rwhois
+++ b/Shorewall/Macros/macro.Rwhois
@@ -1,9 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.Rwhois
 #
 # This macro handles Remote Who Is (rwhois) traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	tcp	4321
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ b/Shorewall/Macros/macro.SNMPTrap.deprecated
@@ -1,9 +1,9 @@
 #
-# Shorewall -- /usr/share/shorewall/macro.Apcupsd
+# Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
-# This macro handles apcupsd traffic.
+# This macro deprecated by SNMPtrap.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-PARAM	-	-	tcp	3551
+SNMPtrap
--- a/Shorewall/Macros/macro.SSDP
+++ b/Shorewall/Macros/macro.SSDP
@@ -1,9 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.SSDP
 #
 # This macro handles SSDP (used by DLNA/UPnP) client traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	udp	1900
--- a/Shorewall/Macros/macro.SSDPserver
+++ b/Shorewall/Macros/macro.SSDPserver
@@ -1,10 +0,0 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.SSDPserver
 #
 # This macro handles SSDP (used by DLNA/UPnP) server bidirectional traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 PARAM	-	-	udp	1900
 PARAM	DEST	SOURCE	udp	-	1900
--- a/Shorewall/Makefile-lite
+++ b/Shorewall/Makefile-lite
@@ -0,0 +1,82 @@
 #     Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2006 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 ################################################################################
 # Place this file in each export directory. Modify each copy to set HOST
 # to the name of the remote firewall corresponding to the directory.
 #
 #	To make the 'firewall' script, type "make".
 #
 #	Once the script is compiling correctly, you can install it by
 #	typing "make install".
 #
 ################################################################################
 #                             V A R I A B L E S
 #
 # Files in the export directory on which the firewall script does not depend
 #
 IGNOREFILES =  firewall% Makefile% trace% %~
 #
 # Remote Firewall system
 #
 HOST = gateway
 #
 # Save some typing
 #
 LITEDIR = /var/lib/shorewall-lite
 #
 # Set this if the remote system has a non-standard modules directory
 #
 MODULESDIR=
 #
 # Default target is the firewall script
 #
 ################################################################################
 #                                T A R G E T S
 #
 all: firewall
 #
 # Only generate the capabilities file if it doesn't already exist
 #
 capabilities:
 	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
 	scp root@$(HOST):$(LITEDIR)/capabilities .
 #
 # Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
 # 'filter-out' will be presented with the list of files in this directory rather than "*"
 #
 firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
 	shorewall compile -e . firewall
 #
 # Only reload on demand.
 #
 install: firewall
 	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
 	ssh root@$(HOST) "/sbin/shorewall-lite restart"
 #
 # Save running configuration
 #
 save:
 	ssh root@$(HOST) "/sbin/shorewall-lite save"
 #
 # Remove generated files
 #
 clean:
 	rm -f capabilities firewall firewall.conf reload
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/ARP.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -195,7 +195,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';
-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT_SECTION;
+    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
    my $prerule = '';
@@ -266,7 +266,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    if ( $source eq 'any' || $source eq 'all' ) {
        $source = ALLIP;
    } else {
-	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT_SECTION || ! $asection );
+	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
    }
    if ( have_bridges && ! $asection ) {
@@ -282,7 +282,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_chain ( $config{ACCOUNTING_TABLE}, 'accountout' ) ,
+			    ensure_rules_chain ( 'accountout' ) ,
 			    OUTPUT_RESTRICT ,
 			    $prerule ,
 			    $rule ,
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -59,7 +59,7 @@ our $have_arptables;
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
    Shorewall::Chains::initialize ($family, 1, $export );
    Shorewall::Zones::initialize ($family, $_[0]);
    Shorewall::Nat::initialize($family);
@@ -103,13 +103,13 @@ sub generate_script_1( $ ) {
    copy2( $lib, $debug ) if -f $lib;
-    emithd<<'EOF';
+    emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
-    for my $exit ( qw/init start tcclear started stop stopped clear restored enabled disabled/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -125,7 +125,7 @@ EOF
 	emit '}';
    }
-    emithd <<'EOF';
+    emit <<'EOF';
 ################################################################################
 # End user exit functions
 ################################################################################
@@ -209,8 +209,6 @@ sub generate_script_2() {
    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
    emit ( qq([ -n "\${CONFDIR:=$shorewallrc1{CONFDIR}}" ]) );
    emit ( qq([ -n "\${SHAREDIR:=$shorewallrc1{SHAREDIR}}" ]) );
    emit 'TEMPFILE=';
@@ -268,13 +266,13 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
+	emit( '' );
    }
    pop_indent;
-    emit "}\n"; # End of initialize()
+    emit "\n}\n"; # End of initialize()
    emit( '' ,
 	  '#' ,
@@ -311,9 +309,10 @@ sub generate_script_2() {
 	    push_indent;
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-		verify_required_interfaces(0);
+
 		set_global_variables(0, 0);
-		handle_optional_interfaces;
+
 		handle_optional_interfaces(0);
 	    }
 	    emit ';;';
@@ -325,19 +324,19 @@ sub generate_script_2() {
 	    push_indent;
 	}
 	verify_required_interfaces(1);
 	set_global_variables(1,1);
 	handle_optional_interfaces;
 	if ( $global_variables & NOT_RESTORE ) {
 	    handle_optional_interfaces(1);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
 	} else {
 	    handle_optional_interfaces(1);
 	}
    } else {
-	verify_required_interfaces(1);
+	emit( 'true' ) unless handle_optional_interfaces(1);
 	emit( 'true' ) unless handle_optional_interfaces;
    }
    pop_indent;
@@ -356,7 +355,7 @@ sub generate_script_2() {
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
 #          than those related to writing to the output script file.
 #
-sub generate_script_3() {
+sub generate_script_3($) {
    if ( $family == F_IPV4 ) {
 	progress_message2 "Creating iptables-restore input...";
@@ -366,6 +365,7 @@ sub generate_script_3() {
    create_netfilter_load( $test );
    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );
    create_save_ipsets;
    create_load_ipsets;
@@ -397,10 +397,16 @@ sub generate_script_3() {
 	emit 'load_kernel_modules Yes';
    }
-    emit( '' ,
+    emit '';
-	  'run_init_exit',
+
-	  '' ,
+    emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	  'load_ipsets' ,
+	   '   run_refresh_exit' ,
 	   'else' ,
 	   '    run_init_exit',
 	   'fi',
 	   '' );
    emit( 'load_ipsets' ,
 	  '' );
    create_nfobjects;
@@ -458,6 +464,11 @@ sub generate_script_3() {
    dump_proxy_arp;
    emit_unindented '__EOF__';
    emit( '',
 	  'if [ "$COMMAND" != refresh ]; then' );
    push_indent;
    emit 'cat > ${VARDIR}/zones << __EOF__';
    dump_zone_contents;
    emit_unindented '__EOF__';
@@ -470,6 +481,10 @@ sub generate_script_3() {
    dump_mark_layout;
    emit_unindented '__EOF__';
    pop_indent;
    emit "fi\n";
    emit '> ${VARDIR}/nat';
    add_addresses;
@@ -508,12 +523,29 @@ sub generate_script_3() {
    my $config_dir = $globals{CONFIGDIR};
-    emithd <<"EOF";
+    emit<<"EOF";
    set_state Started $config_dir
    run_restored_exit
-else
+elif [ \$COMMAND = refresh ]; then
-    setup_netfilter
+    chainlist_reload
 EOF
    push_indent;
    setup_load_distribution;
    setup_forwarding( $family , 0 );
    pop_indent;
    #
    # Use a parameter list rather than 'here documents' to avoid an extra blank line
    #
    emit( '    run_refreshed_exit',
 	  '    do_iptables -N shorewall' );
    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
    emit( "    set_state Started $config_dir",
 	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
 	  'else',
 	  '    setup_netfilter'	);
    push_indent;
    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
@@ -538,7 +570,7 @@ EOF
 	  '    run_started_exit',
 	  "fi\n" );
-    emithd<<'EOF';
+    emit<<'EOF';
 date > ${VARDIR}/restarted
 case $COMMAND in
@@ -548,6 +580,9 @@ case $COMMAND in
    reload)
        mylogger kern.info "$g_product reloaded"
        ;;
    refresh)
        mylogger kern.info "$g_product refreshed"
        ;;
    restore)
        mylogger kern.info "$g_product restored"
        ;;
@@ -582,8 +617,8 @@ sub compile_info_command() {
 #
 sub compiler {
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 ) =
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 , $inline ) =
-       ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
    $export         = 0;
    $test           = 0;
@@ -612,6 +647,7 @@ sub compiler {
 		  timestamp     => { store => \$timestamp,     validate => \&validate_boolean   } ,
 		  debug         => { store => \$debug,         validate => \&validate_boolean   } ,
 		  export        => { store => \$export ,       validate => \&validate_boolean   } ,
 		  chains        => { store => \$chains },
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
@@ -619,6 +655,7 @@ sub compiler {
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
 		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -652,10 +689,9 @@ sub compiler {
    set_timestamp( $timestamp );
    set_debug( $debug , $confess );
    #
    #                                      S H O R E W A L L R C ,
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
-    get_configuration( $export , $update , $annotate );
+    get_configuration( $export , $update , $annotate , $inline );
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # now when shorewall.conf has been processed and the capabilities have been determined.
@@ -757,10 +793,13 @@ sub compiler {
 	emit '}'; # End of setup_common_rules()
    }
    disable_script;
    #
    #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
    enable_script;
    #
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
@@ -778,7 +817,7 @@ sub compiler {
    #
    # Setup Masquerade/SNAT
    #
-    setup_snat;
+    setup_snat( $update );
    #
    # Setup Nat
    #
@@ -859,7 +898,7 @@ sub compiler {
 	optimize_level0;
-	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
+	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -881,7 +920,7 @@ sub compiler {
 	#                          N E T F I L T E R   L O A D
 	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
-	generate_script_3();
+	generate_script_3( $chains );
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -60,10 +60,10 @@ our @EXPORT = ( qw( ALLIPv4
 		  decompose_net
 		  decompose_net_u32
 		  compare_nets
 		  loopback_address
 		  validate_host
 		  validate_range
 		  ip_range_explicit
 		  expand_port_range
 		  allipv4
 		  allipv6
 		  allip
@@ -74,6 +74,10 @@ our @EXPORT = ( qw( ALLIPv4
 		  resolve_proto
 		  resolve_dnsname
 		  proto_name
 		  validate_port
 		  validate_portpair
 		  validate_portpair1
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
 		 ) );
@@ -99,14 +103,12 @@ our $resolve_dnsname;
 our $validate_range;
 our $validate_host;
 our $family;
 our $loopback_address;
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       NILIPv4             => '0.0.0.0' ,
 	       NILIPv6             => '::' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
 	       IPv4_LOOPBACK       => '127.0.0.1' ,
 	       IPv6_MULTICAST      => 'ff00::/8' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
 	       IPv6_SITELOCAL      => 'feC0::/10' ,
@@ -373,10 +375,6 @@ sub rfc1918_networks() {
    @rfc1918_networks
 }
 sub loopback_address() {
    $loopback_address;
 }
 #
 # Protocol/port validation
 #
@@ -413,6 +411,114 @@ sub proto_name( $ ) {
    $proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto
 }
 sub validate_port( $$ ) {
    my ($proto, $port) = @_;
    my $value;
    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
 	$port = numeric_value $port;
 	return $port if defined $port && $port && $port <= 65535;
    } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
    }
    return $value if defined $value;
    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
 }
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    my $pair = $portpair;
    #
    # Accept '-' as a port-range separator
    #
    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
    my @ports = split /:/, $pair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
    $_ = validate_port( $protonum, $_) for grep $_, @ports;
    if ( @ports == 2 ) {
 	$what = 'port range';
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
    } else {
 	$what = 'port';
    }
    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP     ||
 			       $protonum == UDP     ||
 			       $protonum == UDPLITE ||
 			       $protonum == SCTP    ||
 			       $protonum == DCCP );
    join ':', @ports;
 }
 sub validate_portpair1( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
    my @ports = split /-/, $portpair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
    $_ = validate_port( $protonum, $_) for grep $_, @ports;
    if ( @ports == 2 ) {
 	$what = 'port range';
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
    } else {
 	$what = 'port';
 	fatal_error 'Invalid port number (0)' unless $portpair;
    }
    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP  ||
 			       $protonum == UDP  ||
 			       $protonum == SCTP ||
 			       $protonum == DCCP );
    join '-', @ports;
 }
 sub validate_port_list( $$ ) {
    my $result = '';
    my ( $proto, $list ) = @_;
    my @list   = split_list( $list, 'port' );
    if ( @list > 1 && $list =~ /[:-]/ ) {
 	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
    }
    $proto = proto_name $proto;
    for ( @list ) {
 	my $value = validate_portpair( $proto , $_ );
 	$result = $result ? join ',', $result, $value : $value;
    }
    $result;
 }
 my %icmp_types = ( any                          => 'any',
 		   'echo-reply'                 => 0,
 		   'destination-unreachable'    => 3,
@@ -466,6 +572,67 @@ sub validate_icmp( $ ) {
    fatal_error "Invalid ICMP Type ($type)"
 }
 #
 # Expands a port range into a minimal list of ( port, mask ) pairs.
 # Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
 #
 # Example:
 #
 #       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
 #       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
 #
 sub expand_port_range( $$ ) {
    my ( $proto, $range ) = @_;
    if ( $range =~ /^(.*):(.*)$/ ) {
 	my ( $first, $last ) = ( $1, $2);
 	my @result;
 	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
 	#
 	# Supply missing first/last port number
 	#
 	$first = 0     if $first eq '';
 	$last  = 65535 if $last eq '';
 	#
 	# Validate the ports
 	#
 	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
 	$last++; #Increment last address for limit testing.
 	#
 	# Break the range into groups:
 	#
 	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
 	#      - Otherwise, find the largest power of two P that divides the first address such that
 	#        the remaining range has less than or equal to P ports. The next group is
 	#        ( <first> , ~( P-1 ) ).
 	#
 	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
 	    my $mask = 0xffff;         #Mask for current ports in group.
 	    my $y    = 2;              #Next power of two to test
 	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
 	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
 		$mask <<= 1;
 		$z  = $y;
 		$y <<= 1;
 	    }
 	    #
 	    #
 	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
 	    $first += $z;
 	}
 	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
 	@result;
    } else {
 	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
    }
 }
 sub valid_6address( $ ) {
    my $address = $_[0];
@@ -762,7 +929,6 @@ sub initialize( $ ) {
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
 	$vlsm_width       = VLSMv4;
 	$loopback_address = IPv4_LOOPBACK;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -775,7 +941,6 @@ sub initialize( $ ) {
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
 	$vlsm_width       = VLSMv6;
 	$loopback_address = IPv6_LOOPBACK;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -667,7 +667,6 @@ sub create_docker_rules() {
    my $chainref = $filter_table->{FORWARD};
    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
    if ( my $dockerref = known_interface('docker0') ) {
@@ -718,7 +717,7 @@ sub add_common_rules ( $ ) {
    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
-	fatal_error( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
+	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
    } else {
 	if ( have_capability( 'ADDRTYPE' ) ) {
 	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
@@ -2448,7 +2447,7 @@ sub setup_mss( ) {
    my $clampmss = $config{CLAMPMSS};
    my $option;
    my @match;
-    my $chainref = $mangle_table->{FORWARD};
+    my $chainref = $filter_table->{FORWARD};
    if ( $clampmss ) {
 	if ( "\L$clampmss" eq 'yes' ) {
@@ -2554,6 +2553,9 @@ EOF
 	        reload)
 	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
 	        refresh)
 	            mylogger kern.err "ERROR:$g_product refresh failed"
 	            ;;
                enable)
                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
@@ -2643,6 +2645,7 @@ EOF
        rm -f ${VARDIR}/proxyarp
    fi
 EOF
    } else {
 	emit <<'EOF';
@@ -2656,6 +2659,7 @@ EOF
        rm -f ${VARDIR}/proxyndp
    fi
 EOF
    }
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -37,7 +37,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule convert_masq @addresses_to_add %addresses_to_add ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();
 Exporter::export_ok_tags('rules');
@@ -587,11 +587,11 @@ EOF
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
    my $have_masq_rules;
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );
 	my $have_masq_rules;
 	directive_callback(
 	    sub ()
 	    {
@@ -647,8 +647,6 @@ sub convert_masq() {
 	close $snat, directive_callback( 0 );
    }
    $have_masq_rules;
 }
 #
@@ -943,17 +941,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-
+	    my @servers = validate_address $server, 1;
 	    my @servers;
 	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
 		$server = record_runtime_address( $1, $2 );
 		$server =~ s/ $//;
 		@servers = ( $server );
 	    } else {
 		@servers = validate_address $server, 1;
 	    }
 	    $server = join ',', @servers;
 	}
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -64,8 +64,6 @@ our @load_interfaces;
 our $balancing;
 our $fallback;
 our $balanced_providers;
 our $fallback_providers;
 our $metrics;
 our $first_default_route;
 our $first_fallback_route;
@@ -101,8 +99,6 @@ sub initialize( $ ) {
    %provider_interfaces    = ();
    @load_interfaces        = ();
    $balancing              = 0;
    $balanced_providers     = 0;
    $fallback_providers     = 0;
    $fallback               = 0;
    $metrics                = 0;
    $first_default_route    = 1;
@@ -125,7 +121,7 @@ sub initialize( $ ) {
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask   = in_hex( $globals{PROVIDER_MASK} );
+    my $mask = in_hex( $globals{PROVIDER_MASK} );
    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
@@ -161,15 +157,6 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref,  $origin, i => $physical,     mark => "--mark 0/$mask";
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark  $mark/$mask";
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
 		if ( have_ipsec ) {
 		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
 			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
 			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    }
 		}
 		$marked_interfaces{$interface} = 1;
 	    }
@@ -336,24 +323,18 @@ sub balance_default_route( $$$$ ) {
    emit '';
    if ( $first_default_route ) {
-	if ( $balanced_providers == 1 ) {
+	if ( $gateway ) {
-	    if ( $gateway ) {
+	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 		emit qq(DEFAULT_ROUTE="via $gateway dev $interface $realm");
 	    } else {
 		emit qq(DEFAULT_ROUTE="dev $interface $realm");
 	    }
 	} elsif ( $gateway ) {
 	    emit qq(DEFAULT_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit qq(DEFAULT_ROUTE="nexthop dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}
 	$first_default_route = 0;
    } else {
 	if ( $gateway ) {
-	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm\"";
 	}
    }
 }
@@ -366,24 +347,18 @@ sub balance_fallback_route( $$$$ ) {
    emit '';
    if ( $first_fallback_route ) {
-	if ( $fallback_providers == 1 ) {
+	if ( $gateway ) {
-	    if ( $gateway ) {
+	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 		emit qq(FALLBACK_ROUTE="via $gateway dev $interface $realm");
 	    } else {
 		emit qq(FALLBACK_ROUTE="dev $interface $realm");
 	    }
 	} elsif ( $gateway ) {
 	    emit qq(FALLBACK_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
 	} else {
-	    emit qq(FALLBACK_ROUTE="nexthop dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}
 	$first_fallback_route = 0;
    } else {
 	if ( $gateway ) {
-	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm\"";
 	}
    }
 }
@@ -511,7 +486,7 @@ sub process_a_provider( $ ) {
    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, $number );
+	$gateway = get_interface_gateway( $interface, undef, 1 );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
@@ -521,9 +496,6 @@ sub process_a_provider( $ ) {
 	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	$gateway = $1 if $family == F_IPV6 && $gateway =~ /^\[(.+)\]$/;
 	validate_address $gateway, 0;
 	if ( defined $mac ) {
@@ -614,7 +586,6 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'nohostroute' ) {
 		$hostroute = 0;
 	    } elsif ( $option eq 'persistent' ) {
 		warning_message "When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option may not work as expected" if $config{RESTORE_DEFAULT_ROUTE};
 		$persistent = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
@@ -622,12 +593,7 @@ sub process_a_provider( $ ) {
 	}
    }
-    if ( $balance ) {
+    fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;
 	fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $default;
 	$balanced_providers++;
    } elsif ( $default ) {
 	$fallback_providers++;
    }
    if ( $load ) {
 	fatal_error q(The 'balance=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $balance > 1;
@@ -701,6 +667,7 @@ sub process_a_provider( $ ) {
 	    $pref = 10000 + $number - 1;
 	}
    }
    unless ( $loose || $pseudo ) {
@@ -859,7 +826,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route replace default dev $physical table $id";
+		emit "run_ip route add default dev $physical table $id";
 	    }
 	}
@@ -875,8 +842,8 @@ sub add_a_provider( $$ ) {
 		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }
-	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
-	    emit( qq(echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
+	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 	if ( ! $noautosrc ) {
@@ -885,25 +852,24 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( '',
+		emit  ( "find_interface_addresses $physical | while read address; do" );
-			"find_interface_addresses $physical | while read address; do",
+		emit  ( "    qt \$IP -$family rule del from \$address" );
-			"    qt \$IP -$family rule del from \$address",
+		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
 			'done'
 		      );
 	    }
 	}
-	if ( @{$providerref->{persistent_routes}} ) {
+	    if ( @{$providerref->{persistent_routes}} ) {
-	    emit '';
+		emit '';
-	    emit $_ for @{$providers{$table}->{persistent_routes}};
+		emit $_ for @{$providers{$table}->{persistent_routes}};
-	}
+	    }
-	if ( @{$providerref->{persistent_rules}} ) {
+	    if ( @{$providerref->{persistent_rules}} ) {
-	    emit '';
+		emit '';
-	    emit $_ for @{$providers{$table}->{persistent_rules}};
+		emit $_ for @{$providers{$table}->{persistent_rules}};
 	    }
 	}
 	pop_indent;
@@ -911,6 +877,7 @@ sub add_a_provider( $$ ) {
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );
 	pop_indent;
 	emit( "}\n" );
@@ -936,7 +903,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route replace default dev $physical table $id";
+		emit "run_ip route add default dev $physical table $id";
 	    }
 	}
    }
@@ -968,7 +935,7 @@ CEOF
 	my $hexmark = in_hex( $mark );
 	my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
-	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $persistent || $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
@@ -997,7 +964,7 @@ CEOF
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}
-	emit "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
    }
    if ( $balance ) {
@@ -1009,16 +976,14 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route replace default via $gateway src $address dev $physical table $id metric $number);
+	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
-	    emit qq(run_ip route replace default table $id dev $physical metric $number);
+	    emit qq(run_ip route add default table $id dev $physical metric $number);
 	    emit qq(echo "\$IP -$family route del default dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	}
 	emit( 'g_fallback=Yes' ) if $persistent;
 	$metrics = 1;
    }
@@ -1040,13 +1005,12 @@ CEOF
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
 		if ( $persistent ) {
-		    emit( qq(if ! egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),
+		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
 			  qq(    qt \$IP -$family rule del from $address pref 20000),
 			  qq(    run_ip rule add from $address pref 20000 table $id),
 			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
 			  qq(fi) );
 		} else {
-		    emit  "qt \$IP -$family rule del from $address" if $persistent || $config{DELETE_THEN_ADD};
+		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 		}
@@ -1103,21 +1067,7 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
-	emit( qq(rm -f \${VARDIR}/${physical}_disabled),
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
 	    );
 	if ( ! $pseudo && $config{USE_DEFAULT_RT} && $config{RESTORE_DEFAULT_ROUTE} ) {
 	    emit  ( '#',
 		    '# We now have a viable default route in the \'default\' table so delete any default routes in the main table',
 		    '#',
 		    'while qt \$IP -$family route del default table ' . MAIN_TABLE . '; do',
 		    '    true',
 		    'done',
 		    ''
 		);
 	}
 	emit_started_message( '', 2, $pseudo, $table, $number );
 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1251,7 +1201,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    echo 1 > \${VARDIR}/${physical}_disabled",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1262,14 +1212,12 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
-	emit( "echo 1 > \${VARDIR}/${physical}.status",
+	emit( "echo 1 > \${VARDIR}/${physical}.status" );
 	      $pseudo ? "run_disabled_exit ${physical} ${interface}" : "run_disabled_exit ${physical} ${interface} ${table}"
 	    );
 	if ( $pseudo ) {
-	    emit( "progress_message2 \"Optional Interface $table stopped\"" );
+	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
 	} else {
-	    emit( "progress_message2 \"Provider $table ($number) stopped\"" );
+	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
 	}
 	pop_indent;
@@ -1370,7 +1318,7 @@ sub add_an_rtrule1( $$$$$ ) {
    $priority = "pref $priority";
-    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $persistent || $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
    if ( $persistent ) {
@@ -1468,22 +1416,22 @@ sub add_a_route( ) {
    if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
-	    push @$routes,            qq(run_ip route replace $dest via $gateway dev $physical table $id);
+	    push @$routes,            qq(run_ip route add $dest via $gateway dev $physical table $id);
-	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway dev $physical table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route add $dest via $gateway dev $physical table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} elsif ( $null ) {
-	    push @$routes,            qq(run_ip route replace $null $dest table $id);
+	    push @$routes,            qq(run_ip route add $null $dest table $id);
-	    push @$persistent_routes, qq(run_ip route replace $null $dest table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route add $null $dest table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $null $dest table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
-	    push @$routes,            qq(run_ip route replace $dest via $gateway table $id);
+	    push @$routes,            qq(run_ip route add $dest via $gateway table $id);
-	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway table $id) if $persistent;
+	    push @$persistent_routes, qq(run_ip route add $dest via $gateway table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	}
    } else {
 	fatal_error "You must specify a device for this route" unless $physical;
-	push @$routes,            qq(run_ip route replace $dest dev $physical table $id);
+	push @$routes,            qq(run_ip route add $dest dev $physical table $id);
-	push @$persistent_routes, qq(run_ip route replace $dest dev $physical table $id) if $persistent;
+	push @$persistent_routes, qq(run_ip route add $dest dev $physical table $id) if $persistent;
 	push @$routes,             q(echo "$IP ) . qq(-$family route del $dest dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
    }
@@ -1585,17 +1533,16 @@ sub finish_providers() {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        while qt \$IP -6 route delete default table $table; do true; done",
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
-		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
-		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
 		    '    fi',
 		    '' );
 	}
 	if ( $config{USE_DEFAULT_RT} ) {
-	    emit  ( '',
+	    emit  ( "    while qt \$IP -$family route del default table $main; do",
 		    "    while qt \$IP -$family route del default table $main; do",
 		    '        true',
 		    '    done',
 		    ''
@@ -1607,7 +1554,7 @@ sub finish_providers() {
 		'    error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
 	if ( $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit qq(    [ -z "\${FALLBACK_ROUTE}\${g_fallback}" ] && restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
+	    emit qq(    restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
@@ -1634,7 +1581,7 @@ sub finish_providers() {
 	}
 	emit ( '#',
-	       '# Delete any default routes with metric 0 in the \'balance\' table',
+	       '# Delete any routes in the \'balance\' table',
 	       '#',
 	       "while qt \$IP -$family route del default table $balance; do",
 	       '    true',
@@ -1649,7 +1596,7 @@ sub finish_providers() {
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    while qt \$IP -6 route delete default table $default; do true; done" );
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}
@@ -1662,10 +1609,7 @@ sub finish_providers() {
 	      'fi',
 	      '' );
    } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( '#',
+	emit( "delete_default_routes $default",
 	      '# No balanced fallback routes - delete any routes with metric 0 from the \'default\' table',
 	      '#',
 	      "delete_default_routes $default",
 	      ''
 	    );
    }
@@ -1710,7 +1654,7 @@ sub process_providers( $ ) {
    }
    if ( $providers ) {
-	fatal_error q(Either all 'fallback' providers must specify a weight or none of them can specify a weight) if $fallback && $metrics;
+	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
 	my $fn = open_file( 'route_rules' );
@@ -1741,7 +1685,7 @@ sub process_providers( $ ) {
    add_a_provider( $providers{$_}, $tcdevices ) for @providers;
-    emithd << 'EOF';;
+    emit << 'EOF';;
 #
 # Enable an optional provider
@@ -1787,11 +1731,12 @@ EOF
    pop_indent;
    pop_indent;
-    emithd << 'EOF';;
+    emit << 'EOF';;
        *)
            startup_error "$g_interface is not an optional provider or interface"
            ;;
    esac
 }
 #
@@ -1895,19 +1840,20 @@ sub setup_providers() {
 	start_providers;
-	setup_null_routing, emit '' if $config{NULL_ROUTE_RFC1918};
+	setup_null_routing if $config{NULL_ROUTE_RFC1918};
-	if ( @providers ) {
+	emit '';
-	    emit "start_$providers{$_}->{what}_$_" for @providers;
+
-	    emit '';
+	emit "start_$providers{$_}->{what}_$_" for @providers;
-	}
+
 	emit '';
 	finish_providers;
 	emit "\nrun_ip route flush cache";
 	pop_indent;
-	emit 'fi';
+	emit "fi\n";
 	setup_route_marking if @routemarked_interfaces || @load_interfaces;
    } else {
@@ -1918,10 +1864,9 @@ sub setup_providers() {
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
 	    emit '';
 	}
-	emit "undo_routing";
+	emit "\nundo_routing";
 	emit "restore_default_route $config{USE_DEFAULT_RT}";
 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
@@ -1946,8 +1891,9 @@ sub setup_providers() {
 	pop_indent;
-	emit 'fi';
+	emit "fi\n";
    }
 }
 #
@@ -2196,13 +2142,17 @@ sub provider_realm( $ ) {
 }
 #
-# Perform processing related to optional interfaces. Returns true if there are optional interfaces.
+# This function is called by the compiler when it is generating the detect_configuration() function.
-
+# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
 # ..._IS_USABLE interface variables appropriately for the  optional interfaces
 #
-sub handle_optional_interfaces() {
+# Returns true if there were required or optional interfaces
 #
 sub handle_optional_interfaces( $ ) {
    my @interfaces;
    my $wildcards;
    #
    # First do the provider interfacess. Those that are real providers will never have wildcard physical
    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
@@ -2226,6 +2176,10 @@ sub handle_optional_interfaces() {
    if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
 	my $gencase     = shift;
 	verify_required_interfaces( $gencase );
 	emit '' if $gencase;
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
@@ -2368,7 +2322,7 @@ sub handle_optional_interfaces() {
 	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
-		  '        start|reload|restore)'
+		  '        start|reload|restore|refresh)'
 		);
 	    if ( $family == F_IPV4 ) {
@@ -2389,6 +2343,8 @@ sub handle_optional_interfaces() {
 	return 1;
    }
    verify_required_interfaces( shift );
 }
 #
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -96,7 +96,6 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
    }
    emit ( "run_ip neigh add proxy $address nud permanent dev $extphy" ,
 	   '' ,
 	   qq(progress_message "   Host $address connected to $interface added to $proto on $extphy"\n) );
    push @proxyarp, "$address $interface $external $haveroute";
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -91,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
    my $disposition = $action;
    my $exception_rule = '';
-
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
    my $level = '';
    if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
@@ -138,14 +138,6 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
 	if ( $proto ne '-' ) {
 	    if ( $proto =~ s/:all$// ) {
 		fatal_error '":all" may only be used with TCP' unless resolve_proto( $proto ) == TCP;
 	    } else {
 		$proto = TCP . ':syn' if $proto !~ /:syn/ && resolve_proto( $proto ) == TCP;
 	    }
 	}
 	if ( $option eq 'notrack' ) {
 	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
@@ -207,9 +199,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
    expand_rule( $chainref ,
 		 $restriction ,
 		 '',
-		 do_proto( $proto, $ports, $sports ) . 
+		 $rule,
 		 do_user ( $user ) . 
 		 do_condition( $switch , $chainref->{name} ),
 		 $source ,
 		 $dest ,
 		 '' ,
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -225,11 +225,11 @@ sub handle_in_bandwidth( $$$ ) {
    if ( have_capability 'BASIC_FILTER' ) {
 	if ( $in_rate ) {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
-		  "    police mpu 64 rate ${in_rate}kbit burst $in_burst drop\n" );
+		  "    police mpu 64 drop rate ${in_rate}kbit burst $in_burst\n" );
 	} else {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
 		  "    estimator $in_interval $in_decay basic \\",
-		  "    police avrate ${in_avrate}kbit drop\n" );
+		  "    police drop avrate ${in_avrate}kbit\n" );
 	}
    } else {
 	emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,
@@ -1434,7 +1434,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 	    while ( @sportlist ) {
 		my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
-		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask 0x$smask eq 0x$sport \\)";
+		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask $smask eq 0x$sport \\)";
 		$rule .= ' or' if @sportlist;
 	    }
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tunnels.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
@@ -85,8 +85,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_rules_chain( ${zone}, ${fw} );
+		$inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
-		$outchainref = ensure_rules_chain( ${fw}, ${zone} );
+		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
 		unless ( have_ipsec ) {
 		    add_tunnel_rule $inchainref,  p => 50, @$source;
@@ -250,8 +250,8 @@ sub setup_tunnels() {
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );
-	my $inchainref  = ensure_rules_chain( ${zone}, ${fw}   );
+	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
-	my $outchainref = ensure_rules_chain( ${fw},   ${zone} );
+	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
 	$gateways = ALLIP if $gateways eq '-';
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Zones.pm
+# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Zones.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -90,8 +90,9 @@ our @EXPORT = ( qw( NOTHING
 		    interface_is_optional
 		    interface_is_required
 		    find_interfaces_by_option
 		    find_interfaces_by_option1
 		    get_interface_option
-		    get_interface_origin
+                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    interface_zone
@@ -113,31 +114,31 @@ our $VERSION = 'MODULEVERSION';
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
 #     %zones{<zone1> => {name =>       <name>,
-#			 type =>       <zone type>	 FIREWALL, IP, IPSEC, BPORT;
+#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
-#			 complex =>    0|1
+#                        complex =>    0|1
-#			 super	 =>    0|1
+#                        super   =>    0|1
-#			 options =>    { in_out	 => < policy match string >
+#                        options =>    { in_out  => < policy match string >
-#					 in	 => < policy match string >
+#                                        in      => < policy match string >
-#					 out	 => < policy match string >
+#                                        out     => < policy match string >
-#				       }
+#                                      }
-#			 parents =>    [ <parents> ]	  Parents, Children and interfaces are listed by name
+#                        parents =>    [ <parents> ]      Parents, Children and interfaces are listed by name
-#			 children =>   [ <children> ]
+#                        children =>   [ <children> ]
-#			 interfaces => { <interfaces1> => 1, ... }
+#                        interfaces => { <interfaces1> => 1, ... }
-#			 bridge =>     <bridge>
+#                        bridge =>     <bridge>
-#			 hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
+#                        hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
-#								   options => { <option1> => <value1>
+#                                                                  options => { <option1> => <value1>
-#										...
+#                                                                               ...
-#									      }
+#                                                                             }
-#								   hosts   => [ <net1> , <net2> , ... ]
+#                                                                  hosts   => [ <net1> , <net2> , ... ]
-#								   exclusions => [ <net1>, <net2>, ... ]
+#                                                                  exclusions => [ <net1>, <net2>, ... ]
-#								   origin   => <where defined>
+#                                                                  origin   => <where defined>
-#								 }
+#                                                                }
-#						 <interface2> => ...
+#                                                <interface2> => ...
-#					       }
+#                                              }
-#					     ]
+#                                            ]
-#			}
+#                       }
-#	      <zone2> => ...
+#             <zone2> => ...
-#	    }
+#           }
 #
 #     $firewall_zone names the firewall zone.
 #
@@ -159,27 +160,27 @@ our %reservedName = ( all => 1,
 #
 #     @interfaces lists the interface names in the order that they appear in the interfaces file.
 #
-#     %interfaces { <interface1> => { name	  => <name of interface>
+#     %interfaces { <interface1> => { name        => <name of interface>
-#				      root	  => <name without trailing '+'>
+#                                     root        => <name without trailing '+'>
-#				      options	  => { port => undef|1
+#                                     options     => { port => undef|1
-#						     { <option1> } => <val1> ,		#See %validinterfaceoptions
+#                                                    { <option1> } => <val1> ,          #See %validinterfaceoptions
-#						       ...
+#                                                      ...
-#						     }
+#                                                    }
-#				      zone	  => <zone name>
+#                                     zone        => <zone name>
-#				      multizone	  => undef|1   #More than one zone interfaces through this interface
+#                                     multizone   => undef|1   #More than one zone interfaces through this interface
-#				      nets	  => <number of nets in interface/hosts records referring to this interface>
+#                                     nets        => <number of nets in interface/hosts records referring to this interface>
-#				      bridge	  => <bridge name> # Same as ->{name} if not a bridge port.
+#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
-#				      ports	  => <number of port on this bridge>
+#                                     ports       => <number of port on this bridge>
-#				      ipsec	  => undef|1 # Has an ipsec host group
+#                                     ipsec       => undef|1 # Has an ipsec host group
-#				      broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
+#                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
-#				      number	  => <ordinal position in the interfaces file>
+#                                     number      => <ordinal position in the interfaces file>
-#				      physical	  => <physical interface name>
+#                                     physical    => <physical interface name>
-#				      base	  => <shell variable base representing this interface>
+#                                     base        => <shell variable base representing this interface>
-#				      wildcard	  => undef|1 # Wildcard Name
+#                                     wildcard    => undef|1 # Wildcard Name
-#				      zones	  => { zone1 => 1, ... }
+#                                     zones       => { zone1 => 1, ... }
-#				      origin	  => <where defined>
+#                                     origin      => <where defined>
-#				    }
+#                                   }
-#		  }
+#                 }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
@@ -252,17 +253,6 @@ use constant { NO_UPDOWN   => 1,
 our %validinterfaceoptions;
 our %procinterfaceoptions=( accept_ra   => 1,
 			    arp_filter  => 1,
 			    arp_ignore  => 1,
 			    forward     => 1,
 			    logmartians => 1,
 			    proxyarp    => 1,
 			    proxyndp    => 1,
 			    routefilter => 1,
 			    sourceroute => 1,
 			  );
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -327,7 +317,7 @@ sub initialize( $$ ) {
    %mapbase = ();
    %mapbase1 = ();
    $baseseq = 0;
-    $minroot = undef;
+    $minroot = 0;
    $loopback_interface = '';
    %validzoneoptions = ( mss            => NUMERIC,
@@ -349,7 +339,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
-				  dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
+				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -373,9 +363,9 @@ sub initialize( $$ ) {
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
-				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST + IF_OPTION_WILDOK,
+				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST,
 				  unmanaged   => SIMPLE_IF_OPTION,
-				  wait        => NUMERIC_IF_OPTION,
+				  wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -400,7 +390,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
-				    dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
+				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -412,18 +402,18 @@ sub initialize( $$ ) {
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
-				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER + IF_OPTION_WILDOK,
+				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => BINARY_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    forward     => BINARY_IF_OPTION,
-				    physical    => STRING_IF_OPTION + IF_OPTION_HOST + IF_OPTION_WILDOK,
+				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				    unmanaged   => SIMPLE_IF_OPTION,
 				    upnp        => SIMPLE_IF_OPTION,
 				    upnpclient  => SIMPLE_IF_OPTION,
-				    wait        => NUMERIC_IF_OPTION,
+				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -711,40 +701,6 @@ sub haveipseczones() {
    0;
 }
 #
 # Returns 1 if the two interfaces passed are related
 #
 sub interface_match( $$ ) {
    my ( $piface, $ciface ) = @_;
    return 1 if $piface eq $ciface;
    my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface};
    return 1 if $piface eq $cifaceref->{bridge};
    return 1 if $ciface eq $pifaceref->{bridge};
    if ( defined $minroot ) {
 	if ( $piface =~ /\+$/ ) {
 	    my $root    = $pifaceref->{root};
 	    my $rlength = length( $root );
 	    while ( length( $ciface ) >= $rlength ) {
 		return 1 if $ciface eq $root;
 		chop $ciface;
 	    }
 	} elsif ( $ciface =~ /\+$/ ) {
 	    my $root    = $cifaceref->{root};
 	    my $rlength = length( $root );
 	    while ( length( $piface ) >= $rlength ) {
 		return 1 if $piface eq $root;
 		chop $piface;
 	    }
 	}
    }
    0;
 }
 #
 # Report about zones.
 #
@@ -782,7 +738,7 @@ sub zone_report()
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:[$grouplist]";
+				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
 			    }
 			    $printed = 1;
 			}
@@ -791,17 +747,6 @@ sub zone_report()
 	    }
 	}
      PARENT:
 	for my $p ( @{$zoneref->{parents}} ) {
 	    for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) {
 		for my $ci ( keys( %{$zoneref->{interfaces}} ) ) {
 		    next PARENT if interface_match( $pi, $ci );
 		}
 	    }
 	    warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common";
 	}
 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
@@ -1214,16 +1159,15 @@ sub process_interface( $$ ) {
    }
    my $wildcard = 0;
    my $physwild = 0;
    my $root;
    if ( $interface =~ /\+$/ ) {
-	$wildcard = $physwild = 1; # Default physical name is the logical name
+	$wildcard = 1;
 	$root = substr( $interface, 0, -1 );
 	$roots{$root} = $interface;
 	my $len = length $root;
-	if ( defined $minroot ) {
+	if ( $minroot ) {
 	    $minroot = $len if $minroot > $len;
 	} else {
 	    $minroot = $len;
@@ -1269,6 +1213,8 @@ sub process_interface( $$ ) {
 	my %hostoptions = ( dynamic => 0 );
 	for my $option (split_list1 $options, 'option' ) {
 	    next if $option eq '-';
 	    ( $option, my $value ) = split /=/, $option;
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
@@ -1305,6 +1251,7 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
 		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
@@ -1328,6 +1275,7 @@ sub process_interface( $$ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
 		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
@@ -1379,9 +1327,7 @@ sub process_interface( $$ ) {
 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
-		    $physwild = ( $value =~ /\+$/ );
+		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
 		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $physwild;
 		    $physical = $value;
 		} else {
 		    assert(0);
@@ -1409,14 +1355,6 @@ sub process_interface( $$ ) {
 	    $options{ignore} = 0;
 	}
 	for my $option ( keys %options ) {
 	    if ( $root ) {
 		warning_message( "The '$option' option is ignored when used with a wildcard physical name" ) if $physwild && $procinterfaceoptions{$option};
 	    } else {
 		warning_message( "The '$option' option is ignored when used with interface name '+'" ) unless $validinterfaceoptions{$option} & IF_OPTION_WILDOK;
 	    }
 	}
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
@@ -1475,7 +1413,6 @@ sub process_interface( $$ ) {
 						   zones      => {},
 						   origin     => shortlineinfo( '' ),
 						   wildcard   => $wildcard,
 						   physwild   => $physwild, # Currently unused
 					         };
    $interfaces{$physical} = $interfaceref if $physical ne $interface;
@@ -1634,11 +1571,13 @@ sub known_interface($)
    my $iface = $interface;
-    if ( defined $minroot ) {
+    if ( $minroot ) {
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
-	while ( length $iface >= $minroot ) {
+	while ( length $iface > $minroot ) {
 	    chop $iface;
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
@@ -1660,8 +1599,6 @@ sub known_interface($)
 		                              };
 		return $interfaceref;
 	    }
 	    chop $iface;
 	}
    }
@@ -1875,8 +1812,7 @@ sub find_interfaces_by_option( $;$ ) {
    for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};
-	next unless $interfaceref->{root};                                   # Don't return '+' interface
+	next unless $interfaceref->{root};
 	next if $procinterfaceoptions{$option} && $interfaceref->{physwild}; # Ignore /proc options on wildcard interface
 	my $optionsref = $interfaceref->{options};
 	if ( $nonzero ) {
@@ -1891,6 +1827,35 @@ sub find_interfaces_by_option( $;$ ) {
    \@ints;
 }
 #
 # Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
 #
 # - All entries in %interfaces are searched.
 # - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
 #
 sub find_interfaces_by_option1( $ ) {
    my $option = $_[0];
    my @ints = ();
    my $wild = 0;
    for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 	next unless defined $interfaceref->{physical};
 	my $optionsref = $interfaceref->{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
 	    $wild ||= $interfaceref->{wildcard};
 	    push @ints , $interface
 	}
    }
    return unless defined wantarray;
    wantarray ? ( \@ints, $wild ) : \@ints;
 }
 #
 # Return the value of an option for an interface
 #
@@ -2021,7 +1986,6 @@ sub verify_required_interfaces( $ ) {
 	emit( "esac\n" );
 	$returnvalue = 1;
    }
    $interfaces = find_interfaces_by_option( 'required' );
@@ -2031,7 +1995,7 @@ sub verify_required_interfaces( $ ) {
 	if ( $generate_case ) {
 	    emit( 'case "$COMMAND" in' );
 	    push_indent;
-	    emit( 'start|reload|restore)' );
+	    emit( 'start|reload|restore|refresh)' );
 	    push_indent;
 	}
@@ -2067,7 +2031,7 @@ sub verify_required_interfaces( $ ) {
 	    emit( ';;' );
 	    pop_indent;
 	    pop_indent;
-	    emit( "esac\n" );
+	    emit( 'esac' );
 	}
 	$returnvalue = 1;
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -32,6 +32,7 @@
 #         --directory=<directory>     # Directory where configuration resides (default is /etc/shorewall)
 #         --timestamp                 # Timestamp all progress messages
 #         --debug                     # Print stack trace on warnings and fatal error.
 #         --refresh=<chainlist>       # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
@@ -39,6 +40,7 @@
 #         --shorewallrc=<path>        # Path to global shorewallrc file.
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
 #    If the <filename> is omitted, then a 'check' operation is performed.
@@ -62,6 +64,7 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --timestamp ]
    [ --debug ]
    [ --confess ]
    [ --refresh=<chainlist> ]
    [ --log=<filename> ]
    [ --log-verbose={-1|0-2} ]
    [ --test ]
@@ -72,6 +75,7 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --shorewallrc=<pathname> ]
    [ --shorewallrc1=<pathname> ]
    [ --config_path=<path-list> ]
    [ --inline ]
 _EOF_
 exit shift @_;
@@ -86,6 +90,7 @@ my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
 my $confess       = 0;
 my $chains        = ':none:';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;
@@ -97,6 +102,7 @@ my $update        = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
 my $shorewallrc1  = '';
 my $inline        = 0;
 Getopt::Long::Configure ('bundling');
@@ -111,6 +117,8 @@ my $result = GetOptions('h'               => \$help,
 			'timestamp'       => \$timestamp,
 			't'               => \$timestamp,
 		        'debug'           => \$debug,
 			'r=s'             => \$chains,
 			'refresh=s'       => \$chains,
 			'log=s'           => \$log,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
@@ -124,6 +132,7 @@ my $result = GetOptions('h'               => \$help,
 			'annotate'        => \$annotate,
 			'u'               => \$update,
 			'update'          => \$update,
 			'inline'          => \$inline,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -138,6 +147,7 @@ compiler( script          => $ARGV[0] || '',
 	  timestamp       => $timestamp,
 	  debug           => $debug,
 	  export          => $export,
 	  chains          => $chains,
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
@@ -149,4 +159,5 @@ compiler( script          => $ARGV[0] || '',
 	  config_path     => $config_path,
 	  shorewallrc     => $shorewallrc,
 	  shorewallrc1    => $shorewallrc1,
 	  inline          => $inline,
 	);
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -1,4 +1,4 @@
-#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -369,7 +369,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 delete_default_routes() # $1 = table number
 {
    $IP -$g_family route ls table $1 | grep -F default | grep -vF metric | while read route; do
-	qt $IP -$g_family route del $route table $1
+	qt $IP -$g_family route del $route
    done
 } 
@@ -421,7 +421,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 conditionally_flush_conntrack() {
    if [ -n "$g_purge" ]; then
-	if [ -n "$(mywhich conntrack)" ]; then
+	if [ -n $(mywhich conntrack) ]; then
            conntrack -F
 	else
            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
@@ -899,7 +899,7 @@ detect_dynamic_gateway() { # $1 = interface
 #
 # Detect the gateway through an interface
 #
-detect_gateway() # $1 = interface $2 = table number
+detect_gateway() # $1 = interface
 {
    local interface
    interface=$1
@@ -912,8 +912,6 @@ detect_gateway() # $1 = interface $2 = table number
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
@@ -1065,6 +1063,8 @@ clear_firewall() {
    run_iptables -F
    qt $IPTABLES -t raw -F
    echo 1 > /proc/sys/net/ipv4/ip_forward
    if [ -n "$DISABLE_IPV6" ]; then
 	if [ -x $IP6TABLES ]; then
    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
@@ -1373,6 +1373,8 @@ clear_firewall() {
    run_iptables -F
    qt $IP6TABLES -t raw -F
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    run_clear_exit
    set_state "Cleared"
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -1,23 +1,5 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
 #
 #   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #	Free Software Foundation, either version 2 of the license or, at your
 #	option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 ###############################################################################
 #
 # Give Usage Information
@@ -96,13 +78,11 @@ reload_command() {
    detect_configuration
    define_firewall
    status=$?
-
+    if [ -n "$SUBSYSLOCK" ]; then
-    if [ $status -eq 0 ]; then
+ 	[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
 	[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
 	progress_message3 "done."
    else
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
    fi
    [ $status -eq 0 ] && progress_message3 "done."
 }
 ################################################################################
@@ -147,10 +127,8 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
 g_dockeringress=
 g_dockernetwork=
 g_forcereload=
 g_fallback=
 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
@@ -286,10 +264,8 @@ case "$COMMAND" in
 	    error_message "$g_product is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
-	    for table in raw mangle nat filter; do
+	    $g_tool -Z
-		qt $g_tool -t $table -Z
+	    $g_tool -t mangle -Z
 	    done
 	    date > ${VARDIR}/restarted
 	    status=0
 	    progress_message3 "$g_product Counters Reset"
@@ -373,7 +349,6 @@ case "$COMMAND" in
    clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
 	detect_configuration
 	clear_firewall
 	status=0
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -443,12 +418,9 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	mutex_on
 	if product_is_started; then
 	    COMMAND=disable
 	    detect_configuration $1
-	    disable_provider $1 Yes
+	    COMMAND=enable  disable_provider $1 Yes
-	    COMMAND=enable
+	    COMMAND=disable enable_provider  $1 Yes
 	    detect_configuration $1
 	    enable_provider  $1 Yes
 	fi
 	mutex_off
 	status=0
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -45,8 +45,6 @@ LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
@@ -79,7 +77,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -185,6 +183,8 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
@@ -199,10 +199,14 @@ MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
 MUTEX_TIMEOUT=60
@@ -217,8 +221,6 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=Yes
 REQUIRE_INTERFACE=Yes
 RESTART=restart
@@ -247,8 +249,6 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,4 +14,4 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     NET_IF          dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=eth0
+net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -56,8 +56,6 @@ LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
@@ -90,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -196,6 +194,8 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Off
@@ -210,10 +210,14 @@ MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
 MUTEX_TIMEOUT=60
@@ -228,8 +232,6 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=Yes
 REQUIRE_INTERFACE=No
 RESTART=restart
@@ -258,8 +260,6 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,6 +14,6 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     NET_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
-loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
-dmz     DMZ_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth2
+dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -53,8 +53,6 @@ LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
@@ -87,7 +85,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -193,6 +191,8 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
@@ -207,10 +207,14 @@ MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
 MUTEX_TIMEOUT=60
@@ -225,8 +229,6 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=Yes
 REQUIRE_INTERFACE=No
 RESTART=restart
@@ -255,8 +257,6 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall/Samples/three-interfaces/snat
+++ b/Shorewall/Samples/three-interfaces/snat
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2016 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		NET_IF
+			192.168.0.0/16		eth0
--- a/Shorewall/Samples/three-interfaces/stoppedrules
+++ b/Shorewall/Samples/three-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012-2017 by the Shorewall Team
+# Copyright (C) 2012-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,8 +13,8 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		LOC_IF		-
+ACCEPT		eth1		-
-ACCEPT		-		LOC_IF
+ACCEPT		-		eth1
-ACCEPT		DMZ_IF		-
+ACCEPT		eth2		-
-ACCEPT		-		DMZ_IF
+ACCEPT		-		eth2
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,5 +14,5 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
-loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -56,8 +56,6 @@ LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOG_ZONE=Both
 LOGALLNEW=
 LOGFILE=/var/log/messages
@@ -90,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -196,6 +194,8 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
@@ -210,10 +210,14 @@ MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MINIUPNPD=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX="ko ko.xz"
 MULTICAST=No
 MUTEX_TIMEOUT=60
@@ -228,8 +232,6 @@ PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=Yes
 REQUIRE_INTERFACE=No
 RESTART=restart
@@ -258,8 +260,6 @@ TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=No
 USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
-# Copyright (C) 2006-2017 by the Shorewall Team
+# Copyright (C) 2006-2016 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -20,4 +20,4 @@
 MASQUERADE		10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		NET_IF
+			192.168.0.0/16		eth0
--- a/Shorewall/Samples/two-interfaces/stoppedrules
+++ b/Shorewall/Samples/two-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
 # Shorewall - Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012-2017 by the Shorewall Team
+# Copyright (C) 2012-2015 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -13,5 +13,5 @@
 ###############################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
-ACCEPT		LOC_IF		-
+ACCEPT		eth1		-
-ACCEPT		-		LOC_IF
+ACCEPT		-		eth1
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,8 +8,11 @@
 #
 ###############################################################################
 #ACTION
 A_AllowICMPs inline		# Audited version of AllowICMPs
 A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
 A_Reject			# Audited Default action for REJECT policy
 AllowICMPs   inline		# Allow Required ICMP packets
 allowBcast   inline		# Silently Allow Broadcast
 allowinUPnP  inline		# Allow UPnP inbound (to firewall) traffic
@@ -18,44 +21,33 @@ allowMcast   inline		# Silently Allow Multicast
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
 BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
 ?if __ADDRTYPE
 Broadcast    inline,audit	# Handles Broadcast/Anycast
 ?else
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
-?endif
+DNSAmp				# Matches one-question recursive DNS queries
-DNSAmp	     proto=17		# Matches one-question recursive DNS queries
+Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
 dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 dropMcast    inline		# Silently Drop Multicast
-dropNotSyn   noinline,proto=6	# Silently Drop Non-syn TCP packets
+dropNotSyn   noinline		# Silently Drop Non-syn TCP packets
-DropDNSrep   inline,proto=17	# Drops DNS replies
+DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
 FIN	     inline,audit,\	# Handles ACK,FIN packets
 	     proto=6
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event
 Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
 	     state=INVALID	#
 Limit	     noinline		# Limit the rate of connections from each individual IP address
 ?if __ADDRTYPE
 Multicast    inline,audit	# Handles Multicast
 ?else
 Multicast    noinline,audit	# Handles Multicast
 ?endif
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn	     inline,audit,\	# Handles TCP packets which do not have SYN=1 and ACK=0
+NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
-	     proto=6
+rejNotSyn    noinline		# Silently Reject Non-syn TCP packets
-rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
+Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit,\	# Handle packets with RST set
+RST	     inline,audit	# Handle packets with RST set
 	     proto=6
 SetEvent     inline		# Initialize an event
-TCPFlags     proto=6		# Handle bad flag combinations.
+TCPFlags			# Handle bad flag combinations.
 Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
 	     state=UNTRACKED	#
--- a/Shorewall/configfiles/disabled
+++ b/Shorewall/configfiles/disabled
@@ -1,12 +0,0 @@
 #
 # Shorewall -- /etc/shorewall/disabled
 #
 # Add commands below that you want executed when an optional
 # interface is successfully disabled using the 'disable' command
 #
 # When the commands are invoked:
 #
 #  $1 contains the physical name of the interface
 #  $2 contains the logical name of the interface
 #  $3 contains the name of the provider associated with the interface,
      if any
--- a/Shorewall/configfiles/enabled
+++ b/Shorewall/configfiles/enabled
@@ -1,12 +0,0 @@
 #
 # Shorewall -- /etc/shorewall/enabled
 #
 # Add commands below that you want executed when an optional
 # interface is successfully enabled using the 'enable' command
 #
 # When the commands are invoked:
 #
 #  $1 contains the physical name of the interface
 #  $2 contains the logical name of the interface
 #  $3 contains the name of the provider associated with the interface,
      if any
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -0,0 +1,10 @@
 #
 # Shorewall -- /etc/shorewall/masq
 #
 # For information about entries in this file, type "man shorewall-masq"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###################################################################################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	e027f5078f	Correct a runtime error with NFQUEUE. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-06-12 07:44:34 -07:00
Tom Eastep	81b42afa30	Clean up links in the manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-06-09 08:49:17 -07:00