Clear the firewall on Debian during systemd stop

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correctly handle expansion of option names
2017-03-15 13:01:24 -07:00 · 2017-03-15 11:47:54 -07:00 · 2017-03-15 11:36:47 -07:00 · 2017-01-07 16:20:38 -08:00 · 2017-01-07 16:20:26 -08:00 · 2016-12-27 16:35:58 -08:00
340 changed files with 30934 additions and 13266 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -2,7 +2,7 @@
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
 #
-#     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
@@ -190,7 +190,7 @@ for p in ${!params[@]}; do
 done

 echo '#'                                                                 > shorewallrc
-echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc
+echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
 echo "# rc file: $rcfile"                                               >> shorewallrc
 echo '#'                                                                >> shorewallrc

--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -173,12 +173,7 @@ my $outfile;

 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";

-if ( $ENV{SOURCE_DATE_EPOCH} ) {
-    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date  --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`;
-} else {
-    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
-}
-
+printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
 print $outfile "# rc file: $rcfilename\n#\n";

 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,20 +22,64 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version
+
 PRODUCT=shorewall-core
 Product="Shorewall Core"
-
+ 
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
+    echo "usage: $ME [ <configuration-file> ] "
+    echo "       $ME -v"
+    echo "       $ME -h"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -54,16 +98,16 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-#
-# Source common functions
-#
-. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
 #
 # Parse the run line
 #
@@ -82,7 +126,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "Shorewall Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    *)
@@ -104,14 +148,14 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc
 	file=./shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	. /usr/share/shorewall/shorewallrc
 	file=/usr/share/shorewall/shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -125,7 +169,7 @@ elif [ $# -eq 1 ]; then
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -241,12 +285,13 @@ case "$HOST" in
    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
 	;;
    *)
-	fatal_error "Unknown HOST \"$HOST\""
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
 	;;
 esac

 if [ -z "$file" ]; then
-    if [ $HOST = linux ]; then
+    if $HOST = linux; then
 	file=shorewallrc.default
    else
 	file=shorewallrc.${HOST}
@@ -259,8 +304,7 @@ if [ -z "$file" ]; then
    echo "" >&2
    echo "Example:" >&2
    echo "" >&2
-    echo "   ./install.sh $file" >&2
-    exit 1
+    echo "   ./install.sh $file" &>2
 fi

 if [ -n "$DESTDIR" ]; then
@@ -271,31 +315,45 @@ if [ -n "$DESTDIR" ]; then
    fi
 fi

-echo "Installing $Product Version $VERSION"
+echo "Installing Shorewall Core Version $VERSION"

 #
 # Create directories
 #
-make_parent_directory ${DESTDIR}${LIBEXECDIR}/shorewall 0755
+mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
+chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall

-make_parent_directory ${DESTDIR}${SHAREDIR}/shorewall 0755
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall

-make_parent_directory ${DESTDIR}${CONFDIR} 0755
+mkdir -p ${DESTDIR}${CONFDIR}
+chmod 755 ${DESTDIR}${CONFDIR}

-[ -n "${SYSCONFDIR}" ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+if [ -n "${SYSCONFDIR}" ]; then
+    mkdir -p ${DESTDIR}${SYSCONFDIR}
+    chmod 755 ${DESTDIR}${SYSCONFDIR}
+fi

 if [ -z "${SERVICEDIR}" ]; then
    SERVICEDIR="$SYSTEMD"
 fi

-[ -n "${SERVICEDIR}" ] && make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+if [ -n "${SERVICEDIR}" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
+    chmod 755 ${DESTDIR}${SERVICEDIR}
+fi

-make_parent_directory ${DESTDIR}${SBINDIR} 0755
+mkdir -p ${DESTDIR}${SBINDIR}
+chmod 755 ${DESTDIR}${SBINDIR}

-[ -n "${MANDIR}" ] && make_parent_directory ${DESTDIR}${MANDIR} 0755
+if [ -n "${MANDIR}" ]; then
+    mkdir -p ${DESTDIR}${MANDIR}
+    chmod 755 ${DESTDIR}${MANDIR}
+fi

 if [ -n "${INITFILE}" ]; then
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}

    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
 	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
@@ -307,12 +365,6 @@ fi
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
 #
-# Install the CLI
-#
-install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
-echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"
-#
 # Install wait4ifup
 #
 install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
@@ -324,40 +376,10 @@ echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
 # Install the libraries
 #
 for f in lib.* ; do
-    case $f in
-        *installer)
-            ;;
-        *)
-            install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
-            echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
-            ;;
-    esac
+    install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
+    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done

-if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.cli
-fi
-
-#
-# Install the Man Pages
-#
-if [ -n "$MANDIR" ]; then
-    cd manpages
-
-    [ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
-
-    for f in *.8; do
-	gzip -9c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
-	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
-    done
-
-    cd ..
-
-    echo "Man Pages Installed"
-fi
-
 #
 # Symbolically link 'functions' to lib.base
 #
@@ -366,7 +388,7 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
-chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion

 if [ -z "${DESTDIR}" ]; then
    if [ $update -ne 0 ]; then
@@ -391,20 +413,14 @@ fi

 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
-        case $f in
-            *installer)
-                ;;
-            *)
-                if [ $BUILD != apple ]; then
-                    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
-                else
-                    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
-                fi
-                ;;
-        esac
+	if [ $BUILD != apple ]; then
+	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+	else
+	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
+	fi
    done
 fi
 #
-# Report Success
+#  Report Success
 #
-echo "$Product Version $VERSION Installed"
+echo "Shorewall Core Version $VERSION Installed"
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.base
+# Shorewall 5.0 -- /usr/share/shorewall/lib.base
 #
-#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -20,22 +20,412 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-# This library is a compatibility wrapper around lib.core.
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
 #

-if [ -z "$PRODUCT" ]; then
+SHOREWALL_LIBVERSION=40509
+
+[ -n "${g_program:=shorewall}" ]
+
+if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} != /usr/share
    #
    . /usr/share/shorewall/shorewallrc

-    g_basedir=${SHAREDIR}/shorewall
+    g_sharedir="$SHAREDIR"/$g_program
+    g_confdir="$CONFDIR"/$g_program
+    g_readrc=1
+fi

-    if [ -z "$SHOREWALL_LIBVERSION" ]; then
-	. ${g_basedir}/lib.core
+g_basedir=${SHAREDIR}/shorewall
+
+case $g_program in
+    shorewall)
+	g_product="Shorewall"
+	g_family=4
+	g_tool=iptables
+	g_lite=
+	;;
+    shorewall6)
+	g_product="Shorewall6"
+	g_family=6
+	g_tool=ip6tables
+	g_lite=
+	;;
+    shorewall-lite)
+	g_product="Shorewall Lite"
+	g_family=4
+	g_tool=iptables
+	g_lite=Yes
+	;;
+    shorewall6-lite)
+	g_product="Shorewall6 Lite"
+	g_family=6
+	g_tool=ip6tables
+	g_lite=Yes
+	;;
+esac
+
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/$g_program
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+fi
+
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
+#
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 6
+}
+
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message2() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+progress_message3() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+}
+
+#
+# Undo the effect of 'separate_list()'
+#
+combine_list()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o,}$f"
+    done
+
+    echo $o
+}
+
+#
+# Validate an IP address
+#
+valid_address() {
+    local x
+    local y
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	case $x in
+	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
+		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
+                ;;
+	    *)
+	        IFS=$ifs
+		return 2
+		;;
+	esac
+    done
+
+    IFS=$ifs
+
+    return 0
+}
+
+#
+# Miserable Hack to work around broken BusyBox ash in OpenWRT
+#
+addr_comp() {
+    test $(bc <<EOF
+$1 > $2
+EOF
+) -eq 1
+
+}
+
+#
+# Enumerate the members of an IP range -- When using a shell supporting only
+# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
+#
+# Comes in two flavors:
+#
+# ip_range() - produces a mimimal list of network/host addresses that spans
+#              the range.
+#
+# ip_range_explicit() - explicitly enumerates the range.
+#
+ip_range() {
+    local first
+    local last
+    local l
+    local x
+    local y
+    local z
+    local vlsm
+
+    case $1 in
+	!*)
+	    #
+	    # Let iptables complain if it's a range
+	    #
+	    echo $1
+	    return
+	    ;;
+	[0-9]*.*.*.*-*.*.*.*)
+            ;;
+	*)
+	    echo $1
+	    return
+	    ;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
    fi

-    set_default_product
+    l=$(( $last + 1 ))

-    setup_product_environment
-fi
+    while addr_comp $l $first; do
+	vlsm=
+	x=31
+	y=2
+	z=1
+
+	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
+	    vlsm=/$x
+	    x=$(( $x - 1 ))
+	    z=$y
+	    y=$(( $y * 2 ))
+	done
+
+	echo $(encodeaddr $first)$vlsm
+	first=$(($first + $z))
+    done
+}
+
+ip_range_explicit() {
+    local first
+    local last
+
+    case $1 in
+    [0-9]*.*.*.*-*.*.*.*)
+	;;
+    *)
+	echo $1
+	return
+	;;
+    esac
+
+    first=$(decodeaddr ${1%-*})
+    last=$(decodeaddr ${1#*-})
+
+    if addr_comp $first $last; then
+	fatal_error "Invalid IP address range: $1"
+    fi
+
+    while ! addr_comp $first $last; do
+	echo $(encodeaddr $first)
+	first=$(($first + 1))
+    done
+}
+
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+
+#
+# Netmask to VLSM
+#
+ip_vlsm() {
+    local mask
+    mask=$(decodeaddr $1)
+    local vlsm
+    vlsm=0
+    local x
+    x=$(( 128 << 24 )) # 0x80000000
+
+    while [ $(( $x & $mask )) -ne 0 ]; do
+	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
+	vlsm=$(($vlsm + 1))
+    done
+
+    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
+	echo "Invalid net mask: $1" >&2
+    else
+	echo $vlsm
+    fi
+}
+
+#
+# Set default config path
+#
+ensure_config_path() {
+    local F
+    F=${g_sharedir}/configpath
+    if [ -z "$CONFIG_PATH" ]; then
+	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
+	. $F
+    fi
+
+    if [ -n "$g_shorewalldir" ]; then
+	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+    fi
+}
+
+#
+# Get fully-qualified name of file
+#
+resolve_file() # $1 = file name
+{
+    local pwd
+    pwd=$PWD
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	.)
+	    echo $pwd
+	    ;;
+	./*)
+	    echo ${pwd}${1#.}
+	    ;;
+	..)
+	    cd ..
+	    echo $PWD
+	    cd $pwd
+	    ;;
+	../*)
+	    cd ..
+	    resolve_file ${1#../}
+	    cd $pwd
+	    ;;
+	*)
+	    echo $pwd/$1
+	    ;;
+    esac
+}
+
+#
+# Determine how to do "echo -e"
+#
+
+find_echo() {
+    local result
+
+    result=$(echo "a\tb")
+    [ ${#result} -eq 3 ] && { echo echo; return; }
+
+    result=$(echo -e "a\tb")
+    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
+
+    result=$(which echo)
+    [ -n "$result" ] && { echo "$result -e"; return; }
+
+    echo echo
+}
+
+# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
+#
+#     None - No mktemp
+#     BSD  - BSD mktemp (Mandrake)
+#     STD  - mktemp.org mktemp
+#
+find_mktemp() {
+    local mktemp
+    mktemp=`mywhich mktemp 2> /dev/null`
+
+    if [ -n "$mktemp" ]; then
+	if qt mktemp -V ; then
+	    MKTEMP=STD
+	else
+	    MKTEMP=BSD
+	fi
+    else
+	MKTEMP=None
+    fi
+}
+
+#
+# create a temporary file. If a directory name is passed, the file will be created in
+# that directory. Otherwise, it will be created in a temporary directory.
+#
+mktempfile() {
+
+    [ -z "$MKTEMP" ] && find_mktemp
+
+    if [ $# -gt 0 ]; then
+	case "$MKTEMP" in
+	    BSD)
+		mktemp $1/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -p $1 shorewall.XXXXXX
+		;;
+	    None)
+		> $1/shorewall-$$ && echo $1/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    else
+	case "$MKTEMP" in
+	    BSD)
+		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
+		;;
+	    STD)
+		mktemp -t shorewall.XXXXXX
+		;;
+	    None)
+		rm -f ${TMPDIR:-/tmp}/shorewall-$$
+		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
+		;;
+	    *)
+		error_message "ERROR:Internal error in mktempfile"
+		;;
+	esac
+    fi
+}
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.common
+# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
 #
-#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -269,48 +269,53 @@ loadmodule() # $1 = module name, $2 - * arguments
 {
    local modulename
    modulename=$1
-    shift
-    local moduleoptions
-    moduleoptions=$*
    local modulefile
    local suffix

    if [ -d /sys/module/ ]; then
 	if ! list_search $modulename $DONT_LOAD; then
 	    if [ ! -d /sys/module/$modulename ]; then
-		case $moduleloader in
-		    insmod)
-			for directory in $moduledirectories; do
-			    for modulefile in $directory/${modulename}.*; do
-				if [ -f $modulefile ]; then
-				    insmod $modulefile $moduleoptions
-				    return
-				fi
-			    done
-			done
-			;;
-		    *)
-			modprobe -q $modulename $moduleoptions
-			;;
-		esac
-	    fi
-	fi
-    elif ! list_search $modulename $DONT_LOAD $MODULES; then
-	case $moduleloader in
-	    insmod)
-		for directory in $moduledirectories; do
-		    for modulefile in $directory/${modulename}.*; do
+		shift
+
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}
+
 			if [ -f $modulefile ]; then
-			    insmod $modulefile $moduleoptions
-			    return
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
 			fi
 		    done
 		done
-		;;
-	    *)
-		modprobe -q $modulename $moduleoptions
-		;;
-	esac
+	    fi
+	fi
+    elif ! list_search $modulename $DONT_LOAD $MODULES; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
    fi
 }

@@ -333,6 +338,8 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi

+    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
+
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -387,6 +394,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi

+    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
+
    if [ -n "$MODULESDIR" ]; then
 	case "$MODULESDIR" in
 	    +*)
@@ -754,7 +763,7 @@ mutex_on()

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

-    if [ -z "$g_havemutex" -a $MUTEX_TIMEOUT -gt 0 ]; then
+    if [ $MUTEX_TIMEOUT -gt 0 ]; then

 	lockd=$(dirname $LOCKFILE)

@@ -762,7 +771,7 @@ mutex_on()

 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
@@ -775,14 +784,12 @@ mutex_on()

 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
-	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-	    lock ${lockf}
-	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
-	    chmod u=r ${lockf}
+            lock ${lockf}
+            chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -792,15 +799,10 @@ mutex_on()
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
-		g_havemutex="rm -f ${lockf}"
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
-
-	if [ -n "$g_havemutex" ]; then
-	    trap mutex_off EXIT
-	fi
    fi
 }

@@ -809,10 +811,7 @@ mutex_on()
 #
 mutex_off()
 {
-    if [ -n "$g_havemutex" ]; then
-	eval $g_havemutex
-	g_havemutex=
-	trap '' exit
-    fi
+    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
+    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }

--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,440 +0,0 @@
-#
-# Shorewall 5.2 -- /usr/share/shorewall/lib.core
-#
-#     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# This library contains the code common to all Shorewall components except the
-# generated scripts.
-#
-
-SHOREWALL_LIBVERSION=50108
-
-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 2
-}
-
-setup_product_environment() { # $1 = if non-empty, source shorewallrc again now that we have the correct product
-    g_basedir=${SHAREDIR}/shorewall
-
-    g_sharedir="$SHAREDIR"/$PRODUCT
-    g_confdir="$CONFDIR"/$PRODUCT
-
-    case $PRODUCT in
-	shorewall)
-	    g_product="Shorewall"
-	    g_family=4
-	    g_tool=iptables
-	    g_lite=
-	    ;;
-	shorewall6)
-	    g_product="Shorewall6"
-	    g_family=6
-	    g_tool=ip6tables
-	    g_lite=
-	    ;;
-	shorewall-lite)
-	    g_product="Shorewall Lite"
-	    g_family=4
-	    g_tool=iptables
-	    g_lite=Yes
-	    ;;
-	shorewall6-lite)
-	    g_product="Shorewall6 Lite"
-	    g_family=6
-	    g_tool=ip6tables
-	    g_lite=Yes
-	    ;;
-	*)
-	    fatal_error "Unknown PRODUCT ($PRODUCT)"
-	    ;;
-    esac
-
-    [ -f ${SHAREDIR}/${PRODUCT}/version ] || fatal_error "$g_product does not appear to be installed on this system"
-    #
-    # We need to do this again, now that we have the correct product
-    #
-    [ -n "$1" ] && . ${g_basedir}/shorewallrc
-
-    if [ -z "${VARLIB}" ]; then
-	VARLIB=${VARDIR}
-	VARDIR=${VARLIB}/${PRODUCT}
-    elif [ -z "${VARDIR}" ]; then
-	VARDIR="${VARLIB}/${PRODUCT}"
-    fi
-}
-
-set_default_product() {
-    case $(basename $0) in
-	shorewall6)
-	    PRODUCT=shorewall6
-	    ;;
-	shorewall4)
-	    PRODUCT=shorewall
-	    ;;
-	shorewall-lite)
-	    PRODUCT=shorewall-lite
-	    ;;
-	shorewall6-lite)
-	    PRODUCT=shorewall6-lite
-	    ;;
-	*)
-	    if [ -f ${g_basedir}/version ]; then
-		PRODUCT=shorewall
-	    elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
-		PRODUCT=shorewall-lite
-	    elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
-		PRODUCT=shorewall6-lite
-	    else
-		fatal_error "No Shorewall firewall product is installed"
-	    fi
-	    ;;
-    esac
-}
-
-# Not configured Error
-#
-not_configured_error() # $@ = Message
-{
-    echo "   ERROR: $@" >&2
-    exit 6
-}
-
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-}
-
-#
-# Undo the effect of 'separate_list()'
-#
-combine_list()
-{
-    local f
-    local o
-    o=
-
-    for f in $* ; do
-        o="${o:+$o,}$f"
-    done
-
-    echo $o
-}
-
-#
-# Validate an IP address
-#
-valid_address() {
-    local x
-    local y
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	case $x in
-	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
-		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
-                ;;
-	    *)
-	        IFS=$ifs
-		return 2
-		;;
-	esac
-    done
-
-    IFS=$ifs
-
-    return 0
-}
-
-#
-# Miserable Hack to work around broken BusyBox ash in OpenWRT
-#
-addr_comp() {
-    test $(bc <<EOF
-$1 > $2
-EOF
-) -eq 1
-
-}
-
-#
-# Enumerate the members of an IP range -- When using a shell supporting only
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
-#
-# Comes in two flavors:
-#
-# ip_range() - produces a mimimal list of network/host addresses that spans
-#              the range.
-#
-# ip_range_explicit() - explicitly enumerates the range.
-#
-ip_range() {
-    local first
-    local last
-    local l
-    local x
-    local y
-    local z
-    local vlsm
-
-    case $1 in
-	!*)
-	    #
-	    # Let iptables complain if it's a range
-	    #
-	    echo $1
-	    return
-	    ;;
-	[0-9]*.*.*.*-*.*.*.*)
-            ;;
-	*)
-	    echo $1
-	    return
-	    ;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    l=$(( $last + 1 ))
-
-    while addr_comp $l $first; do
-	vlsm=
-	x=31
-	y=2
-	z=1
-
-	while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
-	    vlsm=/$x
-	    x=$(( $x - 1 ))
-	    z=$y
-	    y=$(( $y * 2 ))
-	done
-
-	echo $(encodeaddr $first)$vlsm
-	first=$(($first + $z))
-    done
-}
-
-ip_range_explicit() {
-    local first
-    local last
-
-    case $1 in
-    [0-9]*.*.*.*-*.*.*.*)
-	;;
-    *)
-	echo $1
-	return
-	;;
-    esac
-
-    first=$(decodeaddr ${1%-*})
-    last=$(decodeaddr ${1#*-})
-
-    if addr_comp $first $last; then
-	fatal_error "Invalid IP address range: $1"
-    fi
-
-    while ! addr_comp $first $last; do
-	echo $(encodeaddr $first)
-	first=$(($first + 1))
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
-#
-# Netmask to VLSM
-#
-ip_vlsm() {
-    local mask
-    mask=$(decodeaddr $1)
-    local vlsm
-    vlsm=0
-    local x
-    x=$(( 128 << 24 )) # 0x80000000
-
-    while [ $(( $x & $mask )) -ne 0 ]; do
-	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
-	vlsm=$(($vlsm + 1))
-    done
-
-    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
-	echo "Invalid net mask: $1" >&2
-    else
-	echo $vlsm
-    fi
-}
-
-#
-# Set default config path
-#
-ensure_config_path() {
-    local F
-    F=${g_sharedir}/configpath
-    if [ -z "$CONFIG_PATH" ]; then
-	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
-	. $F
-    fi
-
-    if [ -n "$g_shorewalldir" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
-    fi
-}
-
-#
-# Get fully-qualified name of file
-#
-resolve_file() # $1 = file name
-{
-    local pwd
-    pwd=$PWD
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	.)
-	    echo $pwd
-	    ;;
-	./*)
-	    echo ${pwd}${1#.}
-	    ;;
-	..)
-	    cd ..
-	    echo $PWD
-	    cd $pwd
-	    ;;
-	../*)
-	    cd ..
-	    resolve_file ${1#../}
-	    cd $pwd
-	    ;;
-	*)
-	    echo $pwd/$1
-	    ;;
-    esac
-}
-
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
-#
-#     None - No mktemp
-#     BSD  - BSD mktemp (Mandrake)
-#     STD  - mktemp.org mktemp
-#
-find_mktemp() {
-    local mktemp
-    mktemp=`mywhich mktemp 2> /dev/null`
-
-    if [ -n "$mktemp" ]; then
-	if qt mktemp -V ; then
-	    MKTEMP=STD
-	else
-	    MKTEMP=BSD
-	fi
-    else
-	MKTEMP=None
-    fi
-}
-
-#
-# create a temporary file. If a directory name is passed, the file will be created in
-# that directory. Otherwise, it will be created in a temporary directory.
-#
-mktempfile() {
-
-    [ -z "$MKTEMP" ] && find_mktemp
-
-    if [ $# -gt 0 ]; then
-	case "$MKTEMP" in
-	    BSD)
-		mktemp $1/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -p $1 shorewall.XXXXXX
-		;;
-	    None)
-		> $1/shorewall-$$ && echo $1/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    else
-	case "$MKTEMP" in
-	    BSD)
-		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
-		;;
-	    STD)
-		mktemp -t shorewall.XXXXXX
-		;;
-	    None)
-		rm -f ${TMPDIR:-/tmp}/shorewall-$$
-		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
-		;;
-	    *)
-		error_message "ERROR:Internal error in mktempfile"
-		;;
-	esac
-    fi
-}
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -1,88 +0,0 @@
-#
-# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
-#
-#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
-#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# The purpose of this library is to hold those functions used by the products installer.
-#
-#########################################################################################
-
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
-require()
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
-make_directory() # $1 = directory , $2 = mode
-{
-    mkdir $1
-    chmod $2 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
-}
-
-make_parent_directory() # $1 = directory , $2 = mode
-{
-    mkdir -p $1
-    chmod $2 $1
-    [ -n "$OWNERSHIP" ] && chown $OWNER:$GROUP $1
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
-}
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -1,105 +0,0 @@
-#
-# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
-#
-#     (c) 2017 - Tom Eastep (teastep@shorewall.net)
-#     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#       This program is part of Shorewall.
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of the GNU General Public License as published by the
-#       Free Software Foundation, either version 2 of the license or, at your
-#       option, any later version.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# The purpose of this library is to hold those functions used by the products uninstaller.
-#
-#########################################################################################
-
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-remove_file() # $1 = file to remove
-{
-    if [ -n "$1" ] ; then
-        if [ -f $1 -o -L $1 ] ; then
-            rm -f $1
-            echo "$1 Removed"
-        fi
-    fi
-}
-
-remove_directory() # $1 = directory to remove
-{
-    if [ -n "$1" ] ; then
-        if [ -d $1 ] ; then
-            rm -rf $1
-            echo "$1 Removed"
-        fi
-    fi
-}
-
-remove_file_with_wildcard() # $1 = file with wildcard to remove
-{
-    if [ -n "$1" ] ; then
-        for f in $1; do
-            if [ -d $f ] ; then
-                rm -rf $f
-                echo "$f Removed"
-            elif [ -f $f -o -L $f ] ; then
-                rm -f $f
-                echo "$f Removed"
-            fi
-        done
-    fi
-}
-
-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
-}
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.2 rc file
+# Apple OS X Shorewall 5.0 rc file
 #
 BUILD=apple
 HOST=apple
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.2 rc file
+# Arch Linux Shorewall 5.0 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.2 rc file
+# Cygwin Shorewall 5.0 rc file
 #
 BUILD=cygwin
 HOST=cygwin
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.2 rc file
+# Debian Shorewall 4.5 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -13,9 +13,9 @@ MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
 INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-empty, annotated configuration files are installed
-SYSCONFFILE=default.debian.systemd	#Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+ANNOTATED=				#If non-zero, annotated configuration files are installed
+SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.2 rc file
+# Debian Shorewall 4.5 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
@@ -14,7 +14,7 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian.sysvinit              #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
 SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,8 +1,8 @@
 #
-# Default Shorewall 5.2 rc file
+# Default Shorewall 5.0 rc file
 #
-BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux
+BUILD=                                  #Default is to detect the build system
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -1,8 +1,8 @@
 #
-# OpenWRT/LEDE Shorewall 5.2 rc file
+# Created by Shorewall Core version 5.0.2-RC1 configure -  Fri, Nov 06, 2015 10:02:03 AM
+#
+# Input: host=openwrt
 #
-BUILD=                                 #Default is to detect the build system
-HOST=openwrt
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.2 rc file
+# RedHat/FedoraShorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat
--- a/Shorewall-core/shorewallrc.sandbox
+++ b/Shorewall-core/shorewallrc.sandbox
@@ -1,28 +0,0 @@
-#
-# Shorewall 5.2 rc file for installing into a Sandbox
-#
-BUILD=                                       # Default is to detect the build system
-HOST=linux
-INSTALLDIR=				     # Set this to the directory where you want Shorewall installed
-PREFIX=${INSTALLDIR}/usr		     # Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share		     # Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share		     # Directory for executable scripts.	
-PERLLIBDIR=${PREFIX}/share/shorewall	     # Directory to install Shorewall Perl module directory	
-CONFDIR=${INSTALLDIR}/etc		     # Directory where subsystem configurations are installed				
-SBINDIR=${INSTALLDIR}/sbin		     # Directory where system administration programs are installed			
-MANDIR=		     			     # Leave empty
-INITDIR=				     # Leave empty				     				
-INITSOURCE=				     # Leave empty
-INITFILE=				     # Leave empty
-AUXINITSOURCE=				     # Leave empty
-AUXINITFILE=				     # Leave empty
-SERVICEDIR=				     # Leave empty
-SERVICEFILE=    			     # Leave empty
-SYSCONFFILE=				     # Leave empty
-SYSCONFDIR=				     # Leave empty			
-SPARSE=					     # Leave empty			
-ANNOTATED=				     # If non-empty, annotated configuration files are installed				
-VARLIB=${INSTALLDIR}/var/lib		     # Directory where product variable data is stored.				
-VARDIR=${VARLIB}/$PRODUCT		     # Directory where product variable data is stored.		
-DEFAULT_PAGER=/usr/bin/less		     # Pager to use if none specified in shorewall[6].conf
-SANDBOX=Yes				     # Indicates SANDBOX installation
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.2 rc file
+# Slackware Shorewall 5.0 rc file
 #
 BUILD=slackware
 HOST=slackware
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.2 rc file
+# SuSE Shorewall 5.0 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Core Modules
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,75 +26,64 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx # The Build script inserts the actual version
-PRODUCT=shorewall-core
+VERSION=xxx #The Build script inserts the actual version
+PRODUCT="shorewall-core"
 Product="Shorewall Core"
-
+ 
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+restore_file() # $1 = file to restore
+{
+    if [ -f ${1}-shorewall.bkout ]; then
+	if (mv -f ${1}-shorewall.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    exit 1
+        fi
+    fi
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-#
-# Source common functions
-#
-. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
-#
-# Parse the run line
-#
-finished=0
-
-while [ $finished -eq 0 ]; do
-    option=$1
-
-    case "$option" in
-	-*)
-	    option=${option#-}
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    h)
-			usage 0
-			;;
-		    v)
-			echo "$Product Firewall Uninstaller Version $VERSION"
-			exit 0
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-
-	    shift
-	    ;;
-	*)
-	    finished=1
-	    ;;
-    esac
-done
-
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -104,11 +93,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -116,26 +105,20 @@ fi
 if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Core Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling $Product $VERSION"
+echo "Uninstalling Shorewall Core $VERSION"

-if [ -n "${MANDIR}" ]; then
-    remove_file_with_wildcard ${MANDIR}/man5/shorewall\*
-    remove_file_with_wildcard ${MANDIR}/man8/shorewall\*
-fi
+rm -rf ${SHAREDIR}/shorewall
+rm -f ~/.shorewallrc
+
+echo "Shorewall Core Uninstalled"

-remove_directory ${SHAREDIR}/shorewall
-remove_file ~/.shorewallrc

-#
-# Report Success
-#
-echo "$Product $VERSION Uninstalled"
--- a/Shorewall-init/default.debian.systemd
+++ b/Shorewall-init/default.debian.systemd
@@ -1,21 +0,0 @@
-# List the Shorewall products that Shorewall-init is to
-# initialize (space-separated list).
-#
-# Sample: PRODUCTS="shorewall shorewall6"
-#
-PRODUCTS=""
-
-#
-# Set this to 1 if you want Shorewall-init to react to
-# ifup/ifdown and NetworkManager events
-#
-IFUPDOWN=0
-#
-# Where Up/Down events get logged
-#
-LOGFILE=/var/log/shorewall-ifupdown.log
-
-# Startup options - set verbosity to 0 (minimal reporting)
-OPTIONS="-V0"
-
-# IOF
--- a/Shorewall-init/default.debian.sysvinit
+++ b/Shorewall-init/default.debian.sysvinit
@@ -1,27 +0,0 @@
-# List the Shorewall products that Shorewall-init is to
-# initialize (space-separated list).
-#
-# Sample: PRODUCTS="shorewall shorewall6"
-#
-PRODUCTS=""
-
-#
-# Set this to 1 if you want Shorewall-init to react to
-# ifup/ifdown and NetworkManager events
-#
-IFUPDOWN=0
-#
-# Set this to the name of the file that is to hold
-# ipset contents. Shorewall-init will load those ipsets
-# during 'start' and will save them there during 'stop'.
-#
-SAVE_IPSETS=""
-#
-# Where Up/Down events get logged
-#
-LOGFILE=/var/log/shorewall-ifupdown.log
-
-# Startup options - set verbosity to 0 (minimal reporting)
-OPTIONS="-V0"
-
-# IOF
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -31,10 +31,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
 	fi
    fi
 }
@@ -130,7 +128,7 @@ for PRODUCT in $PRODUCTS; do
    setstatedir

    if [ -x $VARLIB/$PRODUCT/firewall ]; then
-	( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
    fi
 done

--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -33,11 +33,9 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+    if [ ! -x "$STATEDIR/firewall" ]; then
+	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT $OPTIONS compile
 	fi
    fi
 }
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -31,10 +31,8 @@ setstatedir() {
    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall ]; then
-	    ${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/shorewall -6 compile
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
 	fi
    fi
 }
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -73,16 +73,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ -x ${STATEDIR}/firewall ]; then
-        return 0
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    else
-        if [ $PRODUCT = shorewall ]; then
-            ${SBINDIR}/shorewall compile
-        elif [ $PRODUCT = shorewall6 ]; then
-            ${SBINDIR}/shorewall -6 compile
-        else
-            return 1
-        fi
+	return 0
    fi
 }

@@ -108,18 +102,20 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "

  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-          #
-	  # Run in a sub-shell to avoid name collisions
-	  #
-	  (
-	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop
-	      fi
-	  )
+	  if [ -x ${STATEDIR}/firewall ]; then
+              #
+	      # Run in a sub-shell to avoid name collisions
+	      #
+	      (
+		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		      ${STATEDIR}/firewall ${OPTIONS} stop
+		  fi
+	      )
+	  fi
      fi
  done

@@ -127,7 +123,7 @@ shorewall_start () {

  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then

-      printf "Restoring ipsets: "
+      echo -n "Restoring ipsets: "

      if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
@@ -144,10 +140,12 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
      fi
  done

@@ -159,9 +157,8 @@ shorewall_stop () {

      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      else
-	  rm -f "${SAVE_IPSETS}.tmp"
 	  echo_notdone
      fi

--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -44,14 +44,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	${SBINDIR}/$PRODUCT $OPTIONS compile -c
    else
-	return 1
+	return 0
    fi
 }

@@ -66,22 +62,22 @@ start () {
 	return 6 #Not configured
    fi

-    printf "Initializing \"Shorewall-based firewalls\": "
-
-    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-	ipset -R < "$SAVE_IPSETS"
-    fi
+    echo -n "Initializing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?

 	if [ $retval -eq 0 ]; then
-	    ${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
+	    fi
 	else
-	    retval=6 #Product not configured
 	    break
 	fi
    done
@@ -101,32 +97,27 @@ stop () {
    local PRODUCT
    local STATEDIR

-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
 	setstatedir
 	retval=$?

 	if [ $retval -eq 0 ]; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
+	    fi
 	else
-	    retval=6 #Product not configured
 	    break
 	fi
    done

    if [ $retval -eq 0 ]; then
-	if [ -n "$SAVE_IPSETS" ]; then
-	    mkdir -p $(dirname "$SAVE_IPSETS")
-	    if ipset -S > "${SAVE_IPSETS}.tmp"; then
-		grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	    else
-		rm -f "${SAVE_IPSETS}.tmp"
-	    fi
-	fi
-
 	rm -f $lockfile
 	success
    else
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -75,14 +75,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    else
-	return 1
+	return 0
    fi
 }

@@ -91,11 +87,13 @@ start () {
    local PRODUCT
  local STATEDIR

-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall ${OPTIONS} stop
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
 	  fi
      fi
  done
@@ -103,8 +101,6 @@ start () {
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      ipset -R < "$SAVE_IPSETS"
  fi
-
-  return 0
 }

 boot () {
@@ -116,22 +112,20 @@ stop () {
    local PRODUCT
    local STATEDIR

-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
+	    if [ -x ${STATEDIR}/firewall ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear
+	    fi
 	fi
    done

    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	else
-	    rm -f "${SAVE_IPSETS}.tmp"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
 	fi
    fi
-
-    return 0
 }

--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -69,12 +69,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
    else
-	return 1
+	return 0
    fi
 }

@@ -83,11 +81,13 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall ${OPTIONS} stop
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
 	  fi
      fi
  done
@@ -104,19 +104,19 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
      fi
  done

  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-      else
-	  rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      fi
  fi

--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -79,14 +79,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
    else
-	return 6
+	return 0
    fi
 }

@@ -95,11 +91,13 @@ shorewall_start () {
  local PRODUCT
  local STATEDIR

-  printf "Initializing \"Shorewall-based firewalls\": "
+  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	  if [ -x $STATEDIR/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	      fi
 	  fi
      fi
  done
@@ -114,19 +112,19 @@ shorewall_stop () {
  local PRODUCT
  local STATEDIR

-  printf "Clearing \"Shorewall-based firewalls\": "
+  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
      fi
  done

  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-      else
-	  rm -f "${SAVE_IPSETS}.tmp"
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      fi
  fi
 }
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -27,21 +27,58 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version.
 PRODUCT=shorewall-init
 Product="Shorewall Init"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -n"
+    echo "usage: $ME [ <configuration-file> ]"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    echo "       $ME -n"
    exit $1
 }

+fatal_error() 
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
+}
+
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -60,16 +97,23 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod 0755 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+}
+
+require() 
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-#
-# Source common functions
-#
-. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
 #
 # Parse the run line
 #
@@ -90,7 +134,7 @@ while [ $finished -eq 0 ] ; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Installer Version $VERSION"
+			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -115,17 +159,17 @@ done
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
+    #
+    # Load packager's settings if any
+    #
    if [ -f ./shorewallrc ]; then
-	file=./shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
-    elif [ -f ~/.shorewallrc ]; then
+	. ./shorewallrc || exit 1
 	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
-    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	file=/usr/share/shorewall/shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
-    else
-	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
+     else
+	fatal_error "No configuration file specified and ~/.shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
@@ -133,11 +177,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -254,10 +298,12 @@ case "$HOST" in
 	echo "Installing Openwrt-specific configuration..."
 	;;
    linux)
-	fatal_error "Shorewall-init is not supported on this system"
+	echo "ERROR: Shorewall-init is not supported on this system" >&2
+	exit 1
 	;;
    *)
-	fatal_error "Unsupported HOST distribution: \"$HOST\""
+	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
+	exit 1;
 	;;
 esac

@@ -269,27 +315,30 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi
    
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    make_directory ${DESTDIR}${INITDIR} 0755
 fi

-echo "Installing $Product Version $VERSION"
+echo "Installing Shorewall Init Version $VERSION"

 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
    first_install=""
 else
    first_install="Yes"
 fi

-[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
+if [ -n "$DESTDIR" ]; then
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 0755 ${DESTDIR}${CONFDIR}/logrotate.d
+fi

 #
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    mkdir -p ${DESTDIR}${INITDIR}
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
    
@@ -308,21 +357,25 @@ if [ -z "${SERVICEDIR}" ]; then
 fi

 if [ -n "$SERVICEDIR" ]; then
-    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
-    [ -n "$DESTDIR" -o $configure -eq 0 ] && make_parent_directory ${DESTDIR}${SBINDIR} 0755
-    install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0700
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
-    echo "CLI installed as ${DESTDIR}${SBINDIR}/$PRODUCT"
+    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
+	mkdir -p ${DESTDIR}${SBINDIR}
+        chmod 0755 ${DESTDIR}${SBINDIR}
+    fi
+    install_file shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init 0700
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
+    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi

 #
 # Create /usr/share/shorewall-init if needed
 #
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
+chmod 0755 ${DESTDIR}${SHAREDIR}/shorewall-init

 #
 # Install logrotate file
@@ -335,53 +388,55 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/$PRODUCT/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
+chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall-init/version

 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f ${SHAREDIR}/$PRODUCT/init
-    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
+    rm -f ${SHAREDIR}/shorewall-init/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi

 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
-	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
-	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
+	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
    elif [ $configure -eq 0 ]; then
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
    fi

-    if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
-	[ -n "${DESTDIR}" ] && make_parent_directory ${DESTDIR}${ETC}/default 0755
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
+	if [ -n "${DESTDIR}" ]; then
+	    mkdir -p ${DESTDIR}${ETC}/default
+	fi

-	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/default 0755
-	install_file ${SYSCONFFILE} ${DESTDIR}${ETC}/default/$PRODUCT 0644
-	echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
+	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
+	echo "sysconfig file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi

    IFUPDOWN=ifupdown.debian.sh
 else
    if [ -n "$DESTDIR" ]; then
-	make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+	mkdir -p ${DESTDIR}${SYSCONFDIR}

 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-up.d 0755
-		make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-down.d 0755
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
 	    elif [ $HOST = gentoo ]; then
 		# Gentoo does not support if-{up,down}.d
 		/bin/true
 	    elif [ $HOST = openwrt ]; then
-		# Not implemented on OpenWRT
+		# Not implemented on openwrt
 		/bin/true
 	    else
-		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
+		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
 	fi
    fi
@@ -403,13 +458,13 @@ if [ $HOST != openwrt ]; then

    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown

-    make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
+    mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init

-    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown 0544
+    install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 fi

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
+    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi

@@ -428,8 +483,8 @@ case $HOST in
    suse)
 	if [ -z "$RPM" ]; then
 	    if [ $configure -eq 0 ]; then
-		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-up.d 0755
-		make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-down.d 0755
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
 	    fi

 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
@@ -463,17 +518,17 @@ if [ -z "$DESTDIR" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable ${PRODUCT}.service; then
-                    echo "$Product will start automatically at boot"
+                    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif mywhich insserv; then
-		if insserv ${INITDIR}/$PRODUCT; then
-                    echo "$Product will start automatically at boot"
+		if insserv ${INITDIR}/shorewall-init; then
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif mywhich update-rc.d ; then
 		if update-rc.d $PRODUCT enable; then
-                    echo "$Product will start automatically at boot"
+		    echo "$PRODUCT will start automatically at boot"
 		    echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 		else
 		    cant_autostart
@@ -494,31 +549,31 @@ if [ -z "$DESTDIR" ]; then
 	    /bin/true
 	else
 	    if [ -n "$SERVICEDIR" ]; then
-		if systemctl enable ${PRODUCT}.service; then
-		    echo "$Product will start automatically at boot"
+		if systemctl enable shorewall-init.service; then
+		    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
-		if insserv ${INITDIR}/$PRODUCT ; then
-		    echo "$Product will start automatically at boot"
+		if insserv ${INITDIR}/shorewall-init ; then
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
-		if chkconfig --add $PRODUCT ; then
-		    echo "$Product will start automatically at boot"
-		    chkconfig --list $PRODUCT
+		if chkconfig --add shorewall-init ; then
+		    echo "Shorewall Init will start automatically in run levels as follows:"
+		    chkconfig --list shorewall-init
 		else
 		    cant_autostart
 		fi
 	    elif [ -x ${SBINDIR}/rc-update ]; then
-		if rc-update add $PRODUCT default; then
-		    echo "$Product will start automatically at boot"
+		if rc-update add shorewall-init default; then
+		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
 		/etc/init.d/$PRODUCT enable
-		if /etc/init.d/$PRODUCT enabled; then
+		if /etc/init.d/shorewall-init enabled; then
 		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
@@ -532,11 +587,11 @@ else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
-		make_parent_directory ${DESTDIR}/etc/rcS.d 0755
+		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi

-	    ln -sf ../init.d/$PRODUCT ${DESTDIR}${CONFDIR}/rcS.d/S38${PRODUCT}
-	    echo "$Product will start automatically at boot"
+	    ln -sf ../init.d/shorewall-init ${DESTDIR}${CONFDIR}/rcS.d/S38shorewall-init
+	    echo "Shorewall Init will start automatically at boot"
 	fi
    fi
 fi
@@ -547,8 +602,8 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
    case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-		make_parent_directory ${DESTDIR}/etc/ppp/$directory 0755 #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
+		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
+		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
 	    done
 	    ;;
 	redhat)
@@ -559,19 +614,19 @@ if [ -d ${DESTDIR}/etc/ppp ]; then
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
 		    if grep -qF Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
+			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"
 			break
 		    fi
 		else
-		    cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
+		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		fi
 	    done
 	    ;;
    esac
 fi
 #
-# Report Success
+#  Report Success
 #
 echo "shorewall Init Version $VERSION Installed"
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -33,12 +33,10 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ -x ${STATEDIR}/firewall ]; then
-        return 0
-    elif [ $PRODUCT = shorewall ]; then
-	${SBINDIR}/shorewall compile
-    elif [ $PRODUCT = shorewall6 ]; then
-	${SBINDIR}/shorewall -6 compile
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    else
+	return 0
    fi
 }

@@ -64,17 +62,19 @@ shorewall_start () {
    local PRODUCT
    local STATEDIR

-    printf "Initializing \"Shorewall-based firewalls\": "
+    echo -n "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    #
-	    # Run in a sub-shell to avoid name collisions
-	    #
-	    (
-		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		    ${STATEDIR}/firewall ${OPTIONS} stop
-		fi
-	    )
+	    if [ -x ${STATEDIR}/firewall ]; then
+		#
+		# Run in a sub-shell to avoid name collisions
+		#
+		(
+		    if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+			${STATEDIR}/firewall ${OPTIONS} stop
+		    fi
+		)
+	    fi
 	fi
    done

@@ -90,19 +90,19 @@ shorewall_stop () {
    local PRODUCT
    local STATEDIR

-    printf "Clearing \"Shorewall-based firewalls\": "
+    echo -n "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
+	    if [ -x ${STATEDIR}/firewall ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear
+	    fi
 	fi
    done

    if [ -n "$SAVE_IPSETS" ]; then
 	mkdir -p $(dirname "$SAVE_IPSETS")
 	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	else
-	    rm -f "${SAVE_IPSETS}.tmp"
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
 	fi
    fi

--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Init
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,34 +26,62 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx  #The Build script inserts the actual version
 PRODUCT=shorewall-init
 Product="Shorewall Init"

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -n"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-#
-# Source common functions
-#
-. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
-#
-# Parse the run line
-#
 finished=0
 configure=1

@@ -90,17 +118,17 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
-
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -110,72 +138,72 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file || exit 1
 else
    usage 1
 fi

-if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
+if [ -f ${SHAREDIR}/shorewall-init/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Init Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling $Product $VERSION"
+[ -n "${LIBEXEC:=${SHAREDIR}}" ]
+
+echo "Uninstalling Shorewall Init $VERSION"

 [ -n "$SANDBOX" ] && configure=0

-[ -n "${LIBEXEC:=${SHAREDIR}}" ]
+INITSCRIPT=${CONFDIR}/init.d/shorewall-init

-remove_file  ${SBINDIR}/$PRODUCT
-
-FIREWALL=${CONFDIR}/init.d/$PRODUCT
-
-if [ -f "$FIREWALL" ]; then
+if [ -f "$INITSCRIPT" ]; then
    if [ $configure -eq 1 ]; then
-	if [ $HOST = openwrt ] ; then
-	    if /etc/init.d/$PRODUCT enabled; then
-		/etc/init.d/$PRODUCT disable
+	if [ $HOST = openwrt ]; then
+	    if /etc/init.d/shorewall-init enabled; then
+		/etc/init.d/shorewall-init disable
 	    fi
+	elif mywhich updaterc.d ; then
+	    updaterc.d shorewall-init remove
 	elif mywhich insserv ; then
-            insserv -r $FIREWALL
-	elif mywhich update-rc.d ; then
-	    update-rc.d ${PRODUCT} remove
+            insserv -r $INITSCRIPT
 	elif mywhich chkconfig ; then
-	    chkconfig --del $(basename $FIREWALL)
+	    chkconfig --del $(basename $INITSCRIPT)
 	fi
    fi

-    remove_file $FIREWALL
+    remove_file $INITSCRIPT
 fi

-[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi

 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
-    remove_file $SERVICEDIR/${PRODUCT}.service
+    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
+    rm -f $SERVICEDIR/shorewall-init.service
 fi

 if [ $HOST = openwrt ]; then
-    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 else
-    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
-    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
+    [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+    [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
 fi

-remove_file ${CONFDIR}/default/$PRODUCT
-remove_file ${CONFDIR}/sysconfig/$PRODUCT
+remove_file ${CONFDIR}/default/shorewall-init
+remove_file ${CONFDIR}/sysconfig/shorewall-init

 remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall

@@ -200,11 +228,10 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
 fi

-remove_directory ${SHAREDIR}/$PRODUCT
-remove_directory ${LIBEXECDIR}/$PRODUCT
-remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
+rm -f  ${SBINDIR}/shorewall-init
+rm -rf ${SHAREDIR}/shorewall-init
+rm -rf ${LIBEXECDIR}/shorewall-init
+
+echo "Shorewall Init Uninstalled"
+

-#
-# Report Success
-#
-echo "$Product $VERSION Uninstalled"
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -0,0 +1,18 @@
+# Shorewall Lite Makefile to restart if firewall script is newer than last restart
+VARDIR=$(shell /sbin/shorewall-lite show vardir)
+SHAREDIR=/usr/share/shorewall-lite
+RESTOREFILE?=.restore
+
+all: $(VARDIR)/$(RESTOREFILE)
+
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
+	@/sbin/shorewall-lite -q save >/dev/null; \
+	if \
+	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
+	then \
+	    /sbin/shorewall-lite -q save >/dev/null; \
+	else \
+	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
+	fi
+
+# EOF
--- a/Shorewall-lite/default.debian.sysvinit
+++ b/Shorewall-lite/default.debian.sysvinit
@@ -1,5 +1,5 @@
 # prevent startup with default configuration
-# set the following variable to 1 in order to allow Shorewall-lite to start
+# set the following varible to 1 in order to allow Shorewall-lite to start

 startup=0

@@ -16,7 +16,7 @@ startup=0
 #    wait_interface=

 #
-# Global start/restart/reload/stop options
+# Startup options
 #
 OPTIONS=""

@@ -30,16 +30,6 @@ STARTOPTIONS=""
 #
 RESTARTOPTIONS=""

-#
-# Reload options
-#
-RELOADOPTIONS=""
-
-#
-# Stop options
-#
-STOPOPTIONS=""
-
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
--- a/Shorewall-lite/default.debian.systemd
+++ b/Shorewall-lite/default.debian.systemd
@@ -1,26 +0,0 @@
-#
-# Global start/restart/reload/stop options
-#
-OPTIONS=""
-
-#
-# Start options
-#
-STARTOPTIONS=""
-
-#
-# Restart options
-#
-RESTARTOPTIONS=""
-
-#
-# Reload options
-#
-RELOADOPTIONS=""
-
-#
-# Stop options
-#
-STOPOPTIONS=""
-
-# EOF
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -13,7 +13,7 @@

 . /lib/lsb/init-functions

-SRWL='/sbin/shorewall -l'
+SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}

@@ -85,7 +85,7 @@ fi

 # start the firewall
 shorewall_start () {
-  printf "Starting \"Shorewall firewall\": "
+  echo -n "Starting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
@@ -93,10 +93,10 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  if [ "$SAFESTOP" = 1 ]; then
-      printf "Stopping \"Shorewall Lite firewall\": "
+      echo -n "Stopping \"Shorewall Lite firewall\": "
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
-      printf "Clearing all \"Shorewall Lite firewall\" rules: "
+      echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
@@ -104,14 +104,14 @@ shorewall_stop () {

 # restart the firewall
 shorewall_restart () {
-  printf "Restarting \"Shorewall firewall\": "
+  echo -n "Restarting \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

 # refresh the firewall
 shorewall_refresh () {
-  printf "Refreshing \"Shorewall firewall\": "
+  echo -n "Refreshing \"Shorewall firewall\": "
  $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -25,7 +25,7 @@
 #
 . /usr/share/shorewall/shorewallrc

-prog="shorewall -l"
+prog="shorewall-lite"
 shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
 fi

 start() {
-    printf $"Starting Shorewall: "
+    echo -n $"Starting Shorewall: "
    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
 }

 stop() {
-    printf $"Stopping Shorewall: "
+    echo -n $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
-    printf $"Restarting Shorewall: "
+    echo -n $"Restarting Shorewall: "
    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -69,7 +69,7 @@ SHOREWALL_INIT_SCRIPT=1
 command="$action"

 start() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
 }

 boot() {
@@ -78,17 +78,17 @@ boot() {
 }

 restart() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
 }

 reload() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $RELOADOPTION
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
 }

 stop() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $STOPOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
 }

 status() {
-	exec ${SBINDIR}/shorewall -l $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
 }
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,19 +22,62 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx #The Build script inserts the actual version

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
-    echo "where <option> is one of"
-    echo "  -h"
-    echo "  -v"
-    echo "  -n"
+    echo "usage: $ME [ <configuration-file> ]"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    echo "       $ME -n"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
 install_file() # $1 = source $2 = target $3 = mode
 {
    if cp -f $1 $2; then
@@ -53,12 +96,25 @@ install_file() # $1 = source $2 = target $3 = mode
    exit 1
 }

+make_directory() # $1 = directory , $2 = mode
+{
+    mkdir -p $1
+    chmod 755 $1
+    [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
+
+}
+
+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-if [ -f shorewall-lite.service ]; then
+if [ -f shorewall-lite ]; then
    PRODUCT=shorewall-lite
    Product="Shorewall Lite"
 else
@@ -66,11 +122,6 @@ else
    Product="Shorewall6 Lite"
 fi

-#
-# Source common functions
-#
-. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
-
 #
 # Parse the run line
 #
@@ -117,14 +168,12 @@ done
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc || exit 1
 	file=./shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
    elif [ -f ~/.shorewallrc ]; then
-	file=~/.shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+	. ~/.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	file=/usr/share/shorewall/shorewallrc
-        . $file || fatal_error "Can not load the RC file: $file"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -134,11 +183,11 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi
@@ -269,7 +318,8 @@ case "$HOST" in
    linux)
 	;;
    *)
-	fatal_error "ERROR: Unknown HOST \"$HOST\""
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
 	;;
 esac

@@ -281,7 +331,8 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi

-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    make_directory ${DESTDIR}${SBINDIR} 755
+    make_directory ${DESTDIR}${INITDIR} 755

 else
    if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
@@ -311,9 +362,9 @@ else
 fi

 #
-# Check for ${SHAREDIR}/$PRODUCT/version
+# Check for ${SBINDIR}/$PRODUCT
 #
-if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
+if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
@@ -321,20 +372,27 @@ fi

 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

-[ -n "${INITFILE}" ] && make_parent_directory ${DESTDIR}${INITDIR} 0755
+install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
+[ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
+
+echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"

 #
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-make_parent_directory ${DESTDIR}${CONFDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
-make_parent_directory ${DESTDIR}${SBINDIR} 0755
-make_parent_directory ${DESTDIR}${VARDIR} 0755
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}
+
+chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT

 if [ -n "$DESTDIR" ]; then
-    make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
-    make_parent_directory ${DESTDIR}${INITDIR} 0755
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}
 fi

 if [ -n "$INITFILE" ]; then
@@ -355,9 +413,9 @@ if [ -z "${SERVICEDIR}" ]; then
 fi

 if [ -n "$SERVICEDIR" ]; then
-    make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
+    mkdir -p ${DESTDIR}${SERVICEDIR}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
+    install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 644
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
 fi
@@ -375,6 +433,15 @@ elif [ $HOST = gentoo ]; then
    # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
    perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
+
+#
+# Install the  Makefile
+#
+install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
+[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
+echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
+
 #
 # Install the default config path file
 #
@@ -386,14 +453,8 @@ echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/confi
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-        case $f in
-            *installer)
-                ;;
-            *)
-                install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-                echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-                ;;
-        esac
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
    fi
 done

@@ -421,12 +482,12 @@ if [ -f modules ]; then
 fi

 if [ -f helpers ]; then
-    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 0600
+    install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 600
    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi

 for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 644
    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done

@@ -437,19 +498,17 @@ done
 if [ -d manpages -a -n "$MANDIR" ]; then
    cd manpages

-    make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
+    mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/

    for f in *.5; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 0644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done

-    make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
-
    for f in *.8; do
 	gzip -c $f > $f.gz
-	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
+	install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
 	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done

@@ -459,7 +518,7 @@ if [ -d manpages -a -n "$MANDIR" ]; then
 fi

 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
+    install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 644
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi

@@ -467,7 +526,7 @@ fi
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
@@ -481,16 +540,14 @@ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup

-#
-#  Creatae the symbolic link for the CLI
-#
-ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
-
 #
 # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
 #
 if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-    [ ${DESTDIR} ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
+    if [ ${DESTDIR} ]; then
+	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	chmod 755 ${DESTDIR}${SYSCONFDIR}
+    fi

    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
@@ -498,6 +555,7 @@ fi

 if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
 fi

 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
@@ -558,6 +616,6 @@ if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${
 fi

 #
-# Report Success
+#  Report Success
 #
 echo "$Product Version $VERSION Installed"
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall-lite/lib.base
+# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -28,7 +28,7 @@
 #
 #   On the target system (the system where the firewall program is to run):
 #
-#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] shorecap > capabilities
+#       [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] [ MODULE_SUFFIX="<module suffix list>" ] shorecap > capabilities
 #
 #    Now move the capabilities file to the compilation system. The file must
 #    be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
@@ -38,26 +38,26 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
+#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.


-PRODUCT=shorewall-lite
+g_program=shorewall-lite

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

-g_basedir=${SHAREDIR}/shorewall
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1

 . ${SHAREDIR}/shorewall/lib.cli
-
-setup_product_environment
-
-. ${SHAREDIR}/shorewall-lite/configpath
+. /usr/share/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
+#         Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
+#
+################################################################################################
+PRODUCT=shorewall-lite
+
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli
+
+shorewall_cli $@
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script to back uninstall Shoreline Firewall Lite
+# Script to back uninstall Shoreline Firewall
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
@@ -26,7 +26,9 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx # The Build script inserts the actual version
+VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall-lite
+Product="Shorewall Lite"

 usage() # $1 = exit status
 {
@@ -39,27 +41,46 @@ usage() # $1 = exit status
    exit $1
 }

-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}

-if [ -f shorewall-lite.service ]; then
-    PRODUCT=shorewall-lite
-    Product="Shorewall Lite"
-else
-    PRODUCT=shorewall6-lite
-    Product="Shorewall6 Lite"
-fi
+qt()
+{
+    "$@" >/dev/null 2>&1
+}

-#
-# Source common functions
-#
-. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}

-#
-# Parse the run line
-#
 finished=0
 configure=1

@@ -76,7 +97,7 @@ while [ $finished -eq 0 ]; do
 			usage 0
 			;;
 		    v)
-			echo "$Product Firewall Uninstaller Version $VERSION"
+			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    n*)
@@ -96,17 +117,17 @@ while [ $finished -eq 0 ]; do
 	    ;;
    esac
 done
-
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
-        . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
+	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
-        . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
+	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-        . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
+	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
@@ -116,50 +137,46 @@ elif [ $# -eq 1 ]; then
 	/*|.*)
 	    ;;
 	*)
-	    file=./$file || exit 1
+	    file=./$file
 	    ;;
    esac

-    . $file || fatal_error "Can not load the RC file: $file"
+    . $file
 else
    usage 1
 fi

-if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
+if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
+	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
-    echo "WARNING: $Product Version $VERSION is not installed"
+    echo "WARNING: Shorewall Lite Version $VERSION is not installed"
    VERSION=""
 fi

-echo "Uninstalling $Product $VERSION"
+echo "Uninstalling Shorewall Lite $VERSION"

 [ -n "$SANDBOX" ] && configure=0

 if [ $configure -eq 1 ]; then
    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-	${SBINDIR}/$PRODUCT clear
-    elif qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
-	${SBINDIR}/$PRODUCT clear
+	shorewall-lite clear
    fi
 fi

-remove_file ${SBINDIR}/$PRODUCT
-
-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
    if [ $HOST = openwrt ]; then
-	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
-	    /etc/init.d/$PRODUCT disable
+	if [ $configure -eq 1 ] && /etc/init.d/shorewall-lite enabled; then
+	    /etc/init.d/shorewall-lite disable
 	fi
 	
-	FIREWALL=$(readlink ${SHAREDIR}/$PRODUCT/init)
+	FIREWALL=$(readlink ${SHAREDIR}/shorewall-lite/init)
    else
-	FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
+	FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
    fi
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
@@ -167,10 +184,10 @@ fi

 if [ -f "$FIREWALL" ]; then
    if [ $configure -eq 1 ]; then
-	if mywhich insserv ; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall-lite remove
+	elif mywhich insserv ; then
            insserv -r $FIREWALL
-	elif mywhich update-rc.d ; then
-	    update-rc.d ${PRODUCT} remove
 	elif mywhich chkconfig ; then
 	    chkconfig --del $(basename $FIREWALL)
 	fi
@@ -179,29 +196,26 @@ if [ -f "$FIREWALL" ]; then
    remove_file $FIREWALL
 fi

-[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
+[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"

 if [ -n "$SERVICEDIR" ]; then
-    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
-    remove_file $SERVICEDIR/${PRODUCT}.service
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SERVICEDIR/shorewall-lite.service
 fi

-remove_directory ${CONFDIR}/$PRODUCT
-remove_directory ${VARDIR}
-remove_directory ${SHAREDIR}/$PRODUCT
-remove_directory ${LIBEXECDIR}/$PRODUCT
-remove_file  ${CONFDIR}/logrotate.d/$PRODUCT
+rm -f ${SBINDIR}/shorewall-lite

-if [ -n "$SYSCONFDIR" ]; then
-    [ -n "$SYSCONFFILE" ] && remove_file ${SYSCONFDIR}/${PRODUCT}
-fi
+rm -rf ${CONFDIR}/shorewall-lite
+rm -rf ${VARDIR}
+rm -rf ${SHAREDIR}/shorewall-lite
+rm -rf ${LIBEXECDIR}/shorewall-lite
+rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
+rm -f  ${SYSCONFDIR}/shorewall-lite

 if [ -n "${MANDIR}" ]; then
-    remove_file_with_wildcard ${MANDIR}/man5/${PRODUCT}\*
-    remove_file_with_wildcard ${MANDIR}/man8/${PRODUCT}\*
+    rm -f ${MANDIR}/man5/shorewall-lite*
+    rm -f ${MANDIR}/man8/shorewall-lite*
 fi

-#
-# Report Success
-#
-echo "$Product $VERSION Uninstalled"
+echo "Shorewall Lite Uninstalled"
+
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -1,44 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.AllowICMPs
-#
-# This action ACCEPTs needed ICMP types.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-DEFAULTS ACCEPT
-
-?if __IPV4
-    @1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
-    @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
-?else
-?COMMENT Needed ICMP types (RFC4890)
-    @1	-		-	ipv6-icmp	destination-unreachable
-    @1	-		-	ipv6-icmp	packet-too-big
-    @1	-		-	ipv6-icmp	time-exceeded
-    @1	-		-	ipv6-icmp	parameter-problem
-
-# The following should have a ttl of 255 and must be allowed to transit a bridge
-    @1	-		-	ipv6-icmp	router-solicitation
-    @1	-		-	ipv6-icmp	router-advertisement
-    @1	-		-	ipv6-icmp	neighbour-solicitation
-    @1	-		-	ipv6-icmp	neighbour-advertisement
-    @1	-		-	ipv6-icmp	137	# Redirect
-    @1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
-    @1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
-
-# The following should have a link local source address and must be allowed to transit a bridge
-    @1	fe80::/10	-	ipv6-icmp	130	# Listener query
-    @1	fe80::/10	-	ipv6-icmp	131	# Listener report
-    @1	fe80::/10	-	ipv6-icmp	132	# Listener done
-    @1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
-
-# The following should be received with a ttl of 255 and must be allowed to transit a bridge
-    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
-    @1	-		-	ipv6-icmp	149	# Certificate path advertisement
-
-# The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
-    @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
-    @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
-    @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
-?endif
--- a/Shorewall/Actions/action.BLACKLIST
+++ b/Shorewall/Actions/action.BLACKLIST
@@ -1,50 +0,0 @@
-#
-# Shorewall - /usr/share/shorewall/action.BLACKLIST
-#
-# This action:
-#
-#   - Adds the sender to the dynamic blacklist ipset
-#   - Optionally acts on the packet (default is DROP)
-#
-# Parameters:
-#
-# 1 - Action to take after adding the packet. Default is DROP.
-#     Pass -- if you don't want to take any action.
-# 2 - Timeout for ipset entry. Default is the timeout specified in
-#     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
-#
-###############################################################################
-# Note -- This action is defined with the 'section' option, so the first
-#         parameter is always the section name. That means that in the
-#         following text, the first parameter passed in the rule is actually
-#         @2.
-###############################################################################
-?if $1 eq 'BLACKLIST'
-   ?if $BLACKLIST_LOG_LEVEL
-       blacklog
-   ?else
-       $BLACKLIST_DISPOSITION
-   ?endif
-?else
-   ?if ! "$SW_DBL_IPSET"
-   ?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
-   ?endif
-
-   DEFAULTS -,DROP,-
-   #
-   # Add to the blacklist
-   #
-   ?if passed(@3)
-       ADD($SW_DBL_IPSET:src:@3)
-   ?elsif $SW_DBL_TIMEOUT
-       ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
-   ?else
-       ADD($SW_DBL_IPSET:src)
-   ?endif
-   #
-   # Dispose of the packet if asked
-   #
-   ?if passed(@2)
-      @2
-   ?endif
-?endif
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -1,65 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Broadcast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Broadcast[([<action>|[,{audit|-}])]
-#
-# Default action is DROP
-#
-###############################################################################
-
-DEFAULTS DROP,-
-
-?if __ADDRTYPE
-    @1	-	-	-	;; -m addrtype --dst-type BROADCAST
-    @1	-	-	-	;; -m addrtype --dst-type ANYCAST
-?else
-    ?begin perl;
-
-    use strict;
-    use Shorewall::IPAddrs;
-    use Shorewall::Config;
-    use Shorewall::Chains;
-
-    my ( $action, $audit ) = get_action_params( 2 );
-    my $chainref           = get_action_chain;
-    my ( $level, $tag )    = get_action_logging;
-
-    fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit';
-
-    my $target             = require_audit ( $action , $audit );
-
-    if ( $family == F_IPV4 ) {
-        add_commands $chainref, 'for address in $ALL_BCASTS; do';
-    } elsif ($family == F_IPV6 ) {
-        add_commands $chainref, 'for address in $ALL_ACASTS; do';
-    }
-
-    incr_cmd_level $chainref;
-    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-    add_jump $chainref, $target, 0, "-d \$address ";
-    decr_cmd_level $chainref;
-    add_commands $chainref, 'done';
-
-    1;
-
-    ?end perl;
-?endif
--- a/Shorewall/Actions/action.DropDNSrep
+++ b/Shorewall/Actions/action.DropDNSrep
@@ -1,10 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.DropDNSrep
-#
-# This macro silently drops DNS UDP replies that are in the New state
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-DEFAULTS DROP
-@1	-	-	udp	-	53 { comment="Late DNS Replies" }
--- a/Shorewall/Actions/action.FIN
+++ b/Shorewall/Actions/action.FIN
@@ -1,33 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.FIN
-#
-# FIN Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# FIN[([<action>])]
-#
-# Default action is ACCEPT
-#
-###############################################################################
-
-DEFAULTS ACCEPT,-
-
-@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN ACK,FIN
--- a/Shorewall/Actions/action.Limit
+++ b/Shorewall/Actions/action.Limit
@@ -1,70 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Limit
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Limit(<recent-set>,<num-connections>,<timeout>)
-#
-###############################################################################
-
-DEFAULTS -,-,-
-
-?begin perl
-
-use strict;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my $chainref        = get_action_chain;
-my @param           = get_action_params(3);
-my ( $level, $tag ) = get_action_logging;
-
-@param = split( ',', $tag ), $tag = $param[0] unless supplied( join '', @param );
-
-fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
-
-my $set   = $param[0];
-
-for ( @param[1,2] ) {
-    fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
-}
-
-my $count = $param[1] + 1;
-
-require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
-
-warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
-
-add_irule $chainref, recent => "--name $set --set";
-
-if ( $level ne '' ) {
-    my $xchainref = new_chain 'filter' , "$chainref->{name}%";
-    log_irule_limit( $level, $xchainref, '', 'DROP', [], $tag, 'add' , '' );
-    add_ijump $xchainref, j => 'DROP';
-    add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
-} else {
-    add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
-}
-
-add_ijump $chainref, j => 'ACCEPT';
-
-1;
-
-?end perl
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -1,56 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.Multicast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Multicast[([<action>|-[,{audit|-}])]
-#
-# Default action is DROP
-#
-###############################################################################
-
-DEFAULTS DROP,-
-
-?if __ADDRTYPE
-    @1	-	-	-	;; -m addrtype --dst-type MULTICAST
-?else
-    ?begin perl;
-
-    use strict;
-    use Shorewall::IPAddrs;
-    use Shorewall::Config;
-    use Shorewall::Chains;
-
-    my ( $action, $audit ) = get_action_params( 2 );
-    my $chainref           = get_action_chain;
-    my ( $level, $tag )    = get_action_logging;
-
-    fatal_error "Invalid parameter to action Multicast" if supplied $audit && $audit ne 'audit';
-
-    my $target = require_audit ( $action , $audit );
-    my $dest   = ( $family == F_IPV4 ) ? join( ' ', '-d', IPv4_MULTICAST . ' ' ) : join( ' ', '-d', IPv6_MULTICAST . ' ' );
-
-    log_rule_limit( $level, $chainref, 'Multicast' , $action, '', $tag, 'add', $dest ) if $level ne '';
-    add_jump $chainref, $target, 0, $dest;
-
-    1;
-
-    ?end perl;
-?endif
--- a/Shorewall/Actions/action.allowBcast
+++ b/Shorewall/Actions/action.allowBcast
@@ -1,38 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.allowBcast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# allowBcast[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Broadcast(A_ACCEPT)
-    ?else
-	?error "Invalid argument (@1) to allowBcast"
-    ?endif
-?else
-    Broadcast(ACCEPT)
-?endif
--- a/Shorewall/Actions/action.allowMcast
+++ b/Shorewall/Actions/action.allowMcast
@@ -1,38 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.allowMcast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# allowMcast[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Multicast(A_ACCEPT)
-    ?else
-	?error "Invalid argument (@1) to allowMcast"
-    ?endif
-?else
-    Multicast(ACCEPT)
-?endif
--- a/Shorewall/Actions/action.allowinUPnP
+++ b/Shorewall/Actions/action.allowinUPnP
@@ -1,40 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.allowinUPnP
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# allowinUPnP[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	A_ACCEPT - - 17 1900
-	A_ACCEPT - -  6 49152
-    ?else
-	?error "Invalid argument (@1) to allowinUPnP"
-    ?endif
-?else
-    ACCEPT - - 17 1900
-    ACCEPT - -	6 49152
-?endif
--- a/Shorewall/Actions/action.dropBcast
+++ b/Shorewall/Actions/action.dropBcast
@@ -1,39 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropBcast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropBcast[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Broadcast(A_DROP)
-    ?else
-	?error "Invalid argument (@1) to dropBcast"
-    ?endif
-?else
-    Broadcast(DROP)
-?endif
-
--- a/Shorewall/Actions/action.dropBcasts
+++ b/Shorewall/Actions/action.dropBcasts
@@ -1,39 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropBcasts
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropBcasts[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Broadcast(A_DROP)
-    ?else
-	?error "Invalid argument (@1) to dropBcasts"
-    ?endif
-?else
-    Broadcast(DROP)
-?endif
-
--- a/Shorewall/Actions/action.dropMcast
+++ b/Shorewall/Actions/action.dropMcast
@@ -1,38 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropMcast
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropMcast[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	Multicast(A_DROP)
-    ?else
-	?error "Invalid argument (@1) to dropMcast"
-    ?endif
-?else
-    Multicast(DROP)
-?endif
--- a/Shorewall/Actions/action.dropNotSyn
+++ b/Shorewall/Actions/action.dropNotSyn
@@ -1,38 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.dropNotSyn
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# dropNotSyn[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	A_DROP {proto=6:!syn}
-    ?else
-	?error "Invalid argument (@1) to dropNotSyn"
-    ?endif
-?else
-    DROP {proto=6:!syn}
-?endif
--- a/Shorewall/Actions/action.forwardUPnP
+++ b/Shorewall/Actions/action.forwardUPnP
@@ -1,43 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.forwardUPnP
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# forwardUPnP
-#
-###############################################################################
-
-DEFAULTS -
-
-?begin perl
-
-use strict;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my $chainref = get_action_chain;
-
-set_optflags( $chainref, DONT_OPTIMIZE );
-
-add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
-
-1;
-
-?end perl
--- a/Shorewall/Actions/action.rejNotSyn
+++ b/Shorewall/Actions/action.rejNotSyn
@@ -1,39 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.rejNotSyn
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# rejNotSyn[([audit])]
-#
-###############################################################################
-
-DEFAULTS -
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-	?require AUDIT_TARGET
-	A_REJECT {proto=6:!syn}
-    ?else
-	?error "Invalid argument (@1) to rejNotSyn"
-    ?endif
-?else
-    REJECT(tcp-reset) {proto=6:!syn}
-?endif
-
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -0,0 +1,13 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.AllowICMPs
+#
+# This macro ACCEPTs needed ICMP types.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+?COMMENT Needed ICMP types
+
+DEFAULT ACCEPT
+PARAM	-	-	icmp	fragmentation-needed
+PARAM	-	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -0,0 +1,13 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.blacklist
+#
+# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+?if $BLACKLIST_LOGLEVEL
+blacklog
+?else
+$BLACKLIST_DISPOSITION
+?endif
--- a/Shorewall/Macros/macro.Drop
+++ b/Shorewall/Macros/macro.Drop
@@ -0,0 +1,49 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Drop
+#
+# This macro generates the same rules as the Drop default action
+# It is used in place of action.Drop when USE_ACTIONS=No.
+#
+# Example:
+#
+#	Drop	net	all
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+#
+# Don't log 'auth' DROP
+#
+DROP	-	-	tcp	113
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast
+#
+# ACCEPT critical ICMP types
+#
+ACCEPT	-	-	icmp	fragmentation-needed
+ACCEPT	-	-	icmp	time-exceeded
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+DROP	-	-	udp	135,445
+DROP	-	-	udp	137:139
+DROP	-	-	udp	1024:	137
+DROP	-	-	tcp	135,139,445
+DROP	-	-	udp	1900
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.DropDNSrep
+#
+# This macro silently drops DNS UDP replies
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+?COMMENT Late DNS Replies
+
+DEFAULT DROP
+PARAM	-	-	udp	-	53
--- a/Shorewall/Macros/macro.FreeIPA
+++ b/Shorewall/Macros/macro.FreeIPA
@@ -1,16 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.FreeIPA
-#
-# This macro handles FreeIPA server traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-DNS
-HTTP
-HTTPS
-Kerberos
-Kpasswd
-LDAP
-LDAPS
-NTP
--- a/Shorewall/Macros/macro.IPFS-API
+++ b/Shorewall/Macros/macro.IPFS-API
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.IPFS-API
-#
-# This macro handles IPFS API port (commands for the IPFS daemon).
-#
-###############################################################################
-#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
-
-PARAM   -       -       tcp     5001
--- a/Shorewall/Macros/macro.IPFS-gateway
+++ b/Shorewall/Macros/macro.IPFS-gateway
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.IPFS-gateway
-#
-# This macro handles the IPFS gateway to HTTP.
-#
-###############################################################################
-#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
-
-PARAM   -       -       tcp     8080
--- a/Shorewall/Macros/macro.IPFS-swarm
+++ b/Shorewall/Macros/macro.IPFS-swarm
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
-#
-# This macro handles IPFS data traffic (the connection to IPFS swarm).
-#
-###############################################################################
-#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
-
-PARAM   -       -       tcp     4001
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -11,20 +11,13 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

 PARAM	-	-	tcp	623		# RMCP
-PARAM	-	-	udp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
-PARAM	-	-	tcp	5120,5122,5123	# CD,FD,HD (Asus, Aten)
+PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
-PARAM	-	-	tcp	8889		# WS-MAN
+PARAM	-	-	udp	623		# RMCP
 HTTP
-Telnet
-SNMP
-
-# TLS/secure ports
-PARAM	-	-	tcp	3520		# Remote Console (Redfish)
-PARAM	-	-	tcp	3669		# Virtual Media (Dell)
-PARAM	-	-	tcp	5124,5126,5127	# CD,FD,HD (AMI)
-PARAM	-	-	tcp	7582		# Remote Console (AMI)
 HTTPS
+SNMP
 SSH						# Serial over Lan
+Telnet
--- a/Shorewall/Macros/macro.Kpasswd
+++ b/Shorewall/Macros/macro.Kpasswd
@@ -1,10 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Kpasswd
-#
-# This macro handles Kerberos "passwd" traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	464
-PARAM	-	-	udp	464
--- a/Shorewall/Macros/macro.RDP
+++ b/Shorewall/Macros/macro.RDP
@@ -6,5 +6,4 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

-PARAM	-	-	udp	3389
 PARAM	-	-	tcp	3389
--- a/Shorewall/Macros/macro.RedisSecure
+++ b/Shorewall/Macros/macro.RedisSecure
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.RedisSecure
-#
-# This macro handles Redis Secure (SSL/TLS) traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	6380
--- a/Shorewall/Macros/macro.Reject
+++ b/Shorewall/Macros/macro.Reject
@@ -0,0 +1,49 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Reject
+#
+# This macro generates the same rules as the Reject default action
+# It is used in place of action.Reject when USE_ACTIONS=No.
+#
+# Example:
+#
+#	Reject	loc	fw
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+#
+# Don't log 'auth' REJECT
+#
+REJECT	-	-	tcp	113
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast
+#
+# ACCEPT critical ICMP types
+#
+ACCEPT	-	-	icmp	fragmentation-needed
+ACCEPT	-	-	icmp	time-exceeded
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+REJECT	-	-	udp	135,445
+REJECT	-	-	udp	137:139
+REJECT	-	-	udp	1024:	137
+REJECT	-	-	tcp	135,139,445
+DROP	-	-	udp	1900
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.Rwhois
+++ b/Shorewall/Macros/macro.Rwhois
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Rwhois
-#
-# This macro handles Remote Who Is (rwhois) traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	4321
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ b/Shorewall/Macros/macro.SNMPTrap.deprecated
@@ -1,9 +1,9 @@
 #
-# Shorewall -- /usr/share/shorewall/macro.Apcupsd
+# Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
-# This macro handles apcupsd traffic.
+# This macro deprecated by SNMPtrap.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

-PARAM	-	-	tcp	3551
+SNMPtrap
--- a/Shorewall/Macros/macro.SSDP
+++ b/Shorewall/Macros/macro.SSDP
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.SSDP
-#
-# This macro handles SSDP (used by DLNA/UPnP) client traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	udp	1900
--- a/Shorewall/Macros/macro.SSDPserver
+++ b/Shorewall/Macros/macro.SSDPserver
@@ -1,10 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.SSDPserver
-#
-# This macro handles SSDP (used by DLNA/UPnP) server bidirectional traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	udp	1900
-PARAM	DEST	SOURCE	udp	-	1900
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -0,0 +1,23 @@
+#
+# Shorewall -- /etc/shorewall/Makefile
+#
+# Reload Shorewall if config files are updated.
+
+SWBIN	?= /sbin/shorewall -q
+CONFDIR	?= /etc/shorewall
+SWSTATE	?= $(shell $(SWBIN) show vardir)/firewall
+
+.PHONY: clean
+
+$(SWSTATE): $(CONFDIR)/*
+	@$(SWBIN) save >/dev/null; \
+	RESULT=$$($(SWBIN) reload 2>&1); \
+	if [ $$? -eq 0 ]; then \
+	    $(SWBIN) save >/dev/null; \
+	else \
+	    echo "$${RESULT}" >&2; \
+	    false; \
+	fi
+
+clean:
+	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
--- a/Shorewall/Makefile-lite
+++ b/Shorewall/Makefile-lite
@@ -0,0 +1,82 @@
+#     Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+################################################################################
+# Place this file in each export directory. Modify each copy to set HOST
+# to the name of the remote firewall corresponding to the directory.
+#
+#	To make the 'firewall' script, type "make".
+#
+#	Once the script is compiling correctly, you can install it by
+#	typing "make install".
+#
+################################################################################
+#                             V A R I A B L E S
+#
+# Files in the export directory on which the firewall script does not depend
+#
+IGNOREFILES =  firewall% Makefile% trace% %~
+#
+# Remote Firewall system
+#
+HOST = gateway
+#
+# Save some typing
+#
+LITEDIR = /var/lib/shorewall-lite
+#
+# Set this if the remote system has a non-standard modules directory
+#
+MODULESDIR=
+#
+# Default target is the firewall script
+#
+################################################################################
+#                                T A R G E T S
+#
+all: firewall
+#
+# Only generate the capabilities file if it doesn't already exist
+#
+capabilities:
+	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
+	scp root@$(HOST):$(LITEDIR)/capabilities .
+#
+# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
+# 'filter-out' will be presented with the list of files in this directory rather than "*"
+#
+firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
+	shorewall compile -e . firewall
+#
+# Only reload on demand.
+#
+install: firewall
+	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
+	ssh root@$(HOST) "/sbin/shorewall-lite restart"
+#
+# Save running configuration
+#
+save:
+	ssh root@$(HOST) "/sbin/shorewall-lite save"
+#
+# Remove generated files
+#
+clean:
+	rm -f capabilities firewall firewall.conf reload
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/ARP.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -195,7 +195,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';

-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT_SECTION;
+    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;

    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
    my $prerule = '';
@@ -266,7 +266,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    if ( $source eq 'any' || $source eq 'all' ) {
        $source = ALLIP;
    } else {
-	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT_SECTION || ! $asection );
+	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
    }

    if ( have_bridges && ! $asection ) {
@@ -282,7 +282,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {

 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_chain ( $config{ACCOUNTING_TABLE}, 'accountout' ) ,
+			    ensure_rules_chain ( 'accountout' ) ,
 			    OUTPUT_RESTRICT ,
 			    $prerule ,
 			    $rule ,
@@ -519,9 +519,9 @@ sub setup_accounting() {

 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
-		    for my $chain1 ( keys %accountingjumps ) {
+		    for my $chain1 ( sort  keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
+			    for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -59,7 +59,7 @@ our $have_arptables;
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
    Shorewall::Chains::initialize ($family, 1, $export );
    Shorewall::Zones::initialize ($family, $_[0]);
    Shorewall::Nat::initialize($family);
@@ -93,23 +93,24 @@ sub generate_script_1( $ ) {
 	    my $date = compiletime;

 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
+
+	    copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
 	}

-	copy  $globals{SHAREDIRPL} . '/lib.runtime', 0;
-	copy2 $globals{SHAREDIRPL} . '/lib.common' , $debug;
    }

    my $lib = find_file 'lib.private';

    copy2( $lib, $debug ) if -f $lib;

-    emithd<<'EOF';
+    emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF

-    for my $exit ( qw/init start tcclear started stop stopped clear restored enabled disabled/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -125,7 +126,7 @@ EOF
 	emit '}';
    }

-    emithd <<'EOF';
+    emit <<'EOF';
 ################################################################################
 # End user exit functions
 ################################################################################
@@ -209,8 +210,6 @@ sub generate_script_2() {
    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
-    emit ( qq([ -n "\${CONFDIR:=$shorewallrc1{CONFDIR}}" ]) );
-    emit ( qq([ -n "\${SHAREDIR:=$shorewallrc1{SHAREDIR}}" ]) );

    emit 'TEMPFILE=';

@@ -268,13 +267,13 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( '' );
    }

    pop_indent;

-    emit "}\n"; # End of initialize()
+    emit "\n}\n"; # End of initialize()

    emit( '' ,
 	  '#' ,
@@ -311,9 +310,10 @@ sub generate_script_2() {
 	    push_indent;

 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-		verify_required_interfaces(0);
+
 		set_global_variables(0, 0);
-		handle_optional_interfaces;
+
+		handle_optional_interfaces(0);
 	    }

 	    emit ';;';
@@ -325,19 +325,19 @@ sub generate_script_2() {
 	    push_indent;
 	}

-	verify_required_interfaces(1);
 	set_global_variables(1,1);
-	handle_optional_interfaces;

 	if ( $global_variables & NOT_RESTORE ) {
+	    handle_optional_interfaces(1);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
+	} else {
+	    handle_optional_interfaces(1);
 	}
    } else {
-	verify_required_interfaces(1);
-	emit( 'true' ) unless handle_optional_interfaces;
+	emit( 'true' ) unless handle_optional_interfaces(1);
    }

    pop_indent;
@@ -356,7 +356,7 @@ sub generate_script_2() {
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
 #          than those related to writing to the output script file.
 #
-sub generate_script_3() {
+sub generate_script_3($) {

    if ( $family == F_IPV4 ) {
 	progress_message2 "Creating iptables-restore input...";
@@ -366,6 +366,7 @@ sub generate_script_3() {

    create_netfilter_load( $test );
    create_arptables_load( $test ) if $have_arptables;
+    create_chainlist_reload( $_[0] );
    create_save_ipsets;
    create_load_ipsets;

@@ -397,10 +398,16 @@ sub generate_script_3() {
 	emit 'load_kernel_modules Yes';
    }

-    emit( '' ,
-	  'run_init_exit',
-	  '' ,
-	  'load_ipsets' ,
+    emit '';
+
+    emit ( 'if [ "$COMMAND" = refresh ]; then' ,
+	   '   run_refresh_exit' ,
+	   'else' ,
+	   '    run_init_exit',
+	   'fi',
+	   '' );
+
+    emit( 'load_ipsets' ,
 	  '' );

    create_nfobjects;
@@ -458,6 +465,11 @@ sub generate_script_3() {
    dump_proxy_arp;
    emit_unindented '__EOF__';

+    emit( '',
+	  'if [ "$COMMAND" != refresh ]; then' );
+
+    push_indent;
+
    emit 'cat > ${VARDIR}/zones << __EOF__';
    dump_zone_contents;
    emit_unindented '__EOF__';
@@ -470,6 +482,10 @@ sub generate_script_3() {
    dump_mark_layout;
    emit_unindented '__EOF__';

+    pop_indent;
+
+    emit "fi\n";
+
    emit '> ${VARDIR}/nat';

    add_addresses;
@@ -508,12 +524,29 @@ sub generate_script_3() {

    my $config_dir = $globals{CONFIGDIR};

-    emithd <<"EOF";
+    emit<<"EOF";
    set_state Started $config_dir
    run_restored_exit
-else
-    setup_netfilter
+elif [ \$COMMAND = refresh ]; then
+    chainlist_reload
 EOF
+    push_indent;
+    setup_load_distribution;
+    setup_forwarding( $family , 0 );
+    pop_indent;
+    #
+    # Use a parameter list rather than 'here documents' to avoid an extra blank line
+    #
+    emit( '    run_refreshed_exit',
+	  '    do_iptables -N shorewall' );
+
+    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+
+    emit( "    set_state Started $config_dir",
+	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+	  'else',
+	  '    setup_netfilter'	);
+
    push_indent;
    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
@@ -538,7 +571,7 @@ EOF
 	  '    run_started_exit',
 	  "fi\n" );

-    emithd<<'EOF';
+    emit<<'EOF';
 date > ${VARDIR}/restarted

 case $COMMAND in
@@ -548,6 +581,9 @@ case $COMMAND in
    reload)
        mylogger kern.info "$g_product reloaded"
        ;;
+    refresh)
+        mylogger kern.info "$g_product refreshed"
+        ;;
    restore)
        mylogger kern.info "$g_product restored"
        ;;
@@ -582,8 +618,8 @@ sub compile_info_command() {
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 ) =
-       ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 , $inline ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );

    $export         = 0;
    $test           = 0;
@@ -612,6 +648,7 @@ sub compiler {
 		  timestamp     => { store => \$timestamp,     validate => \&validate_boolean   } ,
 		  debug         => { store => \$debug,         validate => \&validate_boolean   } ,
 		  export        => { store => \$export ,       validate => \&validate_boolean   } ,
+		  chains        => { store => \$chains },
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
@@ -619,6 +656,7 @@ sub compiler {
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -652,10 +690,9 @@ sub compiler {
    set_timestamp( $timestamp );
    set_debug( $debug , $confess );
    #
-    #                                      S H O R E W A L L R C ,
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
-    get_configuration( $export , $update , $annotate );
+    get_configuration( $export , $update , $annotate , $inline );
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # now when shorewall.conf has been processed and the capabilities have been determined.
@@ -664,7 +701,7 @@ sub compiler {
    #
    # Allow user to load Perl modules
    #
-    run_user_exit 'compile';
+    run_user_exit1 'compile';
    #
    # Create a temp file to hold the script
    #
@@ -757,10 +794,13 @@ sub compiler {
 	emit '}'; # End of setup_common_rules()
    }

+    disable_script;
    #
    #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
+    enable_script;
+    #
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
@@ -778,7 +818,7 @@ sub compiler {
    #
    # Setup Masquerade/SNAT
    #
-    setup_snat;
+    setup_snat( $update );
    #
    # Setup Nat
    #
@@ -859,7 +899,7 @@ sub compiler {

 	optimize_level0;

-	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
+	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -881,7 +921,7 @@ sub compiler {
 	#                          N E T F I L T E R   L O A D
 	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
-	generate_script_3();
+	generate_script_3( $chains );
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
@@ -905,7 +945,7 @@ sub compiler {
 	#
 	# Copy the footer to the script
 	#
-	copy $globals{SHAREDIRPL} . 'prog.footer';
+	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;

 	disable_script;
 	#
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -60,10 +60,10 @@ our @EXPORT = ( qw( ALLIPv4
 		  decompose_net
 		  decompose_net_u32
 		  compare_nets
-		  loopback_address
 		  validate_host
 		  validate_range
 		  ip_range_explicit
+		  expand_port_range
 		  allipv4
 		  allipv6
 		  allip
@@ -74,6 +74,10 @@ our @EXPORT = ( qw( ALLIPv4
 		  resolve_proto
 		  resolve_dnsname
 		  proto_name
+		  validate_port
+		  validate_portpair
+		  validate_portpair1
+		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
 		 ) );
@@ -99,14 +103,12 @@ our $resolve_dnsname;
 our $validate_range;
 our $validate_host;
 our $family;
-our $loopback_address;

 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       NILIPv4             => '0.0.0.0' ,
 	       NILIPv6             => '::' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
-	       IPv4_LOOPBACK       => '127.0.0.1' ,
 	       IPv6_MULTICAST      => 'ff00::/8' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
 	       IPv6_SITELOCAL      => 'feC0::/10' ,
@@ -373,10 +375,6 @@ sub rfc1918_networks() {
    @rfc1918_networks
 }

-sub loopback_address() {
-    $loopback_address;
-}
-
 #
 # Protocol/port validation
 #
@@ -391,8 +389,6 @@ sub resolve_proto( $ ) {
    my $proto = $_[0];
    my $number;

-    $proto =~ s/:.*//;
-
    if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 255 ? $number : undef;
@@ -413,6 +409,114 @@ sub proto_name( $ ) {
    $proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto
 }

+sub validate_port( $$ ) {
+    my ($proto, $port) = @_;
+
+    my $value;
+
+    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
+	$port = numeric_value $port;
+	return $port if defined $port && $port && $port <= 65535;
+    } else {
+	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
+	$value = getservbyname( $port, $proto );
+    }
+
+    return $value if defined $value;
+
+    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
+
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+}
+
+sub validate_portpair( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
+
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
+
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
+
+    my @ports = split /:/, $pair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP     ||
+			       $protonum == UDP     ||
+			       $protonum == UDPLITE ||
+			       $protonum == SCTP    ||
+			       $protonum == DCCP );
+    join ':', @ports;
+
+}
+
+sub validate_portpair1( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
+
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+
+    my @ports = split /-/, $portpair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
+	fatal_error 'Invalid port number (0)' unless $portpair;
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP  ||
+			       $protonum == UDP  ||
+			       $protonum == SCTP ||
+			       $protonum == DCCP );
+    join '-', @ports;
+
+}
+
+sub validate_port_list( $$ ) {
+    my $result = '';
+    my ( $proto, $list ) = @_;
+    my @list   = split_list( $list, 'port' );
+
+    if ( @list > 1 && $list =~ /[:-]/ ) {
+	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
+    }
+
+    $proto = proto_name $proto;
+
+    for ( @list ) {
+	my $value = validate_portpair( $proto , $_ );
+	$result = $result ? join ',', $result, $value : $value;
+    }
+
+    $result;
+}
+
 my %icmp_types = ( any                          => 'any',
 		   'echo-reply'                 => 0,
 		   'destination-unreachable'    => 3,
@@ -466,6 +570,67 @@ sub validate_icmp( $ ) {
    fatal_error "Invalid ICMP Type ($type)"
 }

+#
+# Expands a port range into a minimal list of ( port, mask ) pairs.
+# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
+#
+# Example:
+#
+#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
+#       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
+#
+sub expand_port_range( $$ ) {
+    my ( $proto, $range ) = @_;
+
+    if ( $range =~ /^(.*):(.*)$/ ) {
+	my ( $first, $last ) = ( $1, $2);
+	my @result;
+
+	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
+	#
+	# Supply missing first/last port number
+	#
+	$first = 0     if $first eq '';
+	$last  = 65535 if $last eq '';
+	#
+	# Validate the ports
+	#
+	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
+
+	$last++; #Increment last address for limit testing.
+	#
+	# Break the range into groups:
+	#
+	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
+	#      - Otherwise, find the largest power of two P that divides the first address such that
+	#        the remaining range has less than or equal to P ports. The next group is
+	#        ( <first> , ~( P-1 ) ).
+	#
+	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
+	    my $mask = 0xffff;         #Mask for current ports in group.
+	    my $y    = 2;              #Next power of two to test
+	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
+
+	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
+		$mask <<= 1;
+		$z  = $y;
+		$y <<= 1;
+	    }
+	    #
+	    #
+	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
+	    $first += $z;
+	}
+
+	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
+
+	@result;
+
+    } else {
+	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
+    }
+}
+
 sub valid_6address( $ ) {
    my $address = $_[0];

@@ -762,7 +927,6 @@ sub initialize( $ ) {
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
 	$vlsm_width       = VLSMv4;
-	$loopback_address = IPv4_LOOPBACK;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -775,7 +939,6 @@ sub initialize( $ ) {
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
 	$vlsm_width       = VLSMv6;
-	$loopback_address = IPv6_LOOPBACK;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -127,7 +127,7 @@ sub setup_ecn()
 	}

 	if ( @hosts ) {
-	    my @interfaces = ( keys %interfaces );
+	    my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );

 	    progress_message "$doing ECN control on @interfaces...";

@@ -667,7 +667,6 @@ sub create_docker_rules() {

    my $chainref = $filter_table->{FORWARD};

-    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );

    if ( my $dockerref = known_interface('docker0') ) {
@@ -718,7 +717,7 @@ sub add_common_rules ( $ ) {

    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
-	fatal_error( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
+	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
    } else {
 	if ( have_capability( 'ADDRTYPE' ) ) {
 	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
@@ -1029,7 +1028,7 @@ sub add_common_rules ( $ ) {
 	    );
    }
 	    
-    run_user_exit 'initdone';
+    run_user_exit1 'initdone';

    if ( $upgrade ) {
 	convert_blacklist;
@@ -1214,53 +1213,55 @@ sub add_common_rules ( $ ) {
 	}
    }

-    my $announced = 0;
+    if ( $family == F_IPV4 ) {
+	my $announced = 0;

-    $list = find_interfaces_by_option 'upnp';
+	$list = find_interfaces_by_option 'upnp';

-    if ( @$list ) {
-	progress_message2 "$doing UPnP";
+	if ( @$list ) {
+	    progress_message2 "$doing UPnP";

-	$chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
+	    $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );

-	add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
+	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );

-	my $chainref1;
+	    my $chainref1;

-	if ( $config{MINIUPNPD} ) {
-	    $chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
-	    add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
+	    if ( $config{MINIUPNPD} ) {
+		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
+		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
+	    }
+
+	    $announced = 1;
+
+	    for $interface ( @$list ) {
+		add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
+	    }
 	}

-	$announced = 1;
+	$list = find_interfaces_by_option 'upnpclient';

-	for $interface ( @$list ) {
-	    add_ijump_extended $nat_table->{PREROUTING} ,            j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
-	    add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
-	}
-    }
+	if ( @$list ) {
+	    progress_message2 "$doing UPnP" unless $announced;

-    $list = find_interfaces_by_option 'upnpclient';
+	    for $interface ( @$list ) {
+		my $chainref = $filter_table->{input_option_chain $interface};
+		my $base     = uc var_base get_physical $interface;
+		my $optional = interface_is_optional( $interface );
+		my $variable = get_interface_gateway( $interface, ! $optional );
+		my $origin   = get_interface_origin( $interface );

-    if ( @$list ) {
-	progress_message2 "$doing UPnP" unless $announced;
-
-	for $interface ( @$list ) {
-	    my $chainref = $filter_table->{input_option_chain $interface};
-	    my $base     = uc var_base get_physical $interface;
-	    my $optional = interface_is_optional( $interface );
-	    my $variable = get_interface_gateway( $interface, ! $optional );
-	    my $origin   = get_interface_origin( $interface );
-
-	    if ( $optional ) {
-		add_commands( $chainref,
-			      qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
-		incr_cmd_level( $chainref );
-		add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
-		decr_cmd_level( $chainref );
-		add_commands( $chainref, 'fi' );
-	    } else {
-		add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+		if ( $optional ) {
+		    add_commands( $chainref,
+				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
+		    incr_cmd_level( $chainref );
+		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+		    decr_cmd_level( $chainref );
+		    add_commands( $chainref, 'fi' );
+		} else {
+		    add_ijump_extended( $chainref, j => 'ACCEPT', $origin, imatch_source_dev( $interface ), s => $variable, p => 'udp' );
+		}
 	    }
 	}
    }
@@ -1296,7 +1297,7 @@ sub setup_mac_lists( $ ) {
 	$maclist_interfaces{ $hostref->[0] } = 1;
    }

-    my @maclist_interfaces = ( keys %maclist_interfaces );
+    my @maclist_interfaces = ( sort keys %maclist_interfaces );

    if ( $phase == 1 ) {

@@ -1453,6 +1454,8 @@ sub setup_mac_lists( $ ) {
 		}
 	    }

+	    run_user_exit2( 'maclog', $chainref );
+
 	    log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
 	    add_ijump $chainref, j => $target;
 	}
@@ -1617,7 +1620,7 @@ sub handle_loopback_traffic() {
 	    # Handle conntrack rules
 	    #
 	    if ( $notrackref->{referenced} ) {
-		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;

@@ -1638,8 +1641,8 @@ sub handle_loopback_traffic() {
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};

-	    for my $typeref ( values %{$source_hosts_ref} ) {
-		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
+	    for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
+		for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);

 		    for my $net ( @{$hostref->{hosts}} ) {
@@ -1661,7 +1664,7 @@ sub add_interface_jumps {
    our %input_jump_added;
    our %output_jump_added;
    our %forward_jump_added;
-    my @interfaces = grep $_ ne '%vserver%', @_;
+    my @interfaces = sort grep $_ ne '%vserver%', @_;
    my $dummy;
    my $lo_jump_added = interface_zone( loopback_interface ) && ! get_interface_option( loopback_interface, 'destonly' );
    #
@@ -1678,6 +1681,12 @@ sub add_interface_jumps {
 	addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );

+	if ( have_capability 'RAWPOST_TABLE' ) {
+	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
+	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
+	    insert_ijump ( $raw_table->{OUTPUT},          j => output_chain( $interface ),      0, imatch_dest_dev( $interface) )   if $raw_table->{output_chain $interface};
+	}
+
 	add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
    }
    #
@@ -1775,7 +1784,7 @@ sub handle_complex_zone( $$ ) {
 	my $type       = $zoneref->{type};
 	my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};

-	for my $interface ( keys %$source_ref ) {
+	for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
 	    my $sourcechainref = $filter_table->{forward_chain $interface};
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
@@ -2287,9 +2296,9 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( keys %$source_hosts_ref ) {
+	for my $type ( sort keys %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
-	    for my $interface ( keys %$typeref ) {
+	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
@@ -2374,9 +2383,9 @@ sub generate_matrix() {

 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT

-		for my $type ( keys %{$zone1ref->{hosts}} ) {
+		for my $type ( sort keys %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
-		    for my $interface ( keys %$typeref ) {
+		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
@@ -2448,7 +2457,7 @@ sub setup_mss( ) {
    my $clampmss = $config{CLAMPMSS};
    my $option;
    my @match;
-    my $chainref = $mangle_table->{FORWARD};
+    my $chainref = $filter_table->{FORWARD};

    if ( $clampmss ) {
 	if ( "\L$clampmss" eq 'yes' ) {
@@ -2554,6 +2563,9 @@ EOF
 	        reload)
 	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
+	        refresh)
+	            mylogger kern.err "ERROR:$g_product refresh failed"
+	            ;;
                enable)
                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
@@ -2643,6 +2655,7 @@ EOF

        rm -f ${VARDIR}/proxyarp
    fi
+
 EOF
    } else {
 	emit <<'EOF';
@@ -2656,6 +2669,7 @@ EOF

        rm -f ${VARDIR}/proxyndp
    fi
+
 EOF
    }

--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -37,7 +37,7 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule convert_masq @addresses_to_add %addresses_to_add ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();

 Exporter::export_ok_tags('rules');
@@ -587,11 +587,11 @@ EOF
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
-    my $have_masq_rules;
-
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );

+	my $have_masq_rules;
+
 	directive_callback(
 	    sub ()
 	    {
@@ -647,8 +647,6 @@ sub convert_masq() {

 	close $snat, directive_callback( 0 );
    }
-
-    $have_masq_rules;
 }

 #
@@ -792,39 +790,88 @@ sub setup_netmap() {

 		my @rule = do_iproto( $proto, $dport, $sport );

-		my @rulein;
-		my @ruleout;
+		unless ( $type =~ /:/ ) {
+		    my @rulein;
+		    my @ruleout;

-		$net1 = validate_net $net1, 0;
-		$net2 = validate_net $net2, 0;
+		    $net1 = validate_net $net1, 0;
+		    $net2 = validate_net $net2, 0;

-		if ( $interfaceref->{root} ) {
-		    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
-		} else {
-		    @rulein  = imatch_source_dev( $interface );
-		    @ruleout = imatch_dest_dev( $interface );
-		    $interface = $interfaceref->{name};
-		}
+		    if ( $interfaceref->{root} ) {
+			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+		    } else {
+			@rulein  = imatch_source_dev( $interface );
+			@ruleout = imatch_dest_dev( $interface );
+			$interface = $interfaceref->{name};
+		    }

-		require_capability 'NETMAP_TARGET', 'Stateful Netmap Entries', '';
+		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';

-		if ( $type eq 'DNAT' ) {
-		    dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
-				      j => 'NETMAP' ,
-				      "--to $net2",
-				      $net1 ,
-				      @rulein  ,
-				      imatch_source_net( $net3 ) );
-		} elsif ( $type eq 'SNAT' ) {
-		    source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
-				       j => 'NETMAP' ,
-				       "--to $net2" ,
-				       $net1 ,
-				       @ruleout ,
-				       imatch_dest_net( $net3 ) );
+		    if ( $type eq 'DNAT' ) {
+			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
+					  j => 'NETMAP' ,
+					  "--to $net2",
+					  $net1 ,
+					  @rulein  ,
+					  imatch_source_net( $net3 ) );
+		    } elsif ( $type eq 'SNAT' ) {
+			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+					   j => 'NETMAP' ,
+					   "--to $net2" ,
+					   $net1 ,
+					   @ruleout ,
+					   imatch_dest_net( $net3 ) );
+		    } else {
+			fatal_error "Invalid type ($type)";
+		    }
+		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
+		    my ( $target , $chain ) = ( $1, $2 );
+		    my $table = 'raw';
+		    my @match;
+
+		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
+
+		    $net2 = validate_net $net2, 0;
+
+		    unless ( $interfaceref->{root} ) {
+			@match = imatch_dest_dev(  $interface );
+			$interface = $interfaceref->{name};
+		    }
+
+		    if ( $chain eq 'P' ) {
+			$chain = prerouting_chain $interface;
+			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
+		    } elsif ( $chain eq 'O' ) {
+			$chain = output_chain $interface;
+		    } else {
+			$chain = postrouting_chain $interface;
+			$table = 'rawpost';
+		    }
+
+		    my $chainref = ensure_chain( $table, $chain );
+
+
+		    if ( $target eq 'DNAT' ) {
+			dest_iexclusion( $chainref ,
+					 j => 'RAWDNAT' ,
+					 "--to-dest $net2" ,
+					 $net1 ,
+					 imatch_source_net( $net3 ) ,
+					 @rule ,
+					 @match
+				       );
+		    } else {
+			source_iexclusion( $chainref ,
+					   j  => 'RAWSNAT' ,
+					   "--to-source $net2" ,
+					   $net1 ,
+					   imatch_dest_net( $net3 ) ,
+					   @rule ,
+					   @match );
+		    }
 		} else {
 		    fatal_error 'TYPE must be specified' if $type eq '-';
-		    fatal_error "Invalid type ($type)";
+		    fatal_error "Invalid TYPE ($type)";
 		}

 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
@@ -943,17 +990,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-
-	    my @servers;
-
-	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
-		$server = record_runtime_address( $1, $2 );
-		$server =~ s/ $//;
-		@servers = ( $server );
-	    } else {
-		@servers = validate_address $server, 1;
-	    }
-
+	    my @servers = validate_address $server, 1;
 	    $server = join ',', @servers;
 	}

--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -64,8 +64,6 @@ our @load_interfaces;

 our $balancing;
 our $fallback;
-our $balanced_providers;
-our $fallback_providers;
 our $metrics;
 our $first_default_route;
 our $first_fallback_route;
@@ -101,8 +99,6 @@ sub initialize( $ ) {
    %provider_interfaces    = ();
    @load_interfaces        = ();
    $balancing              = 0;
-    $balanced_providers     = 0;
-    $fallback_providers     = 0;
    $fallback               = 0;
    $metrics                = 0;
    $first_default_route    = 1;
@@ -125,7 +121,7 @@ sub initialize( $ ) {
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask   = in_hex( $globals{PROVIDER_MASK} );
+    my $mask = in_hex( $globals{PROVIDER_MASK} );
    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';

    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
@@ -161,15 +157,6 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref,  $origin, i => $physical,     mark => "--mark 0/$mask";
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark  $mark/$mask";
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
-
-		if ( have_ipsec ) {
-		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
-			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
-		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
-			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
-		    }
-		}
-
 		$marked_interfaces{$interface} = 1;
 	    }

@@ -336,24 +323,18 @@ sub balance_default_route( $$$$ ) {
    emit '';

    if ( $first_default_route ) {
-	if ( $balanced_providers == 1 ) {
-	    if ( $gateway ) {
-		emit qq(DEFAULT_ROUTE="via $gateway dev $interface $realm");
-	    } else {
-		emit qq(DEFAULT_ROUTE="dev $interface $realm");
-	    }
-	} elsif ( $gateway ) {
-	    emit qq(DEFAULT_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
+	if ( $gateway ) {
+	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(DEFAULT_ROUTE="nexthop dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}

 	$first_default_route = 0;
    } else {
 	if ( $gateway ) {
-	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm\"";
 	}
    }
 }
@@ -366,24 +347,18 @@ sub balance_fallback_route( $$$$ ) {
    emit '';

    if ( $first_fallback_route ) {
-	if ( $fallback_providers == 1 ) {
-	    if ( $gateway ) {
-		emit qq(FALLBACK_ROUTE="via $gateway dev $interface $realm");
-	    } else {
-		emit qq(FALLBACK_ROUTE="dev $interface $realm");
-	    }
-	} elsif ( $gateway ) {
-	    emit qq(FALLBACK_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
+	if ( $gateway ) {
+	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(FALLBACK_ROUTE="nexthop dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}

 	$first_fallback_route = 0;
    } else {
 	if ( $gateway ) {
-	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm\"";
 	}
    }
 }
@@ -511,7 +486,7 @@ sub process_a_provider( $ ) {

    if ( ( $gw = lc $gateway ) eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
-	$gateway = get_interface_gateway( $interface, undef, $number );
+	$gateway = get_interface_gateway( $interface, undef, 1 );
 	$gatewaycase = 'detect';
 	set_interface_option( $interface, 'gateway', 'detect' );
    } elsif ( $gw eq 'none' ) {
@@ -521,9 +496,6 @@ sub process_a_provider( $ ) {
 	set_interface_option( $interface, 'gateway', 'none' );
    } elsif ( $gateway && $gateway ne '-' ) {
 	( $gateway, $mac ) = split_host_list( $gateway, 0 );
-
-	$gateway = $1 if $family == F_IPV6 && $gateway =~ /^\[(.+)\]$/;
-
 	validate_address $gateway, 0;

 	if ( defined $mac ) {
@@ -547,11 +519,11 @@ sub process_a_provider( $ ) {
    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );

    if ( $pseudo ) {	
-	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
-	( 0,      0                       , 0 ,        0,        0,                                  1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
+	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
    } else {
-	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
    }

    unless ( $options eq '-' ) {
@@ -614,7 +586,6 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option eq 'nohostroute' ) {
 		$hostroute = 0;
 	    } elsif ( $option eq 'persistent' ) {
-		warning_message "When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option may not work as expected" if $config{RESTORE_DEFAULT_ROUTE};
 		$persistent = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
@@ -622,12 +593,7 @@ sub process_a_provider( $ ) {
 	}
    }

-    if ( $balance ) {
-	fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $default;
-	$balanced_providers++;
-    } elsif ( $default ) {
-	$fallback_providers++;
-    }
+    fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;

    if ( $load ) {
 	fatal_error q(The 'balance=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $balance > 1;
@@ -637,37 +603,19 @@ sub process_a_provider( $ ) {

    fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};

-    unless ( $pseudo ) {
-	if ( $local ) {
-	    fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
-	    fatal_error "'track' not valid with 'local'"           if $track;
-	    fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
-	    fatal_error "'persistent' is not valid with 'local"    if $persistent;
-	} elsif ( $tproxy ) {
-	    fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	    fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
-	    fatal_error "'track' not valid with 'tproxy'"          if $track;
-	    fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
-	    fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
-	    fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
-	    $mark = $globals{TPROXY_MARK};
-	} elsif ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) {
-	    if ( $config{USE_DEFAULT_RT} ) {
-		if ( $rf ) {
-		    fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
-		} else {
-		    fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
-		}
-	    } else {
-		unless ( $balance ) {
-		    if ( $rf ) {
-			fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
-		    } else {
-			fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
-		    }
-		}
-	    }
-	}
+    if ( $local ) {
+	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
+	fatal_error "'track' not valid with 'local'"           if $track;
+	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
+	fatal_error "'persistent' is not valid with 'local"    if $persistent;
+    } elsif ( $tproxy ) {
+	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
+	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
+	fatal_error "'track' not valid with 'tproxy'"          if $track;
+	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
+	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
+	fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
+	$mark = $globals{TPROXY_MARK};
    }

    my $val = 0;
@@ -701,6 +649,7 @@ sub process_a_provider( $ ) {
 	    
 	    $pref = 10000 + $number - 1;
 	}
+
    }

    unless ( $loose || $pseudo ) {
@@ -859,7 +808,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route replace default dev $physical table $id";
+		emit "run_ip route add default dev $physical table $id";
 	    }
 	}

@@ -875,8 +824,8 @@ sub add_a_provider( $$ ) {
 		emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    }

-	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
-	    emit( qq(echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
+	    emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
+	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}

 	if ( ! $noautosrc ) {
@@ -885,25 +834,24 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( '',
-			"find_interface_addresses $physical | while read address; do",
-			"    qt \$IP -$family rule del from \$address",
-			"    run_ip rule add from \$address pref 20000 table $id",
+		emit  ( "find_interface_addresses $physical | while read address; do" );
+		emit  ( "    qt \$IP -$family rule del from \$address" );
+		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
 			'done'
 		      );
 	    }
-	}

-	if ( @{$providerref->{persistent_routes}} ) {
-	    emit '';
-	    emit $_ for @{$providers{$table}->{persistent_routes}};
-	}
+	    if ( @{$providerref->{persistent_routes}} ) {
+		emit '';
+		emit $_ for @{$providers{$table}->{persistent_routes}};
+	    }

-	if ( @{$providerref->{persistent_rules}} ) {
-	    emit '';
-	    emit $_ for @{$providers{$table}->{persistent_rules}};
+	    if ( @{$providerref->{persistent_rules}} ) {
+		emit '';
+		emit $_ for @{$providers{$table}->{persistent_rules}};
+	    }
 	}

 	pop_indent;
@@ -911,6 +859,7 @@ sub add_a_provider( $$ ) {
 	emit( qq(fi\n),
 	      qq(echo 1 > \${VARDIR}/${physical}_disabled) );

+
 	pop_indent;

 	emit( "}\n" );
@@ -936,7 +885,7 @@ sub add_a_provider( $$ ) {
 	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route replace default dev $physical table $id";
+		emit "run_ip route add default dev $physical table $id";
 	    }
 	}
    }
@@ -968,7 +917,7 @@ CEOF
 	my $hexmark = in_hex( $mark );
 	my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';

-	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $persistent || $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};

 	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
 	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
@@ -997,7 +946,7 @@ CEOF
 	    emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
 	}

-	emit "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm";
+	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
    }

    if ( $balance ) {
@@ -1009,16 +958,14 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
-	    emit qq(run_ip route replace default via $gateway src $address dev $physical table $id metric $number);
+	    emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
-	    emit qq(run_ip route replace default table $id dev $physical metric $number);
+	    emit qq(run_ip route add default table $id dev $physical metric $number);
 	    emit qq(echo "\$IP -$family route del default dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	}

-	emit( 'g_fallback=Yes' ) if $persistent;
-
 	$metrics = 1;
    }

@@ -1040,13 +987,12 @@ CEOF
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
 		if ( $persistent ) {
-		    emit( qq(if ! egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),
-			  qq(    qt \$IP -$family rule del from $address pref 20000),
+		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
 			  qq(    run_ip rule add from $address pref 20000 table $id),
 			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
 			  qq(fi) );
 		} else {
-		    emit  "qt \$IP -$family rule del from $address" if $persistent || $config{DELETE_THEN_ADD};
+		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 		}
@@ -1103,21 +1049,7 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}

-	emit( qq(rm -f \${VARDIR}/${physical}_disabled),
-	      $pseudo ? "run_enabled_exit ${physical} ${interface}" : "run_enabled_exit ${physical} ${interface} ${table}"
-	    );
-
-	if ( ! $pseudo && $config{USE_DEFAULT_RT} && $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit  ( '#',
-		    '# We now have a viable default route in the \'default\' table so delete any default routes in the main table',
-		    '#',
-		    'while qt \$IP -$family route del default table ' . MAIN_TABLE . '; do',
-		    '    true',
-		    'done',
-		    ''
-		);
-	}
-
+	emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
 	emit_started_message( '', 2, $pseudo, $table, $number );

 	if ( get_interface_option( $interface, 'used_address_variable' ) || get_interface_option( $interface, 'used_gateway_variable' ) ) {
@@ -1251,7 +1183,7 @@ CEOF
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    echo 1 > \${VARDIR}/${physical}_disabled",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1262,14 +1194,12 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}

-	emit( "echo 1 > \${VARDIR}/${physical}.status",
-	      $pseudo ? "run_disabled_exit ${physical} ${interface}" : "run_disabled_exit ${physical} ${interface} ${table}"
-	    );
+	emit( "echo 1 > \${VARDIR}/${physical}.status" );

 	if ( $pseudo ) {
-	    emit( "progress_message2 \"Optional Interface $table stopped\"" );
+	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
 	} else {
-	    emit( "progress_message2 \"Provider $table ($number) stopped\"" );
+	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
 	}

 	pop_indent;
@@ -1370,7 +1300,7 @@ sub add_an_rtrule1( $$$$$ ) {

    $priority = "pref $priority";

-    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $persistent || $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";

    if ( $persistent ) {
@@ -1468,22 +1398,22 @@ sub add_a_route( ) {

    if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
-	    push @$routes,            qq(run_ip route replace $dest via $gateway dev $physical table $id);
-	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway dev $physical table $id) if $persistent;
+	    push @$routes,            qq(run_ip route add $dest via $gateway dev $physical table $id);
+	    push @$persistent_routes, qq(run_ip route add $dest via $gateway dev $physical table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} elsif ( $null ) {
-	    push @$routes,            qq(run_ip route replace $null $dest table $id);
-	    push @$persistent_routes, qq(run_ip route replace $null $dest table $id) if $persistent;
+	    push @$routes,            qq(run_ip route add $null $dest table $id);
+	    push @$persistent_routes, qq(run_ip route add $null $dest table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $null $dest table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
-	    push @$routes,            qq(run_ip route replace $dest via $gateway table $id);
-	    push @$persistent_routes, qq(run_ip route replace $dest via $gateway table $id) if $persistent;
+	    push @$routes,            qq(run_ip route add $dest via $gateway table $id);
+	    push @$persistent_routes, qq(run_ip route add $dest via $gateway table $id) if $persistent;
 	    push @$routes,             q(echo "$IP ) . qq(-$family route del $dest via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	}
    } else {
 	fatal_error "You must specify a device for this route" unless $physical;
-	push @$routes,            qq(run_ip route replace $dest dev $physical table $id);
-	push @$persistent_routes, qq(run_ip route replace $dest dev $physical table $id) if $persistent;
+	push @$routes,            qq(run_ip route add $dest dev $physical table $id);
+	push @$persistent_routes, qq(run_ip route add $dest dev $physical table $id) if $persistent;
 	push @$routes,             q(echo "$IP ) . qq(-$family route del $dest dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
    }

@@ -1585,17 +1515,16 @@ sub finish_providers() {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        while qt \$IP -6 route delete default table $table; do true; done",
-		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
-		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
 		    '    fi',
 		    '' );
 	}

 	if ( $config{USE_DEFAULT_RT} ) {
-	    emit  ( '',
-		    "    while qt \$IP -$family route del default table $main; do",
+	    emit  ( "    while qt \$IP -$family route del default table $main; do",
 		    '        true',
 		    '    done',
 		    ''
@@ -1607,7 +1536,7 @@ sub finish_providers() {
 		'    error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );

 	if ( $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit qq(    [ -z "\${FALLBACK_ROUTE}\${g_fallback}" ] && restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
+	    emit qq(    restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
@@ -1634,7 +1563,7 @@ sub finish_providers() {
 	}

 	emit ( '#',
-	       '# Delete any default routes with metric 0 in the \'balance\' table',
+	       '# Delete any routes in the \'balance\' table',
 	       '#',
 	       "while qt \$IP -$family route del default table $balance; do",
 	       '    true',
@@ -1649,7 +1578,7 @@ sub finish_providers() {
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    while qt \$IP -6 route delete default table $default; do true; done" );
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}

@@ -1662,10 +1591,7 @@ sub finish_providers() {
 	      'fi',
 	      '' );
    } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( '#',
-	      '# No balanced fallback routes - delete any routes with metric 0 from the \'default\' table',
-	      '#',
-	      "delete_default_routes $default",
+	emit( "delete_default_routes $default",
 	      ''
 	    );
    }
@@ -1710,7 +1636,7 @@ sub process_providers( $ ) {
    }

    if ( $providers ) {
-	fatal_error q(Either all 'fallback' providers must specify a weight or none of them can specify a weight) if $fallback && $metrics;
+	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;

 	my $fn = open_file( 'route_rules' );

@@ -1741,7 +1667,7 @@ sub process_providers( $ ) {

    add_a_provider( $providers{$_}, $tcdevices ) for @providers;

-    emithd << 'EOF';;
+    emit << 'EOF';;

 #
 # Enable an optional provider
@@ -1787,11 +1713,12 @@ EOF
    pop_indent;
    pop_indent;

-    emithd << 'EOF';;
+    emit << 'EOF';;
        *)
            startup_error "$g_interface is not an optional provider or interface"
            ;;
    esac
+
 }

 #
@@ -1854,7 +1781,7 @@ sub map_provider_to_interface() {

    my $haveoptional;

-    for my $providerref ( values %providers ) {
+    for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
 	if ( $providerref->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
@@ -1895,19 +1822,20 @@ sub setup_providers() {

 	start_providers;

-	setup_null_routing, emit '' if $config{NULL_ROUTE_RFC1918};
+	setup_null_routing if $config{NULL_ROUTE_RFC1918};

-	if ( @providers ) {
-	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	    emit '';
-	}
+	emit '';
+
+	emit "start_$providers{$_}->{what}_$_" for @providers;
+
+	emit '';

 	finish_providers;

 	emit "\nrun_ip route flush cache";

 	pop_indent;
-	emit 'fi';
+	emit "fi\n";

 	setup_route_marking if @routemarked_interfaces || @load_interfaces;
    } else {
@@ -1918,10 +1846,9 @@ sub setup_providers() {
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	    emit '';
 	}

-	emit "undo_routing";
+	emit "\nundo_routing";
 	emit "restore_default_route $config{USE_DEFAULT_RT}";

 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
@@ -1946,8 +1873,9 @@ sub setup_providers() {

 	pop_indent;

-	emit 'fi';
+	emit "fi\n";
    }
+
 }

 #
@@ -2017,7 +1945,7 @@ sub compile_updown() {
    }

    my @nonshared = ( grep $providers{$_}->{optional},
-		      values %provider_interfaces );
+		      sort( { $providers{$a}->{number} <=> $providers{$b}->{number} } values %provider_interfaces ) );

    if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
@@ -2196,19 +2124,23 @@ sub provider_realm( $ ) {
 }

 #
-# Perform processing related to optional interfaces. Returns true if there are optional interfaces.
-
+# This function is called by the compiler when it is generating the detect_configuration() function.
+# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
+# ..._IS_USABLE interface variables appropriately for the  optional interfaces
 #
-sub handle_optional_interfaces() {
+# Returns true if there were required or optional interfaces
+#
+sub handle_optional_interfaces( $ ) {

    my @interfaces;
    my $wildcards;
+
    #
    # First do the provider interfacess. Those that are real providers will never have wildcard physical
    # names but they might derive from wildcard interface entries. Optional interfaces which do not have
    # wildcard physical names are also included in the providers table.
    #
-    for my $providerref ( grep $_->{optional} , values %providers ) {
+    for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
 	push @interfaces, $providerref->{interface};
 	$wildcards ||= $providerref->{wildcard};
    }
@@ -2226,6 +2158,10 @@ sub handle_optional_interfaces() {

    if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
+	my $gencase     = shift;
+
+	verify_required_interfaces( $gencase );
+	emit '' if $gencase;

 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
@@ -2368,7 +2304,7 @@ sub handle_optional_interfaces() {
 	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
-		  '        start|reload|restore)'
+		  '        start|reload|restore|refresh)'
 		);

 	    if ( $family == F_IPV4 ) {
@@ -2389,6 +2325,8 @@ sub handle_optional_interfaces() {

 	return 1;
    }
+
+    verify_required_interfaces( shift );
 }

 #
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -96,7 +96,6 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
    }

    emit ( "run_ip neigh add proxy $address nud permanent dev $extphy" ,
-	   '' ,
 	   qq(progress_message "   Host $address connected to $interface added to $proto on $extphy"\n) );

    push @proxyarp, "$address $interface $external $haveroute";
@@ -155,7 +154,7 @@ sub setup_proxy_arp() {

 	emit '';

-	for my $interface ( keys %reset ) {
+	for my $interface ( sort keys %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -164,7 +163,7 @@ sub setup_proxy_arp() {
 	    }
 	}

-	for my $interface ( keys %set ) {
+	for my $interface ( sort keys %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -91,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {

    my $disposition = $action;
    my $exception_rule = '';
-
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
    my $level = '';

    if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
@@ -138,14 +138,6 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {

 	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';

-	if ( $proto ne '-' ) {
-	    if ( $proto =~ s/:all$// ) {
-		fatal_error '":all" may only be used with TCP' unless resolve_proto( $proto ) == TCP;
-	    } else {
-		$proto = TCP . ':syn' if $proto !~ /:syn/ && resolve_proto( $proto ) == TCP;
-	    }
-	}
-
 	if ( $option eq 'notrack' ) {
 	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
@@ -207,9 +199,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
    expand_rule( $chainref ,
 		 $restriction ,
 		 '',
-		 do_proto( $proto, $ports, $sports ) . 
-		 do_user ( $user ) . 
-		 do_condition( $switch , $chainref->{name} ),
+		 $rule,
 		 $source ,
 		 $dest ,
 		 '' ,
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -42,7 +42,7 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw( process_tc setup_tc );
-our @EXPORT_OK = qw( initialize );
+our @EXPORT_OK = qw( process_tc_rule initialize );
 our $VERSION = 'MODULEVERSION';

 our %flow_keys = ( 'src'            => 1,
@@ -225,11 +225,11 @@ sub handle_in_bandwidth( $$$ ) {
    if ( have_capability 'BASIC_FILTER' ) {
 	if ( $in_rate ) {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
-		  "    police mpu 64 rate ${in_rate}kbit burst $in_burst drop\n" );
+		  "    police mpu 64 drop rate ${in_rate}kbit burst $in_burst\n" );
 	} else {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
 		  "    estimator $in_interval $in_decay basic \\",
-		  "    police avrate ${in_avrate}kbit drop\n" );
+		  "    police drop avrate ${in_avrate}kbit\n" );
 	}
    } else {
 	emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,
@@ -1434,7 +1434,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {

 	    while ( @sportlist ) {
 		my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
-		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask 0x$smask eq 0x$sport \\)";
+		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask $smask eq 0x$sport \\)";
 		$rule .= ' or' if @sportlist;
 	    }

@@ -1924,7 +1924,7 @@ sub process_traffic_shaping() {

 			my ( $options, $redopts ) = ( '', $tcref->{redopts} );

-			for my $option ( keys %validredoptions ) {
+			for my $option ( sort keys %validredoptions ) {
 			    my $type = $validredoptions{$option};

 			    if ( my $value = $redopts->{$option} ) {
@@ -1943,7 +1943,7 @@ sub process_traffic_shaping() {

 			my ( $options, $codelopts ) = ( '', $tcref->{codelopts} );

-			for my $option ( keys %validcodeloptions ) {
+			for my $option ( sort keys %validcodeloptions ) {
 			    my $type = $validcodeloptions{$option};

 			    if ( my $value = $codelopts->{$option} ) {
@@ -2277,10 +2277,9 @@ sub open_mangle_for_output( $ ) {
 	#
 	transfer_permissions( $fn, $fn1 );

-	if ( $family == F_IPV4 ) {
-	    print $mangle <<'EOF';
+	print $mangle <<'EOF';
 #
-# Shorewall -- /etc/shorewall/mangle
+# Shorewall version 4 - Mangle File
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
@@ -2290,32 +2289,13 @@ sub open_mangle_for_output( $ ) {
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##############################################################################################################################################################
-#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
+####################################################################################################################################################
+#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
+#                                                       PORT(S) PORT(S)
 EOF
-	} else {
-	    print $mangle <<'EOF';
-#
-# Shorewall6 -- /etc/shorewall6/mangle
-#
-# For information about entries in this file, type "man shorewall6-mangle"
-#
-# See http://shorewall.net/traffic_shaping.htm for additional information.
-# For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
-#
-# See http://shorewall.net/PacketMarking.html for a detailed description of
-# the Netfilter/Shorewall packet marking mechanism.
-#
-######################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP	SWITCH
-EOF
-
-	}
    }

    return ( $mangle, $fn1 );
-
 }

 #
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tunnels.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
@@ -85,8 +85,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_rules_chain( ${zone}, ${fw} );
-		$outchainref = ensure_rules_chain( ${fw}, ${zone} );
+		$inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
+		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );

 		unless ( have_ipsec ) {
 		    add_tunnel_rule $inchainref,  p => 50, @$source;
@@ -250,8 +250,8 @@ sub setup_tunnels() {

 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );

-	my $inchainref  = ensure_rules_chain( ${zone}, ${fw}   );
-	my $outchainref = ensure_rules_chain( ${fw},   ${zone} );
+	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
+	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );

 	$gateways = ALLIP if $gateways eq '-';

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Zones.pm
+# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Zones.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -90,8 +90,9 @@ our @EXPORT = ( qw( NOTHING
 		    interface_is_optional
 		    interface_is_required
 		    find_interfaces_by_option
+		    find_interfaces_by_option1
 		    get_interface_option
-		    get_interface_origin
+                    get_interface_origin
 		    interface_has_option
 		    set_interface_option
 		    interface_zone
@@ -107,37 +108,55 @@ our @EXPORT = ( qw( NOTHING

 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
+
+#
+# IPSEC Option types
+#
+use constant { NOTHING    => 'NOTHING',
+	       NUMERIC    => '0x[\da-fA-F]+|\d+',
+	       NETWORK    => '\d+.\d+.\d+.\d+(\/\d+)?',
+	       IPSECPROTO => 'ah|esp|ipcomp',
+	       IPSECMODE  => 'tunnel|transport'
+	       };
+
+#
+# Option columns
+#
+use constant { IN_OUT     => 1,
+	       IN         => 2,
+	       OUT        => 3 };
+
 #
 # Zone Table.
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
 #     %zones{<zone1> => {name =>       <name>,
-#			 type =>       <zone type>	 FIREWALL, IP, IPSEC, BPORT;
-#			 complex =>    0|1
-#			 super	 =>    0|1
-#			 options =>    { in_out	 => < policy match string >
-#					 in	 => < policy match string >
-#					 out	 => < policy match string >
-#				       }
-#			 parents =>    [ <parents> ]	  Parents, Children and interfaces are listed by name
-#			 children =>   [ <children> ]
-#			 interfaces => { <interfaces1> => 1, ... }
-#			 bridge =>     <bridge>
-#			 hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
-#								   options => { <option1> => <value1>
-#										...
-#									      }
-#								   hosts   => [ <net1> , <net2> , ... ]
-#								   exclusions => [ <net1>, <net2>, ... ]
-#								   origin   => <where defined>
-#								 }
-#						 <interface2> => ...
-#					       }
-#					     ]
-#			}
-#	      <zone2> => ...
-#	    }
+#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#                        complex =>    0|1
+#                        super   =>    0|1
+#                        options =>    { in_out  => < policy match string >
+#                                        in      => < policy match string >
+#                                        out     => < policy match string >
+#                                      }
+#                        parents =>    [ <parents> ]      Parents, Children and interfaces are listed by name
+#                        children =>   [ <children> ]
+#                        interfaces => { <interfaces1> => 1, ... }
+#                        bridge =>     <bridge>
+#                        hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
+#                                                                  options => { <option1> => <value1>
+#                                                                               ...
+#                                                                             }
+#                                                                  hosts   => [ <net1> , <net2> , ... ]
+#                                                                  exclusions => [ <net1>, <net2>, ... ]
+#                                                                  origin   => <where defined>
+#                                                                }
+#                                                <interface2> => ...
+#                                              }
+#                                            ]
+#                       }
+#             <zone2> => ...
+#           }
 #
 #     $firewall_zone names the firewall zone.
 #
@@ -159,27 +178,27 @@ our %reservedName = ( all => 1,
 #
 #     @interfaces lists the interface names in the order that they appear in the interfaces file.
 #
-#     %interfaces { <interface1> => { name	  => <name of interface>
-#				      root	  => <name without trailing '+'>
-#				      options	  => { port => undef|1
-#						     { <option1> } => <val1> ,		#See %validinterfaceoptions
-#						       ...
-#						     }
-#				      zone	  => <zone name>
-#				      multizone	  => undef|1   #More than one zone interfaces through this interface
-#				      nets	  => <number of nets in interface/hosts records referring to this interface>
-#				      bridge	  => <bridge name> # Same as ->{name} if not a bridge port.
-#				      ports	  => <number of port on this bridge>
-#				      ipsec	  => undef|1 # Has an ipsec host group
-#				      broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
-#				      number	  => <ordinal position in the interfaces file>
-#				      physical	  => <physical interface name>
-#				      base	  => <shell variable base representing this interface>
-#				      wildcard	  => undef|1 # Wildcard Name
-#				      zones	  => { zone1 => 1, ... }
-#				      origin	  => <where defined>
-#				    }
-#		  }
+#     %interfaces { <interface1> => { name        => <name of interface>
+#                                     root        => <name without trailing '+'>
+#                                     options     => { port => undef|1
+#                                                    { <option1> } => <val1> ,          #See %validinterfaceoptions
+#                                                      ...
+#                                                    }
+#                                     zone        => <zone name>
+#                                     multizone   => undef|1   #More than one zone interfaces through this interface
+#                                     nets        => <number of nets in interface/hosts records referring to this interface>
+#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
+#                                     ports       => <number of port on this bridge>
+#                                     ipsec       => undef|1 # Has an ipsec host group
+#                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
+#                                     number      => <ordinal position in the interfaces file>
+#                                     physical    => <physical interface name>
+#                                     base        => <shell variable base representing this interface>
+#                                     wildcard    => undef|1 # Wildcard Name
+#                                     zones       => { zone1 => 1, ... }
+#                                     origin      => <where defined>
+#                                   }
+#                 }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
@@ -202,26 +221,6 @@ our $zonemarkincr;
 our $zonemarklimit;
 our $loopback_interface;

-#
-# IPSEC Option types
-#
-use constant { NOTHING    => 'NOTHING',
-	       NUMERIC    => '0x[\da-fA-F]+|\d+',
-	       IPSECPROTO => 'ah|esp|ipcomp',
-	       IPSECMODE  => 'tunnel|transport'
-	     };
-
-sub NETWORK() {
-    $family == F_IPV4 ? '\d+.\d+.\d+.\d+(\/\d+)?' : '(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/d+)?';
-}
-
-#
-# Option columns
-#
-use constant { IN_OUT     => 1,
-	       IN         => 2,
-	       OUT        => 3 };
-
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
@@ -252,17 +251,6 @@ use constant { NO_UPDOWN   => 1,

 our %validinterfaceoptions;

-our %procinterfaceoptions=( accept_ra   => 1,
-			    arp_filter  => 1,
-			    arp_ignore  => 1,
-			    forward     => 1,
-			    logmartians => 1,
-			    proxyarp    => 1,
-			    proxyndp    => 1,
-			    routefilter => 1,
-			    sourceroute => 1,
-			  );
-
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -288,7 +276,19 @@ our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore =

 our %validhostoptions;

-our %validzoneoptions;
+our %validzoneoptions = ( mss            => NUMERIC,
+			  nomark         => NOTHING,
+			  blacklist      => NOTHING,
+			  dynamic_shared => NOTHING,
+			  strict         => NOTHING,
+			  next           => NOTHING,
+			  reqid          => NUMERIC,
+			  spi            => NUMERIC,
+			  proto          => IPSECPROTO,
+			  mode           => IPSECMODE,
+			 "tunnel-src"   => NETWORK,
+			 "tunnel-dst"   => NETWORK,
+		       );

 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
@@ -327,29 +327,15 @@ sub initialize( $$ ) {
    %mapbase = ();
    %mapbase1 = ();
    $baseseq = 0;
-    $minroot = undef;
+    $minroot = 0;
    $loopback_interface = '';

-    %validzoneoptions = ( mss            => NUMERIC,
-			  nomark         => NOTHING,
-			  blacklist      => NOTHING,
-			  dynamic_shared => NOTHING,
-			  strict         => NOTHING,
-			  next           => NOTHING,
-			  reqid          => NUMERIC,
-			  spi            => NUMERIC,
-			  proto          => IPSECPROTO,
-			  mode           => IPSECMODE,
-			 "tunnel-src"   => NETWORK,
-			 "tunnel-dst"   => NETWORK,
-		       );
-
    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
-				  dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
+				  dbl         => ENUM_IF_OPTION,
 				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -373,9 +359,9 @@ sub initialize( $$ ) {
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
-				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST + IF_OPTION_WILDOK,
+				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST,
 				  unmanaged   => SIMPLE_IF_OPTION,
-				  wait        => NUMERIC_IF_OPTION,
+				  wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -400,7 +386,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
-				    dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
+				    dbl         => ENUM_IF_OPTION,
 				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -412,18 +398,16 @@ sub initialize( $$ ) {
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
-				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER + IF_OPTION_WILDOK,
+				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => BINARY_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    forward     => BINARY_IF_OPTION,
-				    physical    => STRING_IF_OPTION + IF_OPTION_HOST + IF_OPTION_WILDOK,
+				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				    unmanaged   => SIMPLE_IF_OPTION,
-				    upnp        => SIMPLE_IF_OPTION,
-				    upnpclient  => SIMPLE_IF_OPTION,
-				    wait        => NUMERIC_IF_OPTION,
+				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -711,40 +695,6 @@ sub haveipseczones() {
    0;
 }

-#
-# Returns 1 if the two interfaces passed are related
-#
-sub interface_match( $$ ) {
-    my ( $piface, $ciface ) = @_;
-
-    return 1 if $piface eq $ciface;
-
-    my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface};
-
-    return 1 if $piface eq $cifaceref->{bridge};
-    return 1 if $ciface eq $pifaceref->{bridge};
-
-    if ( defined $minroot ) {
-	if ( $piface =~ /\+$/ ) {
-	    my $root    = $pifaceref->{root};
-	    my $rlength = length( $root );
-	    while ( length( $ciface ) >= $rlength ) {
-		return 1 if $ciface eq $root;
-		chop $ciface;
-	    }
-	} elsif ( $ciface =~ /\+$/ ) {
-	    my $root    = $cifaceref->{root};
-	    my $rlength = length( $root );
-	    while ( length( $piface ) >= $rlength ) {
-		return 1 if $piface eq $root;
-		chop $piface;
-	    }
-	}
-    }
-
-    0;
-}
-
 #
 # Report about zones.
 #
@@ -763,10 +713,10 @@ sub zone_report()
 	my $printed = 0;

 	if ( $hostref ) {
-	    for my $type ( keys %$hostref ) {
+	    for my $type ( sort keys %$hostref ) {
 		my $interfaceref = $hostref->{$type};

-		for my $interface ( keys %$interfaceref ) {
+		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};

@@ -782,7 +732,7 @@ sub zone_report()
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $iref->{physical}:[$grouplist]";
+				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
 			    }
 			    $printed = 1;
 			}
@@ -791,17 +741,6 @@ sub zone_report()
 	    }
 	}

-      PARENT:
-	for my $p ( @{$zoneref->{parents}} ) {
-	    for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) {
-		for my $ci ( keys( %{$zoneref->{interfaces}} ) ) {
-		    next PARENT if interface_match( $pi, $ci );
-		}
-	    }
-
-	    warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common";
-	}
-
 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
@@ -827,10 +766,10 @@ sub dump_zone_contents() {
 	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};

 	if ( $hostref ) {
-	    for my $type ( keys %$hostref ) {
+	    for my $type ( sort keys %$hostref ) {
 		my $interfaceref = $hostref->{$type};

-		for my $interface ( keys %$interfaceref ) {
+		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};

@@ -1214,16 +1153,15 @@ sub process_interface( $$ ) {
    }

    my $wildcard = 0;
-    my $physwild = 0;
    my $root;

    if ( $interface =~ /\+$/ ) {
-	$wildcard = $physwild = 1; # Default physical name is the logical name
+	$wildcard = 1;
 	$root = substr( $interface, 0, -1 );
 	$roots{$root} = $interface;
 	my $len = length $root;

-	if ( defined $minroot ) {
+	if ( $minroot ) {
 	    $minroot = $len if $minroot > $len;
 	} else {
 	    $minroot = $len;
@@ -1269,6 +1207,8 @@ sub process_interface( $$ ) {
 	my %hostoptions = ( dynamic => 0 );

 	for my $option (split_list1 $options, 'option' ) {
+	    next if $option eq '-';
+
 	    ( $option, my $value ) = split /=/, $option;

 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
@@ -1305,6 +1245,7 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
+		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
@@ -1328,12 +1269,12 @@ sub process_interface( $$ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
+		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
-		$options{logmartians} = 1 if $option eq 'routefilter' && $numval && ! $config{LOG_MARTIANS};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
@@ -1371,7 +1312,7 @@ sub process_interface( $$ ) {
 		    assert(0);
 		}
 	    } elsif ( $type == STRING_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless supplied $value;
+		fatal_error "The '$option' option requires a value" unless defined $value;

 		if ( $option eq 'physical' ) {
 		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
@@ -1379,9 +1320,7 @@ sub process_interface( $$ ) {

 		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );

-		    $physwild = ( $value =~ /\+$/ );
-		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $physwild;
-
+		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
 		    $physical = $value;
 		} else {
 		    assert(0);
@@ -1409,14 +1348,6 @@ sub process_interface( $$ ) {
 	    $options{ignore} = 0;
 	}

-	for my $option ( keys %options ) {
-	    if ( $root ) {
-		warning_message( "The '$option' option is ignored when used with a wildcard physical name" ) if $physwild && $procinterfaceoptions{$option};
-	    } else {
-		warning_message( "The '$option' option is ignored when used with interface name '+'" ) unless $validinterfaceoptions{$option} & IF_OPTION_WILDOK;
-	    }
-	}
-
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
@@ -1475,7 +1406,6 @@ sub process_interface( $$ ) {
 						   zones      => {},
 						   origin     => shortlineinfo( '' ),
 						   wildcard   => $wildcard,
-						   physwild   => $physwild, # Currently unused
 					         };

    $interfaces{$physical} = $interfaceref if $physical ne $interface;
@@ -1634,11 +1564,13 @@ sub known_interface($)

    my $iface = $interface;

-    if ( defined $minroot ) {
+    if ( $minroot ) {
 	#
 	# We have wildcard interfaces -- see if this interface matches one of their roots
 	#
-	while ( length $iface >= $minroot ) {
+	while ( length $iface > $minroot ) {
+	    chop $iface;
+
 	    if ( my $i = $roots{$iface} ) {
 		#
 		# Found one
@@ -1660,8 +1592,6 @@ sub known_interface($)
 		                              };
 		return $interfaceref;
 	    }
-
-	    chop $iface;
 	}
    }

@@ -1875,8 +1805,7 @@ sub find_interfaces_by_option( $;$ ) {
    for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};

-	next unless $interfaceref->{root};                                   # Don't return '+' interface
-	next if $procinterfaceoptions{$option} && $interfaceref->{physwild}; # Ignore /proc options on wildcard interface
+	next unless $interfaceref->{root};

 	my $optionsref = $interfaceref->{options};
 	if ( $nonzero ) {
@@ -1891,6 +1820,35 @@ sub find_interfaces_by_option( $;$ ) {
    \@ints;
 }

+#
+# Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
+#
+# - All entries in %interfaces are searched.
+# - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
+#
+sub find_interfaces_by_option1( $ ) {
+    my $option = $_[0];
+    my @ints = ();
+    my $wild = 0;
+
+    for my $interface ( @interfaces ) {
+	my $interfaceref = $interfaces{$interface};
+
+	next unless defined $interfaceref->{physical};
+
+	my $optionsref = $interfaceref->{options};
+
+	if ( $optionsref && defined $optionsref->{$option} ) {
+	    $wild ||= $interfaceref->{wildcard};
+	    push @ints , $interface
+	}
+    }
+
+    return unless defined wantarray;
+
+    wantarray ? ( \@ints, $wild ) : \@ints;
+}
+
 #
 # Return the value of an option for an interface
 #
@@ -2021,7 +1979,6 @@ sub verify_required_interfaces( $ ) {

 	emit( "esac\n" );

-	$returnvalue = 1;
    }

    $interfaces = find_interfaces_by_option( 'required' );
@@ -2031,7 +1988,7 @@ sub verify_required_interfaces( $ ) {
 	if ( $generate_case ) {
 	    emit( 'case "$COMMAND" in' );
 	    push_indent;
-	    emit( 'start|reload|restore)' );
+	    emit( 'start|reload|restore|refresh)' );
 	    push_indent;
 	}

@@ -2067,7 +2024,7 @@ sub verify_required_interfaces( $ ) {
 	    emit( ';;' );
 	    pop_indent;
 	    pop_indent;
-	    emit( "esac\n" );
+	    emit( 'esac' );
 	}

 	$returnvalue = 1;
@@ -2261,9 +2218,9 @@ sub find_hosts_by_option( $ ) {
    }

    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sort keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec  = $host->{ipsec};
@@ -2291,9 +2248,9 @@ sub find_zone_hosts_by_option( $$ ) {
    my @hosts;

    unless ( $zones{$zone}{type} & FIREWALL ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sort keys %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sort keys %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -32,6 +32,7 @@
 #         --directory=<directory>     # Directory where configuration resides (default is /etc/shorewall)
 #         --timestamp                 # Timestamp all progress messages
 #         --debug                     # Print stack trace on warnings and fatal error.
+#         --refresh=<chainlist>       # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
@@ -39,10 +40,9 @@
 #         --shorewallrc=<path>        # Path to global shorewallrc file.
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
+#         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
-#    If the <filename> is omitted, then a 'check' operation is performed.
-#
 use strict;
 use FindBin;
 use lib "$FindBin::Bin";
@@ -62,6 +62,7 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --timestamp ]
    [ --debug ]
    [ --confess ]
+    [ --refresh=<chainlist> ]
    [ --log=<filename> ]
    [ --log-verbose={-1|0-2} ]
    [ --test ]
@@ -72,6 +73,7 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --shorewallrc=<pathname> ]
    [ --shorewallrc1=<pathname> ]
    [ --config_path=<path-list> ]
+    [ --inline ]
 _EOF_

 exit shift @_;
@@ -86,6 +88,7 @@ my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
 my $confess       = 0;
+my $chains        = ':none:';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;
@@ -97,6 +100,7 @@ my $update        = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
 my $shorewallrc1  = '';
+my $inline        = 0;

 Getopt::Long::Configure ('bundling');

@@ -111,6 +115,8 @@ my $result = GetOptions('h'               => \$help,
 			'timestamp'       => \$timestamp,
 			't'               => \$timestamp,
 		        'debug'           => \$debug,
+			'r=s'             => \$chains,
+			'refresh=s'       => \$chains,
 			'log=s'           => \$log,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
@@ -124,6 +130,7 @@ my $result = GetOptions('h'               => \$help,
 			'annotate'        => \$annotate,
 			'u'               => \$update,
 			'update'          => \$update,
+			'inline'          => \$inline,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -138,6 +145,7 @@ compiler( script          => $ARGV[0] || '',
 	  timestamp       => $timestamp,
 	  debug           => $debug,
 	  export          => $export,
+	  chains          => $chains,
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
@@ -149,4 +157,5 @@ compiler( script          => $ARGV[0] || '',
 	  config_path     => $config_path,
 	  shorewallrc     => $shorewallrc,
 	  shorewallrc1    => $shorewallrc1,
+	  inline          => $inline,
 	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -38,11 +38,12 @@ fi
 #
 . /usr/share/shorewall/shorewallrc

-g_basedir=${SHAREDIR}/shorewall
+g_program=$PRODUCT
+g_sharedir="$SHAREDIR/shorewall"
+g_confdir="$CONFDIR/$PRODUCT"
+g_readrc=1

-. $g_basedir/lib.cli
-
-setup_product_environment
+. $g_sharedir/lib.cli

 CONFIG_PATH="$2"

--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -1,4 +1,4 @@
-#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -32,7 +32,7 @@
 #	    down			Stop an optional interface
 #	    enable			Enable an optional interface
 #	    help			Show command syntax
-#	    reenable			Disable then enable an optional
+#	    reenable			Disable then nable an optional
 #					interface
 #	    refresh			Refresh the firewall
 #	    reload			Reload the firewall
@@ -349,7 +349,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 	case "$default_route" in
 	    *metric*)
 	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes or =Exact. Otherwise, we only replace the one with metric 0
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=
@@ -369,7 +369,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 delete_default_routes() # $1 = table number
 {
    $IP -$g_family route ls table $1 | grep -F default | grep -vF metric | while read route; do
-	qt $IP -$g_family route del $route table $1
+	qt $IP -$g_family route del $route
    done
 } 

@@ -421,7 +421,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 conditionally_flush_conntrack() {

    if [ -n "$g_purge" ]; then
-	if [ -n "$(mywhich conntrack)" ]; then
+	if [ -n $(mywhich conntrack) ]; then
            conntrack -F
 	else
            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
@@ -526,6 +526,13 @@ debug_restore_input() {
 	qt1 $g_tool -t raw -P $chain ACCEPT
    done

+    qt1 $g_tool -t rawpost -F
+    qt1 $g_tool -t rawpost    -X
+
+    for chain in POSTROUTING; do
+	qt1 $g_tool -t rawpost -P $chain ACCEPT
+    done
+
    qt1 $g_tool -t nat    -F
    qt1 $g_tool -t nat    -X

@@ -575,6 +582,9 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
 	    '*'mangle)
 		table=mangle
 		;;
@@ -899,7 +909,7 @@ detect_dynamic_gateway() { # $1 = interface
 #
 # Detect the gateway through an interface
 #
-detect_gateway() # $1 = interface $2 = table number
+detect_gateway() # $1 = interface
 {
    local interface
    interface=$1
@@ -912,8 +922,6 @@ detect_gateway() # $1 = interface $2 = table number
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
-
-    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
@@ -1065,6 +1073,8 @@ clear_firewall() {
    run_iptables -F
    qt $IPTABLES -t raw -F

+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
    if [ -n "$DISABLE_IPV6" ]; then
 	if [ -x $IP6TABLES ]; then
    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
@@ -1373,6 +1383,8 @@ clear_firewall() {
    run_iptables -F
    qt $IP6TABLES -t raw -F

+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
    run_clear_exit

    set_state "Cleared"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	395ea90cd7	Clear the firewall on Debian during systemd stop Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-15 13:01:24 -07:00
Tom Eastep	ce861dd0a3	Correctly handle expansion of option names Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-15 11:47:54 -07:00
Tom Eastep	8fca17a0ef	Correct all+ handling in the policy file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-03-15 11:36:47 -07:00
Tom Eastep	63d7580219	Allow compact IPv6 addresses in IP6TABLES() rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-01-07 16:20:38 -08:00
Tom Eastep	1d1068ac74	Correct splitting of IP(6)TABLES options Signed-off-by: Tom Eastep <teastep@shorewall.net>	2017-01-07 16:20:26 -08:00
Tom Eastep	5bc724c268	Correct handling of safe-restart with SAVE_IPSETS Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-27 16:35:58 -08:00
Tom Eastep	c6fab61c3d	Remove redundent test Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 14:42:20 -08:00
Tom Eastep	03a9b92a14	Use 'ip -s xfrm' to dump the SPD and SAD Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 09:30:49 -08:00
Matt Darfeuille	b3b637d663	shorewall: Correct displaying of shorewall version Add the Product name variable to properly display the product name when the '-v' option is passed to the script. Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 09:30:16 -08:00
Tom Eastep	363679bb4c	Correct merge compatibility change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 09:29:50 -08:00
Tom Eastep	458c26c2d6	Exercise care when merging rules including -m multiport Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-20 09:29:36 -08:00
Tom Eastep	e229849c5b	Correct intra-zone handling in policies Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-12-19 09:12:14 -08:00