Add target files 5.2.4-base

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Update ipsets document
2020-03-24 10:05:34 -07:00 · 2020-03-21 14:37:59 -07:00 · 2020-03-16 11:34:35 -07:00 · 2020-03-15 11:04:20 -07:00 · 2020-03-15 09:02:46 -07:00 · 2020-03-10 14:18:52 -07:00
352 changed files with 4826 additions and 2456 deletions
--- a/Shorewall-core/INSTALL
+++ b/Shorewall-core/INSTALL
@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5

 ---------------------------------------------------------------------------

-Please see http://www.shorewall.net/Install.htm for installation
+Please see http://www.shorewall.org/Install.htm for installation
 instructions.


--- a/Shorewall-core/Shorewall-core-targetname
+++ b/Shorewall-core/Shorewall-core-targetname
@@ -0,0 +1 @@
+5.2.4-Beta1
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -1,10 +1,10 @@
 #!/bin/bash
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
+#     Shorewall Packet Filtering Firewall configuration program - V5.2
 #
 #     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at http://www.shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -109,6 +109,9 @@ if [ -z "$vendor" ]; then
 	    opensuse)
 		vendor=suse
 		;;
+	    alt|basealt|altlinux)
+		vendor=alt
+		;;
 	    *)
 		vendor="$ID"
 		;;
@@ -132,6 +135,8 @@ if [ -z "$vendor" ]; then
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
 		ls -l /sbin/init | fgrep -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
+	    elif [ -f /etc/altlinux-release ] ; then
+		params[HOST]=alt
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
+#     Shorewall Packet Filtering Firewall configuration program - V5.2
 #
 #     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at http://www.shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -74,6 +74,8 @@ unless ( defined $vendor ) {
 	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
 	    my $init = `ls -l /sbin/init`;
 	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
+	} elsif ( $id eq 'alt' || $id eq 'basealt' || $id eq 'altlinux' ) {
+	    $vendor = 'alt';
 	} else {
 	    $vendor = $id;
 	}
@@ -117,6 +119,9 @@ if ( defined $vendor ) {
 	} else {
 	    $rcfilename = 'shorewallrc.debian.sysvinit';
 	}
+    } elsif ( -f '/etc/altlinux-release' ){
+	$vendor = 'alt';
+	$rcfilename = 'shorewallrc.alt';
    } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -172,6 +172,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -180,6 +183,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/slackware-version ] ; then
@@ -238,7 +243,7 @@ case "$HOST" in
    apple)
 	echo "Installing Mac-specific configuration...";
 	;;
-    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
+    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt|alt)
 	;;
    *)
 	fatal_error "Unknown HOST \"$HOST\""
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -2766,7 +2766,7 @@ determine_capabilities() {
 	g_tool=$(mywhich $tool)

 	if [ -z "$g_tool" ]; then
-	    fatal-error "No executable $tool binary can be found on your PATH"
+	    fatal_error "No executable $tool binary can be found on your PATH"
 	fi
    fi

@@ -3775,7 +3775,7 @@ ipcalc_command() {
    elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
-    elif [ $# -eq 0 ]; then
+    elif [ $# -eq 1 ]; then
 	missing_argument
    else
 	too_many_arguments $4
@@ -3864,7 +3864,7 @@ noiptrace_command() {
 verify_firewall_script() {
    if [ ! -f $g_firewall ]; then
 	echo "   ERROR: $g_product is not properly installed" >&2
-	if [ -L $g_firewall ]; then
+	if [ -h $g_firewall ]; then
 	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
@@ -4120,9 +4120,9 @@ start_command() {

 	if [ -x $g_firewall ]; then
 	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
-		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
+		run_it ${VARDIR}/${RESTOREFILE} restore
 	    else
-		run_it $g_firewall $g_debugging start
+		run_it $g_firewall start
 	    fi
 	    rc=$?
 	else
@@ -4256,7 +4256,7 @@ restart_command() {
    [ -n "$g_nolock" ] || mutex_on

    if [ -x $g_firewall ]; then
-	run_it $g_firewall $g_debugging $COMMAND
+	run_it $g_firewall $COMMAND
 	rc=$?
    else
 	error_message "$g_firewall is missing or is not executable"
@@ -4270,7 +4270,7 @@ restart_command() {

 run_command() {
    if [ -x $g_firewall ] ; then
-	run_it $g_firewall $g_debugging $@
+	run_it $g_firewall $@
    else
 	fatal_error "$g_firewall does not exist or is not executable"
    fi
@@ -4287,7 +4287,13 @@ ecko() {
 #
 usage() # $1 = exit status
 {
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "Usage: $(basename $0) [ -T ] [ -D ] [ -N ] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "   -T : Direct the generated script to produce a shell trace to standard error"
+    echo "   -D : Debug iptables commands"
+    echo "   -N : Don't take the master shorewall lock"
+    echo "   -q : Standard Shorewall verbosity control"
+    echo "   -v : Standard Shorewall verbosity control"
+    echo "   -t : Timestamp all messages"
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
@@ -4317,7 +4323,6 @@ usage() # $1 = exit status
 	echo "   iptrace <ip6tables match expression>"
    fi

-    ecko "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
@@ -4415,20 +4420,16 @@ usage() # $1 = exit status
 # here if that lib is loaded below.
 #
 shorewall_cli() {
-    g_debugging=
-
-    if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
-	g_debugging=$1
-	shift
-    fi
-
    g_nolock=
-
+    #
+    # We'll keep this around for a while so we don't break people's started scripts
+    #
    if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
 	g_nolock=nolock
 	shift
    fi

+    g_debugging=
    g_noroutes=
    g_purge=
    g_ipt_options="-nv"
@@ -4456,6 +4457,7 @@ shorewall_cli() {
    g_blacklistipset=
    g_disconnect=
    g_havemutex=
+    g_trace=

    VERBOSE=
    VERBOSITY=1
@@ -4587,6 +4589,17 @@ shorewall_cli() {
 			    finished=1
 			    option=
 			    ;;
+			T*)
+			    g_debugging=trace
+			    option=${option#T}
+			    ;;
+			D*)
+			    g_debugging=debug
+			    option=${option#D}
+			    ;;
+			N*)
+			    g_nolock=nolock
+			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -4639,7 +4652,7 @@ shorewall_cli() {
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
-	    run_it $g_firewall $g_debugging $COMMAND
+	    run_it $g_firewall $COMMAND
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
@@ -4648,7 +4661,7 @@ shorewall_cli() {
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
-	    run_it $g_firewall $g_debugging reset $@
+	    run_it $g_firewall reset $@
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
@@ -4661,7 +4674,7 @@ shorewall_cli() {
 	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it $g_firewall $g_debugging $@
+		run_it $g_firewall $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
@@ -4816,7 +4829,7 @@ shorewall_cli() {
 		    # It isn't a function visible to this script -- try
 		    # the compiled firewall
 		    #
-		    run_it $g_firewall $g_debugging call $@
+		    run_it $g_firewall call $@
 		fi
 	    else
 		missing_argument
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,9 +1,9 @@
 #
 # Shorewall 5.2 -- /usr/share/shorewall/lib.common
 #
-#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -92,18 +92,20 @@ startup_error() # $* = Error Message
 #
 run_it() {
    local script
-    local options
+    local options='-'

    export VARDIR

    script=$1
    shift

-    if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	options="$1 -"
-	shift;
+
+    if [ "$g_debugging" = debug ]; then
+	options='-D'
+    elif [ "$g_debugging" = trace ]; then
+	options='-T'
    else
-	options='-'
+	options='-';
    fi

    [ -n "$g_noroutes" ]   && options=${options}n
@@ -411,7 +413,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
    done

-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+    modules=$(find_file helpers)

    if [ -f $modules -a -n "$moduledirectories" ]; then
 	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
@@ -419,7 +421,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then
 	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir
 	    cp -f $modules ${VARDIR}/.modules
 	fi
    elif [ $savemoduleinfo = Yes ]; then
@@ -501,7 +503,7 @@ ip_network() {

 #
 # The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
+# the popular light-weight Bourne shell derivatives do not support XOR ("^").
 #
 ip_broadcast() {
    local x
@@ -736,8 +738,8 @@ truncate() # $1 = length

 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
-# the first argument. Example "shorewall nolock refresh"
+# /sbin/shorewall program while holding mutual exclusion, you should pass -N as
+# the first argument. Example "shorewall -N refresh"
 #
 # This function uses the lockfile utility from procmail if it exists.
 # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
@@ -751,6 +753,8 @@ mutex_on()
    lockf=${LOCKFILE:=${VARDIR}/lock}
    local lockpid
    local lockd
+    local lockbin
+    local openwrt

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

@@ -760,29 +764,33 @@ mutex_on()

 	[ -d "$lockd" ] || mkdir -p "$lockd"

+	lockbin=$(mywhich lock)
+	[ -n "$lockbin" -a -h "$lockbin" ] && openwrt=Yes
+
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
 	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif [ $lockpid -eq $$ ]; then
-                return 0
-	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    elif [ -z "$openwrt" ]; then
+		if [ $lockpid -eq $$ ]; then
+                    fatal_error "Mutex_on confusion"
+		elif ! qt ps --pid ${lockpid}; then
+		    rm -f ${lockf}
+		    error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+		fi
 	    fi
 	fi

-	if qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	if [ -n "$openwrt" ]; then
+	    lock ${lockf} || fatal_error "Can't lock ${lockf}"
+	    g_havemutex="lock -u ${lockf}"
+	elif qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} || fatal_error "Can't lock ${lockf}"
 	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
-	elif qt mywhich lock; then
-	    lock ${lockf}
-	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
-	    chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -60,7 +60,7 @@ mywhich() {
 remove_file() # $1 = file to remove
 {
    if [ -n "$1" ] ; then
-        if [ -f $1 -o -L $1 ] ; then
+        if [ -f $1 -o -h $1 ] ; then
            rm -f $1
            echo "$1 Removed"
        fi
@@ -84,7 +84,7 @@ remove_file_with_wildcard() # $1 = file with wildcard to remove
            if [ -d $f ] ; then
                rm -rf $f
                echo "$f Removed"
-            elif [ -f $f -o -L $f ] ; then
+            elif [ -f $f -o -h $f ] ; then
                rm -f $f
                echo "$f Removed"
            fi
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -21,9 +21,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg rep="norepeat">options</arg>

      <arg choice="plain"><option>add {</option></arg>
@@ -39,9 +36,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>allow</option></arg>
@@ -52,9 +46,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>blacklist</option></arg>
@@ -67,9 +58,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>call</option></arg>
@@ -106,9 +94,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg
@@ -118,9 +103,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>close</option><arg choice="req">
@@ -159,9 +141,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg rep="norepeat">options</arg>

      <arg choice="plain"><option>delete {</option></arg>
@@ -177,9 +156,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>disable</option></arg>
@@ -191,9 +167,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>drop</option></arg>
@@ -204,8 +177,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>dump</option></arg>
@@ -222,9 +193,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>enable</option></arg>
@@ -236,9 +204,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>export</option></arg>
@@ -252,9 +217,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>forget</option></arg>
@@ -265,8 +227,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>help</option></arg>
@@ -275,8 +235,6 @@
    <cmdsynopsis>
      <command>shorewall[-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg
@@ -286,8 +244,6 @@
    <cmdsynopsis>
      <command>shorewall[-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>ipcalc</option></arg>
@@ -304,8 +260,6 @@
    <cmdsynopsis>
      <command>shorewall[-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>iprange</option></arg>
@@ -317,8 +271,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>iptrace</option></arg>
@@ -330,9 +282,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>logdrop</option></arg>
@@ -343,8 +292,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>logwatch</option></arg>
@@ -357,9 +304,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>logreject</option></arg>
@@ -370,8 +314,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>noiptrace</option></arg>
@@ -394,9 +336,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>reenable</option></arg>
@@ -408,9 +347,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>reject</option></arg>
@@ -421,9 +357,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>reload</option></arg>
@@ -448,10 +381,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>options</arg>
-
      <arg choice="plain"><option>remote-getcaps</option></arg>

      <arg><option>-s</option></arg>
@@ -472,8 +401,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>remote-getrc</option></arg>
@@ -496,8 +423,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>remote-start</option></arg>
@@ -520,8 +445,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>remote-reload</option></arg>
@@ -544,8 +467,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>remote-restart</option></arg>
@@ -568,9 +489,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg
@@ -581,9 +499,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>restart</option></arg>
@@ -608,9 +523,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg
@@ -622,9 +534,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>run</option></arg>
@@ -637,9 +546,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>safe-restart</option></arg>
@@ -656,8 +562,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>safe-start</option></arg>
@@ -674,9 +578,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg
@@ -688,9 +589,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>savesets</option></arg>
@@ -699,8 +597,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -713,8 +609,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -735,8 +629,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -761,8 +653,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -774,8 +664,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -787,8 +675,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -800,8 +686,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -814,8 +698,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -827,8 +709,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -841,8 +721,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -853,8 +731,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="req"><option>show | list | ls </option></arg>
@@ -867,8 +743,7 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>options</arg>

@@ -892,9 +767,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg
@@ -904,8 +776,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><arg
@@ -915,9 +785,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>try</option></arg>
@@ -930,8 +797,6 @@
    <cmdsynopsis>
      <command>shorewall[6]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg choice="plain"><option>update</option></arg>
@@ -956,8 +821,6 @@
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
      <arg>options</arg>

      <arg
@@ -1025,16 +888,7 @@
  <refsect1>
    <title>Options</title>

-    <para>The <option>trace</option> and <option>debug</option> options are
-    used for debugging. See <ulink
-    url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
-
-    <para>The <option>nolock</option> option prevents the command from
-    attempting to acquire the Shorewall lockfile. It is useful if you need to
-    include <command>shorewall</command> commands in
-    <filename>/etc/shorewall/started</filename>.</para>
-
-    <para>Other <replaceable>options</replaceable> are:</para>
+    <para>The <replaceable>options</replaceable> are:</para>

    <variablelist>
      <varlistentry>
@@ -1141,7 +995,7 @@
          setting in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>

          <para>When no <replaceable>verbosity</replaceable> is specified,
          each instance of this option causes 1 to be added to the effective
@@ -1162,7 +1016,7 @@
          setting in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>

          <para>Each instance of this option causes 1 to be subtracted from
          the effective verbosity.</para>
@@ -1176,7 +1030,66 @@
          <para>Causes all progress messages to be timestamped.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>-T</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.4 to replace the earlier
+          <command>trace</command> keyword.. If the command invokes the
+          generated firewall script, the script's execution will be traced to
+          standard error.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-D</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.4 to replace the earlier debug keyword.
+          If the command invokes the generated firewall script, individual
+          invocations of the ip[6]tables utility will be used to configure the
+          ruleset rather than ip[6]tables-restore. This is useful for
+          diagnosing ip[6]tables-restore failures on a *COMMIT command.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
+
+    <note>
+      <para>Prior to Shorewall 5.2.4, the general syntax for a CLI command
+      was:</para>
+
+      <cmdsynopsis>
+        <arg><option>trace|debug</option></arg>
+
+        <arg><option>nolock</option></arg>
+
+        <arg><replaceable>options</replaceable></arg>
+
+        <arg choice="plain"><replaceable>command</replaceable></arg>
+
+        <arg><replaceable>command-options</replaceable></arg>
+
+        <arg><replaceable>command-arguments</replaceable></arg>
+      </cmdsynopsis>
+
+      <para>Examples:</para>
+
+      <programlisting>    shorewall debug -tv2 reload
+    shorewall trace check
+    shorewall nolock enable eth0</programlisting>
+
+      <para>In Shorewall 5.2.4 and later, those commands would be:</para>
+
+      <programlisting>    shorewall -Dtv2 reload
+    shorewall check -D
+    shorewall -N enable eth0</programlisting>
+
+      <para>While not shown in the command synopses at the top of this page,
+      the <option>nolock</option> keyword is still supported in Shorewall
+      5.2.4 and later, but is deprecated in favor of the -<option>N
+      </option>option.</para>
+    </note>
  </refsect1>

  <refsect1>
@@ -1199,7 +1112,7 @@
          defined in the <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))file.
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5))file.
          A <emphasis>host-list</emphasis> is comma-separated list whose
          elements are host or network addresses.<caution>
              <para>The <command>add</command> command is not very robust. If
@@ -1214,11 +1127,12 @@
          <para>Beginning with Shorewall 4.5.9, the <emphasis
          role="bold">dynamic_shared</emphasis> zone option (<ulink
          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),<ulink
-          url="???">shorewall6-zones</ulink>(5)) allows a single ipset to
-          handle entries for multiple interfaces. When that option is
-          specified for a zone, the <command>add</command> command has the
-          alternative syntax in which the <replaceable>zone</replaceable> name
-          precedes the <replaceable>host-list</replaceable>.</para>
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5))
+          allows a single ipset to handle entries for multiple interfaces.
+          When that option is specified for a zone, the <command>add</command>
+          command has the alternative syntax in which the
+          <replaceable>zone</replaceable> name precedes the
+          <replaceable>host-list</replaceable>.</para>
        </listitem>
      </varlistentry>

@@ -1294,7 +1208,7 @@
        <term><emphasis role="bold">check</emphasis> [-<option>e</option>]
        [-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
        [-<option>T</option>] [-<option>i</option>]
-        [<replaceable>directory</replaceable>]</term>
+        [-D][<replaceable>directory</replaceable>]</term>

        <listitem>
          <para>Not available with Shorewall[6]-lite.</para>
@@ -1332,7 +1246,11 @@
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
+
+          <para>The <emphasis role="bold">-D </emphasis>option was added in
+          Shoewall 5.2.4 and causes the compiler to write a large amount of
+          debugging information to standard output.</para>
        </listitem>
      </varlistentry>

@@ -1383,8 +1301,9 @@
      <varlistentry>
        <term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
        [-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
-        [-<option>T</option>] [-<option>i</option>] [<replaceable> directory
-        </replaceable>] [<replaceable> pathname</replaceable> ]</term>
+        [-<option>T</option>] [-<option>i</option>] [-D] [<replaceable>
+        directory </replaceable>] [<replaceable> pathname</replaceable>
+        ]</term>

        <listitem>
          <para>Not available with shorewall[6]-lite.</para>
@@ -1440,7 +1359,11 @@
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
+
+          <para>The <emphasis role="bold">-D </emphasis>option was added in
+          Shoewall 5.2.4 and causes the compiler to write a large amount of
+          debugging information to standard output.</para>
        </listitem>
      </varlistentry>

@@ -1458,7 +1381,7 @@
          defined in the <ulink
          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is comma-separated list whose
          elements are a host or network address.</para>

@@ -1466,7 +1389,7 @@
          role="bold">dynamic_shared</emphasis> zone option (<ulink
          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
          <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5))
          allows a single ipset to handle entries for multiple interfaces.
          When that option is specified for a zone, the
          <command>delete</command> command has the alternative syntax in
@@ -1493,7 +1416,7 @@
          command removes any routes added from <ulink
          url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
          (<ulink
-          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))and
+          url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))and
          any traffic shaping configuration for the interface.</para>
        </listitem>
      </varlistentry>
@@ -1554,7 +1477,7 @@
          adds any route specified in <ulink
          url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
          (<ulink
-          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))
+          url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))
          and installs the interface's traffic shaping configuration, if
          any.</para>
        </listitem>
@@ -1599,7 +1522,7 @@
          given then the file specified by RESTOREFILE in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
          assumed.</para>
        </listitem>
      </varlistentry>
@@ -1684,7 +1607,7 @@
          specified by the BLACKLIST_LOGLEVEL setting in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
          This command requires that the firewall be in the started state and
          that DYNAMIC_BLACKLIST=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf
@@ -1700,16 +1623,16 @@
          <para>Monitors the log file specified by the LOGFILE option in
          <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
-          and produces an audible alarm when new Shorewall messages are
-          logged. The <emphasis role="bold">-m</emphasis> option causes the
-          MAC address of each packet source to be displayed if that
-          information is available. The
-          <replaceable>refresh-interval</replaceable> specifies the time in
-          seconds between screen refreshes. You can enter a negative number by
-          preceding the number with "--" (e.g., <command>shorewall logwatch --
-          -30</command>). In this case, when a packet count changes, you will
-          be prompted to hit any key to resume screen refreshes.</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) and
+          produces an audible alarm when new Shorewall messages are logged.
+          The <emphasis role="bold">-m</emphasis> option causes the MAC
+          address of each packet source to be displayed if that information is
+          available. The <replaceable>refresh-interval</replaceable> specifies
+          the time in seconds between screen refreshes. You can enter a
+          negative number by preceding the number with "--" (e.g.,
+          <command>shorewall logwatch -- -30</command>). In this case, when a
+          packet count changes, you will be prompted to hit any key to resume
+          screen refreshes.</para>
        </listitem>
      </varlistentry>

@@ -1723,7 +1646,7 @@
          specified by the BLACKLIST_LOGLEVEL setting in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
          This command requires that the firewall be in the started state and
          that DYNAMIC_BLACKLIST=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf
@@ -1824,7 +1747,8 @@
        <term><emphasis role="bold">reload </emphasis>[-<option>n</option>]
        [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
        [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
-        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
+        [-<option>C</option>] [-D] [ <replaceable>directory</replaceable>
+        ]</term>

        <listitem>
          <para>This command was re-implemented in Shorewall 5.0.0. The
@@ -1878,17 +1802,21 @@
                INLINE_MATCHES is set to Yes in <ulink
                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))..</para>
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))..</para>

                <para>The <option>-C</option> option was added in Shorewall
                4.6.5 and is only meaningful when AUTOMAKE=Yes in <ulink
                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                If an existing firewall script is used and if that script was
                the one that generated the current running configuration, then
                the running netfilter configuration will be reloaded as is so
                as to preserve the iptables packet and byte counters.</para>
+
+                <para>The <emphasis role="bold">-D </emphasis>option was added
+                in Shoewall 5.2.4 and causes the compiler to write a large
+                amount of debugging information to standard output.</para>
              </listitem>
            </varlistentry>

@@ -2006,7 +1934,7 @@
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5) (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>) is
          assumed. In that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
@@ -2071,8 +1999,9 @@
          Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
+          (<ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
          assumed. In that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
@@ -2104,7 +2033,7 @@
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
        </listitem>
      </varlistentry>

@@ -2144,8 +2073,9 @@
          Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
+          (<ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
          assumed. In that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>
@@ -2177,7 +2107,11 @@
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>The <emphasis role="bold">-D </emphasis>option was added in
+          Shoewall 5.2.4 and causes the compiler to write a large amount of
+          debugging information to standard output.</para>
        </listitem>
      </varlistentry>

@@ -2204,7 +2138,8 @@
        <term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
        [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
        [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
-        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
+        [-<option>C</option>] [-D] [ <replaceable>directory</replaceable>
+        ]</term>

        <listitem>
          <para>Beginning with Shorewall 5.0.0, this command performs a true
@@ -2264,6 +2199,10 @@
                the one that generated the current running configuration, then
                the running netfilter configuration will be reloaded as is so
                as to preserve the iptables packet and byte counters.</para>
+
+                <para>The <emphasis role="bold">-D </emphasis>option was added
+                in Shoewall 5.2.4 and causes the compiler to write a large
+                amount of debugging information to standard output.</para>
              </listitem>
            </varlistentry>

@@ -2304,7 +2243,7 @@
          restored from the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>

          <caution>
            <para>If your iptables ruleset depends on variables that are
@@ -2460,7 +2399,7 @@
          in the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>

          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the iptables packet and byte counters to be saved along with
@@ -2477,7 +2416,7 @@
          the SAVE_IPSETS option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
          (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
          This command may be used to proactively save your ipset contents in
          the event that a system failure occurs prior to issuing a
          <command>stop</command> command.</para>
@@ -2645,7 +2584,7 @@
                accounting counters (<ulink
                url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>
                (5), <ulink
-                url="/manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).</para>
+                url="/manpages/shorewall-accounting.html">shorewall6-accounting</ulink>(5)).</para>
              </listitem>
            </varlistentry>

@@ -2669,7 +2608,7 @@
                file specified by the LOGFILE option in <ulink
                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                The <emphasis role="bold">-m</emphasis> option causes the MAC
                address of each packet source to be displayed if that
                information is available.</para>
@@ -2831,8 +2770,8 @@
        <term><emphasis role="bold">start </emphasis><emphasis role="bold">
        </emphasis>[-<option>n</option>] [-<option>p</option>]
        [-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
-        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
-        <replaceable>directory</replaceable> ]</term>
+        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [-D]
+        [ <replaceable>directory</replaceable> ]</term>

        <listitem>
          <para><variablelist>
@@ -2851,7 +2790,7 @@
                  in <ulink
                  url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                  (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))
                  will be restored if that saved configuration exists and has
                  been modified more recently than the files in
                  /etc/shorewall. When <emphasis role="bold">-f</emphasis> is
@@ -2862,7 +2801,7 @@
                  option was added to <ulink
                  url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                  (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                  When LEGACY_FASTSTART=No, the modification times of files in
                  /etc/shorewall are compared with that of
                  /var/lib/shorewall/firewall (the compiled script that last
@@ -2881,7 +2820,7 @@
                  overriding the AUTOMAKE setting in <ulink
                  url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                  (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                  When both <option>-f</option> and <option>-c</option>are
                  present, the result is determined by the option that appears
                  last.</para>
@@ -2897,7 +2836,7 @@
                  INLINE_MATCHES is set to Yes in <ulink
                  url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
                  (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>

                  <para>The <option>-C</option> option was added in Shorewall
                  4.6.5 and is only meaningful when the <option>-f</option>
@@ -2906,6 +2845,11 @@
                  option was also specified in the <emphasis
                  role="bold">save</emphasis> command, then the packet and
                  byte counters will be restored.</para>
+
+                  <para>The <emphasis role="bold">-D </emphasis>option was
+                  added in Shoewall 5.2.4 and causes the compiler to write a
+                  large amount of debugging information to standard
+                  output.</para>
                </listitem>
              </varlistentry>

@@ -3216,30 +3160,38 @@
  <refsect1>
    <title>FILES</title>

-    <para>/etc/shorewall/</para>
+    <para>/etc/shorewall/*</para>

-    <para>/etc/shorewall6/</para>
+    <para>/etc/shorewall6/*</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

-    <para><ulink
-    url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
+    <simplelist>
+      <member><ulink
+      url="/starting_and_stopping_shorewall.htm">http://www.shorewall.org/starting_and_stopping_shorewall.htm</ulink>
+      - Describes operational aspects of Shorewall.</member>

-    <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
-    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
-    shorewall-ipsets(5), shorewall-logging(), shorewall-maclist(5),
-    shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5),
-    shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall6-proxyndp(5), shorewall-routes(5),
-    shorewall-rtrules(5), shorewall-rtrules(5), shorewall-rules(5),
-    shorewall-secmarks(5), shorewall-snat(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5),
-    shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5),
-    shorewall-zones(5)</para>
+      <member><ulink url="shorewall-files.html">shorewall-files(5)</ulink> -
+      Describes the various configuration files along with features and
+      conventions common to those files.</member>
+
+      <member><ulink url="shorewall-names.html">shorewall-names(5)</ulink> -
+      Describes naming of objects within a Shorewall configuration.</member>
+
+      <member><ulink
+      url="shorewall-addresses.html">shorewall-addresses(5)</ulink> -
+      Describes how to specify addresses within a Shorewall
+      configuration.</member>
+
+      <member><ulink
+      url="shorewall-exclusion.html">shorewall-exclusion(5)</ulink> -
+      Describes how to exclude certain hosts and/or networks from matching a
+      rule.</member>
+
+      <member><ulink url="shorewall-nesting.html">shorewall-nesting(5)</ulink>
+      - Describes how to nest one Shorewall zone inside another.</member>
+    </simplelist>
  </refsect1>
 </refentry>
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -1,11 +1,11 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.1
+#     Shorewall Packet Filtering Firewall Control Program - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at http://www.shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-core/shorewallrc.alt
+++ b/Shorewall-core/shorewallrc.alt
@@ -0,0 +1,25 @@
+#
+# ALT/BaseALT/ALTLinux Shorewall 5.2 rc file
+#
+BUILD=                                  #Default is to detect the build system
+HOST=alt
+PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
+PERLLIBDIR=${SHAREDIR}/perl5            #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                            #Directory where subsystem configurations are installed
+SBINDIR=/sbin                           #Directory where system administration programs are installed
+MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.
+INITDIR=${CONFDIR}/rc.d/init.d          #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
+INITSOURCE=init.alt.sh                  #Name of the distributed file to be installed as the SysV init script
+ANNOTATED=                              #If non-zero, annotated configuration files are installed
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
+SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
+SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
+SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+DEFAULT_PAGER=/usr/bin/less             #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://www.shorewall.net
+#       Shorewall documentation is available at http://www.shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-core/wait4ifup
+++ b/Shorewall-core/wait4ifup
@@ -1,12 +1,12 @@
 #!/bin/sh
 #
-#     Shorewall interface helper utility - V4.2
+#     Shorewall interface helper utility - V5.2
 #
 #     (c) 2007,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file is installed in /usr/share/shorewall/wait4ifup
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at http://www.shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall-init/init.alt.sh
+++ b/Shorewall-init/init.alt.sh
@@ -0,0 +1,150 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 09 91
+# description: Initialize the shorewall firewall at boot time
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop: $local_fs
+# Default-Start: 3 4 5
+# Default-Stop:  0 1 2 6
+# Short-Description: Initialize the shorewall firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.
+### END INIT INFO
+
+# Do not load RH compatibility interface.
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+NAME="Shorewall-init firewall"
+PROG="shorewall-init"
+SHOREWALL="$SBINDIR/$PROG"
+LOGGER="logger -i -t $PROG"
+
+# Get startup options (override default)
+OPTIONS=
+
+LOCKFILE=/var/lock/subsys/shorewall-init
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+	. /etc/sysconfig/shorewall-init
+	if [ -z "$PRODUCTS" ]; then
+		echo "No PRODUCTS configured"
+		exit 6
+	fi
+else
+	echo "/etc/sysconfig/shorewall-init not found"
+	exit 6
+fi
+
+RETVAL=0
+
+# set the STATEDIR variable
+setstatedir() {
+	local statedir
+	if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+		statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+	fi
+
+	[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+
+	if [ -x ${STATEDIR}/firewall ]; then
+		return 0
+	elif [ $PRODUCT = shorewall ]; then
+		${SBINDIR}/shorewall compile
+	elif [ $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/shorewall -6 compile
+	else
+		return 1
+	fi
+}
+
+start() {
+	local PRODUCT
+	local STATEDIR
+
+	printf "Initializing \"Shorewall-based firewalls\": "
+
+	for PRODUCT in $PRODUCTS; do
+		if setstatedir; then
+			$STATEDIR/$PRODUCT/firewall ${OPTIONS} stop 2>&1 | "$LOGGER"
+			RETVAL=$?
+		else
+			RETVAL=6
+			break
+		fi
+	done
+
+	if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+		ipset -R < "$SAVE_IPSETS"
+	fi
+
+	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
+	return $RETVAL
+}
+
+stop() {
+	local PRODUCT
+	local STATEDIR
+
+	printf "Clearing \"Shorewall-based firewalls\": "
+	for PRODUCT in $PRODUCTS; do
+		if setstatedir; then
+			${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | "$LOGGER"
+			RETVAL=$?
+		else
+			RETVAL=6
+			break
+		fi
+	done
+
+	if [ -n "$SAVE_IPSETS" ]; then
+		mkdir -p $(dirname "$SAVE_IPSETS")
+		if ipset -S > "${SAVE_IPSETS}.tmp"; then
+			grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+		else
+			rm -f "${SAVE_IPSETS}.tmp"
+		fi
+	fi
+
+	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start)
+	    start
+	    ;;
+	stop)
+	    stop
+	    ;;
+	restart|reload|condrestart|condreload)
+	    # "Not implemented"
+	    ;;
+	condstop)
+	    if [ -e "$LOCKFILE" ]; then
+		stop
+	    fi
+	    ;;
+	status)
+	    status "$PROG"
+	     RETVAL=$?
+	    ;;
+	*)
+	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|condrestart|condstop|status}"
+	    RETVAL=1
+esac
+
+exit $RETVAL
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -8,7 +8,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -1,5 +1,5 @@
 #!/bin/sh /etc/rc.common
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2016           - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -7,7 +7,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -5,7 +5,7 @@
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -181,6 +181,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -191,6 +194,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/SuSE-release ]; then
@@ -253,6 +258,9 @@ case "$HOST" in
    openwrt)
 	echo "Installing Openwrt-specific configuration..."
 	;;
+    alt)
+	echo "Installing ALT-specific configuration...";
+	;;
    linux)
 	fatal_error "Shorewall-init is not supported on this system"
 	;;
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -1,12 +1,12 @@
 #!/bin/bash
-#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
+#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #	(c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called
 #	/etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #	This program is part of Shorewall.
 #
--- a/Shorewall-lite/Shorewall-lite-targetname
+++ b/Shorewall-lite/Shorewall-lite-targetname
@@ -0,0 +1 @@
+5.2.4-Beta1
--- a/Shorewall-lite/init.alt.sh
+++ b/Shorewall-lite/init.alt.sh
@@ -0,0 +1,117 @@
+#!/bin/sh
+#
+# Shorewall-Lite init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+#
+### BEGIN INIT INFO
+# Provides: shorewall-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: $time $named
+# Required-Stop:
+# Default-Start: 3 4 5
+# Default-Stop:  0 1 2 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Do not load RH compatibility interface.
+WITHOUT_RC_COMPAT=1
+
+# Source function library.
+. /etc/init.d/functions
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+NAME="Shorewall-Lite firewall"
+PROG="shorewall"
+SHOREWALL="$SBINDIR/$PROG -l"
+LOGGER="logger -i -t $PROG"
+
+# Get startup options (override default)
+OPTIONS=
+
+SourceIfNotEmpty $SYSCONFDIR/${PROG}-lite
+
+LOCKFILE="/var/lock/subsys/${PROG}-lite"
+RETVAL=0
+
+start() {
+	action $"Applying $NAME rules:" "$SHOREWALL" "$OPTIONS" start "$STARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
+	return $RETVAL
+}
+
+stop() {
+	action $"Stoping $NAME :" "$SHOREWALL" "$OPTIONS" stop "$STOPOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
+	return $RETVAL
+}
+
+restart() {
+	action $"Restarting $NAME rules: " "$SHOREWALL" "$OPTIONS" restart "$RESTARTOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+reload() {
+	action $"Reloadinging $NAME rules: " "$SHOREWALL" "$OPTIONS" reload "$RELOADOPTIONS" 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+clear() {
+	action $"Clearing $NAME rules: " "$SHOREWALL" "$OPTIONS" clear 2>&1 | "$LOGGER"
+	RETVAL=$?
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start)
+	    start
+	    ;;
+	stop)
+	    stop
+	    ;;
+	restart)
+	    restart
+	    ;;
+	reload)
+	    reload
+	    ;;
+	clear)
+	    clear
+	    ;;
+	condrestart)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condreload)
+	    if [ -e "$LOCKFILE" ]; then
+		restart
+	    fi
+	    ;;
+	condstop)
+	    if [ -e "$LOCKFILE" ]; then
+		stop
+	    fi
+	    ;;
+	status)
+	    "$SHOREWALL" status
+	     RETVAL=$?
+	    ;;
+	*)
+	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|clear|condrestart|condstop|status}"
+	    RETVAL=1
+esac
+
+exit $RETVAL
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -1,13 +1,13 @@
 #!/bin/sh /etc/rc.common
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2015 - Matt Darfeuille - (matdarf@gmail.com)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -1,13 +1,13 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-lite/init.suse.sh
+++ b/Shorewall-lite/init.suse.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -8,7 +8,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -190,6 +190,9 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
+		    alt|basealt|altlinux)
+			BUILD=alt
+			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -198,6 +201,8 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
+	    elif [ -f /etc/altlinux-release ]; then
+		BUILD=alt
 	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f ${CONFDIR}/SuSE-release ]; then
@@ -266,6 +271,9 @@ case "$HOST" in
    openwrt)
 	echo "Installing OpenWRT-specific configuration..."
 	;;
+    alt)
+	echo "Installing ALT-specific configuration...";
+	;;
    linux)
 	;;
    *)
@@ -418,6 +426,11 @@ echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shor
 if [ -f modules ]; then
    install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600
    echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
+
+    for f in modules.*; do
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    done
 fi

 if [ -f helpers ]; then
@@ -425,11 +438,6 @@ if [ -f helpers ]; then
    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi

-for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-done
-
 #
 # Install the Man Pages
 #
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -3,7 +3,7 @@
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall-lite/manpages/shorewall-lite.conf.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.conf.xml
@@ -183,7 +183,7 @@
    <title>See ALSO</title>

    <para><ulink
-    url="http://www.shorewall.net/Documentation_Index.html">http://www.shorewall.net/Documentation_Index.html</ulink></para>
+    url="http://www.shorewall.org/Documentation_Index.html">http://www.shorewall.org/Documentation_Index.html</ulink></para>

    <para>shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
--- a/Shorewall-lite/shorewall-lite.conf
+++ b/Shorewall-lite/shorewall-lite.conf
@@ -8,7 +8,7 @@
 #  "man shorewall-lite.conf"
 #
 #  Manpage also online at
-#  http://www.shorewall.net/manpages/shorewall-lite.conf.html
+#  http://www.shorewall.org/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -151,7 +151,7 @@ fi

 remove_file ${SBINDIR}/$PRODUCT

-if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
    if [ $HOST = openwrt ]; then
 	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
 	    /etc/init.d/$PRODUCT disable
--- a/Shorewall/Actions/action.A_REJECT
+++ b/Shorewall/Actions/action.A_REJECT
@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.A_REJECT!
+++ b/Shorewall/Actions/action.A_REJECT!
@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.Broadcast
+++ b/Shorewall/Actions/action.Broadcast
@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.DNSAmp
+++ b/Shorewall/Actions/action.DNSAmp
@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.Established
+++ b/Shorewall/Actions/action.Established
@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.FIN
+++ b/Shorewall/Actions/action.FIN
@@ -7,7 +7,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -27,7 +27,7 @@
 #                the IP address that are older than <duration> seconds.
 # Disposition  - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see http://www.shorewall.org/Events.html
 #
 ###############################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
@@ -114,8 +114,6 @@ if ( ( $targets{$action} || 0 ) & NATRULE ) {

 if ( $command & $RESET_CMD ) {
    require_capability 'MARK_ANYWHERE', '"reset"', 's';
-
-    print "Resetting....\n";
    
    my $mark = $globals{EVENT_MARK};
    #
--- a/Shorewall/Actions/action.Invalid
+++ b/Shorewall/Actions/action.Invalid
@@ -6,7 +6,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.Limit
+++ b/Shorewall/Actions/action.Limit
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.Multicast
+++ b/Shorewall/Actions/action.Multicast
@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.New
+++ b/Shorewall/Actions/action.New
@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.NotSyn
+++ b/Shorewall/Actions/action.NotSyn
@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.RST
+++ b/Shorewall/Actions/action.RST
@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.Related
+++ b/Shorewall/Actions/action.Related
@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.ResetEvent
+++ b/Shorewall/Actions/action.ResetEvent
@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any rule generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see http://www.shorewall.org/Events.html
 #
 ###############################################################################
 #                        DO NOT REMOVE THE FOLLOWING LINE
--- a/Shorewall/Actions/action.SetEvent
+++ b/Shorewall/Actions/action.SetEvent
@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see http://www.shorewall.org/Events.html
 #

 DEFAULTS -,ACCEPT,src
--- a/Shorewall/Actions/action.Untracked
+++ b/Shorewall/Actions/action.Untracked
@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.allowBcast
+++ b/Shorewall/Actions/action.allowBcast
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.allowInvalid
+++ b/Shorewall/Actions/action.allowInvalid
@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.allowMcast
+++ b/Shorewall/Actions/action.allowMcast
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.allowinUPnP
+++ b/Shorewall/Actions/action.allowinUPnP
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.dropBcast
+++ b/Shorewall/Actions/action.dropBcast
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.dropBcasts
+++ b/Shorewall/Actions/action.dropBcasts
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.dropInvalid
+++ b/Shorewall/Actions/action.dropInvalid
@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.dropMcast
+++ b/Shorewall/Actions/action.dropMcast
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.dropNotSyn
+++ b/Shorewall/Actions/action.dropNotSyn
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.forwardUPnP
+++ b/Shorewall/Actions/action.forwardUPnP
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.mangletemplate
+++ b/Shorewall/Actions/action.mangletemplate
@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
+# Please see http://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/mangle.
--- a/Shorewall/Actions/action.rejNotSyn
+++ b/Shorewall/Actions/action.rejNotSyn
@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/Actions/action.template
+++ b/Shorewall/Actions/action.template
@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
+# Please see http://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/rules.
--- a/Shorewall/Contrib/swping
+++ b/Shorewall/Contrib/swping
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V5.2
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #
@@ -21,7 +21,7 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#  For information about this script, see  http://www.shorewall.net/MultiISP.html#swping.
+#  For information about this script, see  http://www.shorewall.org/MultiISP.html#swping.
 #
 ###########################################################################################
 #
--- a/Shorewall/Contrib/swping.init
+++ b/Shorewall/Contrib/swping.init
@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -7,7 +7,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
--- a/Shorewall/INSTALL
+++ b/Shorewall/INSTALL
@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5

 ---------------------------------------------------------------------------

-Please see http://www.shorewall.net/Install.htm for installation
+Please see http://www.shorewall.org/Install.htm for installation
 instructions.


--- a/Shorewall/Macros/IPFS-swarm
+++ b/Shorewall/Macros/IPFS-swarm
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
+#
+# This macro handles IPFS data traffic (the connection to IPFS swarm).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     4001
--- a/Shorewall/Macros/macro.Bitcoin
+++ b/Shorewall/Macros/macro.Bitcoin
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Bitcoin
+#
+# Macro for handling Bitcoin P2P traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8333
--- a/Shorewall/Macros/macro.BitcoinRPC
+++ b/Shorewall/Macros/macro.BitcoinRPC
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRPC
+#
+# Macro for handling Bitcoin RPC traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	8332
--- a/Shorewall/Macros/macro.BitcoinRegtest
+++ b/Shorewall/Macros/macro.BitcoinRegtest
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRegtest
+#
+# Macro for handling Bitcoin P2P traffic (Regtest mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18444
--- a/Shorewall/Macros/macro.BitcoinTestnet
+++ b/Shorewall/Macros/macro.BitcoinTestnet
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinTestnet
+#
+# Macro for handling Bitcoin P2P traffic (Testnet mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18333
--- a/Shorewall/Macros/macro.BitcoinTestnetRPC
+++ b/Shorewall/Macros/macro.BitcoinTestnetRPC
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinTestnetRPC
+#
+# Macro for handling Bitcoin RPC traffic (Testnet and Regtest mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18332
--- a/Shorewall/Macros/macro.BitcoinZMQ
+++ b/Shorewall/Macros/macro.BitcoinZMQ
@@ -0,0 +1,9 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinZMQ
+#
+# Macro for handling Bitcoin ZMQ traffic
+# See https://github.com/bitcoin/bitcoin/blob/master/doc/zmq.md
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	28332
--- a/Shorewall/Macros/macro.Cockpit
+++ b/Shorewall/Macros/macro.Cockpit
@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Cockpit
+#
+# This macro handles Time protocol (RFC868).
+# Unless you are supporting extremely old hardware or software,
+# you shouldn't be using this.  NTP is a superior alternative.
+#
+#		By Eric Teeter
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	9090
--- a/Shorewall/Macros/macro.ONCRPC
+++ b/Shorewall/Macros/macro.ONCRPC
@@ -0,0 +1,8 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.ONCRPC
+#
+# This macro handles ONC RCP traffic (for rpcbind on Linux, etc).
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp,udp	111
--- a/Shorewall/Macros/macro.Tor
+++ b/Shorewall/Macros/macro.Tor
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.Tor
+#
+# Macro for handling Tor Onion Network traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9001	
--- a/Shorewall/Macros/macro.TorBrowserBundle
+++ b/Shorewall/Macros/macro.TorBrowserBundle
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorBrowserBundle
+#
+# Macro for handling Tor Onion Network traffic provided by Tor Browser Bundle
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9150
--- a/Shorewall/Macros/macro.TorControl
+++ b/Shorewall/Macros/macro.TorControl
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorControl
+#
+# Macro for handling Tor Controller Applications traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9051	
--- a/Shorewall/Macros/macro.TorDirectory
+++ b/Shorewall/Macros/macro.TorDirectory
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorDirectory
+#
+# Macro for handling Tor Directory traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9030
--- a/Shorewall/Macros/macro.TorSocks
+++ b/Shorewall/Macros/macro.TorSocks
@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorSocks
+#
+# Macro for handling Tor Socks Proxy traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9050	
--- a/Shorewall/Macros/macro.WUDO
+++ b/Shorewall/Macros/macro.WUDO
@@ -0,0 +1,9 @@
+
+# Shorewall -- /usr/share/shorewall/macro.WUDO
+#
+# This macro handles WUDO (Windows Update Delivery Optimization)
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	7680
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -5,7 +5,7 @@
 #
 #     (c) 2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -201,6 +201,13 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    my $prerule = '';
    my $rule2 = 0;
    my $jump  = 0;
+    my $raw_matches = get_inline_matches(1);
+
+    if ( $raw_matches =~ s/^\s*+// ) {
+	$prerule = $raw_matches;
+    } else {
+	$rule .= $raw_matches;
+    }

    unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
@@ -242,9 +249,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    $rule .= do_nfacct( $_ );
 		}
 	    }
-	} elsif ( $action eq 'INLINE' ) {
-	    $rule .= get_inline_matches(1);
-	} else {
+	} elsif ( $action ne 'INLINE' ) {
 	    ( $action, my $cmd ) = split /:/, $action;

 	    if ( $cmd ) {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -1,12 +1,12 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.0
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -47,13 +47,13 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';

-our $export;
+our $export;          # True when compiling for export

-our $test;
+our $test;            # True when running regression tests

-our $family;
+our $family;          # IP address family (4 or 6)

-our $have_arptables;
+our $have_arptables;  # True if we have arptables rules

 #
 # Initilize the package-globals in the other modules
@@ -268,8 +268,10 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
+	emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
+	emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' );
    }

    pop_indent;
@@ -379,10 +381,10 @@ sub generate_script_3() {
    save_progress_message 'Initializing...';

    if ( $export || $config{EXPORTMODULES} ) {
-	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );
+	my $fn = find_file( 'helpers' );

 	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && ! $fn =~ "^$globals{SHAREDIR}/" ) ) ) {
-	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
+	    emit 'echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;

--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -162,6 +162,7 @@ our @EXPORT = qw(

 		 have_capability
 		 require_capability
+		 require_mangle_capability
 		 report_used_capabilities
 		 kernel_version

@@ -396,7 +397,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -465,7 +466,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 TPROXY_TARGET   => 'TPROXY Target',
 		 FLOW_FILTER     => 'Flow Classifier',
 		 FWMARK_RT_MASK  => 'fwmark route mask',
-		 MARK_ANYWHERE   => 'Mark in the filter table',
+		 MARK_ANYWHERE   => 'Mark in the filter and nat tables',
 		 HEADER_MATCH    => 'Header Match',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
@@ -523,13 +524,17 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
-
+#
+# Keeps track of which capabilities were used or required - Key is capability name
+#
 our %used;

 use constant {
               USED     => 1,
 	       REQUIRED => 2 };
-
+#
+# Common Protocols
+#
 use constant {
 	       ICMP                => 1,
 	       TCP                 => 6,
@@ -541,7 +546,7 @@ use constant {
 	       UDPLITE             => 136,
 	     };
 #
-# Optimization masks
+# Optimization masks (OPTIMIZE option)
 #
 use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
@@ -550,7 +555,9 @@ use constant {
               OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
 	     };
-
+#
+# Map helpers to protocols
+#
 our %helpers = ( amanda          => UDP,
 		 ftp             => TCP,
 		 irc             => TCP,
@@ -625,7 +632,7 @@ our %config_files = ( #accounting      => 1,
 #
 our @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
 #
-# Directories to search for configuration files
+# Directories to search for configuration files (CONFIG_PATH option)
 #
 our @config_path;
 #
@@ -648,10 +655,12 @@ our %compiler_params;
 # Action parameters
 #
 our %actparams;
-our $parmsmodified;
-our $usedcaller;
-our $inline_matches;
-
+our $parmsmodified;          # True of the current action has modified its parameters
+our $usedcaller;             # True if $CALLER has been acceseed in the current action
+our $inline_matches;         # Inline matches from the current rule
+#
+# File handling
+#
 our $currentline;            # Current config file line image
 our $rawcurrentline;         # Current config file line with no variable expansion
 our $currentfile;            # File handle reference
@@ -669,6 +678,7 @@ our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
+our $ulogcount;              # Used to suppress duplicate warnings about ULOG support
 our $directive_callback;     # Function to call in compiler_directive

 our $shorewall_dir;          # Shorewall Directory; if non-empty, search here first for files.
@@ -722,18 +732,19 @@ our %converted = (
 #
 # Eliminated options
 #
-our %eliminated = ( LOGRATE          => 1,
-		    LOGBURST         => 1,
-		    EXPORTPARAMS     => 1,
-		    LEGACY_FASTSTART => 1,
-		    IPSECFILE        => 1,
-		    WIDE_TC_MARKS    => 1,
-		    HIGH_ROUTE_MARKS => 1,
-		    BLACKLISTNEWONLY => 1,
-		    CHAIN_SCRIPTS    => 1,
-                    MODULE_SUFFIX    => 1,
-                    MAPOLDACTIONS    => 1,
-		    INLINE_MATCHES   => 1,
+our %eliminated = ( LOGRATE	      => 1,
+		    LOGBURST	      => 1,
+		    EXPORTPARAMS      => 1,
+		    LEGACY_FASTSTART  => 1,
+		    IPSECFILE	      => 1,
+		    WIDE_TC_MARKS     => 1,
+		    HIGH_ROUTE_MARKS  => 1,
+		    BLACKLISTNEWONLY  => 1,
+		    CHAIN_SCRIPTS     => 1,
+		    MODULE_SUFFIX     => 1,
+		    MAPOLDACTIONS     => 1,
+		    INLINE_MATCHES    => 1,
+		    LOAD_HELPERS_ONLY => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -747,10 +758,11 @@ our $ifstack;
 #    [0] - Keyword (IF, ELSEIF, ELSE or ENDIF)
 #    [1] - True if the outermost IF evaluated to false
 #    [2] - True if the the last unterminated IF evaluated to false
+#    [3] = The line number of the directive
 #
 # From .shorewallrc
 #
-our ( %shorewallrc, %shorewallrc1 );
+our ( %shorewallrc, %shorewallrc1 ); # Shorewallrc setting from local system and from remote firewall respectively
 #
 # read_a_line options
 #
@@ -793,7 +805,7 @@ sub add_variables( \% );
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$$$) {
+sub initialize($;$$$) {
    ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;

    if ( $family == F_IPV4 ) {
@@ -828,6 +840,7 @@ sub initialize( $;$$$) {
    $comment       = '';
    $sr_comment    = '';
    $warningcount  = 0;
+    $ulogcount     = 0;
    #
    # Misc Globals
    #
@@ -969,7 +982,6 @@ sub initialize( $;$$$) {
 	  OPTIMIZE_ACCOUNTING => undef,
 	  ACCOUNTING_TABLE => undef,
 	  DYNAMIC_BLACKLIST => undef,
-	  LOAD_HELPERS_ONLY => undef,
 	  REQUIRE_INTERFACE => undef,
 	  FORWARD_CLEAR_MARK => undef,
 	  COMPLETE => undef,
@@ -998,6 +1010,7 @@ sub initialize( $;$$$) {
 	  PERL_HASH_SEED => undef ,
 	  USE_NFLOG_SIZE => undef ,
 	  RENAME_COMBINED => undef ,
+	  DOCKER_BRIDGE => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1291,7 +1304,7 @@ sub initialize( $;$$$) {
    $compiletime =~ s/ +/ /g;
 }

-my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
+my @moabbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );

 sub add_ipset( $ ) {
    $ipsets{$_[0]} = 1;
@@ -1391,7 +1404,7 @@ sub info_message

    if ( $log ) {
 	@localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
    }

    if ( $confess ) {
@@ -1419,7 +1432,7 @@ sub warning_message

    if ( $log ) {
 	@localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
    }

    if ( $confess ) {
@@ -1544,7 +1557,7 @@ sub fatal_error	{

    if ( $log ) {
 	our @localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];

 	if ( $confess ) {
 	    print $log longmess( "   ERROR: @_$currentlineinfo\n" );
@@ -1567,6 +1580,9 @@ sub fatal_error	{
    }
 }

+#
+# This one is used for reporting syntax errors in embedded Perl code
+#
 sub fatal_error1 {
    handle_first_entry if $first_entry;

@@ -1574,7 +1590,7 @@ sub fatal_error1 {

    if ( $log ) {
 	our @localtime = localtime;
-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];

 	if ( $debug ) {
 	    print $log longmess( "   ERROR: @_\n" );
@@ -1684,7 +1700,7 @@ sub emit {

    if ( $script || $debug ) {
 	#
-	# 'compile' as opposed to 'check'
+	# 'compile' (as opposed to 'check') or debugging (CLI 'trace' command)
 	#
 	for ( @_ ) {
 	    unless ( /^\s*$/ ) {
@@ -1845,12 +1861,15 @@ sub progress_message {

 	    @localtime = localtime unless $havelocaltime;

-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log "${leading}${line}\n";
 	}
    }
 }

+#
+# This one doesn't compress out superfluous white space
+#
 sub progress_message_nocompress {
    my $havelocaltime = 0;

@@ -1864,7 +1883,7 @@ sub progress_message_nocompress {

 	@localtime = localtime unless $havelocaltime;

-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
    }
 }
@@ -1885,7 +1904,7 @@ sub progress_message2 {

 	@localtime = localtime unless $havelocaltime;

-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
    }
 }
@@ -1906,7 +1925,7 @@ sub progress_message3 {

 	@localtime = localtime unless $havelocaltime;

-	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
    }
 }
@@ -2077,7 +2096,7 @@ sub set_debug( $$ ) {
 #
 sub find_file($)
 {
-    my ( $filename, $nosearch ) = @_;
+    my ( $filename ) = @_;

    return $filename if $filename =~ '/';

@@ -2094,8 +2113,12 @@ sub find_file($)
    "$config_path[0]$filename";
 }

+#
+# Search the CONFIG_PATH for a file that is writable. Ignore directories where sample/default files are installed,
+# because users have a bad habit of including those in the CONFIG_PATH
+#
 sub find_writable_file($) {
-    my ( $filename, $nosearch ) = @_;
+    my ( $filename ) = @_;

    return $filename if $filename =~ '/';

@@ -2117,6 +2140,9 @@ sub supplied( $ ) {
    defined $val && $val ne '';
 }

+#
+# This one is used for determining if an action argument has been passed (excludes '-')
+#
 sub passed( $ ) {
    my $val = shift;

@@ -2135,7 +2161,7 @@ sub split_list( $$;$ ) {
 }

 #
-# This version handles parenthetical list elements with embedded commas. It removes the parentheses
+# This version handles parenthetical list elements containing embedded commas. It removes the parentheses
 #
 sub split_list1( $$;$ ) {
    my ($list, $type, $keepparens ) = @_;
@@ -2519,7 +2545,7 @@ sub split_line2( $$;$$$ ) {
 }

 #
-# Same as above, only it splits the raw current line
+# Same as above, only it splits the raw current line (line prior to variable expansion)
 #
 sub split_rawline2( $$;$$$ ) {
    my $savecurrentline = $currentline;
@@ -2529,6 +2555,10 @@ sub split_rawline2( $$;$$$ ) {
    # Delete trailing comment
    #
    $currentline =~ s/\s*#.*//;
+    #
+    # Convert ${...} to $...
+    #
+    $currentline =~ s/\$\{(.*?)\}/\$$1/g;

    my @result = &split_line2( @_ );

@@ -2623,6 +2653,7 @@ sub do_open_file( $ ) {
 # - Maximum value allowed in ?FORMAT directives
 # - ?COMMENT allowed in this file
 # - Ignore ?COMMENT in ths file
+# - Default file format
 #
 sub open_file( $;$$$$ ) {
    my ( $fname, $mf, $ca, $nc, $cf ) = @_;
@@ -2715,7 +2746,7 @@ sub clear_currentfilename() {
 }

 #
-# Process an ?IF, ?ELSIF, ?ELSE or ?END directive
+# Utility functions for processing compiler directives
 #

 #
@@ -2742,7 +2773,7 @@ sub directive_warning( $$$$ ) {

 	if ( $log ) {
 	    @localtime = localtime;
-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   WARNING: $_[0]\n";
 	}

@@ -2767,7 +2798,7 @@ sub directive_info( $$$$ ) {

 	if ( $log ) {
 	    @localtime = localtime;
-	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	    printf $log '%s %2d %02d:%02d:%02d ', $moabbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   INFO: $_[0]\n";
 	}

@@ -2829,7 +2860,7 @@ sub evaluate_expression( $$$$ ) {
    }

    #                         $1      $2   $3                     -     $4
-    while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $expression =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	my ( $first, $var, $rest ) = ( $1, $3, $4);

 	if ( $var =~ /^\d+$/ ) {
@@ -2846,7 +2877,7 @@ sub evaluate_expression( $$$$ ) {

    if ( $chain ) {
 	#                         $1      $2   $3                     -     $4
-	while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
+	while ( $expression =~ m( ^(.*?) \@(\{)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
@@ -2857,7 +2888,7 @@ sub evaluate_expression( $$$$ ) {
    }

    #                         $1      $2   $3      -     $4
-    while ( $expression =~ m( ^(.*?) __({)? (\w+) (?(2)}) (.*)$ )x ) {
+    while ( $expression =~ m( ^(.*?) __(\{)? (\w+) (?(2)}) (.*)$ )x ) {
 	my ( $first, $cap, $rest ) = ( $1, $3, $4);

 	if ( exists $capdesc{$cap} ) {
@@ -3519,7 +3550,7 @@ sub shorewall {
 # We do this processing in read_a_line() rather than in the higher-level routines because
 # Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement
 # until we get back to the caller of read_a_line(), we could issue error messages about parsing and
-# running scripts in the file before we'd even indicated that we are processing it.
+# running scripts in the file before we'd even reported that we are processing it.
 #
 sub first_entry( $ ) {
    $first_entry = shift;
@@ -3696,6 +3727,7 @@ sub push_action_params( $$$$$$ ) {
 # Return:
 #   1 if the popped parameters were modified
 #   2 if the action used @CALLER
+#   3 if both
 #
 sub pop_action_params( $ ) {
    my $oldparms       = shift;
@@ -3706,6 +3738,10 @@ sub pop_action_params( $ ) {
    $return;
 }

+#
+# This is called when a DEFAULTS line is found in an action body. It supplies default values
+# for those paramaters that were not passed, or that were passed as '-'.
+#
 sub default_action_params {
    my $action = shift;
    my ( $val, $i );
@@ -3719,6 +3755,9 @@ sub default_action_params {
    fatal_error "Too Many arguments to action $action" if defined $actparams{$i};
 }

+#
+# This function allows embedded Perl in actions to retreive the action paramaters
+#
 sub get_action_params( $ ) {
    my $num = shift;

@@ -3734,6 +3773,9 @@ sub get_action_params( $ ) {
    @return;
 }

+#
+# Helper for A_* actions
+#
 sub setup_audit_action( $ ) {
    my ( $action ) = @_;

@@ -3753,26 +3795,44 @@ sub get_action_logging() {
    @actparams{ 'loglevel', 'logtag' };
 }

+#
+# Allow embedded Perl in Actions to get the name of the action chain
+#
 sub get_action_chain() {
    $actparams{0};
 }

+#
+# Get the action name from an action file
+#
 sub get_action_chain_name() {
    $actparams{chain};
 }
-
+#
+# This allows an action to make subsequent log messages refer to the invoker of the action rather than the 
+# action itself
+#
 sub set_action_name_to_caller() {
    $actparams{chain} = $actparams{caller};
 }

+#
+# Get the current action's disposition
+#
 sub get_action_disposition() {
    $actparams{disposition};
 }

+#
+# Set the current action disposition for subsequent logging
+#
 sub set_action_disposition($) {
    $actparams{disposition} = $_[0];
 }

+#
+# Alter the value of one of the current actions parameters
+#
 sub set_action_param( $$ ) {
    my $i = shift;

@@ -3787,7 +3847,7 @@ sub expand_variables( \$ ) {
    my ( $lineref, $count ) = ( $_[0], 0 );
    my $chain = $actparams{chain};
    #                         $1      $2   $3                   -     $4
-    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $$lineref =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {

 	my ( $first, $var, $rest ) = ( $1, $3, $4);

@@ -3826,7 +3886,7 @@ sub expand_variables( \$ ) {
 	#
 	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
-	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+	while ( $$lineref =~ m( ^(.*?) \@(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    my $val = $var ? $actparams{$var} : $actparams{chain};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
@@ -3839,10 +3899,13 @@ sub expand_variables( \$ ) {
    }
 }

+#
+# Expand variables from shorewallrc in the current passed line
+#
 sub expand_shorewallrc_variables( \$ ) {
    my ( $lineref, $count ) = ( $_[0], 0 );
    #                         $1      $2   $3                  -     $4
-    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $$lineref =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {

 	my ( $first, $var, $rest ) = ( $1, $3, $4);

@@ -3882,7 +3945,7 @@ sub handle_first_entry() {
 #   - Handle embedded SHELL and PERL scripts
 #   - Expand shell variables from %params and %ENV.
 #   - Handle INCLUDE <filename>
-#   - Handle ?IF, ?ELSE, ?ENDIF
+#   - Handle ?SECTION
 #

 sub read_a_line($) {
@@ -4005,18 +4068,23 @@ sub read_a_line($) {
    }
 }

+#
+# Process the passed shorewallrc file, populating %shorewallrc
+#
 sub process_shorewallrc( $$ ) {
    my ( $shorewallrc , $product ) = @_;

    $shorewallrc{PRODUCT} = $product;
+    $variables{PRODUCT}   = $product;

    if ( open_file $shorewallrc ) {
-	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
+	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK | EXPAND_VARIABLES ) ) {
 	    if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 		my ($var, $val) = ($1, $2);
 		$val = $1 if $val =~ /^\"([^\"]*)\"$/;
 		expand_shorewallrc_variables($val) if supplied $val;
 		$shorewallrc{$var} = $val;
+		$variables{$var}   = $val;
 	    } else {
 		fatal_error "Unrecognized shorewallrc entry";
 	    }
@@ -4025,6 +4093,12 @@ sub process_shorewallrc( $$ ) {
 	fatal_error "Failed to open $shorewallrc: $!";
    }

+    #
+    # Older files may contain VARDIR= rather than VARLIB= to specify the directory
+    # where each product maintains its own state directory. This was confusing,
+    # because in the shell context, VARDIR points to the current product's state
+    # directory.
+    #
    if ( supplied $shorewallrc{VARDIR} ) {
 	if ( ! supplied $shorewallrc{VARLIB} ) {
 	    $shorewallrc{VARLIB} =  $shorewallrc{VARDIR};
@@ -4087,12 +4161,19 @@ sub default_yes_no ( $$;$ ) {
    $result;
 }

+#
+# This one is used for options that are supported by IPv4 but not IPv6. It issues a
+# warning message if the option is specified in shorewall6.conf.
+#
 sub default_yes_no_ipv4 ( $$ ) {
    my ( $var, $val ) = @_;
    default_yes_no( $var, $val );
    warning_message "$var=Yes is ignored for IPv6" if $family == F_IPV6 && $config{$var};
 }

+#
+# This function handles options that have a numeric value.
+#
 sub numeric_option( $$$ ) {
    my ( $option, $default, $min ) = @_;

@@ -4110,6 +4191,9 @@ sub numeric_option( $$$ ) {
    $config{$option} = $val;
 }

+#
+# Returns a 32-bit value with the low order n bits set, where n is the passed argument.
+#
 sub make_mask( $ ) {
    0xffffffff >> ( 32 - $_[0] );
 }
@@ -4210,6 +4294,10 @@ sub validate_level( $;$ ) {
 	if ( $value =~ /^(NFLOG|ULOG)$/ ) {
 	    my $olevel  = $value;

+	    if ( $value eq 'ULOG' ) {
+		warning_message "ULOG is deprecated in favor of NFLOG. Support for ULOG will be removed in a future release" unless $ulogcount++;
+	    }
+
 	    if ( $qualifier =~ /^[(](.*)[)]$/ ) {
 		my @options = split /,/, $1;
 		my $prefix  = lc $olevel;
@@ -4285,7 +4373,7 @@ sub default_log_level( $$ ) {
 }

 #
-# Check a tri-valued variable
+# Check a tri-valued option ("on", "of" and "keep")
 #
 sub check_trivalue( $$ ) {
    my ( $var, $default) = @_;
@@ -4367,7 +4455,7 @@ sub load_kernel_modules( ) {
 	push @moduledirectories, $_ if -d $_;
    }

-    if ( $moduleloader &&  @moduledirectories && open_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' ) ) {
+    if ( $moduleloader &&  @moduledirectories && open_file( 'helpers' ) ) {
 	my %loadedmodules;

 	$loadedmodules{$_}++ for split_list( $config{DONT_LOAD}, 'module' );
@@ -4421,7 +4509,8 @@ sub determine_kernelversion() {
 }

 #
-# Capability Reporting and detection.
+# Capability Reporting and detection. Each of the following functions detect the
+# availability of the related capability.
 #
 sub Nat_Enabled() {
    qt1( "$iptables $iptablesw -t nat -L -n" );
@@ -4516,7 +4605,11 @@ sub New_Conntrack_Match() {
 }

 sub Old_Conntrack_Match() {
-    ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+    if ( $family == F_IPV4 ) {
+	! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+    } else {
+	! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst ::1" );
+    }
 }

 sub Multiport() {
@@ -5136,7 +5229,7 @@ sub have_capability( $;$ ) {

    $setting = $capabilities{ $capability } = detect_capability( $capability ) unless defined $setting;

-    $used{$capability} = $required ? 2 : 1 if $setting;
+    $used{$capability} = $required ? REQUIRED : USED if $setting;

    $setting;
 }
@@ -5165,111 +5258,6 @@ sub determine_capabilities() {
 	    qt1( "$iptables $iptablesw -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");;

    $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE';
-
-    unless ( $config{ LOAD_HELPERS_ONLY } ) {
-	#
-	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
-	# functions but it ensures that %detect_capability is initialized properly.
-	#
-	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
-	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
-	$capabilities{NAT_INPUT_CHAIN} = detect_capability( 'NAT_INPUT_CHAIN' );
-	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
-
-	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
-	    $capabilities{NEW_CONNTRACK_MATCH} = detect_capability( 'NEW_CONNTRACK_MATCH' );
-	    $capabilities{OLD_CONNTRACK_MATCH} = detect_capability( 'OLD_CONNTRACK_MATCH' );
-	} else {
-	    $capabilities{NEW_CONNTRACK_MATCH} = '';
-	    $capabilities{OLD_CONNTRACK_MATCH} = '';
-	}
-
-	$capabilities{ MULTIPORT } = detect_capability( 'MULTIPORT' );
-	$capabilities{XMULTIPORT}   = detect_capability( 'XMULTIPORT' );
-	$capabilities{EMULTIPORT}   = detect_capability( 'EMULTIPORT' );
-	$capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' );
-
-	if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) {
-	    $capabilities{PHYSDEV_BRIDGE} = detect_capability( 'PHYSDEV_BRIDGE' );
-	} else {
-	    $capabilities{PHYSDEV_BRIDGE} = '';
-	}
-
-	$capabilities{IPRANGE_MATCH}   = detect_capability( 'IPRANGE_MATCH' );
-	$capabilities{RECENT_MATCH}    = detect_capability( 'RECENT_MATCH' );
-	$capabilities{REAP_OPTION}     = detect_capability( 'REAP_OPTION' );
-	$capabilities{OWNER_MATCH}     = detect_capability( 'OWNER_MATCH' );
-	$capabilities{OWNER_NAME_MATCH}
-                                       = detect_capability( 'OWNER_NAME_MATCH' );
-	$capabilities{CONNMARK_MATCH}  = detect_capability( 'CONNMARK_MATCH' );
-	$capabilities{XCONNMARK_MATCH} = detect_capability( 'XCONNMARK_MATCH' );
-	$capabilities{IPP2P_MATCH}     = detect_capability( 'IPP2P_MATCH' );
-	$capabilities{OLD_IPP2P_MATCH} = detect_capability( 'OLD_IPP2P_MATCH' );
-	$capabilities{LENGTH_MATCH}    = detect_capability( 'LENGTH_MATCH' );
-	$capabilities{ENHANCED_REJECT} = detect_capability( 'ENHANCED_REJECT' );
-	$capabilities{COMMENTS}        = detect_capability( 'COMMENTS' );
-	$capabilities{OLD_HL_MATCH}    = detect_capability( 'OLD_HL_MATCH' );
-	$capabilities{HASHLIMIT_MATCH} = detect_capability( 'HASHLIMIT_MATCH' );
-	$capabilities{MARK}            = detect_capability( 'MARK' );
-	$capabilities{XMARK}           = detect_capability( 'XMARK' );
-	$capabilities{EXMARK}          = detect_capability( 'EXMARK' );
-	$capabilities{CONNMARK}        = detect_capability( 'CONNMARK' );
-	$capabilities{XCONNMARK}       = detect_capability( 'XCONNMARK' );
-	$capabilities{CLASSIFY_TARGET} = detect_capability( 'CLASSIFY_TARGET' );
-	$capabilities{IPMARK_TARGET}   = detect_capability( 'IPMARK_TARGET' );
-	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
-	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
-	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
-	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
-	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
-	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
-	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
-	$capabilities{REALM_MATCH}     = detect_capability( 'REALM_MATCH' );
-	$capabilities{CONNLIMIT_MATCH} = detect_capability( 'CONNLIMIT_MATCH' );
-	$capabilities{TIME_MATCH}      = detect_capability( 'TIME_MATCH' );
-	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
-	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
-	$capabilities{ULOG_TARGET}     = detect_capability( 'ULOG_TARGET' );
-	$capabilities{NFLOG_TARGET}    = detect_capability( 'NFLOG_TARGET' );
-	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
-	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
-	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
-	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
-	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
-	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
-	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
-	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
-	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
-	$capabilities{IPTABLES_S}      = detect_capability( 'IPTABLES_S' );
-	$capabilities{BASIC_FILTER}    = detect_capability( 'BASIC_FILTER' );
-	$capabilities{BASIC_EMATCH}    = detect_capability( 'BASIC_EMATCH' );
-	$capabilities{CT_TARGET}       = detect_capability( 'CT_TARGET' );
-	$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
-	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
-	$capabilities{DSCP_MATCH}      = detect_capability( 'DSCP_MATCH' );
-	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );
-	$capabilities{GEOIP_MATCH}     = detect_capability( 'GEOIP_MATCH' );
-	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
-	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
-	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
-	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
-	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
-	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
-	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
-	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
-	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
-	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
-	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
-	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
-	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
-	$capabilities{RESTORE_WAIT_OPTION}
-				       = detect_capability( 'RESTORE_WAIT_OPTION' );
-
-	unless ( have_capability 'CT_TARGET' ) {
-	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
-	}
-
-    }
 }

 #
@@ -5281,6 +5269,16 @@ sub require_capability( $$$ ) {
    fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability, 1;
 }

+sub require_mangle_capability( $$$ ) {
+    my ( $capability, $description, $singular ) = @_;
+
+    if ( $config{MANGLE_ENABLED} ) {
+	&require_capability( @_ );
+    } else {
+	fatal_error "$description " . ( $singular ?  'is' : 'are' ) . " not available when MANGLE_ENABLED=No in $shorewallrc{PRODUCT}.conf";
+    }
+}
+
 #
 # Return Kernel Version
 #
@@ -5333,6 +5331,9 @@ sub ensure_config_path() {
    }

    if ( $shorewall_dir ) {
+	#
+	# A directory has been specified -- place it at the front of the CONFIG_PATH
+	#
 	$shorewall_dir = getcwd if $shorewall_dir =~ m|^(\./*)+$|;
 	$shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|;
 	unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0];
@@ -5367,7 +5368,8 @@ sub conditional_quote( $ ) {
 }

 #
-# Update the shorewall[6].conf file. Save the current file with a .bak suffix.
+# 'update' default values are sometimes different from the normal defaut value, to provide
+# backward compatibility.
 #
 sub update_default($$) {
    my ( $var, $val ) = @_;
@@ -5388,6 +5390,9 @@ sub transfer_permissions( $$ ) {
    }
 }

+#
+# Update the shorewall[6].conf file. Save the current file with a .bak suffix.
+#
 sub update_config_file( $ ) {
    my ( $annotate ) = @_;

@@ -5452,6 +5457,7 @@ sub update_config_file( $ ) {
    update_default( 'PAGER',                 $shorewallrc1{DEFAULT_PAGER} );
    update_default( 'LOGFORMAT',             'Shorewall:%s:%s:' );
    update_default( 'LOGLIMIT',              '' );
+    update_default( 'AUTOMAKE',              'No' );

    if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
@@ -5459,7 +5465,7 @@ sub update_config_file( $ ) {
 	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
    }

-    for ( qw/DROP_DEFAULT REJECT_DEFAULT/ ) {
+    for ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT/ ) {
 	my $policy = $config{ $_ };

 	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
@@ -5786,7 +5792,7 @@ sub unsupported_yes_no_warning( $ ) {
 }

 #
-# Process the params file
+# Process the params file. Actually processing is done by the 'getparams' program in $LIBEXECDIR/shorewall/.
 #
 sub get_params( $ ) {
    my $export = $_[0];
@@ -5921,7 +5927,7 @@ sub get_params( $ ) {
 		#
 		delete $params{$_};
 	    } else {
-		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' ) {
+		unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' || $_ eq 'SW_CONFDIR' ) {
 		    fatal_error "The variable name $_ is reserved and may not be set in the params file"
 			if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
 		}
@@ -6256,11 +6262,6 @@ sub get_configuration( $$$ ) {

    unshift @INC, @config_path;

-    #
-    # get_capabilities requires that the true settings of these options be established
-    #
-    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
-
    if ( ! $export && $> == 0 ) {
 	get_capabilities($have_capabilities);
    }
@@ -6313,8 +6314,6 @@ sub get_configuration( $$$ ) {
 	$capabilities{$_}    = 0 for grep /_HELPER/ , keys %capabilities;
    }

-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
-
    #
    # Now initialize the used capabilities hash
    #
@@ -6571,6 +6570,9 @@ sub get_configuration( $$$ ) {
 	fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
 	require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
 	require_capability( 'ADDRTYPE', '  DOCKER=Yes', 's' );
+	default( 'DOCKER_BRIDGE' , 'docker0' );
+    } elsif ( $family == F_IPV6 ) {
+	warning_message( "DOCKER_BRIDGE=$val ignored by shorewall6" ) if supplied( $val = $config{DOCKER_BRIDGE} );
    }

    if ( supplied( $val = $config{RESTART} ) ) {
@@ -6599,7 +6601,7 @@ sub get_configuration( $$$ ) {
    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
    default_yes_no 'USE_NFLOG_SIZE'             , '';

-    if ( ( $val = $config{AUTOMAKE} ) !~ /^[Rr]ecursive$/ ) {
+    if ( ( $val = ( $config{AUTOMAKE} || '' ) ) !~ /^[Rr]ecursive$/ ) {
 	default_yes_no( 'AUTOMAKE' , '' ) unless $val && $val =~ /^\d{1,2}$/;
    }

@@ -6624,6 +6626,7 @@ sub get_configuration( $$$ ) {
    if ( supplied $config{ACCOUNTING_TABLE} ) {
 	my $value = $config{ACCOUNTING_TABLE};
 	fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle';
+	fatal_error "ACCOUNTING_TABLE=mangle not allowed with MANGLE_ENABLED=No" if $value eq 'mangle' and ! $config{MANGLE_ENABLED};
    } else {
 	$config{ACCOUNTING_TABLE} = 'filter';
    }
@@ -6699,7 +6702,7 @@ sub get_configuration( $$$ ) {

    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';

-    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
+    require_mangle_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};

    numeric_option 'TC_BITS'         , 8, 0;
    numeric_option 'MASK_BITS'       , 8, 0;
@@ -6943,7 +6946,7 @@ sub get_configuration( $$$ ) {

    if ( $config{TC_ENABLED} ) {
 	fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
-	require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
+	require_mangle_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
    }

    if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
@@ -6960,9 +6963,7 @@ sub get_configuration( $$$ ) {
    }

    default 'RESTOREFILE'           , 'restore';
-
    default 'DROP_DEFAULT'          , 'none';
-
    default 'REJECT_DEFAULT'        , 'none';
    default 'BLACKLIST_DEFAULT'     , 'none';
    default 'QUEUE_DEFAULT'         , 'none';
@@ -7026,9 +7027,9 @@ sub get_configuration( $$$ ) {
    }

    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
-    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
-    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
+    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's'                 ) if $config{MACLIST_TTL};
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's'        ) if $config{PROVIDER_OFFSET} > 0;
+    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'             ) if $config{TC_ENABLED};

    if ( $config{WARNOLDCAPVERSION} ) {
 	if ( $capabilities{CAPVERSION} ) {
@@ -7052,8 +7053,6 @@ sub get_configuration( $$$ ) {
    }

    convert_to_version_5_2 if $update;
-
-    cleanup_iptables if $sillyname && ! $config{LOAD_HELPERS_ONLY};
 }

 #
@@ -7192,6 +7191,9 @@ sub generate_aux_config() {
    finalize_aux_config;
 }

+#
+# Generate a report of the fwmark layout
+#
 sub dump_mark_layout() {
    sub dumpout( $$$$$ ) {
 	my ( $name, $bits, $min, $max, $mask ) = @_;
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -66,6 +66,9 @@ sub initialize( $ ) {
    $family = shift;
 }

+#
+# Warn that the tos file is no longer supported
+#
 sub process_tos() {

   if ( my $fn = open_file 'tos' ) {
@@ -94,7 +97,7 @@ sub setup_ecn()
    if ( my $fn = open_file 'ecn' ) {

 	first_entry( sub { progress_message2 "$doing $fn...";
-			   require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
+			   require_mangle_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
 			   warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
 		       } );

@@ -145,6 +148,9 @@ sub setup_ecn()
    }
 }

+#
+# Add a logging rule followed by a jump
+#
 sub add_rule_pair( $$$$$ ) {
    my ($chainref , $predicate , $target , $level, $tag ) = @_;

@@ -329,7 +335,7 @@ sub convert_blacklist() {
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
-# Please see http://shorewall.net/blacklisting_support.htm for additional
+# Please see http://shorewall.org/blacklisting_support.htm for additional
 # information.
 #
 ###################################################################################################################################################################################################
@@ -402,6 +408,9 @@ EOF
    }
 }

+#
+# Convert a routestopped file into an equivalent stoppedrules file
+#
 sub convert_routestopped() {

    if ( my $fn = open_file 'routestopped' ) {
@@ -425,9 +434,9 @@ sub convert_routestopped() {
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
 # The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+# http://www.shorewall.org/manpages/shorewall-stoppedrules.html
 #
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# See http://shorewall.org/starting_and_stopping_shorewall.htm for additional
 # information.
 #
 ###############################################################################
@@ -662,21 +671,28 @@ sub process_stoppedrules() {
    $result;
 }

+#
+# Generate the rules required when DOCKER=Yes
+#
 sub create_docker_rules() {
+    my $bridge = $config{DOCKER_BRIDGE};
+
    add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );

    my $chainref = $filter_table->{FORWARD};

-    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
-    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
+    add_commands( $chainref, '[ -n "$g_dockeringress" ]  && echo "-A FORWARD -j DOCKER-INGRESS" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockeruser" ]     && echo "-A FORWARD -j DOCKER-USER" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockeriso" ]      && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );

-    if ( my $dockerref = known_interface('docker0') ) {
+    if ( my $dockerref = known_interface( $bridge ) ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
-	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
-	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
-	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
-	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
+	add_ijump( $chainref, j => 'DOCKER', o => $bridge );
+	add_ijump( $chainref, j => 'ACCEPT', o => $bridge , state_imatch 'ESTABLISHED,RELATED' );
+	add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => "! $bridge" );
+	add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => $bridge ) if $dockerref->{options}{routeback};
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );

@@ -693,6 +709,9 @@ sub create_docker_rules() {

 sub setup_mss();

+#
+# Add rules generated by .conf options and interface options
+#
 sub add_common_rules ( $ ) {
    my ( $upgrade ) = @_;
    my $interface;
@@ -810,7 +829,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );

 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -1273,6 +1292,13 @@ my %maclist_targets = ( ACCEPT => { target => 'RETURN' , mangle => 1 } ,
 			REJECT => { target => 'reject' , mangle => 0 } ,
 			DROP   => { target => 'DROP' ,   mangle => 1 } );

+#
+# Create rules generated by the 'maclist' option and by entries in the maclist file.
+#
+# The function is called twice. The first call passes '1' and causes the maclist file
+# to be processed. The second call passes '2' and generates the jumps for 'maclist'
+# interfaces.
+#
 sub setup_mac_lists( $ ) {

    my $phase = $_[0];
@@ -1714,9 +1740,9 @@ sub add_interface_jumps {
 	    add_ijump( $filter_table->{input_chain $bridge },
 		       j => $inputref ,
 		       imatch_source_dev( $interface, 1 )
-		    ) unless $input_jump_added{$interface}   || ! use_input_chain $interface, $inputref;
+		) unless $input_jump_added{$interface}   || ! use_interface_chain( $interface, 'use_input_chain' );

-	    unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
+	    unless ( $output_jump_added{$interface} || ! use_interface_chain( $interface, 'use_output_chain') ) {
 		add_ijump( $filter_table->{output_chain $bridge} ,
 			   j => $outputref ,
 			   imatch_dest_dev( $interface, 1 ) )
@@ -1725,10 +1751,10 @@ sub add_interface_jumps {
 	} else {
 	    add_ijump ( $filter_table->{FORWARD}, j => 'ACCEPT', imatch_source_dev( $interface) , imatch_dest_dev( $interface) ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};

-	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref ) && ! $forward_jump_added{$interface}++;
-	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_input_chain( $interface, $inputref )     && ! $input_jump_added{$interface}++;
+	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref )         && ! $forward_jump_added{$interface}++;
+	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_interface_chain( $interface, 'use_input_chain' ) && ! $input_jump_added{$interface}++;

-	    if ( use_output_chain $interface, $outputref ) {
+	    if ( use_interface_chain( $interface, 'use_output_chain' ) ) {
 		add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ) || $output_jump_added{$interface}++;
 	    }
 	}
@@ -1917,7 +1943,7 @@ sub add_output_jumps( $$$$$$$$ ) {
    my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
    my @zone_interfaces   = keys %{zone_interfaces( $zone )};

-    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
+    if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
@@ -2051,7 +2077,7 @@ sub add_input_jumps( $$$$$$$$$ ) {
    my @source            = imatch_source_net $net;
    my @ipsec_in_match    = match_ipsec_in  $zone , $hostref;

-    if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
+    if ( @vservers || use_interface_chain( $interface, 'use_input_chain' ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 	#
 	# - There are vserver zones (so INPUT will have multiple destinations; or
 	# - We must use the interface input chain; or
@@ -2444,6 +2470,9 @@ sub generate_matrix() {
    }
 }

+#
+# Generate MSS rules
+#
 sub setup_mss( ) {
    my $clampmss = $config{CLAMPMSS};
    my $option;
@@ -2505,6 +2534,7 @@ sub compile_stop_firewall( $$$$ ) {
    my $input   = $filter_table->{INPUT};
    my $output  = $filter_table->{OUTPUT};
    my $forward = $filter_table->{FORWARD};
+    my $absentminded = $config{ ADMINISABSENTMINDED };

    emit <<'EOF';
 #
@@ -2512,7 +2542,7 @@ sub compile_stop_firewall( $$$$ ) {
 #
 stop_firewall() {
 EOF
-    $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
+    $output->{policy} = 'ACCEPT' if $absentminded;

    if ( $family == F_IPV4 ) {
 	emit <<'EOF';
@@ -2671,7 +2701,7 @@ EOF
    #
    create_docker_rules if $config{DOCKER};

-    if ( $config{ADMINISABSENTMINDED} ) {
+    if ( $absentminded ) {
 	add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
    }

@@ -2680,7 +2710,7 @@ EOF
 	add_ijump $input, j => 'ACCEPT', d => IPv6_LINKLOCAL;
 	add_ijump $input, j => 'ACCEPT', d => IPv6_MULTICAST;

-	unless ( $config{ADMINISABSENTMINDED} ) {
+	unless ( $absentminded ) {
 	    add_ijump $output, j => 'ACCEPT', d => IPv6_LINKLOCAL;
 	    add_ijump $output, j => 'ACCEPT', d => IPv6_MULTICAST;
 	}
@@ -2694,12 +2724,25 @@ EOF
    
    process_stoppedrules;

+    if ( $family == F_IPV6 ) {
+	my $chain = new_action_chain( 'filter', 'AllowICMPs' );
+
+	for my $type ( 1, 2, 3, 4, 130, 131, 132, 133, 134, 135, 136, 137, 141, 142, 143, 148, 149, 151, 152, 153 ) {
+	    add_ijump( $chain, j => 'ACCEPT', p => IPv6_ICMP . " --icmpv6-type $type" );
+	}
+
+	for $chain ( $input, $output, $forward ) {
+	    next if $chain eq $output && $absentminded;
+	    add_ijump( $chain, j => 'AllowICMPs', p => IPv6_ICMP );
+	}
+    }
+
    if ( have_capability 'IFACE_MATCH' ) {
 	add_ijump $input,  j => 'ACCEPT', iface => '--dev-in --loopback';
-	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED};
+	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $absentminded;
    } else {
 	add_ijump $input,  j => 'ACCEPT', i => loopback_interface;
-	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED};
+	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $absentminded;
    }

    my $interfaces = find_interfaces_by_option 'dhcp';
@@ -2709,7 +2752,7 @@ EOF

 	for my $interface ( @$interfaces ) {
 	    add_ijump $input,  j => 'ACCEPT', p => "udp --dport $ports", imatch_source_dev( $interface );
-	    add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $config{ADMINISABSENTMINDED};
+	    add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $absentminded;
 	    #
 	    # This might be a bridge
 	    #
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -90,7 +90,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
    #
    # Handle early matches
    #
-    if ( $inlinematches =~ s/s*\+// ) {
+    if ( $inlinematches =~ s/^s*\+// ) {
 	$prerule = $inlinematches;
 	$inlinematches = '';
    }
@@ -316,9 +316,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
 				fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;

 				$addr = $1;
+				$addr =~ s/\]-\[/-/;

 				if ( $addr =~ /^(.+)-(.+)$/ ) {
-				    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $addr, 0;
@@ -561,7 +561,7 @@ sub open_snat_for_output( $ ) {
 #
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.net/manpages/shorewall-snat.html for additional information
+# See http://shorewall.org/manpages/shorewall-snat.html for additional information
 EOF
 	} else {
 	    print $snat <<'EOF';
@@ -570,7 +570,7 @@ EOF
 #
 # For information about entries in this file, type "man shorewall6-snat"
 #
-# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
+# See http://shorewall.org/manpages6/shorewall6-snat.html for additional information
 EOF
 	}

@@ -930,7 +930,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {

 		if ( $server =~ /^\[(.+)\]$/ ) {
 		    $server = $1;
-		    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $server =~ /]-\[/;
+		    $server =~ s/\]-\[/-/;
 		    assert( $server =~ /^(.+)-(.+)$/ );
 		    ( $addr1, $addr2 ) = ( $1, $2 );
 		}
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -60,25 +60,63 @@ our @routemarked_providers;
 our %routemarked_interfaces;
 our @routemarked_interfaces;
 our %provider_interfaces;
-our @load_interfaces;
+our @load_providers;

-our $balancing;
-our $fallback;
-our $balanced_providers;
-our $fallback_providers;
-our $metrics;
-our $first_default_route;
-our $first_fallback_route;
-our $maxload;
-our $tproxies;
+our $balancing;               # True, if there are balanced providers
+our $fallback;                # True, if there are fallback providers
+our $balanced_providers;      # Count of balanced providers
+our $fallback_providers;      # Count of fallback providers
+our $metrics;                 # True, if using statistical balancing
+our $first_default_route;     # True, until we generate the first 'via' clause for balanced providers
+our $first_fallback_route;    # True, until we generate the first 'via' clause for fallback providers
+our $maxload;                 # Sum of 'load' values
+our $tproxies;                # Count of tproxy providers

-our %providers;
+our %providers;               # Provider table
+#
+# %provider_table { <provider> => { provider	      => <provider name>,
+#				    number	      => <provider number>,
+#				    id		      => <name> or <number> depending on USE_RT_NAMES,
+#				    rawmark	      => <specified mark value>,
+#				    mark	      => <mark, in hex>,
+#				    interface	      => <logical interface>,
+#				    physical	      => <physical interface>,
+#				    optional	      => {0|1},
+#				    wildcard	      => <from interface>,
+#				    gateway	      => <gateway>,
+#				    gatewaycase	      => { 'detect', 'none', or 'specified' },
+#				    shared	      => <true, if multiple providers through this interface>,
+#				    copy	      => <contents of the COPY column>,
+#				    balance	      => <balance count>,
+#				    pref	      => <route rules preference (priority) value>,
+#				    mtu		      => <mtu>,
+#				    noautosrc	      => {0|1} based on [no]autosrc setting,
+#				    track	      => {0|1} based on 'track' setting,
+#				    loose	      => {0|1} based on 'loose' setting,
+#				    duplicate	      => <contents of the DUPLICATE column>,
+#				    address	      => If {shared} above, then the local IP address.
+#							 Otherwise, the value of the 'src' option,
+#				    mac		      => Mac address of gateway, if {shared} above,
+#				    tproxy	      => {0|1},
+#				    load	      => <load % for statistical balancing>,
+#				    pseudo	      => {0|1}. 1 means this is an optional interface and not
+#							 a real provider,
+#				    what	      => 'provider' or 'interface' depending on {pseudo} above,
+#				    hostroute	      => {0|1} based on [no]hostroute setting,
+#				    rules	      => ( <routing rules> ),
+#				    persistent_rules  => ( <persistent routing rules> ),
+#				    routes	      => ( <routes> ),
+#				    persistent_routes => ( <persistent routes> ),
+#				    persistent	      => {0|1} depending on 'persistent' setting,
+#				    routedests	      => { <subnet> => 1 , ... }, (used for duplicate destination detection),
+#				    origin	      => <filename and linenumber where provider/interface defined>
+#		   }

-our @providers;
+our @providers;    # Provider names. Only declared names are included in this array. 

-our $family;
+our $family;       # Address family

-our $lastmark;
+our $lastmark;     # Highest assigned mark

 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };

@@ -99,7 +137,7 @@ sub initialize( $ ) {
    %routemarked_interfaces = ();
    @routemarked_interfaces = ();
    %provider_interfaces    = ();
-    @load_interfaces        = ();
+    @load_providers         = ();
    $balancing              = 0;
    $balanced_providers     = 0;
    $fallback_providers     = 0;
@@ -132,7 +170,6 @@ sub setup_route_marking() {
    #
    # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
    #
-
    if ( $config{ZERO_MARKS} ) {
 	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
    }
@@ -163,8 +200,8 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";

 		if ( have_ipsec ) {
-		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
-			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
+		    if ( have_capability( 'MARK_ANYWHERE' ) && ( my $chainref = $filter_table->{forward_chain($interface)} ) ) {
+			add_ijump_extended $chainref, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
 			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    }
@@ -185,16 +222,16 @@ sub setup_route_marking() {
 	add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
    }

-    if ( @load_interfaces ) {
+    if ( @load_providers ) {
 	my $chainref1 = new_chain 'mangle', 'balance';
 	my @match;

 	add_ijump $chainref,               g => $chainref1, mark => "--mark 0/$mask";
 	add_ijump $mangle_table->{OUTPUT}, j => $chainref1, state_imatch( 'NEW,RELATED' ), mark => "--mark 0/$mask";

-	for my $physical ( @load_interfaces ) {
+	for my $provider ( @load_providers ) {

-	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
+	    my $chainref2 = new_chain( 'mangle', load_chain( $provider ) );

 	    set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );

@@ -446,7 +483,7 @@ sub process_a_provider( $ ) {
    fatal_error 'NAME must be specified' if $table eq '-';

    unless ( $pseudo ) {
-	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
+	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[A-Za-z][\w]*$/;

 	my $num = numeric_value $number;

@@ -557,7 +594,7 @@ sub process_a_provider( $ ) {
    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
-		require_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
+		require_mangle_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
 		$track = 1;
 	    } elsif ( $option eq 'notrack' ) {
 		$track = 0;
@@ -636,6 +673,7 @@ sub process_a_provider( $ ) {
    }

    fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
+    fatal_error "An interface supporting multiple providers may not be optional" if $shared && $optional;

    unless ( $pseudo ) {
 	if ( $local ) {
@@ -676,8 +714,7 @@ sub process_a_provider( $ ) {
    $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;

    if ( $mark ne '-' ) {
-
-	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
+	require_mangle_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );

 	if ( $tproxy && ! $local ) {
 	    $val = $globals{TPROXY_MARK};
@@ -779,7 +816,7 @@ sub process_a_provider( $ ) {
 	push @routemarked_providers, $providers{$table};
    }

-    push @load_interfaces, $physical if $load;
+    push @load_providers, $table if $load;

    push @providers, $table;

@@ -941,8 +978,9 @@ sub add_a_provider( $$ ) {
 	}
    }

-    emit( "echo $load > \${VARDIR}/${physical}_load",
-	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${physical}_mark" ) if $load;
+    emit( "echo $load > \${VARDIR}/${table}_load",
+	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${table}_mark",
+	  "echo $physical > \${VARDIR}/${table}_interface" ) if $load;

    emit( '',
 	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
@@ -1097,7 +1135,7 @@ CEOF
 	    $weight = 1;
 	}

-	emit ( "distribute_load $maxload @load_interfaces" ) if $load;
+	emit ( "distribute_load $maxload @load_providers" ) if $load;

 	unless ( $shared ) {
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
@@ -1142,14 +1180,14 @@ CEOF
 	emit "fi\n";

 	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-	    my $variable = interface_address( $interface );
+	    my $variable = get_interface_address( $interface );

-	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
+	    emit( "echo $variable > \${VARDIR}/${physical}.address" );
 	}

 	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    my $variable = interface_gateway( $interface );
-	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
+	    my $variable = get_interface_gateway( $interface );
+	    emit( qq(echo "$variable" > \${VARDIR}/${physical}.gateway\n) );
 	}
    } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
@@ -1244,7 +1282,7 @@ CEOF
 	}

 	emit ( '',
-	       "distribute_load $maxload @load_interfaces" ) if $load;
+	       "distribute_load $maxload @load_providers" ) if $load;

 	if ( $persistent ) {
 	    emit ( '',
@@ -1615,7 +1653,7 @@ sub finish_providers() {
 	emit(   'fi',
 		'' );
    } else {
-	if ( ( $fallback || @load_interfaces ) && $config{USE_DEFAULT_RT} ) {
+	if ( ( $fallback || @load_providers ) && $config{USE_DEFAULT_RT} ) {
 	    emit  ( q(#),
 		    q(# Delete any default routes in the 'main' table),
 		    q(#),
@@ -1909,24 +1947,24 @@ sub setup_providers() {
 	pop_indent;
 	emit 'fi';

-	setup_route_marking if @routemarked_interfaces || @load_interfaces;
+	setup_route_marking if @routemarked_interfaces || @load_providers;
    } else {
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";

 	push_indent;

+	emit "undo_routing";
+	emit "restore_default_route $config{USE_DEFAULT_RT}";
+
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	    emit '';
 	}

-	emit "undo_routing";
-	emit "restore_default_route $config{USE_DEFAULT_RT}";
-
 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};

 	if ( $config{NULL_ROUTE_RFC1918} ) {
+	    emit '';
 	    setup_null_routing;
 	    emit "\nrun_ip route flush cache" unless $standard_routes;
 	}
@@ -2285,22 +2323,22 @@ sub handle_optional_interfaces() {
 		emit( 'fi' );

 		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		    my $variable = interface_address( $interface );
+		    my $variable = get_interface_address( $interface );

 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.address) != $variable ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}

 		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-		    my $variable = interface_gateway( $interface );
+		    my $variable = get_interface_gateway( $interface );

 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"$variable\" ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
@@ -2485,7 +2523,7 @@ sub handle_stickiness( $ ) {
 	}
    }

-    if ( @routemarked_providers || @load_interfaces ) {
+    if ( @routemarked_providers || @load_providers ) {
 	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
 	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
    }
@@ -2493,9 +2531,9 @@ sub handle_stickiness( $ ) {

 sub setup_load_distribution() {
    emit ( '',
-	   "distribute_load $maxload @load_interfaces" ,
+	   "distribute_load $maxload @load_providers" ,
 	   ''
-	 ) if @load_interfaces;
+	 ) if @load_providers;
 }

 1;
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -70,6 +70,13 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {

    my $zone;
    my $restriction = PREROUTE_RESTRICT;
+    my $raw_matches = get_inline_matches(0);
+    my $prerule = '';
+
+    if ( $raw_matches =~ /^s*+/ ) {
+	$prerule = $raw_matches;
+	$raw_matches = '';
+    }

    if ( $chainref ) {
 	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
@@ -206,10 +213,11 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {

    expand_rule( $chainref ,
 		 $restriction ,
-		 '',
+		 $prerule,
 		 do_proto( $proto, $ports, $sports ) . 
 		 do_user ( $user ) . 
-		 do_condition( $switch , $chainref->{name} ),
+		 do_condition( $switch , $chainref->{name} ) .
+		 $raw_matches ,
 		 $source ,
 		 $dest ,
 		 '' ,
@@ -316,7 +324,7 @@ sub setup_conntrack($) {
 				     { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
 		    $action = 'NOTRACK';
 		} else {
-		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
+		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line2( 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, undef, undef, 1 );
 		}

 		$empty = 0;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -292,6 +292,8 @@ our $mangle;

 our $sticky;

+our $excludefw;
+
 our $divertref; # DIVERT chain

 our %validstates = ( NEW                => 0,
@@ -365,6 +367,10 @@ sub initialize( $ ) {
    #
    %actions           = ();
    #
+    # Count of 'all[+]=' encountered
+    #
+    $excludefw         = 0;
+    #
    # Action variants actually used. Key is <action>:<loglevel>:<tag>:<caller>:<params>; value is corresponding chain name
    #
    %usedactions       = ();
@@ -605,8 +611,8 @@ sub process_policy_actions( $$$ ) {
 #
 # Verify an NFQUEUE specification and return the appropriate ip[6]tables target
 #
-sub handle_nfqueue( $$ ) {
-    my ($params, $allow_bypass ) = @_;
+sub handle_nfqueue( $ ) {
+    my ($params) = @_;
    my ( $action, $bypass, $fanout );
    my ( $queue1, $queue2, $queuenum1, $queuenum2 );

@@ -619,7 +625,6 @@ sub handle_nfqueue( $$ ) {

 	if ( supplied $queue ) {
 	    if ( $queue eq 'bypass' ) {
-		fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 		fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
 		return 'NFQUEUE --queue-bypass';
 	    }
@@ -647,7 +652,6 @@ sub handle_nfqueue( $$ ) {

    if ( supplied $bypass ) {
 	fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
-	fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;

 	$bypass =' --queue-bypass';
    } else {
@@ -672,14 +676,42 @@ sub process_a_policy1($$$$$$$) {

    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;

-    my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
+    my $clientwild = ( "\L$client" =~ /^all(\+)?(?:!(.+))?$/ );
+    my $clientexclude;
+    my %clientexcluded;

-    $intrazone  ||= $clientwild && $1;
+    if ( $clientwild ) {
+	$intrazone ||= $1;
+
+	if ( $clientexclude = $2 ) {
+	    for my $client ( split_list( $clientexclude, 'zone' ) ) {
+		fatal_error "Undefined zone ($client)" unless defined_zone( $client );
+		$clientexcluded{$client} = 1;
+	    }
+
+	    $client = 'all';
+	}
+    }

    fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );

-    my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
-    $intrazone   ||= ( $serverwild && $1 );
+    my $serverwild = ( "\L$server" =~ /^all(\+)?(?:!(.+))?/ );
+    my $serverexclude;
+    my %serverexcluded;
+
+
+    if ( $serverwild ) {
+	$intrazone ||= $1;
+
+	if ( $serverexclude = $2 ) {
+	    for my $server ( split_list( $serverexclude, 'zone' ) ) {
+		fatal_error "Undefined zone ($server)" unless defined_zone( $server );
+		$serverexcluded{$server} = 1;
+	    }
+
+	    $server = 'all';
+	}
+    }

    fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );

@@ -687,7 +719,13 @@ sub process_a_policy1($$$$$$$) {

    require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;

-    my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    my ( $policy, $pactions );
+
+    if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
+	( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
+    } else {
+	( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    }

    fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;

@@ -702,9 +740,7 @@ sub process_a_policy1($$$$$$$) {
    my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );

    if ( defined $queue ) {
-	$policy = handle_nfqueue( $queue,
-				  0 # Don't allow 'bypass'
-	    );
+	$policy = handle_nfqueue( $queue );
    } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
@@ -762,20 +798,20 @@ sub process_a_policy1($$$$$$$) {

    if ( $clientwild ) {
 	if ( $serverwild ) {
-	    for my $zone ( @zonelist ) {
-		for my $zone1 ( @zonelist ) {
+	    for my $zone ( grep( ! $clientexcluded{$_}, @zonelist ) ) {
+		for my $zone1 ( grep( ! $serverexcluded{zone}, @zonelist ) ) {
 		    set_policy_chain $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
-	    for my $zone ( all_zones ) {
+	    for my $zone ( grep( ! $clientexcluded{$_}, all_zones ) ) {
 		set_policy_chain $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
-	for my $zone ( @zonelist ) {
+	for my $zone ( grep( ! $serverexcluded{$_}, @zonelist ) ) {
 	    set_policy_chain $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
@@ -802,11 +838,15 @@ sub process_a_policy() {

    my ( $intrazone, $clientlist, $serverlist );

-    if ( $clientlist = ( $clients =~ /,/ ) ) {
+    if ( $clients =~ /^all(\+)?!/ ) {
+	$intrazone = $1;
+    } elsif ( $clientlist = ( $clients =~ /,/ ) ) {
 	$intrazone = ( $clients =~ s/\+$// );
    }

-    if ( $serverlist = ( $servers =~ /,/ ) ) {
+    if ( $servers =~ /^all(\+)?!/ ) {
+	$intrazone = $1;
+    } elsif ( $serverlist = ( $servers =~ /,/ ) ) {
 	$intrazone ||= ( $servers =~ s/\+$// );
    }	

@@ -816,12 +856,14 @@ sub process_a_policy() {

    if ( $clientlist || $serverlist ) {
 	for my $client ( split_list( $clients, 'zone' ) ) {
+	    fatal_error "'all' is not allowed in a source zone list" if $clientlist && $client =~ /^all\b/;
 	    for my $server ( split_list( $servers, 'zone' ) ) {
+		fatal_error "'all' is not allowed in a destination zone list" if $serverlist && $server =~ /^all\b/;
 		process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone ) if $intrazone || $client ne $server;
 	    }
 	}
    } else {
-	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, 0 );
+	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, $intrazone );
    }
 }

@@ -1564,8 +1606,8 @@ sub merge_levels ($$) {

    return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;

-    my @supparts = split /:/, $superior;
-    my @subparts = split /:/, $subordinate;
+    my @supparts = split_list2( $superior ,    'Action' );
+    my @subparts = split_list2( $subordinate , 'Action' );

    my $subparts = @subparts;

@@ -2609,7 +2651,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    #
    # Handle early matches
    #
-    if ( $raw_matches =~ s/s*\+// ) {
+    if ( $raw_matches =~ s/^s*\+// ) {
 	$prerule = $raw_matches;
 	$raw_matches = '';
    }
@@ -2658,9 +2700,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$macro_nest_level--;
 	goto EXIT;
    } elsif ( $actiontype & NFQ ) {
-	$action = handle_nfqueue( $param,
-				  1 # Allow 'bypass'
-	    );
+	$action = handle_nfqueue( $param );
    } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;
@@ -2781,7 +2821,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	      LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,

 	      HELPER => sub { 
-		  fatal_error "HELPER requires require that the helper be specified in the HELPER column" if $helper eq '-';
+		  fatal_error "HELPER requires that a helper be specified in the HELPER column" if $helper eq '-';
 		  fatal_error "HELPER rules may only appear in the NEW section" unless $section == NEW_SECTION;
 		  $action = ''; } ,

@@ -3137,13 +3177,14 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    if ( $actiontype & ( NATRULE | NONAT ) && ! ( $actiontype & NATONLY ) ) {
 	#
 	# Either a DNAT, REDIRECT or ACCEPT+ rule or an Action with NAT;
-	# don't apply rate limiting twice
 	#
 	$rule .= join( '',
 		       do_proto($proto, $ports, $sports),
+		       do_ratelimit( $ratelimit, 'ACCEPT' ),
 		       do_user( $user ) ,
 		       do_test( $mark , $globals{TC_MASK} ) ,
 		       do_connlimit( $connlimit ),
+		       do_ratelimit( $ratelimit, 'ACCEPT' ),
 		       do_time( $time ) ,
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
@@ -3239,12 +3280,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#   - the destination IP will be the server IP   ($dest)  -- also done above
 	#   - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
 	#   - the target will be ACCEPT.
+	#   - don't apply rate limiting twice
 	#
 	unless ( $actiontype & NATONLY ) {
 	    $rule = join( '',
 			  $matches,
 			  do_proto( $proto, $ports, $sports ),
-			  do_ratelimit( $ratelimit, 'ACCEPT' ),
 			  do_user $user,
 			  do_test( $mark , $globals{TC_MASK} ),
 			  do_condition( $condition , $chain ),
@@ -3658,6 +3699,7 @@ sub next_section() {
 #
 sub build_zone_list( $$$\$\$ ) {
    my ($fw, $input, $which, $intrazoneref, $wildref ) = @_;
+    my $original_input = $input;
    my $any = ( $input =~ s/^any/all/ );
    my $exclude;
    my $rest;
@@ -3686,9 +3728,25 @@ sub build_zone_list( $$$\$\$ ) {
 	    if ( $input eq 'all+' ) {
 		$$intrazoneref = 1;
 	    } elsif ( ( $input eq 'all+-' ) || ( $input eq 'all-+' ) ) {
+		unless ( $excludefw++ ) {
+		    if ( $any ) {
+			warning_message "$original_input is deprecated in favor of 'any+!\$FW'";
+		    } else {
+			warning_message "$original_input is deprecated in favor of 'all+!\$FW'";
+		    }
+		}
+
 		$$intrazoneref = 1;
 		$exclude{$fw} = 1;
 	    } elsif ( $input eq 'all-' ) {
+		unless ( $excludefw++ ) {
+		    if ( $any ) {
+			warning_message "any- is deprecated in favor of 'any!\$FW'";
+		    } else {
+			warning_message "all- is deprecated in favor of 'all!\$FW'" unless $excludefw++;
+		    }
+		}
+
 		$exclude{$fw} = 1;
 	    } else {
 		fatal_error "Invalid $which ($input)";
@@ -4077,6 +4135,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	O => OUTPUT,
 	T => POSTROUTING,
 	R => REALPREROUTING,
+	NP => REALPREROUTING,
+	NI => REALINPUT,
+	NO => REALOUTPUT,
+	NT => REALPOSTROUTING
 	);

    my %chainlabels = ( 1  => 'PREROUTING',
@@ -4085,14 +4147,17 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 			8  => 'OUTPUT',
 			16 => 'POSTROUTING' );

-    my %chainnames = ( 1   => 'tcpre',
-		       2   => 'tcin',
-		       4   => 'tcfor',
-		       8   => 'tcout',
-		       16  => 'tcpost',
-		       32  => 'sticky',
-		       64  => 'sticko',
-		       128 => 'PREROUTING',
+    my %chainnames = ( 1    => 'tcpre',
+		       2    => 'tcin',
+		       4    => 'tcfor',
+		       8    => 'tcout',
+		       16   => 'tcpost',
+		       32   => 'sticky',
+		       64   => 'sticko',
+		       128  => 'PREROUTING',
+		       256  => 'INPUT',
+		       512  => 'OUTPUT',
+		       1024 => 'POSTROUTING',
 	);

    my $inchain        = defined $chainref;
@@ -4116,6 +4181,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
    my $actiontype;
    my $commandref;
    my $prerule        = '';
+    my $table          = 'mangle';
+    my $tabletype      = MANGLE_TABLE;
    #
    # Subroutine for handling MARK and CONNMARK. We use an enclosure so as to keep visibility of the
    # function's local variables without making them static. process_mangle_rule1() is called
@@ -4157,7 +4224,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {

 	    $option ||= ( $and_or eq '|' ? '--or-mark' : $and_or ? '--and-mark' : '--set-mark' );

-	    my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} );
+	    my $chainref = ensure_chain( $table, $chain = $chainnames{$chain} );

 	    $restriction |= $chainref->{restriction};

@@ -4476,7 +4543,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
-		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
+		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & $tabletype;
 		$target        = $params;
 		$usergenerated = 1;
 	    },
@@ -4492,7 +4559,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
-		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
+		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & $tabletype;
 		$target        = $params;
 		$usergenerated = 1;
 	    },
@@ -4564,7 +4631,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {

 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING | REALPREROUTING | REALINPUT | REALOUTPUT | REALPOSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -4600,7 +4667,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {

 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
+	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING | REALPREROUTING | REALINPUT | REALOUTPUT | REALPOSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -4846,6 +4913,14 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	fatal_error "A chain designator may not be specified in an action body" if $inaction;
 	my $temp = $designators{$designator};
 	fatal_error "Invalid chain designator ( $designator )" unless $temp;
+
+	if ( $designator =~ /^N/ ) {
+	    fatal_error "Only MARK, CONNMARK, SAVE and RESTORE may be used in the nat table" unless $cmd =~ /^(?:(?:(?:CONN)MARK)|SAVE|RESTORE)[(]?/;
+	    require_capability('MARK_ANYWHERE', "The $designator designator", 's');
+	    $table = 'nat';
+	    $tabletype = NAT_TABLE;
+	}
+
 	$designator = $temp;
    }

@@ -4871,19 +4946,28 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
    #
    # Handle early matches
    #
-    if ( $raw_matches =~ s/s*\+// ) {
+    if ( $raw_matches =~ s/^s*\+// ) {
 	$prerule = $raw_matches;
 	$raw_matches = '';
    }

    if ( $source ne '-' ) {
 	if ( $source eq $fw ) {
-	    fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator != OUTPUT;
-	    $chain = OUTPUT;
+	    if ( $designator ) {
+		fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' unless $designator & ( OUTPUT | REALOUTPUT );
+		$chain = $designator;
+	    } else {
+		$chain = OUTPUT;
+	    }
+
 	    $source = '-';
 	} elsif ( $source =~ s/^($fw):// ) {
-	    fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator != OUTPUT;
-	    $chain = OUTPUT;
+	    if ( $designator ) {
+		fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' unless $designator & ( OUTPUT | REALOUTPUT );
+		$chain = $designator;
+	    } else {
+		$chain = OUTPUT;
+	    }
 	}
    }

@@ -4953,11 +5037,11 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	} else {
 	    $resolve_chain->();
 	    fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
-	    unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
+	    unless ( $chain & ( OUTPUT | POSTROUTING | REALOUTPUT | REALPOSTROUTING ) ) {
 		fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
 	    }

-	    $chainref = ensure_chain( 'mangle', $chainnames{$chain} );
+	    $chainref = ensure_chain( $table, $chainnames{$chain} );
 	}

 	$restriction |= $chainref->{restriction};
@@ -5547,6 +5631,15 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $chainref = $interface ? ensure_chain('nat',  $pre_nat ? snat_chain $interface : masq_chain $interface) : $nat_table->{INPUT};
 	}

+	if ( $chainref->{complete} ) {
+	    if ( $interface ) {
+		warning_message( "Interface $interface entry generated no $toolname rule" );
+	    } else {
+		warning_message( "Entry generated no $toolname rule" );
+	    }
+	    next;
+	}
+
 	$baserule .= do_condition( $condition , $chainref->{name} );
 	#
 	# Handle IPSEC options, if any
@@ -5674,9 +5767,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 			    fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;

 			    $addr = $1;
+			    $addr =~ s/\]-\[/-/;

 			    if ( $addr =~ /^(.+)-(.+)$/ ) {
-				fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $addr, 0;
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -10,7 +10,7 @@
 #     Modified by Tom Eastep for integration into the Shorewall distribution
 #     published under GPL Version 2#
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -2284,11 +2284,11 @@ sub open_mangle_for_output( $ ) {
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
-# See http://shorewall.net/traffic_shaping.htm for additional information.
+# See http://shorewall.org/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
+# http://shorewall.org/MultiISP.html
 #
-# See http://shorewall.net/PacketMarking.html for a detailed description of
+# See http://shorewall.org/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ##############################################################################################################################################################
 #ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
@@ -2300,11 +2300,11 @@ EOF
 #
 # For information about entries in this file, type "man shorewall6-mangle"
 #
-# See http://shorewall.net/traffic_shaping.htm for additional information.
+# See http://shorewall.org/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
+# http://shorewall.org/MultiISP.html
 #
-# See http://shorewall.net/PacketMarking.html for a detailed description of
+# See http://shorewall.org/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
 ######################################################################################################################################################################
@@ -2455,7 +2455,7 @@ sub setup_tc( $ ) {
 		}
 	    }
 	} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
-	    warning_message "The tcrules file is no longer supported -- use '$product update' to convert $fn to an equivalent 'mangle' file";
+	    warning_message "The tcrules file is no longer supported -- use '$shorewallrc{product} update' to convert $fn to an equivalent 'mangle' file";
 	}

 	if ( my $fn = open_file( 'mangle', 1, 1 ) ) {
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -4,7 +4,7 @@
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -3,9 +3,9 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at http://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -222,6 +222,9 @@ use constant { IN_OUT     => 1,
 	       IN         => 2,
 	       OUT        => 3 };

+#
+# Zone types
+#
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
@@ -231,6 +234,9 @@ use constant { FIREWALL => 1,
 	       LOCAL    => 64,
 	   };

+#
+# Interface option classification
+#
 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
 	       ENUM_IF_OPTION     => 3,
@@ -247,11 +253,17 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_WILDOK   => 64
 	   };

+#
+# 'ignore' option flags
+#
 use constant { NO_UPDOWN   => 1, 
 	       NO_SFILTER  => 2 };

 our %validinterfaceoptions;

+#
+# Interface options that are implemented in /proc
+#
 our %procinterfaceoptions=( accept_ra   => 1,
 			    arp_filter  => 1,
 			    arp_ignore  => 1,
@@ -263,6 +275,9 @@ our %procinterfaceoptions=( accept_ra   => 1,
 			    sourceroute => 1,
 			  );

+#
+# Options that are not allowed with unmanaged interfaces
+#
 our %prohibitunmanaged = (
 			  blacklist      => 1,
 			  bridge         => 1,
@@ -281,10 +296,15 @@ our %prohibitunmanaged = (
 			  upnp           => 1,
 			  upnpclient     => 1,
 			 );
-
+#
+# Default values for options that admit an optional value
+#
 our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 , ignore => 3, routeback => 1 );

-our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );
+#
+# Maximum value for options that accept a range of values
+#
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 300 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );

 our %validhostoptions;

@@ -701,7 +721,7 @@ sub determine_zones()
 }

 #
-# Return true of we have any ipsec zones
+# Return true If we have any ipsec zones
 #
 sub haveipseczones() {
    for my $zoneref ( values %zones ) {
@@ -872,6 +892,9 @@ sub single_interface( $ ) {
    @keys == 1 ? $keys[0] : '';
 }

+#
+# This function adds an interface:network pair to a zone
+#
 sub add_group_to_zone($$$$$$)
 {
    my ($zone, $type, $interface, $networks, $options, $inherit_options) = @_;
@@ -976,6 +999,9 @@ sub find_zone( $ ) {
    $zoneref;
 }

+#
+# Access functions for zone members
+#
 sub zone_type( $ ) {
    find_zone( $_[0] )->{type};
 }
@@ -990,26 +1016,44 @@ sub zone_mark( $ ) {
    $zoneref->{mark};
 }

+#
+# Returns the zone table entry for the passed zone name
+#
 sub defined_zone( $ ) {
    $zones{$_[0]};
 }

+#
+# Returns a list of all defined zones
+#
 sub all_zones() {
    @zones;
 }

+#
+# Returns a list of zones in the firewall itself (the firewall zone and vserver zones)
+#
 sub on_firewall_zones() {
   grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }

+#
+# Returns a list of zones excluding the firewall and vserver zones
+#
 sub off_firewall_zones() {
   grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }

+#
+# Returns a list of zones excluding the firewall zones
+#
 sub non_firewall_zones() {
   grep ( ! ( $zones{$_}{type} & FIREWALL ) ,  @zones );
 }

+#
+# Returns the list of zones that don't contain sub-zones
+#
 sub all_parent_zones() {
    #
    # Although the firewall zone is technically a parent zone, we let the caller decide
@@ -1018,22 +1062,37 @@ sub all_parent_zones() {
    grep ( ! @{$zones{$_}{parents}} , off_firewall_zones );
 }

+#
+# Returns a list of complex zones (ipsec or with multiple interface:subnets)
+#
 sub complex_zones() {
    grep( $zones{$_}{complex} , @zones );
 }

+#
+# Returns a list of vserver zones
+#
 sub vserver_zones() {
    grep ( $zones{$_}{type} & VSERVER, @zones );
 }

+#
+# Returns the name of the firewall zone
+#
 sub firewall_zone() {
    $firewall_zone;
 }

+#
+# Returns a list of loopback zones
+#
 sub loopback_zones() {
    @loopback_zones;
 }

+#
+# Returns a list of local zones
+#
 sub local_zones() {
    @local_zones;
 }
@@ -1182,7 +1241,7 @@ sub process_interface( $$ ) {
    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;

    if ( supplied $port ) {
-	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
+	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.org/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
 	fatal_error "Your iptables is not recent enough to support bridge ports" unless $globals{KLUDGEFREE};

--- a/Show More
+++ b/Show More