Be sure that mutex is released when exiting

Signed-off-by: Tom Eastep <teastep@shorewall.net> # Conflicts: # Shorewall/lib.cli-std
Correct typo - synparms -> synparams
2018-03-01 08:47:48 -08:00 · 2018-02-21 11:53:39 -08:00 · 2018-02-19 10:30:41 -08:00 · 2018-02-14 12:01:29 -08:00 · 2018-02-10 13:25:45 -08:00 · 2018-02-10 10:38:45 -08:00
126 changed files with 2241 additions and 3813 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-#     Shorewall Packet Filtering Firewall configuration program - V5.2
+#     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
 #
 #     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
@@ -109,9 +109,6 @@ if [ -z "$vendor" ]; then
 	    opensuse)
 		vendor=suse
 		;;
-	    alt|basealt|altlinux)
-		vendor=alt
-		;;
 	    *)
 		vendor="$ID"
 		;;
@@ -135,8 +132,6 @@ if [ -z "$vendor" ]; then
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
 		ls -l /sbin/init | fgrep -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
-	    elif [ -f /etc/altlinux-release ] ; then
-		params[HOST]=alt
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     Shorewall Packet Filtering Firewall configuration program - V5.2
+#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
 #
 #     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
@@ -74,8 +74,6 @@ unless ( defined $vendor ) {
 	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
 	    my $init = `ls -l /sbin/init`;
 	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
-	} elsif ( $id eq 'alt' || $id eq 'basealt' || $id eq 'altlinux' ) {
-	    $vendor = 'alt';
 	} else {
 	    $vendor = $id;
 	}
@@ -119,9 +117,6 @@ if ( defined $vendor ) {
 	} else {
 	    $rcfilename = 'shorewallrc.debian.sysvinit';
 	}
-    } elsif ( -f '/etc/altlinux-release' ){
-	$vendor = 'alt';
-	$rcfilename = 'shorewallrc.alt';
    } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -172,9 +172,6 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
-		    alt|basealt|altlinux)
-			BUILD=alt
-			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -183,8 +180,6 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
-	    elif [ -f /etc/altlinux-release ]; then
-		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/slackware-version ] ; then
@@ -243,7 +238,7 @@ case "$HOST" in
    apple)
 	echo "Installing Mac-specific configuration...";
 	;;
-    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt|alt)
+    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
 	;;
    *)
 	fatal_error "Unknown HOST \"$HOST\""
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.base
+# Shorewall 5.1 -- /usr/share/shorewall/lib.base
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.cli
+# Shorewall 5.1 -- /usr/share/shorewall/lib.cli.
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=50200
+SHOREWALL_CAPVERSION=50112

 if [ -z "$g_basedir" ]; then
    #
@@ -87,8 +87,6 @@ showchain() # $1 = name of chain
 #
 validate_restorefile() # $* = label
 {
-    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
-
    case $RESTOREFILE in
 	*/*)
 	    error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
@@ -417,9 +415,9 @@ resolve_arptables() {
 savesets() {
    local supported

-    supported=$(run_it $g_firewall help | fgrep savesets )
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )

-    [ -n "$supported" ] && run_it $g_firewall savesets ${g_restorepath}-ipsets 
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
 }

 #
@@ -428,9 +426,9 @@ savesets() {
 savesets1() {
    local supported

-    supported=$(run_it $g_firewall help | fgrep savesets )
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )

-    [ -n "$supported" ] && run_it $g_firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
 }

 #
@@ -441,9 +439,9 @@ do_save() {
    local arptables
    status=0

-    if [ -f $g_firewall ]; then
+    if [ -f ${VARDIR}/firewall ]; then
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    cp -f $g_firewall $g_restorepath
+	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod 700 $g_restorepath
 	    chmod 600 ${g_restorepath}-iptables
@@ -455,7 +453,7 @@ do_save() {
 	    status=1
 	fi
    else
-	echo "   ERROR: $g_firewall does not exist" >&2
+	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
 	status=1
    fi

@@ -1191,32 +1189,6 @@ show_ipsec_command() {
    show_ipsec
 }

-show_saves_command() {
-    local f
-    local fn
-    local mtime
-
-    echo "$g_product $SHOREWALL_VERSION Saves at $g_hostname - $(date)"
-    echo "Saved snapshots are:"
-    echo
-
-    for f in ${VARDIR}/*-iptables; do
-	case $f in
-	    *\**)
-	        ;;
-	    *)
-		fn=$(basename $f)
-		fn=${fn%-iptables}
-		mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
-		[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
-		echo "   $mtime ${fn%-iptables}"
-		;;
-	esac
-    done
-
-    echo
-}
-
 #
 # Show Command Executor
 #
@@ -1438,17 +1410,6 @@ show_command() {
 	vardir)
 	    echo $VARDIR;
 	    ;;
-        rc)
-            shift
-	    [ $# -gt 1 ] && too_many_arguments $2
-            if [ -n "$1" -a -d "$1" ]; then
-                cat $1/shorewallrc
-            elif [ -n "$g_basedir" -a -d "$g_basedir" ]; then
-                cat $g_basedir/shorewallrc
-            else
-                fatal_error "Can not determine the location of the shorewallrc file."
-            fi
-            ;;
 	policies)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
@@ -1517,10 +1478,6 @@ show_command() {
 	    only_root
 	    eval show_ipsec_command $g_pager
 	    ;;
-	saves)
-	    [ $# -gt 1 ] && too_many_arguments $2
-	    show_saves_command
-	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
@@ -2766,7 +2723,7 @@ determine_capabilities() {
 	g_tool=$(mywhich $tool)

 	if [ -z "$g_tool" ]; then
-	    fatal_error "No executable $tool binary can be found on your PATH"
+	    fatal-error "No executable $tool binary can be found on your PATH"
 	fi
    fi

@@ -2810,6 +2767,7 @@ determine_capabilities() {
    LENGTH_MATCH=
    CLASSIFY_TARGET=
    ENHANCED_REJECT=
+    USEPKTTYPE=
    KLUDGEFREE=
    MARK=
    XMARK=
@@ -3156,6 +3114,7 @@ determine_capabilities() {
 	fi
    fi

+    qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
    qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
    qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
    qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
@@ -3269,6 +3228,7 @@ report_capabilities_unsorted() {
 	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
 	[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
    fi
+    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
    report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
    report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
    report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
@@ -3385,6 +3345,8 @@ report_capabilities() {
 	report_capabilities_unsorted | sort
    fi

+    [ -n "$PKTTYPE" ] || USEPKTTYPE=
+
 }

 report_capabilities_unsorted1() {
@@ -3401,6 +3363,7 @@ report_capabilities_unsorted1() {
    report_capability1 CONNTRACK_MATCH
    report_capability1 NEW_CONNTRACK_MATCH
    report_capability1 OLD_CONNTRACK_MATCH
+    report_capability1 USEPKTTYPE
    report_capability1 POLICY_MATCH
    report_capability1 PHYSDEV_MATCH
    report_capability1 PHYSDEV_BRIDGE
@@ -3775,7 +3738,7 @@ ipcalc_command() {
    elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
-    elif [ $# -eq 1 ]; then
+    elif [ $# -eq 0 ]; then
 	missing_argument
    else
 	too_many_arguments $4
@@ -3821,7 +3784,7 @@ iprange_command() {
 }

 ipdecimal_command() {
-    if [ $# -eq 1 ]; then
+    if [ $# eq 1 ]; then
 	missing_argument
    else
 	[ $# -eq 2 ] || too_many_arguments $3
@@ -3864,7 +3827,7 @@ noiptrace_command() {
 verify_firewall_script() {
    if [ ! -f $g_firewall ]; then
 	echo "   ERROR: $g_product is not properly installed" >&2
-	if [ -h $g_firewall ]; then
+	if [ -L $g_firewall ]; then
 	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
@@ -3964,7 +3927,7 @@ get_config() {

    ensure_config_path

-    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf

    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

@@ -4118,15 +4081,15 @@ start_command() {
 	rc=0
 	[ -n "$g_nolock" ] || mutex_on

-	if [ -x $g_firewall ]; then
-	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
+	if [ -x ${VARDIR}/firewall ]; then
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
 		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
 	    else
-		run_it $g_firewall $g_debugging start
+		run_it ${VARDIR}/firewall $g_debugging start
 	    fi
 	    rc=$?
 	else
-	    error_message "$g_firewall is missing or is not executable"
+	    error_message "${VARDIR}/firewall is missing or is not executable"
 	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
@@ -4255,11 +4218,11 @@ restart_command() {

    [ -n "$g_nolock" ] || mutex_on

-    if [ -x $g_firewall ]; then
-	run_it $g_firewall $g_debugging $COMMAND
+    if [ -x ${VARDIR}/firewall ]; then
+	run_it ${VARDIR}/firewall $g_debugging $COMMAND
 	rc=$?
    else
-	error_message "$g_firewall is missing or is not executable"
+	error_message "${VARDIR}/firewall is missing or is not executable"
 	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
    fi
@@ -4269,10 +4232,10 @@ restart_command() {
 }

 run_command() {
-    if [ -x $g_firewall ] ; then
-	run_it $g_firewall $g_debugging $@
+    if [ -x ${VARDIR}/firewall ] ; then
+	run_it ${VARDIR}/firewall $g_debugging $@
    else
-	fatal_error "$g_firewall does not exist or is not executable"
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
 }

@@ -4330,6 +4293,7 @@ usage() # $1 = exit status

    echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   reenable <interface>"
+    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."

    if [ -n "$g_lite" ]; then
@@ -4339,11 +4303,9 @@ usage() # $1 = exit status
    fi

    if [ -z "$g_lite" ]; then
-	echo "   remote-getrc [ -T ] [ -c ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
-	echo "   remote-getcaps [ -T ] [ -R ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
-	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
-	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
-	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
    fi

    echo "   reset [ <chain> ... ]"
@@ -4386,9 +4348,7 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] nfacct"
    echo "   [ show | list | ls ] opens"
    echo "   [ show | list | ls ] policies"
-    echo "   [ show | list | ls ] rc"
    echo "   [ show | list | ls ] routing"
-    echo "   [ show | list | ls ] saves"
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
@@ -4437,6 +4397,7 @@ shorewall_cli() {
    g_use_verbosity=
    g_debug=
    g_export=
+    g_refreshchains=:none:
    g_confess=
    g_update=
    g_annotate=
@@ -4661,7 +4622,7 @@ shorewall_cli() {
 	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it $g_firewall $g_debugging $@
+		run_it ${VARDIR}/firewall $g_debugging $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.common
+# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
 #
-#     (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -419,7 +419,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then
 	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir
+	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
 	    cp -f $modules ${VARDIR}/.modules
 	fi
    elif [ $savemoduleinfo = Yes ]; then
@@ -501,7 +501,7 @@ ip_network() {

 #
 # The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives do not support XOR ("^").
+# the popular light-weight Bourne shell derivatives don't support XOR ("^").
 #
 ip_broadcast() {
    local x
@@ -751,8 +751,6 @@ mutex_on()
    lockf=${LOCKFILE:=${VARDIR}/lock}
    local lockpid
    local lockd
-    local lockbin
-    local openwrt

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

@@ -762,33 +760,29 @@ mutex_on()

 	[ -d "$lockd" ] || mkdir -p "$lockd"

-	lockbin=$(mywhich lock)
-	[ -n "$lockbin" -a -h "$lockbin" ] && openwrt=Yes
-
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
 	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif [ -z "$openwrt" ]; then
-		if [ $lockpid -eq $$ ]; then
-                    fatal_error "Mutex_on confusion"
-		elif ! qt ps --pid ${lockpid}; then
-		    rm -f ${lockf}
-		    error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
-		fi
+	    elif [ $lockpid -eq $$ ]; then
+                return 0
+	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
 	fi

-	if [ -n "$openwrt" ]; then
-	    lock ${lockf} || fatal_error "Can't lock ${lockf}"
-	    g_havemutex="lock -u ${lockf}"
-	elif qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} || fatal_error "Can't lock ${lockf}"
+	if qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
 	    g_havemutex="rm -f ${lockf}"
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
+	elif qt mywhich lock; then
+	    lock ${lockf}
+	    g_havemutex="lock -u ${lockf} && rm -f ${lockf}"
+	    chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.core
+# Shorewall 5.1 -- /usr/share/shorewall/lib.core
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-core/lib.installer
+++ b/Shorewall-core/lib.installer
@@ -1,5 +1,6 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
+#
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-core/lib.uninstaller
+++ b/Shorewall-core/lib.uninstaller
@@ -1,5 +1,6 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
+#
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
@@ -60,7 +61,7 @@ mywhich() {
 remove_file() # $1 = file to remove
 {
    if [ -n "$1" ] ; then
-        if [ -f $1 -o -h $1 ] ; then
+        if [ -f $1 -o -L $1 ] ; then
            rm -f $1
            echo "$1 Removed"
        fi
@@ -84,7 +85,7 @@ remove_file_with_wildcard() # $1 = file with wildcard to remove
            if [ -d $f ] ; then
                rm -rf $f
                echo "$f Removed"
-            elif [ -f $f -o -h $f ] ; then
+            elif [ -f $f -o -L $f ] ; then
                rm -f $f
                echo "$f Removed"
            fi
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -405,6 +405,20 @@
      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>options</arg>
+
+      <arg
+      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg><option>-i</option></arg><arg>-<option>D</option>
+      <replaceable>directory</replaceable> </arg><arg
+      rep="repeat"><replaceable>chain</replaceable></arg></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall[6][-lite]</command>

@@ -445,54 +459,6 @@
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

-    <cmdsynopsis>
-      <command>shorewall[6]</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>options</arg>
-
-      <arg choice="plain"><option>remote-getcaps</option></arg>
-
-      <arg><option>-s</option></arg>
-
-      <arg><option>-R</option></arg>
-
-      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
-
-      <arg><option>-T</option></arg>
-
-      <arg><option>-i</option></arg>
-
-      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
-
-      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>shorewall[6]</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>options</arg>
-
-      <arg choice="plain"><option>remote-getrc</option></arg>
-
-      <arg><option>-s</option></arg>
-
-      <arg><option>-c</option></arg>
-
-      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
-
-      <arg><option>-T</option></arg>
-
-      <arg><option>-i</option></arg>
-
-      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
-
-      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
-    </cmdsynopsis>
-
    <cmdsynopsis>
      <command>shorewall[6]</command>

@@ -847,7 +813,7 @@

      <arg choice="req"><option>show | list | ls </option></arg>

-      <arg choice="plain"><option>saves</option></arg>
+      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -1350,7 +1316,7 @@
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
+          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -1807,6 +1773,63 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
+        [-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
+        </option><replaceable>directory</replaceable> ] [
+        <replaceable>chain</replaceable>... ]</term>
+
+        <listitem>
+          <para>Not available with Shorewall[6]-lite.</para>
+
+          <para>All steps performed by <command>restart</command> are
+          performed by <command>refresh</command> with the exception that
+          <command>refresh</command> only recreates the chains specified in
+          the command while <command>restart</command> recreates the entire
+          Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
+          the static blacklisting chain <emphasis
+          role="bold">blacklst</emphasis> is assumed.</para>
+
+          <para>The listed chains are assumed to be in the filter table. You
+          can refresh chains in other tables by prefixing the chain name with
+          the table name followed by ":" (e.g., nat:net_dnat). Chain names
+          which follow are assumed to be in that table until the end of the
+          list or until an entry in the list names another table. Built-in
+          chains such as FORWARD may not be refreshed.</para>
+
+          <para>The <option>-n</option> option was added in Shorewall 4.5.3
+          causes Shorewall to avoid updating the routing table(s).</para>
+
+          <para>The <option>-d</option> option was added in Shorewall 4.5.3
+          causes the compiler to run under the Perl debugger.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
+
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <para>The <option>-D</option> option was added in Shorewall 4.5.3
+          and causes Shorewall to look in the given
+          <emphasis>directory</emphasis> first for configuration files.</para>
+
+          <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
+
+          <para>The <emphasis role="bold">refresh</emphasis> command has
+          slightly different behavior. When no chain name is given to the
+          <emphasis role="bold">refresh</emphasis> command, the mangle table
+          is refreshed along with the blacklist chain (if any). This allows
+          you to modify <filename>/etc/shorewall/tcrules </filename>and
+          install the changes using <emphasis
+          role="bold">refresh</emphasis>.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">reject</emphasis><replaceable>
        address</replaceable></term>
@@ -1918,57 +1941,6 @@
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">remote-getcaps</emphasis>
-        [-<option>R</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [ [ -D ]
-        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable> ]</term>
-
-        <listitem>
-          <para>Added in Shoreall 5.2.0, this command executes <emphasis
-          role="bold">shorewall[6]-lite show capabilities -f &gt;
-          /var/lib/shorewall[6]-lite/capabilities</emphasis> on the remote
-          <replaceable>system</replaceable> via ssh then the generated file is
-          copied to <replaceable>directory</replaceable> on the local system.
-          If no <replaceable>directory</replaceable> is given, the current
-          working directory is assumed.</para>
-
-          <para>if <emphasis role="bold">-R</emphasis> is included, the remote
-          shorewallrc file is also copied to
-          <replaceable>directory</replaceable>.</para>
-
-          <para>If <option>-r</option> is included, it specifies that the root
-          user on <replaceable>system</replaceable> is named
-          <replaceable>root-user-name</replaceable> rather than "root".</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">remote-getrc</emphasis>
-        [-<option>c</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [ [ -D ]
-        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable> ]</term>
-
-        <listitem>
-          <para>Added in Shoreall 5.2.0, this command copies the shorewallrc
-          file from the remote <replaceable>system</replaceable> to
-          <replaceable>directory</replaceable> on the local system. If no
-          <replaceable>directory</replaceable> is given, the current working
-          directory is assumed.</para>
-
-          <para>if <emphasis role="bold">-c</emphasis> is included, the remote
-          capabilities are also copied to
-          <replaceable>directory</replaceable>, as is done by the
-          <command>remote-getcaps</command> command.</para>
-
-          <para>If <option>-r</option> is included, it specifies that the root
-          user on <replaceable>system</replaceable> is named
-          <replaceable>root-user-name</replaceable> rather than "root".</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">remote-start</emphasis>
        [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
@@ -2020,9 +1992,9 @@
          role="bold">shorewall-lite save</emphasis> via ssh.</para>

          <para>if <emphasis role="bold">-c</emphasis> is included, the
-          command <emphasis role="bold">shorewall[6]-lite show capabilities -f
-          &gt; /var/lib/shorewall[6]-lite/capabilities</emphasis> is executed
-          via ssh then the generated file is copied to
+          command <emphasis role="bold">shorewall-lite show capabilities -f
+          &gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
+          ssh then the generated file is copied to
          <replaceable>directory</replaceable> using scp. This step is
          performed before the configuration is compiled.</para>

@@ -2033,6 +2005,13 @@
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
+
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

@@ -2451,11 +2430,11 @@
        <replaceable>filename</replaceable> ]</term>

        <listitem>
-          <para>Creates a snapshot of the currently running firewall. The
-          dynamic blacklist is stored in /var/lib/shorewall/save. The state of
-          the firewall is stored in
+          <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
+          The state of the firewall is stored in
          /var/lib/shorewall/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall restore</emphasis> command. If
+          <emphasis role="bold">shorewall restore</emphasis> and <emphasis
+          role="bold">shorewall -f start</emphasis> commands. If
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
@@ -2758,15 +2737,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">rc</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.2.0. Displays the contents of
-                $SHAREDIR/shorewall/shorewallrc.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term>[-<option>c</option>]<emphasis role="bold">
              routing</emphasis></term>
@@ -2792,20 +2762,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term>saves</term>
-
-              <listitem>
-                <para>Added in Shorewall 5.2.0. Lists snapshots created by the
-                <command>save</command> command. Each snapshot is listed with
-                the date and time when it was taken. If there is a snapshot
-                with the name specified in the RESTOREFILE option in <ulink
-                url="shorewall.conf.html">shorewall.conf(5</ulink>), that
-                snapshot is listed as the <emphasis>default</emphasis>
-                snapshot for the <command>restore</command> command.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>

@@ -2965,7 +2921,7 @@
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
+          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -3216,38 +3172,30 @@
  <refsect1>
    <title>FILES</title>

-    <para>/etc/shorewall/*</para>
+    <para>/etc/shorewall/</para>

-    <para>/etc/shorewall6/*</para>
+    <para>/etc/shorewall6/</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

-    <simplelist>
-      <member><ulink
-      url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink>
-      - Describes operational aspects of Shorewall.</member>
+    <para><ulink
+    url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>

-      <member><ulink url="shorewall-files.html">shorewall-files(5)</ulink> -
-      Describes the various configuration files along with features and
-      conventions common to those files.</member>
-
-      <member><ulink url="shorewall-names.html">shorewall-names(5)</ulink> -
-      Describes naming of objects within a Shorewall configuration.</member>
-
-      <member><ulink
-      url="shorewall-addresses.html">shorewall-addresses(5)</ulink> -
-      Describes how to specify addresses within a Shorewall
-      configuration.</member>
-
-      <member><ulink
-      url="shorewall-exclusion.html">shorewall-exclusion(5)</ulink> -
-      Describes how to exclude certain hosts and/or networks from matching a
-      rule.</member>
-
-      <member><ulink url="shorewall-nesting.html">shorewall-nesting(5)</ulink>
-      - Describes how to nest one Shorewall zone inside another.</member>
-    </simplelist>
+    <para>shorewall-accounting(5), shorewall-actions(5),
+    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
+    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
+    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-logging(), shorewall-maclist(5),
+    shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5),
+    shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall6-proxyndp(5), shorewall-routes(5),
+    shorewall-rtrules(5), shorewall-rtrules(5), shorewall-rules(5),
+    shorewall-secmarks(5), shorewall-snat(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5),
+    shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall-core/shorewall
+++ b/Shorewall-core/shorewall
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.2
+#     Shorewall Packet Filtering Firewall Control Program - V5.1
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
--- a/Shorewall-core/shorewallrc.alt
+++ b/Shorewall-core/shorewallrc.alt
@@ -1,25 +0,0 @@
-#
-# ALT/BaseALT/ALTLinux Shorewall 5.2 rc file
-#
-BUILD=                                  #Default is to detect the build system
-HOST=alt
-PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
-PERLLIBDIR=${SHAREDIR}/perl5            #Directory to install Shorewall Perl module directory
-CONFDIR=/etc                            #Directory where subsystem configurations are installed
-SBINDIR=/sbin                           #Directory where system administration programs are installed
-MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.
-INITDIR=${CONFDIR}/rc.d/init.d          #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
-INITSOURCE=init.alt.sh                  #Name of the distributed file to be installed as the SysV init script
-ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
-SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
-SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
-SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
-SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
-SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib                         #Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
-DEFAULT_PAGER=/usr/bin/less             #Pager to use if none specified in shorewall[6].conf
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.2 rc file
+# Apple OS X Shorewall 5.0 rc file
 #
 BUILD=apple
 HOST=apple
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.2 rc file
+# Arch Linux Shorewall 5.0 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.2 rc file
+# Cygwin Shorewall 5.0 rc file
 #
 BUILD=cygwin
 HOST=cygwin
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.2 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -13,9 +13,9 @@ MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
 INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-empty, annotated configuration files are installed
-SYSCONFFILE=default.debian.systemd	#Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+ANNOTATED=				#If non-zero, annotated configuration files are installed
+SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.2 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,5 +1,5 @@
 #
-# Default Shorewall 5.2 rc file
+# Default Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -1,5 +1,5 @@
 #
-# OpenWRT/LEDE Shorewall 5.2 rc file
+# OpenWRT Shorewall 5.0 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.2 rc file
+# RedHat/FedoraShorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat
--- a/Shorewall-core/shorewallrc.sandbox
+++ b/Shorewall-core/shorewallrc.sandbox
@@ -1,28 +0,0 @@
-#
-# Shorewall 5.2 rc file for installing into a Sandbox
-#
-BUILD=                                       # Default is to detect the build system
-HOST=linux
-INSTALLDIR=				     # Set this to the directory where you want Shorewall installed
-PREFIX=${INSTALLDIR}/usr		     # Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share		     # Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share		     # Directory for executable scripts.	
-PERLLIBDIR=${PREFIX}/share/shorewall	     # Directory to install Shorewall Perl module directory	
-CONFDIR=${INSTALLDIR}/etc		     # Directory where subsystem configurations are installed				
-SBINDIR=${INSTALLDIR}/sbin		     # Directory where system administration programs are installed			
-MANDIR=		     			     # Leave empty
-INITDIR=				     # Leave empty				     				
-INITSOURCE=				     # Leave empty
-INITFILE=				     # Leave empty
-AUXINITSOURCE=				     # Leave empty
-AUXINITFILE=				     # Leave empty
-SERVICEDIR=				     # Leave empty
-SERVICEFILE=    			     # Leave empty
-SYSCONFFILE=				     # Leave empty
-SYSCONFDIR=				     # Leave empty			
-SPARSE=					     # Leave empty			
-ANNOTATED=				     # If non-empty, annotated configuration files are installed				
-VARLIB=${INSTALLDIR}/var/lib		     # Directory where product variable data is stored.				
-VARDIR=${VARLIB}/$PRODUCT		     # Directory where product variable data is stored.		
-DEFAULT_PAGER=/usr/bin/less		     # Pager to use if none specified in shorewall[6].conf
-SANDBOX=Yes				     # Indicates SANDBOX installation
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.2 rc file
+# Slackware Shorewall 5.0 rc file
 #
 BUILD=slackware
 HOST=slackware
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.2 rc file
+# SuSE Shorewall 5.0 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse
--- a/Shorewall-core/wait4ifup
+++ b/Shorewall-core/wait4ifup
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall interface helper utility - V5.2
+#     Shorewall interface helper utility - V4.2
 #
 #     (c) 2007,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-init/init.alt.sh
+++ b/Shorewall-init/init.alt.sh
@@ -1,150 +0,0 @@
-#!/bin/sh
-#
-# Shorewall init script
-#
-# chkconfig: - 09 91
-# description: Initialize the shorewall firewall at boot time
-#
-### BEGIN INIT INFO
-# Provides: shorewall-init
-# Required-Start: $local_fs
-# Required-Stop: $local_fs
-# Default-Start: 3 4 5
-# Default-Stop:  0 1 2 6
-# Short-Description: Initialize the shorewall firewall at boot time
-# Description:       Place the firewall in a safe state at boot time
-#                    prior to bringing up the network.
-### END INIT INFO
-
-# Do not load RH compatibility interface.
-WITHOUT_RC_COMPAT=1
-
-# Source function library.
-. /etc/init.d/functions
-
-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-NAME="Shorewall-init firewall"
-PROG="shorewall-init"
-SHOREWALL="$SBINDIR/$PROG"
-LOGGER="logger -i -t $PROG"
-
-# Get startup options (override default)
-OPTIONS=
-
-LOCKFILE=/var/lock/subsys/shorewall-init
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/sysconfig/shorewall-init" ]; then
-	. /etc/sysconfig/shorewall-init
-	if [ -z "$PRODUCTS" ]; then
-		echo "No PRODUCTS configured"
-		exit 6
-	fi
-else
-	echo "/etc/sysconfig/shorewall-init not found"
-	exit 6
-fi
-
-RETVAL=0
-
-# set the STATEDIR variable
-setstatedir() {
-	local statedir
-	if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
-		statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
-	fi
-
-	[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-
-	if [ -x ${STATEDIR}/firewall ]; then
-		return 0
-	elif [ $PRODUCT = shorewall ]; then
-		${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-		${SBINDIR}/shorewall -6 compile
-	else
-		return 1
-	fi
-}
-
-start() {
-	local PRODUCT
-	local STATEDIR
-
-	printf "Initializing \"Shorewall-based firewalls\": "
-
-	for PRODUCT in $PRODUCTS; do
-		if setstatedir; then
-			$STATEDIR/$PRODUCT/firewall ${OPTIONS} stop 2>&1 | "$LOGGER"
-			RETVAL=$?
-		else
-			RETVAL=6
-			break
-		fi
-	done
-
-	if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-		ipset -R < "$SAVE_IPSETS"
-	fi
-
-	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
-	return $RETVAL
-}
-
-stop() {
-	local PRODUCT
-	local STATEDIR
-
-	printf "Clearing \"Shorewall-based firewalls\": "
-	for PRODUCT in $PRODUCTS; do
-		if setstatedir; then
-			${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | "$LOGGER"
-			RETVAL=$?
-		else
-			RETVAL=6
-			break
-		fi
-	done
-
-	if [ -n "$SAVE_IPSETS" ]; then
-		mkdir -p $(dirname "$SAVE_IPSETS")
-		if ipset -S > "${SAVE_IPSETS}.tmp"; then
-			grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-		else
-			rm -f "${SAVE_IPSETS}.tmp"
-		fi
-	fi
-
-	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
-	return $RETVAL
-}
-
-# See how we were called.
-case "$1" in
-	start)
-	    start
-	    ;;
-	stop)
-	    stop
-	    ;;
-	restart|reload|condrestart|condreload)
-	    # "Not implemented"
-	    ;;
-	condstop)
-	    if [ -e "$LOCKFILE" ]; then
-		stop
-	    fi
-	    ;;
-	status)
-	    status "$PROG"
-	     RETVAL=$?
-	    ;;
-	*)
-	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|condrestart|condstop|status}"
-	    RETVAL=1
-esac
-
-exit $RETVAL
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall-init/init.openwrt.sh
+++ b/Shorewall-init/init.openwrt.sh
@@ -1,5 +1,5 @@
 #!/bin/sh /etc/rc.common
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2016           - Matt Darfeuille (matdarf@gmail.com)
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -181,9 +181,6 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
-		    alt|basealt|altlinux)
-			BUILD=alt
-			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -194,8 +191,6 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
-	    elif [ -f /etc/altlinux-release ]; then
-		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/SuSE-release ]; then
@@ -258,9 +253,6 @@ case "$HOST" in
    openwrt)
 	echo "Installing Openwrt-specific configuration..."
 	;;
-    alt)
-	echo "Installing ALT-specific configuration...";
-	;;
    linux)
 	fatal_error "Shorewall-init is not supported on this system"
 	;;
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -1,5 +1,5 @@
 #!/bin/bash
-#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
 #	(c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-lite/init.alt.sh
+++ b/Shorewall-lite/init.alt.sh
@@ -1,117 +0,0 @@
-#!/bin/sh
-#
-# Shorewall-Lite init script
-#
-# chkconfig: - 28 90
-# description: Packet filtering firewall
-#
-### BEGIN INIT INFO
-# Provides: shorewall-lite
-# Required-Start: $local_fs $remote_fs $syslog $network
-# Should-Start: $time $named
-# Required-Stop:
-# Default-Start: 3 4 5
-# Default-Stop:  0 1 2 6
-# Short-Description: Packet filtering firewall
-# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
-#              Netfilter (iptables) based firewall
-### END INIT INFO
-
-# Do not load RH compatibility interface.
-WITHOUT_RC_COMPAT=1
-
-# Source function library.
-. /etc/init.d/functions
-
-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-
-NAME="Shorewall-Lite firewall"
-PROG="shorewall"
-SHOREWALL="$SBINDIR/$PROG -l"
-LOGGER="logger -i -t $PROG"
-
-# Get startup options (override default)
-OPTIONS=
-
-SourceIfNotEmpty $SYSCONFDIR/${PROG}-lite
-
-LOCKFILE="/var/lock/subsys/${PROG}-lite"
-RETVAL=0
-
-start() {
-	action $"Applying $NAME rules:" "$SHOREWALL" "$OPTIONS" start "$STARTOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
-	return $RETVAL
-}
-
-stop() {
-	action $"Stoping $NAME :" "$SHOREWALL" "$OPTIONS" stop "$STOPOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
-	return $RETVAL
-}
-
-restart() {
-	action $"Restarting $NAME rules: " "$SHOREWALL" "$OPTIONS" restart "$RESTARTOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	return $RETVAL
-}
-
-reload() {
-	action $"Reloadinging $NAME rules: " "$SHOREWALL" "$OPTIONS" reload "$RELOADOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	return $RETVAL
-}
-
-clear() {
-	action $"Clearing $NAME rules: " "$SHOREWALL" "$OPTIONS" clear 2>&1 | "$LOGGER"
-	RETVAL=$?
-	return $RETVAL
-}
-
-# See how we were called.
-case "$1" in
-	start)
-	    start
-	    ;;
-	stop)
-	    stop
-	    ;;
-	restart)
-	    restart
-	    ;;
-	reload)
-	    reload
-	    ;;
-	clear)
-	    clear
-	    ;;
-	condrestart)
-	    if [ -e "$LOCKFILE" ]; then
-		restart
-	    fi
-	    ;;
-	condreload)
-	    if [ -e "$LOCKFILE" ]; then
-		restart
-	    fi
-	    ;;
-	condstop)
-	    if [ -e "$LOCKFILE" ]; then
-		stop
-	    fi
-	    ;;
-	status)
-	    "$SHOREWALL" status
-	     RETVAL=$?
-	    ;;
-	*)
-	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|clear|condrestart|condstop|status}"
-	    RETVAL=1
-esac
-
-exit $RETVAL
--- a/Shorewall-lite/init.openwrt.sh
+++ b/Shorewall-lite/init.openwrt.sh
@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2015 - Matt Darfeuille - (matdarf@gmail.com)
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-lite/init.suse.sh
+++ b/Shorewall-lite/init.suse.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -190,9 +190,6 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
-		    alt|basealt|altlinux)
-			BUILD=alt
-			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -201,8 +198,6 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
-	    elif [ -f /etc/altlinux-release ]; then
-		BUILD=alt
 	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f ${CONFDIR}/SuSE-release ]; then
@@ -271,9 +266,6 @@ case "$HOST" in
    openwrt)
 	echo "Installing OpenWRT-specific configuration..."
 	;;
-    alt)
-	echo "Installing ALT-specific configuration...";
-	;;
    linux)
 	;;
    *)
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall-lite/lib.base
+# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -151,7 +151,7 @@ fi

 remove_file ${SBINDIR}/$PRODUCT

-if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
    if [ $HOST = openwrt ]; then
 	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
 	    /etc/init.d/$PRODUCT disable
--- a/Shorewall/Actions/action.A_AllowICMPs.deprecated
+++ b/Shorewall/Actions/action.A_AllowICMPs.deprecated
@@ -0,0 +1,9 @@
+#
+# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
+#
+# This action A_ACCEPTs needed ICMP types
+#
+###############################################################################
+#ACTION		SOURCE		DEST	PROTO		DPORT
+
+AllowICMPs(A_ACCEPT)
--- a/Shorewall/Actions/action.A_Drop.deprecated
+++ b/Shorewall/Actions/action.A_Drop.deprecated
@@ -0,0 +1,57 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_Drop
+#
+# The audited default DROP common rules
+#
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
+###############################################################################
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Special Handling for Auth
+#
+Auth(A_DROP)
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
+# Don't log broadcasts and multicasts
+#
+dropBcast(audit)
+dropMcast(audit)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+dropInvalid(audit)
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_DROP)
+A_DropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+A_DropDNSrep
--- a/Shorewall/Actions/action.A_Reject.deprecated
+++ b/Shorewall/Actions/action.A_Reject.deprecated
@@ -0,0 +1,54 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_Reject
+#
+# The audited default REJECT action common rules
+#
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
+###############################################################################
+#ACTION		SOURCE	DEST	PROTO
+#
+# Count packets that come through here
+#
+COUNT
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
+# Drop Broadcasts and multicasts so they don't clutter up the log
+# (these must *not* be rejected).
+#
+dropBcast(audit)
+dropMcast(audit)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid(audit)
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_REJECT)
+A_DropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+A_DropDNSrep
--- a/Shorewall/Actions/action.Drop.deprecated
+++ b/Shorewall/Actions/action.Drop.deprecated
@@ -0,0 +1,84 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Drop
+#
+# The former default DROP common rules. Use of this action is now deprecated
+#
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# The action accepts six optional parameters:
+#
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#     actions.
+# 2 - Action to take with Auth requests. Default is to do nothing special
+#     with them.
+# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
+#     depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+#     A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
+#     is DROP or A_DROP depending on the first parameter.
+# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
+#     depending on the first parameter.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+###############################################################################
+?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
+    ?else
+        ?error The first parameter to Drop must be 'audit' or '-'
+    ?endif
+?else
+DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
+?endif
+
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Special Handling for Auth
+#
+?if passed(@2)
+Auth(@2)
+?endif
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+AllowICMPs(@4)	-	-	icmp
+#
+# Don't log broadcasts or multicasts
+#
+Broadcast(DROP,@1)
+Multicast(DROP,@1)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+Invalid(DROP,@1)
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(@3)
+DropUPnP(@6)
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+NotSyn(DROP,@1)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DropDNSrep(@5)
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -135,7 +135,7 @@ if ( $command & $RESET_CMD ) {
    #
    # if the event is armed, remove it and perform the action
    #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdst" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
 } elsif ( $command & $UPDATE_CMD ) {
    perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {
--- a/Shorewall/Actions/action.Reject.deprecated
+++ b/Shorewall/Actions/action.Reject.deprecated
@@ -0,0 +1,85 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Reject
+#
+# The former default REJECT action common rules. Use of this action is deprecated.
+#
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# The action accepts six optional parameters:
+#
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#     actions.
+# 2 - Action to take with Auth requests. Default is to do nothing
+#     special with them.
+# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+#     depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+#     A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
+#     is DROP or A_DROP depending on the first parameter.
+# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
+#     depending on the first parameter.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+###############################################################################
+?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
+    ?else
+	?error The first parameter to Reject must be 'audit' or '-'
+    ?endif
+?else
+DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
+?endif
+
+#ACTION		SOURCE	DEST	PROTO
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Special handling for Auth
+#
+?if passed(@2)
+Auth(@2)
+?endif
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+AllowICMPs(@4)	-	-	icmp
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+Broadcast(DROP,@1)
+Multicast(DROP,@1)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+Invalid(DROP,@1)
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(@3)
+DropUPnP(@6)
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+NotSyn(DROP,@1)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DropDNSrep(@5)
--- a/Shorewall/Contrib/swping
+++ b/Shorewall/Contrib/swping
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V5.2
+#     Shorewall WAN Interface monitor - V4.4
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #
--- a/Shorewall/Contrib/swping.init
+++ b/Shorewall/Contrib/swping.init
@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V5.2
+#     Shorewall WAN Interface monitor - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Macros/IPFS-swarm
+++ b/Shorewall/Macros/IPFS-swarm
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
-#
-# This macro handles IPFS data traffic (the connection to IPFS swarm).
-#
-###############################################################################
-#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
-
-PARAM   -       -       tcp     4001
--- a/Shorewall/Macros/macro.Cockpit
+++ b/Shorewall/Macros/macro.Cockpit
@@ -1,12 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Cockpit
-#
-# This macro handles Time protocol (RFC868).
-# Unless you are supporting extremely old hardware or software,
-# you shouldn't be using this.  NTP is a superior alternative.
-#
-#		By Eric Teeter
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	9090
--- a/Shorewall/Macros/macro.IPFS-API
+++ b/Shorewall/Macros/macro.IPFS-API
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.IPFS-API
-#
-# This macro handles IPFS API port (commands for the IPFS daemon).
-#
-###############################################################################
-#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
-
-PARAM   -       -       tcp     5001
--- a/Shorewall/Macros/macro.IPFS-gateway
+++ b/Shorewall/Macros/macro.IPFS-gateway
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.IPFS-gateway
-#
-# This macro handles the IPFS gateway to HTTP.
-#
-###############################################################################
-#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
-
-PARAM   -       -       tcp     8080
--- a/Shorewall/Macros/macro.IPFS-swarm
+++ b/Shorewall/Macros/macro.IPFS-swarm
@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
-#
-# This macro handles IPFS data traffic (the connection to IPFS swarm).
-#
-###############################################################################
-#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
-
-PARAM   -       -       tcp     4001
--- a/Shorewall/Macros/macro.SNMPTrap.deprecated
+++ b/Shorewall/Macros/macro.SNMPTrap.deprecated
@@ -0,0 +1,9 @@
+#
+# Shorewall - /usr/share/shorewall/macro.SNMPtrap
+#
+# This macro deprecated by SNMPtrap.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+SNMPtrap
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/ARP.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -282,7 +282,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {

 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_chain ( $config{ACCOUNTING_TABLE}, 'accountout' ) ,
+			    ensure_rules_chain ( 'accountout' ) ,
 			    OUTPUT_RESTRICT ,
 			    $prerule ,
 			    $rule ,
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Chains.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Chains.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -153,9 +153,6 @@ our %EXPORT_TAGS = (
 				       STICKY
 				       STICKO
 				       REALPREROUTING
-				       REALINPUT
-				       REALOUTPUT
-				       REALPOSTROUTING
 				       ACTIONCHAIN

 				       unreachable_warning
@@ -175,12 +172,6 @@ our %EXPORT_TAGS = (
 				       related_chain
 				       invalid_chain
 				       untracked_chain
-				       rules_log
-				       blacklist_log
-				       established_log
-				       related_log
-				       invalid_log
-				       untracked_log
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@@ -428,7 +419,7 @@ our $VERSION = 'MODULEVERSION';
 #      Established     - ^<z1-z2>
 #      Related         - +<z1-z2>
 #      Invalid         - _<z1-z2>
-#      Untracked       - =<z1-z2>
+#      Untracked       - &<z1-z2>
 #
 our %chain_table;
 our $raw_table;
@@ -493,19 +484,16 @@ use constant { NO_RESTRICT         => 0,   # FORWARD chain rule     - Both -i an
 # Mangle Table allowed chains enumeration
 #
 use constant {
-    PREROUTING      => 1,        #Actually tcpre
-    INPUT           => 2,        #Actually tcin
-    FORWARD         => 4,        #Actually tcfor
-    OUTPUT          => 8,        #Actually tcout
-    POSTROUTING     => 16,       #Actually tcpost
-    STICKY          => 32,
-    STICKO          => 64,
-    REALPREROUTING  => 128,
-    REALINPUT       => 256,
-    REALOUTPUT      => 512,
-    REALPOSTROUTING => 1024,
-    ALLCHAINS       => 2047,
-    ACTIONCHAIN     => 2048,
+    PREROUTING     => 1,        #Actually tcpre
+    INPUT          => 2,        #Actually tcin
+    FORWARD        => 4,        #Actually tcfor
+    OUTPUT         => 8,        #Actually tcout
+    POSTROUTING    => 16,       #Actually tcpost
+    ALLCHAINS      => 31,
+    STICKY         => 32,
+    STICKO         => 64,
+    REALPREROUTING => 128,
+    ACTIONCHAIN    => 256,
 };

 #
@@ -2275,57 +2263,7 @@ sub invalid_chain($$) {
 # Name of the untracked chain between an ordered pair of zones
 #
 sub untracked_chain($$) {
-    '=' . &rules_chain(@_);
-}
-
-#
-# Logname for chains between an ordered pair of zones
-#
-sub rules_log( $$ ) {
-    my $logchain = $config{LOG_ZONE};
-
-    if ( $logchain eq 'both' ) {
-	join "$config{ZONE2ZONE}", @_;
-    } elsif ( $logchain eq 'src' ) {
-	$_[0];
-    } else {
-	$_[1];
-    }
-}
-
-#
-# Log name of the blacklist chain between an ordered pair of zones
-#
-sub blacklist_log($$) {
-    &rules_log(@_) . '~';
-}
-
-#
-# Log name of the established chain between an ordered pair of zones
-#
-sub established_log($$) {
-    '^' . &rules_log(@_)
-}
-
-#
-# Log name of the related chain between an ordered pair of zones
-#
-sub related_log($$) {
-    '+' . &rules_log(@_);
-}
-
-#
-# Log name of the invalid chain between an ordered pair of zones
-#
-sub invalid_log($$) {
-    '_' . &rules_log(@_);
-}
-
-#
-# Name of the untracked chain between an ordered pair of zones
-#
-sub untracked_log($$) {
-    '&' . &rules_log(@_);
+    '&' . &rules_chain(@_);
 }

 #
@@ -2647,14 +2585,13 @@ sub reserved_name( $ ) {
 #
 # Create a new chain and return a reference to it.
 #
-sub new_chain($$;$)
+sub new_chain($$)
 {
-    my ($table, $chain, $logchain) = @_;
+    my ($table, $chain) = @_;

    assert( $chain_table{$table} && ! ( $chain_table{$table}{$chain} || $builtin_target{ $chain } ) );

    my $chainref = { name           => $chain,
-		     logname        => $logchain || $chain,
 		     rules          => [],
 		     table          => $table,
 		     loglevel       => '',
@@ -2675,7 +2612,7 @@ sub new_chain($$;$)
 #
 # Find a chain
 #
-sub find_chain($$;$) {
+sub find_chain($$) {
    my ($table, $chain) = @_;

    assert( $table && $chain && $chain_table{$table} );
@@ -2686,7 +2623,7 @@ sub find_chain($$;$) {
 #
 # Create a chain if it doesn't exist already
 #
-sub ensure_chain($$;$)
+sub ensure_chain($$)
 {
    &find_chain( @_ ) || &new_chain( @_ );
 }
@@ -3340,20 +3277,10 @@ sub initialize_chain_table($) {
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
-	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS           ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
-	$chainref = new_standard_chain( 'DOCKER-USER'   );
-	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER              ] && cat ${VARDIR}/.filter_DOCKER-USER      >&3' );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION         ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
-	$chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' );
-	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' );
-	$chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-2' );
-	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2 >&3' );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS   ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
    }

    my $ruleref = transform_rule( $globals{LOGLIMIT} );
@@ -3996,7 +3923,7 @@ sub optimize_level8( $$$ ) {
 					'',      # Origin
 					1 );     # Recalculate digests of modified chains

-		    if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
+		    unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
 			#
 			# For simple use of the BLACKLIST section, we can end up with many identical
 			# chains. To distinguish them from other renamed chains, we keep track of
@@ -4579,21 +4506,15 @@ sub valid_tables() {

 sub optimize_ruleset() {

-    my $optimize = $config{OPTIMIZE};
-
    for my $table ( valid_tables ) {

 	my $tableref = $chain_table{$table};
 	my $passes   = 0;
+	my $optimize = $config{OPTIMIZE};

 	$passes = optimize_level4(  $table, $tableref )           if $optimize & 4;
-	$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16;
-
-	my $savepasses = $passes;
-
 	$passes = optimize_level8(  $table, $tableref , $passes ) if $optimize & 8;
-
-	$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16 && $passes > $savepasses + 1;
+	$passes = optimize_level16( $table, $tableref , $passes ) if $optimize & 16;

 	progress_message "  Table $table Optimized -- Passes = $passes";
 	progress_message '';
@@ -4707,7 +4628,7 @@ sub logchain( $$$$$$ ) {
 	log_irule_limit(
 		       $loglevel ,
 		       $logchainref ,
-		       $chainref->{logname} ,
+		       $chainref->{name} ,
 		       $disposition ,
 		       [] ,
 		       $logtag,
@@ -5303,8 +5224,8 @@ sub do_imac( $ ) {
 #
 sub verify_mark( $ ) {
    my $mark  = $_[0];
-    my $limit = $config{TC_EXPERT} ? $globals{TPROXY_MARK} + 1 : $globals{EXCLUSION_MASK};
-    my $mask  = $config{TC_EXPERT} ? $globals{TPROXY_MARK}     : $globals{TC_MASK};
+    my $limit = $globals{EXCLUSION_MASK};
+    my $mask  = $globals{TC_MASK};
    my $value = numeric_value( $mark );

    fatal_error "Invalid Mark or Mask value ($mark)"
@@ -5388,91 +5309,69 @@ sub do_ratelimit( $$ ) {

    fatal_error "Rate Limiting not available with $action" if $norate{$action};

-    my @rates = split_list3 $rates, 'rate';
+    my @rates = split_list $rates, 'rate';

    if ( @rates == 2 ) {
-	$rates[0] = 's:' . $rates[0] unless $rates[0] =~ /^s:/;
-	$rates[1] = 'd:' . $rates[1] unless $rates[1] =~ /^d:/;
+	$rates[0] = 's:' . $rates[0];
+	$rates[1] = 'd:' . $rates[1];
    } elsif ( @rates > 2 ) {
 	fatal error "Only two rates may be specified";
    }
+
    my $limit = '';

    for my $rate ( @rates ) {
 	#
 	# "-m hashlimit" match for the passed LIMIT/BURST
 	#
-	my $mode;
-	my $match;
-	my $units;
+	if ( $rate =~ /^([sd]):{1,2}/ ) {
+	    require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';

-	#                  1          2            34                  5     6              78    9  10                       11
-	if ( $rate =~ /^(?:([sd])(?:\/(\d+))?:)?(?:(([A-Za-z]\w*)?(?:\((\d+),(\d+)\))?:)|:)?((\d+)(\/(sec|min|hour|day))?)(?::(\d+))?$/ ) {
-	    fatal_error "Invalid Rate ($8)" unless $8;
+	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
+	    my $units;

-	    if ( $1 ) {
-		require_capability( 'HASHLIMIT_MATCH' , 'Per-ip rate limiting', 's' );
-		$mode = $1 eq 's' ? 'srcip' : 'dstip';
-	    }
-
-	    if ( $mode || $2 || $4 || $5 ) {
-		$limit .= '-m hashlimit ';
-		$match  = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
+	    $limit .= "-m hashlimit ";
+	    
+	    if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+		fatal_error "Invalid Rate ($3)" unless $4;
+		fatal_error "Invalid Burst ($7)" unless $7;
+		$limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
+		$limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
+		$limit .= ' --hashlimit-mode ';
+		$units = $6;
+	    } elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
+		fatal_error "Invalid Rate ($3)" unless $4;
+		$limit .= "--$match $3 --hashlimit-name ";
+		$limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
+		$limit .= ' --hashlimit-mode ';
+		$units = $6;
 	    } else {
-		$limit .= '-m limit ';
-		$match  = 'limit';
+		fatal_error "Invalid rate ($rate)";
 	    }

-	    $limit .= "--$match $7 ";
+	    $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';

-	    if ( supplied $11 ) {
-		fatal_error "Invalid Burst ($11)" unless $11;
-		$limit .= $match eq 'limit' ? "--limit-burst $11 " : "--hashlimit-burst $11 ";
-	    }
+	    if ( $units && $units ne 'sec' ) {
+		my $expire = 60000; # 1 minute in milliseconds

+		if ( $units ne 'min' ) {
+		    $expire *= 60; #At least an hour
+		    $expire *= 24 if $units eq 'day';
+		}

-	    if ( $mode || $4 ) {
-		require_capability( 'HASHLIMIT_MATCH', 'Specifying a table name', 's' );
-		$limit .= "--hashlimit-name ";
-		$limit .= $4 ? $4 : 'shorewall' . $hashlimitset++;
-	    }
-
-	    if ( supplied $2 ) {
-		my $vlsm = numeric_value($2);
-		fatal_error "Invalid VLSM ($2)" unless $vlsm and $vlsm <= ( $family == F_IPV4 ? VLSMv4 : VLSMv6 );
-		$limit .= $mode eq 'srcip' ? " --hashlimit-srcmask $vlsm" : " --hashlimit-dstmask $vlsm";
-	    }
-
-	    if ( supplied $5 ) {
-		require_capability( 'HASHLIMIT_MATCH', 'Specifying hash table size', 's' );
-		my ( $htsize, $max ) = ( numeric_value($5), numeric_value($6) );
-
-		fatal_error "Invalid hash table buckets ($5)"               unless $htsize;
-		fatal_error "Invalid hash max entries($6)"                  unless $max;
-		fatal_error "Hash max entries must be > hash table buckets" unless $max > $htsize;
-
-		$limit .= " --hashlimit-htable-size $htsize --hashlimit-htable-max $max";
-	    }
-
-	    if ( $mode ) {
-		$limit .= " --hashlimit-mode $mode";
-		$units = $10;
+		$limit .= "--hashlimit-htable-expire $expire ";
 	    }
 	} else {
-	    fatal_error "Invalid rate ($rate)";
-	}
-
-	if ( $units && $units ne 'sec' ) {
-	    my $expire = 60000; # 1 minute in milliseconds
-
-	    if ( $units ne 'min' ) {
-		$expire *= 60; #At least an hour
-		$expire *= 24 if $units eq 'day';
+	    if ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+		fatal_error "Invalid Rate ($1)" unless $2;
+		fatal_error "Invalid Burst ($5)" unless $5;
+		$limit = "-m limit --limit $1 --limit-burst $5 ";
+	    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
+		fatal_error "Invalid Rate (${1}${2})" unless $1;
+		$limit = "-m limit --limit $rate ";
+	    } else {
+		fatal_error "Invalid rate ($rate)";
 	    }
-
-	    $limit .= " --hashlimit-htable-expire $expire ";
-	} else {
-	    $limit .= ' ';
 	}
    }

@@ -5857,7 +5756,7 @@ sub do_condition( $$ ) {

    $chain =~ s/[^\w-]//g;
    #                          $1    $2      -     $3
-    while ( $condition =~ m( ^(.*?) @(\{)?(?:0|chain)(?(2)}) (.*)$ )x ) {
+    while ( $condition =~ m( ^(.*?) @({)?(?:0|chain)(?(2)}) (.*)$ )x ) {
 	$condition = join( '', $1, $chain, $3 );
    }

@@ -5906,48 +5805,36 @@ sub do_nfacct( $ ) {
 # Match Source Interface
 #
 sub match_source_dev( $;$ ) {
-    my ( $interface, $nodev ) = @_;
-    my $invert       =  ( $interface =~ s/^!// ) ? '! ' : '';
+    my ( $interface, $nodev ) = @_;;
    my $interfaceref =  known_interface( $interface );
    $interface = $interfaceref->{physical} if $interfaceref;
-
-    if ( $interface eq '+' ) {
-	fatal_error "Invalid interface (!+)" if $invert;
-	return '';
-    }
-
+    return '' if $interface eq '+';
    if ( $interfaceref && $interfaceref->{options}{port} ) {
 	if ( $nodev ) {
-	    "${invert}-m physdev --physdev-in $interface ";
+	    "-m physdev --physdev-in $interface ";
 	} else {
 	    my $bridgeref = find_interface $interfaceref->{bridge};
-	    "-i $bridgeref->{physical} ${invert}-m physdev --physdev-in $interface ";
+	    "-i $bridgeref->{physical} -m physdev --physdev-in $interface ";
 	}
    } else {
-	"${invert}-i $interface ";
+	"-i $interface ";
    }
 }

 sub imatch_source_dev( $;$ ) {
-    my ( $interface, $nodev ) = @_;
-    my $invert       =  ( $interface =~ s/^!// ) ? '! ' : '';
+    my ( $interface, $nodev ) = @_;;
    my $interfaceref =  known_interface( $interface );
    $interface = $interfaceref->{physical} if $interfaceref;
-
-    if ( $interface eq '+' ) {
-	fatal_error "Invalid interface (!+)" if $invert;
-	return ();
-    }
-
+    return () if $interface eq '+';
    if ( $interfaceref && $interfaceref->{options}{port} ) {
 	if ( $nodev ) {
-	    ( physdev => "${invert}--physdev-in $interface" );
+	    ( physdev => "--physdev-in $interface" );
 	} else {
 	    my $bridgeref = find_interface $interfaceref->{bridge};
-	    ( i => $bridgeref->{physical}, physdev => "${invert}--physdev-in $interface" );
+	    ( i => $bridgeref->{physical}, physdev => "--physdev-in $interface" );
 	}
    } else {
-	( i => $invert . $interface );
+	( i => $interface );
    }
 }

@@ -5955,66 +5842,54 @@ sub imatch_source_dev( $;$ ) {
 # Match Dest device
 #
 sub match_dest_dev( $;$ ) {
-    my ( $interface, $nodev ) = @_;
+    my ( $interface, $nodev ) = @_;;
    my $interfaceref =  known_interface( $interface );
-    my $invert       =  ( $interface =~ s/^!// ) ? '! ' : '';
    $interface = $interfaceref->{physical} if $interfaceref;
-
-    if ( $interface eq '+' ) {
-	fatal_error "Invalid interface (!+)" if $invert;
-	return '';
-    }
-
+    return '' if $interface eq '+';
    if ( $interfaceref && $interfaceref->{options}{port} ) {
 	if ( $nodev ) {
 	    if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
-		"${invert}-m physdev --physdev-is-bridged --physdev-out $interface ";
+		"-m physdev --physdev-is-bridged --physdev-out $interface ";
 	    } else {
-		"${invert}-m physdev --physdev-out $interface ";
+		"-m physdev --physdev-out $interface ";
 	    }
 	} else {
 	    my $bridgeref = find_interface $interfaceref->{bridge};

 	    if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
-		"-o $bridgeref->{physical} ${invert}-m physdev --physdev-is-bridged --physdev-out $interface ";
+		"-o $bridgeref->{physical} -m physdev --physdev-is-bridged --physdev-out $interface ";
 	    } else {
-		"-o $bridgeref->{physical} ${invert}-m physdev --physdev-out $interface ";
+		"-o $bridgeref->{physical} -m physdev --physdev-out $interface ";
 	    }
 	}
    } else {
-	"${invert}-o $interface ";
+	"-o $interface ";
    }
 }

 sub imatch_dest_dev( $;$ ) {
-    my ( $interface, $nodev ) = @_;
-    my $invert       =  ( $interface =~ s/^!// ) ? '!' : '';
+    my ( $interface, $nodev ) = @_;;
    my $interfaceref =  known_interface( $interface );
    $interface = $interfaceref->{physical} if $interfaceref;
-
-    if ( $interface eq '+' ) {
-	fatal_error "Invalid interface (!+)" if $invert;
-	return ();
-    }
-
+    return () if $interface eq '+';
    if ( $interfaceref && $interfaceref->{options}{port} ) {
 	if ( $nodev ) {
 	    if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
-		( physdev => "${invert}--physdev-is-bridged --physdev-out $interface" );
+		( physdev => "--physdev-is-bridged --physdev-out $interface" );
 	    } else {
-		( physdev => "${invert}--physdev-out $interface" );
+		( physdev => "--physdev-out $interface" );
 	    }
 	} else {
 	    my $bridgeref = find_interface $interfaceref->{bridge};

 	    if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
-		( o => $bridgeref->{physical}, physdev => "${invert}--physdev-is-bridged --physdev-out $interface" );
+		( o => $bridgeref->{physical}, physdev => "--physdev-is-bridged --physdev-out $interface" );
 	    } else {
-		( o => $bridgeref->{physical}, physdev => "${invert}--physdev-out $interface" );
+		( o => $bridgeref->{physical}, physdev => "--physdev-out $interface" );
 	    }
 	}
    } else {
-	( o => $invert . $interface );
+	( o => $interface );
    }
 }

@@ -6932,13 +6807,13 @@ sub log_irule_limit( $$$$$$$$@ ) {
 sub log_rule( $$$$ ) {
    my ( $level, $chainref, $disposition, $matches ) = @_;

-    log_rule_limit $level, $chainref, $chainref->{logname} , $disposition, $globals{LOGLIMIT}, '', 'add', $matches;
+    log_rule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGLIMIT}, '', 'add', $matches;
 }

 sub log_irule( $$$;@ ) {
    my ( $level, $chainref, $disposition, @matches ) = @_;

-    log_irule_limit $level, $chainref, $chainref->{logname} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
+    log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
 }

 #
@@ -7159,17 +7034,14 @@ sub interface_address( $ ) {
 #
 sub get_interface_address ( $;$ ) {
    my ( $logical, $provider ) = @_;
+
    my $interface = get_physical( $logical );
    my $variable = interface_address( $interface );
+    my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';

    $global_variables |= ALL_COMMANDS;

-    if ( $interface eq loopback_interface ) {
-	$interfaceaddr{$interface} = "$variable=" . loopback_address;
-    } else {
-	my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
-	$interfaceaddr{$interface} = "$variable=\$($function $interface)\n";
-    }
+    $interfaceaddr{$interface} = "$variable=\$($function $interface)\n";

    set_interface_option( $logical, 'used_address_variable', 1 ) unless $provider;

@@ -7630,11 +7502,6 @@ sub verify_source_interface( $$$$ ) {
    my ( $iiface, $restriction, $table, $chainref ) = @_;

    my $rule = '';
-    my $oiiface = $iiface;
-    #
-    # Ignore exclusion for now
-    #
-    $iiface =~ s/^!//;

    fatal_error "Unknown Interface ($iiface)" unless known_interface $iiface;

@@ -7664,7 +7531,7 @@ sub verify_source_interface( $$$$ ) {
 	}

 	$chainref->{restricted} |= $restriction;
-	$rule .= match_source_dev( $oiiface );
+	$rule .= match_source_dev( $iiface );
    }

    $rule;
@@ -7759,11 +7626,6 @@ sub verify_dest_interface( $$$$ ) {
    my ( $diface, $restriction, $chainref, $iiface ) = @_;

    my $rule = '';
-    my $odiface = $diface;
-    #
-    # Ignore exclusion for now
-    #
-    $diface =~ s/^!//;

    fatal_error "Unknown Interface ($diface)" unless known_interface $diface;

@@ -7793,7 +7655,7 @@ sub verify_dest_interface( $$$$ ) {
 	}

 	$chainref->{restricted} |= $restriction;
-	$rule .= match_dest_dev( $odiface );
+	$rule .= match_dest_dev( $diface );
    }

    $rule;
@@ -8630,20 +8492,7 @@ sub save_docker_rules($) {
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
 	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
-	  qq(    [ -n "\$g_dockeruser" ]    && $tool -t filter -S DOCKER-USER      | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
-	  qq(),
-	  qq(    case "\$g_dockernetwork" in),
-	  qq(        One\)),
-	  qq(            rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
-	  qq(            $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
-	  qq(            ;;),
-	  qq(        Two\)),
-	  qq(            rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
-	  qq(            $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
-	  qq(            $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
-	  qq(            ;;),
-	  qq(    esac),
-	  qq(),
+	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
 	);

    if ( known_interface( 'docker0' ) ) {
@@ -8659,8 +8508,7 @@ sub save_docker_rules($) {
 	  q(    rm -f ${VARDIR}/.nat_POSTROUTING),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER),
 	  q(    rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
-	  q(    rm -f ${VARDIR}/.filter_DOCKER-USER),
-	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION*),
+	  q(    rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
 	  q(    rm -f ${VARDIR}/.filter_FORWARD),
 	  q(fi)
 	)
@@ -8671,7 +8519,7 @@ sub save_dynamic_chains() {
    my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';

-    emit ( 'if [ "$COMMAND" = reload ]; then' );
+    emit ( 'if [ "$COMMAND" = reload -o "$COMMAND" = refresh ]; then' );
    push_indent;

    emit( 'if [ -n "$g_counters" ]; then' ,
@@ -9036,6 +8884,9 @@ sub create_load_ipsets() {

 	    emit ( 'elif [ "$COMMAND" = reload ]; then' );   ################### Reload Command ####################
 	    ensure_ipsets( @ipsets );
+
+	    emit( 'elif [ "$COMMAND" = refresh ]; then' );   ################### Refresh Command ###################
+	    ensure_ipsets( @ipsets );
 	};

 	emit ( 'fi' );
@@ -9164,20 +9015,12 @@ sub create_netfilter_load( $ ) {
 			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			enter_cmd_mode;
-			emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-			enter_cat_mode;
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
-			enter_cmd_mode;
-			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 			enter_cat_mode;
-		    } elsif ( $name eq 'DOCKER-USER' ) {
-			enter_cmd_mode;
-			emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
-			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
@@ -9225,7 +9068,7 @@ sub create_netfilter_load( $ ) {
 	  '',
 	  "cat \${VARDIR}/.${utility}-input | \$command # Use this nonsensical form to appease SELinux",
 	  'if [ $? != 0 ]; then',
-	  qq(    fatal_error "$utility Failed. Input is in \${VARDIR}/.${utility}-input"),
+	  qq(    fatal_error "iptables-restore Failed. Input is in \${VARDIR}/.${utility}-input"),
 	  'fi'
 	);

@@ -9279,23 +9122,14 @@ sub preview_netfilter_load() {
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			enter_cmd_mode1 unless $mode == CMD_MODE;
-			print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
-			enter_cmd_mode1 unless $mode == CMD_MODE;
-			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
-			enter_cat_mode1;
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
-		    } elsif ( $name eq 'DOCKER-USER' ) {
-			enter_cmd_mode1 unless $mode == CMD_MODE;
-			print( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
-			print "\n";
-			enter_cat_mode1;
 		    } else {		    
 			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
@@ -9327,6 +9161,156 @@ sub preview_netfilter_load() {
    print "\n";
 }

+#
+# Generate the netfilter input for refreshing a list of chains
+#
+sub create_chainlist_reload($) {
+
+    my $chains = $_[0];
+
+    my @chains;
+
+    unless ( $chains eq ':none:' ) {
+	if ( $chains eq ':refresh:' ) {
+	    $chains = '';
+	} else {
+	    @chains =  split_list $chains, 'chain';
+	}
+
+	unless ( @chains ) {
+	    @chains = qw( blacklst ) if $filter_table->{blacklst};
+	    push @chains, 'blackout' if $filter_table->{blackout};
+
+	    for ( grep $_->{blacklistsection} && $_->{referenced}, values %{$filter_table} ) {
+		push @chains, $_->{name} if $_->{blacklistsection};
+	    }
+
+	    push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+	    $chains = join( ',', @chains ) if @chains;
+	}
+    }
+
+    $mode = NULL_MODE;
+
+    emit(  'chainlist_reload()',
+	   '{'
+	   );
+
+    push_indent;
+
+    if ( @chains ) {
+	my $word = @chains == 1 ? 'chain' : 'chains';
+
+	progress_message2 "Compiling iptables-restore input for $word @chains...";
+	save_progress_message "Preparing iptables-restore input for $word @chains...";
+
+	emit '';
+
+	my $table = 'filter';
+
+	my %chains;
+
+	my %tables;
+
+	for my $chain ( @chains ) {
+	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
+
+	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
+
+	    $chains{$table} = {} unless $chains{$table};
+
+	    if ( $chain ) {
+		my $chainref;
+		fatal_error "No $table chain found with name $chain" unless $chainref = $chain_table{$table}{$chain};
+		fatal_error "Built-in chains may not be refreshed" if $chainref->{builtin};
+
+		if ( $chainseq{$table} && @{$chainref->{rules}} ) {
+		    $tables{$table} = 1;
+		} else {
+		    $chains{$table}{$chain} = $chainref;
+		}
+	    } else {
+		$tables{$table} = 1;
+	    }
+	}
+
+	for $table ( keys %tables ) {
+	    while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) {
+		$chains{$table}{$chain} = $chainref if $chainref->{referenced} && ! $chainref->{builtin};
+	    }
+	}
+
+	emit 'exec 3>${VARDIR}/.iptables-restore-input';
+
+	enter_cat_mode;
+
+	for $table ( qw(raw nat mangle filter) ) {
+	    my $tableref=$chains{$table};
+
+	    next unless $tableref;
+
+	    @chains = sort keys %$tableref;
+
+	    emit_unindented "*$table";
+
+	    for my $chain ( @chains ) {
+		my $chainref = $tableref->{$chain};
+		emit_unindented ":$chainref->{name} - [0:0]";
+	    }
+
+	    for my $chain ( @chains ) {
+		my $chainref = $tableref->{$chain};
+		my @rules = @{$chainref->{rules}};
+		my $name = $chainref->{name};
+
+		@rules = () unless @rules;
+		#
+		# Emit the chain rules
+		#
+		emitr($chainref, $_) for @rules;
+	    }
+	    #
+	    # Commit the changes to the table
+	    #
+	    enter_cat_mode unless $mode == CAT_MODE;
+
+	    emit_unindented 'COMMIT';
+	}
+
+	enter_cmd_mode;
+
+	#
+	# Now generate the actual ip[6]tables-restore command
+	#
+	emit(  'exec 3>&-',
+	       '' );
+
+	if ( $family == F_IPV4 ) {
+	    emit ( 'progress_message2 "Running iptables-restore..."',
+		   '',
+		   'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
+		   'if [ $? != 0 ]; then',
+		   '    fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
+		   "fi\n"
+		 );
+	} else {
+	    emit ( 'progress_message2 "Running ip6tables-restore..."',
+		   '',
+		   'cat ${VARDIR}/.iptables-restore-input | $IP6TABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
+		   'if [ $? != 0 ]; then',
+		   '    fatal_error "ip6tables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
+		   "fi\n"
+		 );
+	}
+    } else {
+	emit('true');
+    }
+
+    pop_indent;
+
+    emit "}\n";
+}
+
 #
 # Generate the netfilter input to stop the firewall
 #
@@ -9383,18 +9367,10 @@ sub create_stop_load( $ ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			enter_cat_mode;
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
-			enter_cmd_mode;
-			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
-			enter_cat_mode;
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			enter_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 			enter_cat_mode;
-		    } elsif ( $name eq 'DOCKER-USER' ) {
-			enter_cmd_mode;
-			emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
-			enter_cat_mode;
 		    } else {		    
 			emit_unindented ":$name - [0:0]";
 		    }
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.2
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.0
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -109,7 +109,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF

-    for my $exit ( qw/init start tcclear started stop stopped clear restored enabled disabled/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -269,12 +269,7 @@ sub generate_script_2() {
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
 	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( 'chain_exists DOCKER-USER      && g_dockeruser=Yes' );
-	emit( 'if chain_exists DOCKER-ISOLATION; then',
-	      '    g_dockernetwork=One',
-	      'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
-	      '    g_dockernetwork=Two',
-	      'fi' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
    }

    pop_indent;
@@ -361,7 +356,7 @@ sub generate_script_2() {
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
 #          than those related to writing to the output script file.
 #
-sub generate_script_3() {
+sub generate_script_3($) {

    if ( $family == F_IPV4 ) {
 	progress_message2 "Creating iptables-restore input...";
@@ -371,6 +366,7 @@ sub generate_script_3() {

    create_netfilter_load( $test );
    create_arptables_load( $test ) if $have_arptables;
+    create_chainlist_reload( $_[0] );
    create_save_ipsets;
    create_load_ipsets;

@@ -387,7 +383,7 @@ sub generate_script_3() {
 	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );

 	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && ! $fn =~ "^$globals{SHAREDIR}/" ) ) ) {
-	    emit 'echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir';
+	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;

@@ -402,10 +398,16 @@ sub generate_script_3() {
 	emit 'load_kernel_modules Yes';
    }

-    emit( '' ,
-	  'run_init_exit',
-	  '' ,
-	  'load_ipsets' ,
+    emit '';
+
+    emit ( 'if [ "$COMMAND" = refresh ]; then' ,
+	   '   run_refresh_exit' ,
+	   'else' ,
+	   '    run_init_exit',
+	   'fi',
+	   '' );
+
+    emit( 'load_ipsets' ,
 	  '' );

    create_nfobjects;
@@ -463,6 +465,11 @@ sub generate_script_3() {
    dump_proxy_arp;
    emit_unindented '__EOF__';

+    emit( '',
+	  'if [ "$COMMAND" != refresh ]; then' );
+
+    push_indent;
+
    emit 'cat > ${VARDIR}/zones << __EOF__';
    dump_zone_contents;
    emit_unindented '__EOF__';
@@ -475,6 +482,10 @@ sub generate_script_3() {
    dump_mark_layout;
    emit_unindented '__EOF__';

+    pop_indent;
+
+    emit "fi\n";
+
    emit '> ${VARDIR}/nat';

    add_addresses;
@@ -516,9 +527,26 @@ sub generate_script_3() {
    emithd <<"EOF";
    set_state Started $config_dir
    run_restored_exit
-else
-    setup_netfilter
+elif [ \$COMMAND = refresh ]; then
+    chainlist_reload
 EOF
+    push_indent;
+    setup_load_distribution;
+    setup_forwarding( $family , 0 );
+    pop_indent;
+    #
+    # Use a parameter list rather than 'here documents' to avoid an extra blank line
+    #
+    emit( '    run_refreshed_exit',
+	  '    do_iptables -N shorewall' );
+
+    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+
+    emit( "    set_state Started $config_dir",
+	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+	  'else',
+	  '    setup_netfilter'	);
+
    push_indent;
    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
@@ -553,6 +581,9 @@ case $COMMAND in
    reload)
        mylogger kern.info "$g_product reloaded"
        ;;
+    refresh)
+        mylogger kern.info "$g_product refreshed"
+        ;;
    restore)
        mylogger kern.info "$g_product restored"
        ;;
@@ -587,8 +618,8 @@ sub compile_info_command() {
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 ) =
-       ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 , $inline ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );

    $export         = 0;
    $test           = 0;
@@ -617,6 +648,7 @@ sub compiler {
 		  timestamp     => { store => \$timestamp,     validate => \&validate_boolean   } ,
 		  debug         => { store => \$debug,         validate => \&validate_boolean   } ,
 		  export        => { store => \$export ,       validate => \&validate_boolean   } ,
+		  chains        => { store => \$chains },
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
@@ -624,6 +656,7 @@ sub compiler {
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -660,7 +693,7 @@ sub compiler {
    #                                      S H O R E W A L L R C ,
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
-    get_configuration( $export , $update , $annotate );
+    get_configuration( $export , $update , $annotate , $inline );
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # now when shorewall.conf has been processed and the capabilities have been determined.
@@ -783,7 +816,7 @@ sub compiler {
    #
    # Setup Masquerade/SNAT
    #
-    setup_snat;
+    setup_snat( $update );
    #
    # Setup Nat
    #
@@ -886,7 +919,7 @@ sub compiler {
 	#                          N E T F I L T E R   L O A D
 	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
-	generate_script_3();
+	generate_script_3( $chains );
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Config.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Config.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -414,6 +414,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		                    'Old conntrack match syntax',
 		 NEW_CONNTRACK_MATCH =>
 		                    'Extended Connection Tracking Match',
+		 USEPKTTYPE      => 'Packet Type Match',
 		 POLICY_MATCH    => 'Policy Match',
 		 PHYSDEV_MATCH   => 'Physdev Match',
 		 PHYSDEV_BRIDGE  => 'Physdev-is-bridged support',
@@ -465,7 +466,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 TPROXY_TARGET   => 'TPROXY Target',
 		 FLOW_FILTER     => 'Flow Classifier',
 		 FWMARK_RT_MASK  => 'fwmark route mask',
-		 MARK_ANYWHERE   => 'Mark in the filter and nat tables',
+		 MARK_ANYWHERE   => 'Mark in the filter table',
 		 HEADER_MATCH    => 'Header Match',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
@@ -497,9 +498,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 RESTORE_WAIT_OPTION
 				 => 'iptables-restore --wait option',
                 NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
-		 #
-		 # Helpers
-		 #
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -562,9 +560,7 @@ our %helpers = ( amanda          => UDP,
 		 sip             => UDP,
 		 snmp            => UDP,
 		 tftp            => UDP,
-    );
-
-use constant { INCLUDE_LIMIT     => 20 };
+	       );

 our %helpers_map;

@@ -595,6 +591,8 @@ our %config_files = ( #accounting      => 1,
 		      policy	       => 1,
 		      providers	       => 1,
 		      proxyarp	       => 1,
+		      refresh	       => 1,
+		      refreshed	       => 1,
 		      restored	       => 1,
 		      rawnat	       => 1,
 		      route_rules      => 1,
@@ -669,6 +667,7 @@ our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
 our $nocomment;              # When true, ignore [?]COMMENT in the current file
 our $sr_comment;             # When true, $comment should only be applied to the current rule
 our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
+our $checkinline;            # The -i option to check/compile/etc.
 our $directive_callback;     # Function to call in compiler_directive

 our $shorewall_dir;          # Shorewall Directory; if non-empty, search here first for files.
@@ -710,14 +709,14 @@ our %validlevels;            # Valid log levels.
 #
 # Deprecated options with their default values
 #
-our %deprecated = (
-		   LEGACY_RESTART => 'no' ,
+our %deprecated = ( LEGACY_RESTART => 'no' ,
+		    INLINE_MATCHES => 'no' ,
 		  );
 #
 # Deprecated options that are eliminated via update
 #
 our %converted = (
-		    LEGACY_RESTART => 1 ,
+		  LEGACY_RESTART => 1
 		 );
 #
 # Eliminated options
@@ -732,8 +731,6 @@ our %eliminated = ( LOGRATE          => 1,
 		    BLACKLISTNEWONLY => 1,
 		    CHAIN_SCRIPTS    => 1,
                    MODULE_SUFFIX    => 1,
-                    MAPOLDACTIONS    => 1,
-		    INLINE_MATCHES   => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -838,8 +835,8 @@ sub initialize( $;$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => '5.2.0-Beta1',
-		    CAPVERSION              => 50200 ,
+		    VERSION                 => "5.1.12",
+		    CAPVERSION              => 50112 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -883,7 +880,6 @@ sub initialize( $;$$$) {
 	  UNTRACKED_LOG_LEVEL => undef,
 	  LOG_BACKEND => undef,
 	  LOG_LEVEL => undef,
-	  LOG_ZONE => undef,
 	  #
 	  # Location of Files
 	  #
@@ -942,6 +938,7 @@ sub initialize( $;$$$) {
 	  MACLIST_TTL => undef,
 	  SAVE_IPSETS => undef,
 	  SAVE_ARPTABLES => undef,
+	  MAPOLDACTIONS => undef,
 	  FASTACCEPT => undef,
 	  IMPLICIT_CONTINUE => undef,
 	  IPSET_WARNINGS => undef,
@@ -984,6 +981,7 @@ sub initialize( $;$$$) {
 	  USE_RT_NAMES => undef,
 	  TRACK_RULES => undef,
 	  REJECT_ACTION => undef,
+	  INLINE_MATCHES => undef,
 	  BASIC_FILTERS => undef,
 	  WORKAROUNDS => undef ,
 	  LEGACY_RESTART => undef ,
@@ -997,7 +995,6 @@ sub initialize( $;$$$) {
 	  BALANCE_PROVIDERS => undef ,
 	  PERL_HASH_SEED => undef ,
 	  USE_NFLOG_SIZE => undef ,
-	  RENAME_COMBINED => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1055,6 +1052,7 @@ sub initialize( $;$$$) {
 	       CONNTRACK_MATCH => undef,
 	       NEW_CONNTRACK_MATCH => undef,
 	       OLD_CONNTRACK_MATCH => undef,
+	       USEPKTTYPE => undef,
 	       POLICY_MATCH => undef,
 	       PHYSDEV_MATCH => undef,
 	       PHYSDEV_BRIDGE => undef,
@@ -2395,6 +2393,8 @@ sub clear_comment();
 sub split_line2( $$;$$$ ) {
    my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;

+    my $inlinematches = $config{INLINE_MATCHES};
+
    my ( $columns, $pairs, $rest );

    my $currline = $currentline;
@@ -2426,11 +2426,11 @@ sub split_line2( $$;$$$ ) {
 	    #
 	    # Don't look for matches below
 	    #
-	    $inline = '';
+	    $inline = $inlinematches = '';
 	}
    }
    #
-    # Next, see if there is a single semicolon on the line; what follows will be column/value pairs
+    # Next, see if there is a semicolon on the line; what follows will be column/value pairs or raw iptables input
    #
    ( $columns, $pairs, $rest ) = split( ';', $currline );

@@ -2439,6 +2439,46 @@ sub split_line2( $$;$$$ ) {
 	# Found it -- be sure there wasn't more than one.
 	#
 	fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
+
+	if ( $inlinematches ) {
+	    fatal_error "The $description does not support inline matches (INLINE_MATCHES=Yes)" unless $inline;
+
+	    warning_message "This entry needs to be changed (replace ';' with ';;') before the INLINE_MATCHES option is removed in Shorewall 5.2";
+
+	    $inline_matches = $pairs;
+
+	    if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
+		#
+		# Pairs are enclosed in curly brackets.
+		#
+		$columns = $1;
+		$pairs   = $2;
+	    } else {
+		$pairs = '';
+	    }
+	} elsif ( $inline ) {
+	    #
+	    # This file supports INLINE or IPTABLES
+	    #
+	    if ( $currline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
+		$inline_matches = $pairs;
+
+		warning_message "This entry needs to be changed before Shorewall 5.2 (replace ';' with ';;'). '$globals{PRODUCT} update' will do that for you";
+
+		if ( $columns =~ /^(\s*|.*[^&@%])\{(.*)\}\s*$/ ) {
+		    #
+		    # Pairs are enclosed in curly brackets.
+		    #
+		    $columns = $1;
+		    $pairs   = $2;
+		} else {
+		    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes" if $checkinline;
+		    $pairs = '';
+		}
+	    } 
+	} elsif ( $checkinline ) {
+	    warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes";
+	}
    } elsif ( $currline =~ /^(\s*|.*[^&@%])\{(.*)\}$/ ) {
 	#
 	# Pairs are enclosed in curly brackets.
@@ -2529,10 +2569,6 @@ sub split_rawline2( $$;$$$ ) {
    # Delete trailing comment
    #
    $currentline =~ s/\s*#.*//;
-    #
-    # Convert ${...} to $...
-    #
-    $currentline =~ s/\$\{(.*?)\}/\$$1/g;

    my @result = &split_line2( @_ );

@@ -2833,7 +2869,7 @@ sub evaluate_expression( $$$$ ) {
    }

    #                         $1      $2   $3                     -     $4
-    while ( $expression =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	my ( $first, $var, $rest ) = ( $1, $3, $4);

 	if ( $var =~ /^\d+$/ ) {
@@ -2850,7 +2886,7 @@ sub evaluate_expression( $$$$ ) {

    if ( $chain ) {
 	#                         $1      $2   $3                     -     $4
-	while ( $expression =~ m( ^(.*?) \@(\{)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
+	while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
@@ -2861,7 +2897,7 @@ sub evaluate_expression( $$$$ ) {
    }

    #                         $1      $2   $3      -     $4
-    while ( $expression =~ m( ^(.*?) __(\{)? (\w+) (?(2)}) (.*)$ )x ) {
+    while ( $expression =~ m( ^(.*?) __({)? (\w+) (?(2)}) (.*)$ )x ) {
 	my ( $first, $cap, $rest ) = ( $1, $3, $4);

 	if ( exists $capdesc{$cap} ) {
@@ -3030,9 +3066,9 @@ sub process_compiler_directive( $$$$ ) {
 		      $var = $2 || 'chain';
 		      directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0};
 		      my $val = $actparams{$var} = evaluate_expression ( $expression,
-									 $filename,
-									 $linenumber,
-									 0  );
+									$filename,
+									$linenumber,
+									0  );
 		      $parmsmodified = PARMSMODIFIED;
 		  } else {
 		      $variables{$2} = evaluate_expression( $expression,
@@ -3326,7 +3362,7 @@ sub copy1( $ ) {
 			my @line = split / /;

 			fatal_error "Invalid INCLUDE command"    if @line != 2;
-			fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
+			fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;

 			my $filename = find_file $line[1];

@@ -3536,7 +3572,7 @@ sub read_a_line($);
 sub embedded_shell( $ ) {
    my $multiline = shift;

-    fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
+    fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
    my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber );

    $directive_callback->( 'SHELL', $currentline ) if $directive_callback;
@@ -3623,7 +3659,7 @@ sub embedded_perl( $ ) {
    $embedded--;

    if ( $perlscript ) {
-	fatal_error "INCLUDEs nested too deeply" if @includestack >= INCLUDE_LIMIT;
+	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;

 	assert( close $perlscript );

@@ -3791,7 +3827,7 @@ sub expand_variables( \$ ) {
    my ( $lineref, $count ) = ( $_[0], 0 );
    my $chain = $actparams{chain};
    #                         $1      $2   $3                   -     $4
-    while ( $$lineref =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {

 	my ( $first, $var, $rest ) = ( $1, $3, $4);

@@ -3830,7 +3866,7 @@ sub expand_variables( \$ ) {
 	#
 	$$lineref =~ s/\\@/??/g;
 	#                         $1      $2   $3                     -     $4
-	while ( $$lineref =~ m( ^(.*?) \@(\{)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
+	while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
 	    my $val = $var ? $actparams{$var} : $actparams{chain};
 	    $usedcaller = USEDCALLER if $var eq 'caller';
@@ -3846,7 +3882,7 @@ sub expand_variables( \$ ) {
 sub expand_shorewallrc_variables( \$ ) {
    my ( $lineref, $count ) = ( $_[0], 0 );
    #                         $1      $2   $3                  -     $4
-    while ( $$lineref =~ m( ^(.*?) \$(\{)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
+    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {

 	my ( $first, $var, $rest ) = ( $1, $3, $4);

@@ -3977,7 +4013,7 @@ sub read_a_line($) {
 		my @line = split ' ', $currentline;

 		fatal_error "Invalid INCLUDE command"    if @line != 2;
-		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= INCLUDE_LIMIT;
+		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;

 		my $filename = find_file $line[1];

@@ -4760,6 +4796,10 @@ sub IPSET_V5() {
    $result;
 }

+sub Usepkttype() {
+    qt1( "$iptables $iptablesw -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
+}
+
 sub Addrtype() {
    qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
 }
@@ -5115,6 +5155,7 @@ our %detect_capability =
      TIME_MATCH => \&Time_Match,
      TPROXY_TARGET => \&Tproxy_Target,
      UDPLITEREDIRECT => \&Udpliteredirect,
+      USEPKTTYPE => \&Usepkttype,
      XCONNMARK_MATCH => \&Xconnmark_Match,
      XCONNMARK => \&Xconnmark,
      XMARK => \&Xmark,
@@ -5225,6 +5266,7 @@ sub determine_capabilities() {
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
+	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
 	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
 	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
@@ -5461,33 +5503,7 @@ sub update_config_file( $ ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
    } else {
 	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
-    }
-
-    for ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT/ ) {
-	my $policy = $config{ $_ };
-
-	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
-	    if ( $family == F_IPV4 ) {
-		$policy =~ s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
-	    } else {
-		$policy =~ s/A_(?:Drop|Reject)/AllowICMPS(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
-	    }
-	} elsif ( $policy =~ /\b(?:Drop|Reject)\(\s*audit.*\)/ ) {
-	    if ( $family == F_IPV4 ) {
-		$policy =~ s/(?:Drop|Reject)\(\s*audit.*\)/Broadcast(A_DROP),Multicast(A_DROP)/;
-	    } else {
-		$policy =~ s/(?:Drop|Reject)\(\s*audit.*\)/AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
-	    }
-	} elsif ( $policy =~ /\b(?:Drop|Reject)\b/ ) {
-	    if ( $family == F_IPV4 ) {
-		$policy =~ s/(?:Drop|Reject)/Broadcast(DROP),Multicast(DROP)/;
-	    } else {
-		$policy =~ s/(?:Drop|Reject)/AllowICMPs,Broadcast(DROP),Multicast(DROP)/;
-	    }
-	}
-
-	$config{$_} = $policy;
-    }
+    }	

    my $fn;

@@ -5528,13 +5544,7 @@ sub update_config_file( $ ) {
 			#
 			# OPTION='' - use default if 'Yes' or 'No'
 			#
-			if ( $default eq 'Yes' || $default eq 'No' ) {
-			    $config{$var} = $val = $default;
-			} elsif ( $var eq 'CONFIG_PATH' ) {
-			    $val =~ s|^/etc/|\${CONFDIR}|;
-			    $val =~ s|:/etc/|:\${CONFDIR}/g|;
-			    $val =~ s|:/usr/share/|:\${SHAREDIR}|g;
-			}
+			$config{$var} = $val = $default if $default eq 'Yes' || $default eq 'No';
 		    } else {
 			#
 			# Wasn't mentioned in old file - use default value
@@ -5542,6 +5552,7 @@ sub update_config_file( $ ) {
 			$config{$var} = $val = $default;

 		    }
+
 		}
 		if ( supplied $val ) {
 		    #
@@ -6022,12 +6033,11 @@ sub export_params() {
 }

 #
-# Walk the CONFIG_PATH converting
-# - FORMAT and COMMENT lines to compiler directives
-# - single semicolons to double semicolons in lines beginning with 'INLINE', IPTABLES or IP6TABLES
-# - Rename macros/actions to their 5.2 counterparts
+# Walk the CONFIG_PATH converting FORMAT and COMMENT lines to compiler directives
+# Convert single semicolons to double semicolons in lines beginning with 'INLINE',
+# IPTABLES or IP6TABLES
 #
-sub convert_to_version_5_2() {
+sub convert_to_directives() {
    my $sharedir = $shorewallrc{SHAREDIR};
    #
    # Make a copy of @config_path so that the for-loop below doesn't clobber that list
@@ -6038,7 +6048,7 @@ sub convert_to_version_5_2() {

    my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|;

-    progress_message3 "Performing Shorewall 5.2 conversions...";
+    progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives and replacing single semicolons in INLINE, IPTABLES and IP6TABLES rules...";

    for my $dir ( @path ) {
 	unless ( $dir =~ /$dirtest/ ) {
@@ -6049,129 +6059,43 @@ sub convert_to_version_5_2() {

 		opendir( my $dirhandle, $dir ) || fatal_error "Cannot open directory $dir for reading:$!";

-		while ( my $fname = readdir( $dirhandle ) ) {
-		    unless ( $fname eq 'capabilities'       ||
-			     $fname eq 'params'             ||
-			     $fname =~ /^shorewall6?.conf$/ ||
-			     $fname =~ /\.bak$/ ) {
-			#
-			# File we are interested in
-			#
-			my $fullname = "$dir/$fname";
-
-			if ( -f $fullname && -w _ ) {
+		while ( my $file = readdir( $dirhandle ) ) {
+		    unless ( $file eq 'capabilities'       ||
+			     $file eq 'params'             ||
+			     $file =~ /^shorewall6?.conf$/ ||
+			     $file =~ /\.bak$/ ) {
+			$file = "$dir/$file";
+		
+			if ( -f $file && -w _ ) {
 			    #
 			    # writeable regular file
 			    #
-			    my $v5_2_update = ( $fname eq 'rules'          ||
-						$fname =~ /^action\./      ||
-						$fname =~ /^macro\./       ||
-						$fname eq 'snat'           ||
-						$fname eq 'mangle'         ||
-						$fname eq 'conntrack'      ||
-						$fname eq 'accounting'     ||
-						$fname eq 'masq'           ||
-						$fname eq 'policy' );
-			    my $is_policy   = ( $fname eq 'policy' );
-			    my @file;
-			    my ( $ifile, $ofile );
-			    my $omitting = 0;
-			    my $changed;
-
-			    open $ifile, '<', "$fullname" or fatal_error "Unable to open $fullname: $!";
-
-			    while ( <$ifile> ) {
-				if ( $omitting ) {
-				    $omitting = 0, next if /\s*\??end\s+(?:perl|shell)/i;
+			    my $result = system << "EOF";
+			    perl -pi.bak -e '/^\\s*FORMAT\\s+/ && s/FORMAT/?FORMAT/;
+                                             /^\\s*SECTION\\s+/ && s/SECTION/?SECTION/;
+                                             if ( /^\\s*COMMENT\\s+/ ) {
+                                                 s/COMMENT/?COMMENT/;
+                                             } elsif ( /^\\s*COMMENT\\s*\$/ ) {
+                                                 s/COMMENT/?COMMENT/;
+                                             }
+                                             if ( /^\\s*(?:INLINE|IP6?TABLES)/ ) {
+                                                 s/;/;;/ unless /;;/;
+                                             }' $file
+EOF
+			    if ( $result == 0 ) {
+				if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) {
+				    progress_message3 "   File $file updated - old file renamed ${file}.bak";
+				} elsif ( rename "${file}.bak" , $file ) {
+				    progress_message "   File $file not updated -- no bare 'COMMENT', 'SECTION' or 'FORMAT' lines found";
+				    progress_message "   File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found";
 				} else {
-				    $omitting = 1, next if /\s*\??begin\s+(?:perl|shell)/i;
+				    warning message "Unable to rename ${file}.bak to $file:$!";
 				}
-
-				unless ( $omitting || /^\s*[#?]/ ) {
-				    if ( /^\s*FORMAT\s+/ ) {
-					s/FORMAT/?FORMAT/;
-					$changed = 1;
-				    }
-
-				    if ( /^\s*SECTION\s+/ ) {
-					s/SECTION/?SECTION/;
-					$changed = 1;
-				    }
-
-				    if ( /^\s*COMMENT\s+/ ) {
-					s/COMMENT/?COMMENT/;
-					$changed = 1;
-				    } elsif ( /^\\s*COMMENT\\s*\$/ ) {
-					s/COMMENT/?COMMENT/;
-				    }
-
-				    if ( $v5_2_update ) {
-					if ( /\bA_AllowICMPs\b/ ) {
-					    s/A_AllowICMPs/AllowICMPs(A_ACCEPT)/;
-					    $changed = 1;
-					}
-
-					if ( $is_policy ) {
-					    if ( /\bA_(?:Drop|Reject)\b/ ) {
-						if ( $family == F_IPV4 ) {
-						    s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
-						} else {
-						    s/A_(?:Drop|Reject)/AllowICMPS(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
-						}
-
-						$changed = 1;
-					    } elsif ( /\b(?:Drop|Reject)\(\s*audit.*\)/ ) {
-						if ( $family == F_IPV4 ) {
-						    s/(?:Drop|Reject)\(\s*audit.*\)/Broadcast(A_DROP),Multicast(A_DROP)/;
-						} else {
-						    s/(?:Drop|Reject)\(\s*audit.*\)/AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)/;
-						}
-
-						$changed = 1;
-					    } elsif ( /\b(?:Drop|Reject)\b/ ) {
-						if ( $family == F_IPV4 ) {
-						    s/(?:Drop|Reject)/Broadcast(DROP),Multicast(DROP)/;
-						} else {
-						    s/(?:Drop|Reject)/AllowICMPs,Broadcast(DROP),Multicast(DROP)/;
-						}
-
-						$changed = 1;
-					    }
-					} else {
-					    unless ( /;;/ ) {
-						if ( /^\s*(?:INLINE|IP6?TABLES)/ ) {
-						    s/;/;;/;
-						    $changed = 1;
-						} elsif ( /^[^#]*;\s*-[mgj]/ ) {
-						    s/;/;;/;
-						    $changed = 1;
-						}
-					    }
-
-					    if ( /\bSMTPTrap\b/ ) {
-						s/SMTPTrap/SMTPtrap/;
-						$changed = 1;
-					    }
-					}
-				    }
-				}
-
-				push @file, $_;
-			    }
-
-			    close $ifile;
-
-			    if ( $changed ) {
-				fatal_error "Can't rename $fullname to $fullname.bak" unless rename $fullname, "$fullname.bak";
-				open $ofile, '>', "$fullname" or fatal_error "Unable to open $fullname: $!";
-				print $ofile $_ for @file;
-				close $ofile;
-				progress_message3 "   File $fullname updated - old file renamed ${fullname}.bak";
 			    } else {
-				progress_message "   File $file not updated -- no update required";
+				warning_message ("Unable to update file $file" );
 			    }
 			} else {
-			    warning_message( "$fullname skipped (not writeable)" ) unless -d _;
+			    warning_message( "$file skipped (not writeable)" ) unless -d _;
 			}
 		    }
 		}
@@ -6188,9 +6112,9 @@ sub convert_to_version_5_2() {
 # - Read the capabilities file, if any
 # - establish global hashes %params, %config , %globals and %capabilities
 #
-sub get_configuration( $$$ ) {
+sub get_configuration( $$$$ ) {

-    my ( $export, $update, $annotate ) = @_;
+    ( my ( $export, $update, $annotate ) , $checkinline ) = @_;

    $globals{EXPORT} = $export;

@@ -6492,6 +6416,7 @@ sub get_configuration( $$$ ) {
    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
+    default_yes_no 'MAPOLDACTIONS'              , 'Yes';

    warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD};

@@ -6547,7 +6472,6 @@ sub get_configuration( $$$ ) {
    default_yes_no 'AUTOCOMMENT'                , 'Yes';
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
-    default_yes_no 'RENAME_COMBINED'            , 'Yes';

    if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 	if ( lc( $val ) eq 'file' ) {
@@ -6567,6 +6491,7 @@ sub get_configuration( $$$ ) {
 	$origin{$_} ||= '';
    }
 	    
+    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
    default_yes_no 'WORKAROUNDS'                , 'Yes';
    default_yes_no 'DOCKER'                     , '';
@@ -6599,14 +6524,11 @@ sub get_configuration( $$$ ) {
    default_yes_no 'MANGLE_ENABLED'             , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
    default_yes_no 'USE_DEFAULT_RT'             , '';
    default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
+    default_yes_no 'AUTOMAKE'                   , '';
    default_yes_no 'TRACK_PROVIDERS'            , 'Yes';
    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
    default_yes_no 'USE_NFLOG_SIZE'             , '';

-    if ( ( $val = ( $config{AUTOMAKE} || '' ) ) !~ /^[Rr]ecursive$/ ) {
-	default_yes_no( 'AUTOMAKE' , '' ) unless $val && $val =~ /^\d{1,2}$/;
-    }
-
    if ( $config{USE_NFLOG_SIZE} ) {
 	if ( have_capability( 'NFLOG_SIZE' ) ) {
 	    @suffixes = qw(group size threshold nlgroup cprange qthreshold);
@@ -6803,13 +6725,6 @@ sub get_configuration( $$$ ) {
 	$config{LOG_BACKEND} = $val;
    }

-    if ( supplied( $val = $config{LOG_ZONE} ) ) {
-	fatal_error "Invalid LOG_ZONE setting ($val)" unless $val =~ /^(src|dst|both)$/i;
-	$config{LOG_ZONE} = lc( $val );
-    } else {
-	$config{LOG_ZONE} = 'both';
-    }
-
    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};

    default_log_level 'SMURF_LOG_LEVEL',     '';
@@ -7055,7 +6970,7 @@ sub get_configuration( $$$ ) {
 	$variables{$var} = $config{$val};
    }

-    convert_to_version_5_2 if $update;
+    convert_to_directives if $update;

    cleanup_iptables if $sillyname && ! $config{LOAD_HELPERS_ONLY};
 }
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -60,7 +60,6 @@ our @EXPORT = ( qw( ALLIPv4
 		  decompose_net
 		  decompose_net_u32
 		  compare_nets
-		  loopback_address
 		  validate_host
 		  validate_range
 		  ip_range_explicit
@@ -99,14 +98,12 @@ our $resolve_dnsname;
 our $validate_range;
 our $validate_host;
 our $family;
-our $loopback_address;

 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       NILIPv4             => '0.0.0.0' ,
 	       NILIPv6             => '::' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
-	       IPv4_LOOPBACK       => '127.0.0.1' ,
 	       IPv6_MULTICAST      => 'ff00::/8' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
 	       IPv6_SITELOCAL      => 'feC0::/10' ,
@@ -373,10 +370,6 @@ sub rfc1918_networks() {
    @rfc1918_networks
 }

-sub loopback_address() {
-    $loopback_address;
-}
-
 #
 # Protocol/port validation
 #
@@ -762,7 +755,6 @@ sub initialize( $ ) {
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
 	$vlsm_width       = VLSMv4;
-	$loopback_address = IPv4_LOOPBACK;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -775,7 +767,6 @@ sub initialize( $ ) {
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
 	$vlsm_width       = VLSMv6;
-	$loopback_address = IPv6_LOOPBACK;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -667,18 +667,8 @@ sub create_docker_rules() {

    my $chainref = $filter_table->{FORWARD};

-    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
-    add_commands( $chainref, '[ -n "$g_dockeruser" ]    && echo "-A FORWARD -j DOCKER-USER"    >&3', );
-    add_commands( $chainref ,
-		  '',
-		  'case "$g_dockernetwork" in',
-		  '    One)',
-		  '        echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
-		  '        ;;',
-		  '    Two)',
-		  '        echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
-		  '        ;;',
-		  'esac' );
+    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
+    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );

    if ( my $dockerref = known_interface('docker0') ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
@@ -820,7 +810,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );

 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -2564,6 +2554,9 @@ EOF
 	        reload)
 	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
+	        refresh)
+	            mylogger kern.err "ERROR:$g_product refresh failed"
+	            ;;
                enable)
                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -37,7 +37,7 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule convert_masq @addresses_to_add %addresses_to_add ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();

 Exporter::export_ok_tags('rules');
@@ -587,11 +587,11 @@ EOF
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
-    my $have_masq_rules;
-
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );

+	my $have_masq_rules;
+
 	directive_callback(
 	    sub ()
 	    {
@@ -647,8 +647,6 @@ sub convert_masq() {

 	close $snat, directive_callback( 0 );
    }
-
-    $have_masq_rules;
 }

 #
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -60,7 +60,7 @@ our @routemarked_providers;
 our %routemarked_interfaces;
 our @routemarked_interfaces;
 our %provider_interfaces;
-our @load_providers;
+our @load_interfaces;

 our $balancing;
 our $fallback;
@@ -99,7 +99,7 @@ sub initialize( $ ) {
    %routemarked_interfaces = ();
    @routemarked_interfaces = ();
    %provider_interfaces    = ();
-    @load_providers         = ();
+    @load_interfaces        = ();
    $balancing              = 0;
    $balanced_providers     = 0;
    $fallback_providers     = 0;
@@ -163,8 +163,8 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";

 		if ( have_ipsec ) {
-		    if ( have_capability( 'MARK_ANYWHERE' ) && ( my $chainref = $filter_table->{forward_chain($interface)} ) ) {
-			add_ijump_extended $chainref, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
+		    if ( have_capability( 'MARK_ANYWHERE' ) ) {
+			add_ijump_extended $filter_table->{forward_chain($interface)}, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
 			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
 		    }
@@ -185,16 +185,16 @@ sub setup_route_marking() {
 	add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
    }

-    if ( @load_providers ) {
+    if ( @load_interfaces ) {
 	my $chainref1 = new_chain 'mangle', 'balance';
 	my @match;

 	add_ijump $chainref,               g => $chainref1, mark => "--mark 0/$mask";
 	add_ijump $mangle_table->{OUTPUT}, j => $chainref1, state_imatch( 'NEW,RELATED' ), mark => "--mark 0/$mask";

-	for my $provider ( @load_providers ) {
+	for my $physical ( @load_interfaces ) {

-	    my $chainref2 = new_chain( 'mangle', load_chain( $provider ) );
+	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );

 	    set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );

@@ -446,7 +446,7 @@ sub process_a_provider( $ ) {
    fatal_error 'NAME must be specified' if $table eq '-';

    unless ( $pseudo ) {
-	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[A-Za-z][\w]*$/;
+	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;

 	my $num = numeric_value $number;

@@ -636,7 +636,6 @@ sub process_a_provider( $ ) {
    }

    fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
-    fatal_error "An interface supporting multiple providers may not be optional" if $shared && $optional;

    unless ( $pseudo ) {
 	if ( $local ) {
@@ -780,7 +779,7 @@ sub process_a_provider( $ ) {
 	push @routemarked_providers, $providers{$table};
    }

-    push @load_providers, $table if $load;
+    push @load_interfaces, $physical if $load;

    push @providers, $table;

@@ -942,9 +941,8 @@ sub add_a_provider( $$ ) {
 	}
    }

-    emit( "echo $load > \${VARDIR}/${table}_load",
-	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${table}_mark",
-	  "echo $physical > \${VARDIR}/${table}_interface" ) if $load;
+    emit( "echo $load > \${VARDIR}/${physical}_load",
+	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${physical}_mark" ) if $load;

    emit( '',
 	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
@@ -1099,7 +1097,7 @@ CEOF
 	    $weight = 1;
 	}

-	emit ( "distribute_load $maxload @load_providers" ) if $load;
+	emit ( "distribute_load $maxload @load_interfaces" ) if $load;

 	unless ( $shared ) {
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
@@ -1246,7 +1244,7 @@ CEOF
 	}

 	emit ( '',
-	       "distribute_load $maxload @load_providers" ) if $load;
+	       "distribute_load $maxload @load_interfaces" ) if $load;

 	if ( $persistent ) {
 	    emit ( '',
@@ -1617,7 +1615,7 @@ sub finish_providers() {
 	emit(   'fi',
 		'' );
    } else {
-	if ( ( $fallback || @load_providers ) && $config{USE_DEFAULT_RT} ) {
+	if ( ( $fallback || @load_interfaces ) && $config{USE_DEFAULT_RT} ) {
 	    emit  ( q(#),
 		    q(# Delete any default routes in the 'main' table),
 		    q(#),
@@ -1911,7 +1909,7 @@ sub setup_providers() {
 	pop_indent;
 	emit 'fi';

-	setup_route_marking if @routemarked_interfaces || @load_providers;
+	setup_route_marking if @routemarked_interfaces || @load_interfaces;
    } else {
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";

@@ -2370,7 +2368,7 @@ sub handle_optional_interfaces() {
 	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
-		  '        start|reload|restore)'
+		  '        start|reload|restore|refresh)'
 		);

 	    if ( $family == F_IPV4 ) {
@@ -2487,7 +2485,7 @@ sub handle_stickiness( $ ) {
 	}
    }

-    if ( @routemarked_providers || @load_providers ) {
+    if ( @routemarked_providers || @load_interfaces ) {
 	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
 	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
    }
@@ -2495,9 +2493,9 @@ sub handle_stickiness( $ ) {

 sub setup_load_distribution() {
    emit ( '',
-	   "distribute_load $maxload @load_providers" ,
+	   "distribute_load $maxload @load_interfaces" ,
 	   ''
-	 ) if @load_providers;
+	 ) if @load_interfaces;
 }

 1;
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Rules.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Rules.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -112,13 +112,6 @@ our %section_functions = ( ALL_SECTION ,        \&rules_chain,
 			   UNTRACKED_SECTION,   \&untracked_chain,
 			   NEW_SECTION,         \&rules_chain );

-our %log_functions = ( ALL_SECTION ,         \&rules_log ,
-		       BLACKLIST_SECTION ,   \&blacklist_log ,
-		       ESTABLISHED_SECTION , \&established_log ,
-		       RELATED_SECTION ,     \&related_log ,
-		       INVALID_SECTION ,     \&invalid_log ,
-		       UNTRACKED_SECTION ,   \&untracked_log ,
-		       NEW_SECTION ,         \&rules_log );
 #
 # Section => STATE map - initialized in process_rules().
 #
@@ -410,8 +403,8 @@ sub initialize( $ ) {
 #
 # Create a rules chain
 #
-sub new_rules_chain( $$ ) {
-    my $chainref = new_chain( 'filter', &rules_chain( @_ ), &rules_log( @_ ) );
+sub new_rules_chain( $ ) {
+    my $chainref = new_chain( 'filter', $_[0] );

    if ( $config{FASTACCEPT} ) {
 	if ( $globals{RELATED_TARGET} eq 'ACCEPT' && ! $config{RELATED_LOG_LEVEL} ) {
@@ -452,7 +445,7 @@ sub new_policy_chain($$$$$)
 {
    my ($source, $dest, $policy, $provisional, $audit) = @_;

-    my $chainref = new_rules_chain( ${source}, ${dest} );
+    my $chainref = new_rules_chain( rules_chain( ${source}, ${dest} ) );

    convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional, $audit );

@@ -462,11 +455,9 @@ sub new_policy_chain($$$$$)
 #
 # Set the passed chain's policychain and policy to the passed values.
 #
-sub set_policy_chain($$$$$)
+sub set_policy_chain($$$$$$)
 {
-    my ( $source, $dest, $polchainref, $policy, $intrazone ) = @_;
-
-    my $chain = rules_chain( $source, $dest );
+    my ( $chain, $source, $dest, $polchainref, $policy, $intrazone ) = @_;

    my $chainref = $filter_table->{$chain};

@@ -476,7 +467,7 @@ sub set_policy_chain($$$$$)
 	    $chainref->{provisional} = '';
 	}
    } else {
-	$chainref = new_rules_chain( $source, $dest );
+	$chainref = new_rules_chain $chain;
    }

    unless ( $chainref->{policychain} ) {
@@ -492,7 +483,6 @@ sub set_policy_chain($$$$$)
 	    if ( defined $polchainref->{synparams} ) {
 		$chainref->{synparams}   = $polchainref->{synparams};
 		$chainref->{synchain}    = $polchainref->{synchain};
-		$chainref->{synlog}      = $polchainref->{synlog};
 	    }

 	    $chainref->{pactions}    = $polchainref->{pactions} || [];
@@ -753,8 +743,7 @@ sub process_a_policy1($$$$$$$) {
 	$value  = do_ratelimit $synparams, 'ACCEPT'  if $synparams ne '';
 	$value .= do_connlimit $connlimit            if $connlimit ne '';
 	$chainref->{synparams} = $value;
-	$chainref->{synchain}  = $chain;
-	$chainref->{synlog}    = '@' . $chainref->{logname};
+	$chainref->{synchain}  = $chain
    }

    $chainref->{pactions} = $pactionref;
@@ -764,19 +753,19 @@ sub process_a_policy1($$$$$$$) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $zone, $zone1, $chainref, $policy, $intrazone;
+		    set_policy_chain rules_chain( ${zone}, ${zone1} ), $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $zone, $server, $chainref, $policy, $intrazone;
+		set_policy_chain rules_chain( ${zone}, ${server} ), $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $zone, $chainref, $policy, $intrazone;
+	    set_policy_chain rules_chain( ${client}, ${zone} ), $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
    } else {
@@ -843,8 +832,6 @@ sub save_policies() {
    }
 }

-sub ensure_rules_chain( $$ );
-
 #
 # Process the policy file
 #
@@ -894,15 +881,19 @@ sub process_policies()
 	if ( $type == LOCAL ) {
 	    for my $zone1 ( off_firewall_zones ) {
 		unless ( $zone eq $zone1 ) {
-		    set_policy_chain( $zone,  $zone1, ensure_rules_chain( $zone, $zone1  ), 'NONE', 0 );
-		    set_policy_chain( $zone1, $zone,  ensure_rules_chain( $zone1, $zone ), 'NONE', 0 );
+		    my $name  = rules_chain( $zone,  $zone1 );
+		    my $name1 = rules_chain( $zone1, $zone  );
+		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	} elsif ( $type == LOOPBACK ) {
 	    for my $zone1 ( off_firewall_zones ) {
 		unless ( $zone eq $zone1 || zone_type( $zone1 ) == LOOPBACK ) {
-		    set_policy_chain( $zone,  $zone1, ensure_rules_chain( $zone, $zone1  ), 'NONE', 0 );
-		    set_policy_chain( $zone1, $zone,  ensure_rules_chain( $zone1, $zone ), 'NONE', 0 );
+		    my $name  = rules_chain( $zone,  $zone1 );
+		    my $name1 = rules_chain( $zone1, $zone  );
+		    set_policy_chain( $name,  $zone,  $zone1, ensure_rules_chain( $name  ), 'NONE', 0 );
+		    set_policy_chain( $name1, $zone1, $zone,  ensure_rules_chain( $name1 ), 'NONE', 0 );
 		}
 	    }
 	}
@@ -1071,7 +1062,7 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
    progress_message_nocompress "   Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
 }

-sub finish_chain_sections( $ );
+sub ensure_rules_chain( $ );

 #
 # Finish all policy Chains
@@ -1095,13 +1086,13 @@ sub complete_policy_chains() {
 		    # is a single jump. Generate_matrix() will just use the policy target when
 		    # needed.
 		    #
-		    finish_chain_sections( $chainref ) if ( @$defaults         ||
-							    $loglevel          ||
-							    $synparams         ||
-							    $config{MULTICAST} ||
-							    ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ) );
+		    ensure_rules_chain $name if ( @$defaults         ||
+						  $loglevel          ||
+						  $synparams         ||
+						  $config{MULTICAST} ||
+						  ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ) );
 		} else {
-		    finish_chain_sections( $chainref );
+		    ensure_rules_chain $name;
 		}
 	    }

@@ -1158,14 +1149,13 @@ sub setup_syn_flood_chains() {
 	my $limit = $chainref->{synparams};
 	if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
 	    my $level = $chainref->{loglevel};
-	    my $synchainref =
-		@zones > 1 ?
-		new_chain( 'filter' , syn_flood_chain $chainref , $chainref->{synlog} ) :
-		new_chain( 'filter' , '@' . $chainref->{name}   , '@' . $chainref->{logname} );
+	    my $synchainref = @zones > 1 ?
+		    new_chain 'filter' , syn_flood_chain $chainref :
+		    new_chain( 'filter' , '@' . $chainref->{name} );
 	    add_rule $synchainref , "${limit}-j RETURN";
 	    log_irule_limit( $level ,
 			     $synchainref ,
-			     $synchainref->{logname} ,
+			     $synchainref->{name} ,
 			     'DROP',
 			     @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
 			    '' ,
@@ -1232,12 +1222,12 @@ sub finish_chain_section ($$$) {
 		    if ( $twochains ) {
 			$chain2ref = $chainref;
 		    } else {
-			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
+			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" );
 		    }

 		    log_rule_limit( $level,
 				    $chain2ref,
-				    $chain2ref->{logname},
+				    $chain2ref->{name},
 				    uc $target,
 				    $globals{LOGLIMIT},
 				    $tag ,
@@ -1316,9 +1306,20 @@ sub finish_chain_section ($$$) {
    pop_comment( $save_comment );
 }

-sub finish_chain_sections( $ ) {
-    my ( $chainref ) = @_;
+#
+# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
+#
+# Return a reference to the chain's table entry.
+#
+sub ensure_rules_chain( $ )
+{
+    my ($chain) = @_;

+    my $chainref = $filter_table->{$chain};
+
+    $chainref = new_rules_chain( $chain ) unless $chainref;
+
+    unless ( $chainref->{referenced} ) {
 	if ( $section & ( NEW_SECTION | POLICYACTION_SECTION ) ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID,UNTRACKED';
 	} elsif ( $section == UNTRACKED_SECTION ) {
@@ -1330,24 +1331,7 @@ sub finish_chain_sections( $ ) {
 	}

 	$chainref->{referenced} = 1;
-}
- 
-#
-# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
-#
-# Return a reference to the chain's table entry.
-#
-sub ensure_rules_chain( $$ )
-{
-    my ($source, $dest) = @_;
-
-    my $chain = rules_chain( $source, $dest );
-
-    my $chainref = $filter_table->{$chain};
-
-    $chainref = new_rules_chain( $source, $dest ) unless $chainref;
-
-    finish_chain_sections( $chainref ) unless $chainref->{referenced};
+    }

    $chainref;
 }
@@ -1730,6 +1714,34 @@ sub isolate_basic_target( $ ) {
    $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
 }

+#
+# Map pre-3.0 actions to the corresponding Macro invocation
+#
+
+sub find_old_action ( $$$ ) {
+    my ( $target, $macro, $param ) = @_;
+
+    if ( my $actiontype = find_macro( $macro ) ) {
+	( $macro, $actiontype , $param );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
+sub map_old_actions( $ ) {
+    my $target = shift;
+
+    if ( $target =~ /^Allow(.*)$/ ) {
+	find_old_action( $target, $1, 'ACCEPT' );
+    } elsif ( $target =~ /^Drop(.*)$/ ) {
+	find_old_action( $target, $1, 'DROP' );
+    } elsif ( $target = /^Reject(.*)$/ ) {
+	find_old_action( $target, $1, 'REJECT' );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
 sub process_snat1( $$$$$$$$$$$$ );
@@ -2618,6 +2630,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    #
    $actiontype = $targets{$basictarget} || find_macro( $basictarget );

+    if ( $config{ MAPOLDACTIONS } ) {
+	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
+    }
+
    fatal_error "Unknown ACTION ($action)" unless $actiontype;

    $usergenerated = $actiontype & IPTABLES;
@@ -2983,7 +2999,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#
 	# Mark the chain as referenced and add appropriate rules from earlier sections.
 	#
-	$chainref = ensure_rules_chain ${sourcezone}, ${destzone};
+	$chainref = ensure_rules_chain $chain;
 	#
 	# Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
 	#
@@ -2993,7 +3009,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {

 	    unless ( $auxref ) {
 		my $save_comment = push_comment;
-		$auxref = new_chain 'filter', $auxchain, $log_functions{$section}->( $sourcezone, $destzone );
+		$auxref = new_chain 'filter', $auxchain;
 		$auxref->{blacklistsection} = 1 if $blacklist;

 		add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
@@ -3137,14 +3153,13 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    if ( $actiontype & ( NATRULE | NONAT ) && ! ( $actiontype & NATONLY ) ) {
 	#
 	# Either a DNAT, REDIRECT or ACCEPT+ rule or an Action with NAT;
+	# don't apply rate limiting twice
 	#
 	$rule .= join( '',
 		       do_proto($proto, $ports, $sports),
-		       do_ratelimit( $ratelimit, 'ACCEPT' ),
 		       do_user( $user ) ,
 		       do_test( $mark , $globals{TC_MASK} ) ,
 		       do_connlimit( $connlimit ),
-		       do_ratelimit( $ratelimit, 'ACCEPT' ),
 		       do_time( $time ) ,
 		       do_headers( $headers ) ,
 		       do_condition( $condition , $chain ) ,
@@ -3240,12 +3255,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	#   - the destination IP will be the server IP   ($dest)  -- also done above
 	#   - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
 	#   - the target will be ACCEPT.
-	#   - don't apply rate limiting twice
 	#
 	unless ( $actiontype & NATONLY ) {
 	    $rule = join( '',
 			  $matches,
 			  do_proto( $proto, $ports, $sports ),
+			  do_ratelimit( $ratelimit, 'ACCEPT' ),
 			  do_user $user,
 			  do_test( $mark , $globals{TC_MASK} ),
 			  do_condition( $condition , $chain ),
@@ -4078,10 +4093,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	O => OUTPUT,
 	T => POSTROUTING,
 	R => REALPREROUTING,
-	NP => REALPREROUTING,
-	NI => REALINPUT,
-	NO => REALOUTPUT,
-	NT => REALPOSTROUTING
 	);

    my %chainlabels = ( 1  => 'PREROUTING',
@@ -4090,17 +4101,14 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 			8  => 'OUTPUT',
 			16 => 'POSTROUTING' );

-    my %chainnames = ( 1    => 'tcpre',
-		       2    => 'tcin',
-		       4    => 'tcfor',
-		       8    => 'tcout',
-		       16   => 'tcpost',
-		       32   => 'sticky',
-		       64   => 'sticko',
-		       128  => 'PREROUTING',
-		       256  => 'INPUT',
-		       512  => 'OUTPUT',
-		       1024 => 'POSTROUTING',
+    my %chainnames = ( 1   => 'tcpre',
+		       2   => 'tcin',
+		       4   => 'tcfor',
+		       8   => 'tcout',
+		       16  => 'tcpost',
+		       32  => 'sticky',
+		       64  => 'sticko',
+		       128 => 'PREROUTING',
 	);

    my $inchain        = defined $chainref;
@@ -4124,8 +4132,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
    my $actiontype;
    my $commandref;
    my $prerule        = '';
-    my $table          = 'mangle';
-    my $tabletype      = MANGLE_TABLE;
    #
    # Subroutine for handling MARK and CONNMARK. We use an enclosure so as to keep visibility of the
    # function's local variables without making them static. process_mangle_rule1() is called
@@ -4167,7 +4173,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {

 	    $option ||= ( $and_or eq '|' ? '--or-mark' : $and_or ? '--and-mark' : '--set-mark' );

-	    my $chainref = ensure_chain( $table, $chain = $chainnames{$chain} );
+	    my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} );

 	    $restriction |= $chainref->{restriction};

@@ -4486,7 +4492,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
-		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & $tabletype;
+		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
 		$target        = $params;
 		$usergenerated = 1;
 	    },
@@ -4502,7 +4508,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 		my ( $tgt,  $options ) = split( ' ', $params, 2 );
 		my $target_type = $builtin_target{$tgt};
 		fatal_error "Unknown target ($tgt)" unless $target_type;
-		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & $tabletype;
+		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
 		$target        = $params;
 		$usergenerated = 1;
 	    },
@@ -4574,7 +4580,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {

 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING | REALPREROUTING | REALINPUT | REALOUTPUT | REALPOSTROUTING,
+	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -4610,7 +4616,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {

 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING | REALPREROUTING | REALINPUT | REALOUTPUT | REALPOSTROUTING,
+	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -4856,14 +4862,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	fatal_error "A chain designator may not be specified in an action body" if $inaction;
 	my $temp = $designators{$designator};
 	fatal_error "Invalid chain designator ( $designator )" unless $temp;
-
-	if ( $designator =~ /^N/ ) {
-	    fatal_error "Only MARK, CONNMARK, SAVE and RESTORE may be used in the nat table" unless $cmd =~ /^(?:(?:(?:CONN)MARK)|SAVE|RESTORE)[(]?/;
-	    require_capability('MARK_ANYWHERE', "The $designator designator", 's');
-	    $table = 'nat';
-	    $tabletype = NAT_TABLE;
-	}
-
 	$designator = $temp;
    }

@@ -4896,21 +4894,12 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {

    if ( $source ne '-' ) {
 	if ( $source eq $fw ) {
-	    if ( $designator ) {
-		fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' unless $designator & ( OUTPUT | REALOUTPUT );
-		$chain = $designator;
-	    } else {
-		$chain = OUTPUT;
-	    }
-
+	    fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator != OUTPUT;
+	    $chain = OUTPUT;
 	    $source = '-';
 	} elsif ( $source =~ s/^($fw):// ) {
-	    if ( $designator ) {
-		fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' unless $designator & ( OUTPUT | REALOUTPUT );
-		$chain = $designator;
-	    } else {
-		$chain = OUTPUT;
-	    }
+	    fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator != OUTPUT;
+	    $chain = OUTPUT;
 	}
    }

@@ -4980,11 +4969,11 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	} else {
 	    $resolve_chain->();
 	    fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
-	    unless ( $chain & ( OUTPUT | POSTROUTING | REALOUTPUT | REALPOSTROUTING ) ) {
+	    unless ( $chain == OUTPUT || $chain == POSTROUTING  ) {
 		fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
 	    }

-	    $chainref = ensure_chain( $table, $chainnames{$chain} );
+	    $chainref = ensure_chain( 'mangle', $chainnames{$chain} );
 	}

 	$restriction |= $chainref->{restriction};
@@ -5574,15 +5563,6 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $chainref = $interface ? ensure_chain('nat',  $pre_nat ? snat_chain $interface : masq_chain $interface) : $nat_table->{INPUT};
 	}

-	if ( $chainref->{complete} ) {
-	    if ( $interface ) {
-		warning_message( "Interface $interface entry generated no $toolname rule" );
-	    } else {
-		warning_message( "Entry generated no $toolname rule" );
-	    }
-	    next;
-	}
-
 	$baserule .= do_condition( $condition , $chainref->{name} );
 	#
 	# Handle IPSEC options, if any
@@ -5887,15 +5867,23 @@ sub process_snat( )
 }

 #
-# Process the snat file. Convert the masq file if found and non-empty
+# Process the masq or snat file
 #
-sub setup_snat()
+sub setup_snat( $ ) # Convert masq->snat if true
 {
    my $fn;
+    my $have_masq;

-    unless ( convert_masq ) {
+    if ( $_[0] ) {
+	convert_masq();
+    } elsif ( $fn = open_file( 'masq', 1, 1 ) ) {
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
+	process_one_masq(0), $have_masq = 1 while read_a_line( NORMAL_READ );
+    }
+
+    unless ( $have_masq ) {
 	#
-	# Masq file was empty or didn't exist
+	# Masq file empty or didn't exist
 	#
 	if ( $fn = open_file( 'snat', 1, 1 ) ) {
 	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tunnels.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
@@ -85,8 +85,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_rules_chain( ${zone}, ${fw} );
-		$outchainref = ensure_rules_chain( ${fw}, ${zone} );
+		$inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
+		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );

 		unless ( have_ipsec ) {
 		    add_tunnel_rule $inchainref,  p => 50, @$source;
@@ -250,8 +250,8 @@ sub setup_tunnels() {

 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );

-	my $inchainref  = ensure_rules_chain( ${zone}, ${fw}   );
-	my $outchainref = ensure_rules_chain( ${fw},   ${zone} );
+	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
+	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );

 	$gateways = ALLIP if $gateways eq '-';

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Zones.pm
+# Shorewall 5.1 -- /usr/share/shorewall/Shorewall/Zones.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -2031,7 +2031,7 @@ sub verify_required_interfaces( $ ) {
 	if ( $generate_case ) {
 	    emit( 'case "$COMMAND" in' );
 	    push_indent;
-	    emit( 'start|reload|restore)' );
+	    emit( 'start|reload|restore|refresh)' );
 	    push_indent;
 	}

--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -32,6 +32,7 @@
 #         --directory=<directory>     # Directory where configuration resides (default is /etc/shorewall)
 #         --timestamp                 # Timestamp all progress messages
 #         --debug                     # Print stack trace on warnings and fatal error.
+#         --refresh=<chainlist>       # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
@@ -39,6 +40,7 @@
 #         --shorewallrc=<path>        # Path to global shorewallrc file.
 #         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
+#         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
 #    If the <filename> is omitted, then a 'check' operation is performed.
@@ -62,6 +64,7 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --timestamp ]
    [ --debug ]
    [ --confess ]
+    [ --refresh=<chainlist> ]
    [ --log=<filename> ]
    [ --log-verbose={-1|0-2} ]
    [ --test ]
@@ -72,6 +75,7 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --shorewallrc=<pathname> ]
    [ --shorewallrc1=<pathname> ]
    [ --config_path=<path-list> ]
+    [ --inline ]
 _EOF_

 exit shift @_;
@@ -86,6 +90,7 @@ my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
 my $confess       = 0;
+my $chains        = ':none:';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;
@@ -97,6 +102,7 @@ my $update        = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
 my $shorewallrc1  = '';
+my $inline        = 0;

 Getopt::Long::Configure ('bundling');

@@ -111,6 +117,8 @@ my $result = GetOptions('h'               => \$help,
 			'timestamp'       => \$timestamp,
 			't'               => \$timestamp,
 		        'debug'           => \$debug,
+			'r=s'             => \$chains,
+			'refresh=s'       => \$chains,
 			'log=s'           => \$log,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
@@ -124,6 +132,7 @@ my $result = GetOptions('h'               => \$help,
 			'annotate'        => \$annotate,
 			'u'               => \$update,
 			'update'          => \$update,
+			'inline'          => \$inline,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 			'shorewallrc1=s'  => \$shorewallrc1,
@@ -138,6 +147,7 @@ compiler( script          => $ARGV[0] || '',
 	  timestamp       => $timestamp,
 	  debug           => $debug,
 	  export          => $export,
+	  chains          => $chains,
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
@@ -149,4 +159,5 @@ compiler( script          => $ARGV[0] || '',
 	  config_path     => $config_path,
 	  shorewallrc     => $shorewallrc,
 	  shorewallrc1    => $shorewallrc1,
+	  inline          => $inline,
 	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall Packet Filtering Firewall Param File Helper - V5.2
+#     The Shoreline Firewall Packet Filtering Firewall Param File Helper - V4.4
 #
 #     (c) 2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -601,29 +601,26 @@ interface_enabled() {
 }

 distribute_load() {
-    local provider
    local interface
-    local currentload # Total load of enabled providers
-    local load        # Specified load of an enabled provider
-    local mark        # Mark of an enabled provider
-    local totalload   # Total load of all providers - usually 1.000000
-    local nload       # Normalized load of an enabled provider
+    local currentload # Total load of enabled interfaces
+    local load        # Specified load of an enabled interface
+    local mark        # Mark of an enabled interface
+    local totalload   # Total load of all interfaces - usually 1.000000
+    local nload       # Normalized load of an enabled interface
+    local var         # Interface name to embed in a variable name

    totalload=$1
    shift

    currentload=0

-    for provider in $@; do
-
-	interface=$(cat ${VARDIR}/${provider}_interface)
-	eval ${provider}_interface=$interface
-
+    for interface in $@; do
 	if interface_enabled $interface; then
-	    load=$(cat ${VARDIR}/${provider}_load)
-	    eval ${provider}_load=$load
-	    mark=$(cat ${VARDIR}/${provider}_mark)
-	    eval ${provider}_mark=$mark
+	    var=$(echo $interface | sed 's/[.-]/_/g')
+	    load=$(cat ${VARDIR}/${interface}_load)
+	    eval ${var}_load=$load
+	    mark=$(cat ${VARDIR}/${interface}_mark)
+	    eval ${var}_mark=$mark
 	    currentload=$( bc <<EOF
 scale=8
 $currentload + $load
@@ -633,13 +630,12 @@ EOF
    done

    if [ $currentload ]; then
-	for provider in $@; do
-	    eval interface=\$${provider}_interface
+	for interface in $@; do
+	    qt $g_tool -t mangle -F ~$interface

-	    qt $g_tool -t mangle -F ~$provider
-
-	    eval load=\$${provider}_load
-	    eval mark=\$${provider}_mark
+	    var=$(echo $interface | sed 's/[.-]/_/g')
+	    eval load=\$${var}_load
+	    eval mark=\$${var}_mark

 	    if [ -n "$load" ]; then
 		nload=$(bc <<EOF
@@ -655,10 +651,10 @@ EOF

 		case $nload in
 		    .*|0.*)
-			run_iptables -t mangle -A ~$provider -m statistic --mode random --probability $nload -j MARK --set-mark $mark
+			run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $nload -j MARK --set-mark $mark
 			;;
 		    *)
-			run_iptables -t mangle -A ~$provider -j MARK --set-mark $mark
+			run_iptables -t mangle -A ~$interface -j MARK --set-mark $mark
 			;;
 		esac
 	    fi
@@ -679,7 +675,7 @@ interface_is_usable() # $1 = interface
    status=0

    if ! loopback_interface $1; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -963,7 +959,7 @@ add_gateway() # $1 = Delta $2 = Table Number
    local delta
    local dev

-    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/linkdown//g; s/[\]//g'`
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`

    if [ -z "$route" ]; then
 	run_ip route add default scope global table $2 $1
@@ -997,7 +993,7 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
    local gateway
    local dev

-    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/linkdown//g; s/[\]//g'`
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1

    if [ -n "$route" ]; then
@@ -1105,7 +1101,7 @@ interface_is_usable() # $1 = interface
    status=0

    if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -45,8 +45,6 @@ LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

-LOG_ZONE=Both
-
 LOGALLNEW=

 LOGFILE=/var/log/messages
@@ -185,6 +183,8 @@ IGNOREUNKNOWNVARIABLES=No

 IMPLICIT_CONTINUE=No

+INLINE_MATCHES=No
+
 IPSET_WARNINGS=Yes

 IP_FORWARDING=On
@@ -199,6 +199,8 @@ MACLIST_TTL=

 MANGLE_ENABLED=Yes

+MAPOLDACTIONS=No
+
 MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No
@@ -217,8 +219,6 @@ PERL_HASH_SEED=0

 REJECT_ACTION=

-RENAME_COMBINED=Yes
-
 REQUIRE_INTERFACE=Yes

 RESTART=restart
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -56,8 +56,6 @@ LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

-LOG_ZONE=Both
-
 LOGALLNEW=

 LOGFILE=/var/log/messages
@@ -196,6 +194,8 @@ IGNOREUNKNOWNVARIABLES=No

 IMPLICIT_CONTINUE=No

+INLINE_MATCHES=No
+
 IPSET_WARNINGS=Yes

 IP_FORWARDING=Off
@@ -210,6 +210,8 @@ MACLIST_TTL=

 MANGLE_ENABLED=Yes

+MAPOLDACTIONS=No
+
 MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No
@@ -228,8 +230,6 @@ PERL_HASH_SEED=0

 REJECT_ACTION=

-RENAME_COMBINED=Yes
-
 REQUIRE_INTERFACE=No

 RESTART=restart
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -53,8 +53,6 @@ LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

-LOG_ZONE=Both
-
 LOGALLNEW=

 LOGFILE=/var/log/messages
@@ -193,6 +191,8 @@ IGNOREUNKNOWNVARIABLES=No

 IMPLICIT_CONTINUE=No

+INLINE_MATCHES=No
+
 IPSET_WARNINGS=Yes

 IP_FORWARDING=On
@@ -207,6 +207,8 @@ MACLIST_TTL=

 MANGLE_ENABLED=Yes

+MAPOLDACTIONS=No
+
 MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No
@@ -225,8 +227,6 @@ PERL_HASH_SEED=0

 REJECT_ACTION=

-RENAME_COMBINED=Yes
-
 REQUIRE_INTERFACE=No

 RESTART=restart
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -56,8 +56,6 @@ LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

-LOG_ZONE=Both
-
 LOGALLNEW=

 LOGFILE=/var/log/messages
@@ -196,6 +194,8 @@ IGNOREUNKNOWNVARIABLES=No

 IMPLICIT_CONTINUE=No

+INLINE_MATCHES=No
+
 IPSET_WARNINGS=Yes

 IP_FORWARDING=On
@@ -210,6 +210,8 @@ MACLIST_TTL=

 MANGLE_ENABLED=Yes

+MAPOLDACTIONS=No
+
 MINIUPNPD=No

 MARK_IN_FORWARD_CHAIN=No
@@ -228,8 +230,6 @@ PERL_HASH_SEED=0

 REJECT_ACTION=

-RENAME_COMBINED=Yes
-
 REQUIRE_INTERFACE=No

 RESTART=restart
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,8 +8,11 @@
 #
 ###############################################################################
 #ACTION
+A_AllowICMPs inline		# Audited version of AllowICMPs
+A_Drop				# Audited Default Action for DROP policy
 A_REJECT     noinline,logjump	# Audits then rejects a connection request
 A_REJECT!    inline		# Audits then rejects a connection request
+A_Reject			# Audited Default action for REJECT policy
 AllowICMPs   inline		# Allow Required ICMP packets
 allowBcast   inline		# Silently Allow Broadcast
 allowinUPnP  inline		# Allow UPnP inbound (to firewall) traffic
@@ -24,6 +27,7 @@ Broadcast    inline,audit	# Handles Broadcast/Anycast
 Broadcast    noinline,audit	# Handles Broadcast/Anycast
 ?endif
 DNSAmp	     proto=17		# Matches one-question recursive DNS queries
+Drop				# Default Action for DROP policy (deprecated)
 dropBcast    inline		# Silently Drop Broadcast
 dropBcasts   inline		# Silently Drop Broadcast
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
@@ -50,6 +54,7 @@ New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline,audit,\	# Handles TCP packets which do not have SYN=1 and ACK=0
 	     proto=6
 rejNotSyn    noinline,proto=6	# Silently Reject Non-syn TCP packets
+Reject				# Default Action for REJECT policy (deprecated)
 Related	     inline,\		# Handles packets in the RELATED conntrack state
 	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -0,0 +1,10 @@
+#
+# Shorewall -- /etc/shorewall/masq
+#
+# For information about entries in this file, type "man shorewall-masq"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-masq.html
+#
+###################################################################################################################################
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -45,8 +45,6 @@ LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

-LOG_ZONE=Both
-
 LOGALLNEW=

 LOGFILE=/var/log/messages
@@ -185,6 +183,8 @@ IGNOREUNKNOWNVARIABLES=No

 IMPLICIT_CONTINUE=No

+INLINE_MATCHES=No
+
 IPSET_WARNINGS=Yes

 IP_FORWARDING=Keep
@@ -199,6 +199,8 @@ MACLIST_TTL=

 MANGLE_ENABLED=Yes

+MAPOLDACTIONS=No
+
 MARK_IN_FORWARD_CHAIN=No

 MINIUPNPD=No
@@ -217,8 +219,6 @@ PERL_HASH_SEED=0

 REJECT_ACTION=

-RENAME_COMBINED=Yes
-
 REQUIRE_INTERFACE=No

 RESTART=restart
--- a/Shorewall/init.alt.sh
+++ b/Shorewall/init.alt.sh
@@ -1,117 +0,0 @@
-#!/bin/sh
-#
-# Shorewall init script
-#
-# chkconfig: - 28 90
-# description: Packet filtering firewall
-#
-### BEGIN INIT INFO
-# Provides: shorewall
-# Required-Start: $local_fs $remote_fs $syslog $network
-# Should-Start: $time $named
-# Required-Stop:
-# Default-Start: 3 4 5
-# Default-Stop:  0 1 2 6
-# Short-Description: Packet filtering firewall
-# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
-#              Netfilter (iptables) based firewall
-### END INIT INFO
-
-# Do not load RH compatibility interface.
-WITHOUT_RC_COMPAT=1
-
-# Source function library.
-. /etc/init.d/functions
-
-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-
-NAME="Shorewall firewall"
-PROG="shorewall"
-SHOREWALL="$SBINDIR/$PROG"
-LOGGER="logger -i -t $PROG"
-
-# Get startup options (override default)
-OPTIONS=
-
-SourceIfNotEmpty $SYSCONFDIR/$PROG
-
-LOCKFILE=/var/lock/subsys/shorewall
-RETVAL=0
-
-start() {
-	action $"Applying $NAME rules:" "$SHOREWALL" "$OPTIONS" start "$STARTOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
-	return $RETVAL
-}
-
-stop() {
-	action $"Stoping $NAME :" "$SHOREWALL" "$OPTIONS" stop "$STOPOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
-	return $RETVAL
-}
-
-restart() {
-	action $"Restarting $NAME rules: " "$SHOREWALL" "$OPTIONS" restart "$RESTARTOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	return $RETVAL
-}
-
-reload() {
-	action $"Reloading $NAME rules: " "$SHOREWALL" "$OPTIONS" reload "$RELOADOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	return $RETVAL
-}
-
-clear() {
-	action $"Clearing $NAME rules: " "$SHOREWALL" "$OPTIONS" clear 2>&1 | "$LOGGER"
-	RETVAL=$?
-	return $RETVAL
-}
-
-# See how we were called.
-case "$1" in
-	start)
-	    start
-	    ;;
-	stop)
-	    stop
-	    ;;
-	restart)
-	    restart
-	    ;;
-	reload)
-	    reload
-	    ;;
-	clear)
-	    clear
-	    ;;
-	condrestart)
-	    if [ -e "$LOCKFILE" ]; then
-		restart
-	    fi
-	    ;;
-	condreload)
-	    if [ -e "$LOCKFILE" ]; then
-		restart
-	    fi
-	    ;;
-	condstop)
-	    if [ -e "$LOCKFILE" ]; then
-		stop
-	    fi
-	    ;;
-	status)
-	    "$SHOREWALL" status
-	     RETVAL=$?
-	    ;;
-	*)
-	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|clear|condrestart|condstop|status}"
-	    RETVAL=1
-esac
-
-exit $RETVAL
--- a/Shorewall/init.sh
+++ b/Shorewall/init.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005, 2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall/init.suse.sh
+++ b/Shorewall/init.suse.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -197,9 +197,6 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
-		    alt|basealt|altlinux)
-			BUILD=alt
-			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -208,8 +205,6 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
-	    elif [ -f /etc/altlinux-release ]; then
-		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/slackware-version ] ; then
@@ -274,9 +269,6 @@ case "$HOST" in
    openwrt)
 	echo "Installing OpenWRT-specific configuration..."
 	;;
-    alt)
-	echo "Installing ALT-specific configuration...";
-	;;
    linux)
 	;;
    *)
@@ -1239,19 +1231,6 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi

-#
-# Remove deleted actions and macros
-#
-if [ $PRODUCT = shorewall ]; then
-    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.A_AllowICMPs
-    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.A_Drop
-    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.A_Reject
-    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.Drop
-    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/action.Reject
-
-    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/macro.SMTPTraps
-fi
-
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
    if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.cli-std
+# Shorewall 5.1 -- /usr/share/shorewall/lib.cli-std.
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
@@ -281,18 +281,10 @@ get_config() {

    case $AUTOMAKE in
 	Yes|yes)
-	    AUTOMAKE=1
 	    ;;
 	No|no)
 	    AUTOMAKE=
 	    ;;
-	[1-9])
-	    ;;
-	[1-9][0-9])
-	    ;;
-	[Rr]ecursive)
-	    AUTOMAKE=recursive
-	    ;;
 	*)
 	    if [ -n "$AUTOMAKE" ]; then
 		fatal_error "Invalid AUTOMAKE setting ($AUTOMAKE)"
@@ -405,22 +397,10 @@ uptodate() {
 	    #
 	    # Busybox 'find' doesn't support -quit.
 	    #
-	    if [ $AUTOMAKE = recursive ]; then
-		if [ -n "$(${find} ${dir} -newer $1 -print)" ]; then
-		    return 1;
-		fi
-	    elif  [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print)" ]; then
+	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print)" ]; then
 		return 1;
 	    fi
-	elif [ "$AUTOMAKE" = recursive ]; then
-	    if [ -n "$(${find} ${dir} -newer $1 -print -quit)" ]; then
-		return 1;
-	    fi
-	elif [ -z "$AUTOMAKE" ]; then
-	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
-		return 1;
-	    fi
-	elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print -quit)" ]; then
+	elif [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
 	    return 1;
 	fi
    done
@@ -465,7 +445,7 @@ compiler() {
    get_config Yes

    case $COMMAND in
-	*start|try|reload|restart|safe-*)
+	*start|try|refresh|reload|restart|safe-*)
 	    ;;
 	*)
 	    STARTUP_LOG=
@@ -507,9 +487,11 @@ compiler() {
    [ -n "$g_test" ]           && options="$options --test"
    [ -n "$g_preview" ]        && options="$options --preview"
    [ "$g_debugging" = trace ] && options="$options --debug"
+    [ -n "$g_refreshchains" ]  && options="$options --refresh=$g_refreshchains"
    [ -n "$g_confess" ]        && options="$options --confess"
    [ -n "$g_update" ]         && options="$options --update"
    [ -n "$g_annotate" ]       && options="$options --annotate"
+    [ -n "$g_inline" ]         && options="$options --inline"

    if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -614,6 +596,10 @@ start_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
+			i*)
+			    g_inline=Yes
+			    option=${option#i}
+			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
@@ -655,7 +641,7 @@ start_command() {
    esac

    if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if ! uptodate $g_firewall; then
+	if ! uptodate ${VARDIR}/firewall; then
 	    g_fast=
 	    AUTOMAKE=
 	fi
@@ -724,6 +710,10 @@ compile_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
+			i*)
+			    g_inline=Yes
+			    option=${option#i}
+			    ;;
 			-)
 			    finished=1
 			    option=
@@ -744,7 +734,7 @@ compile_command() {

    case $# in
 	0)
-	    [ -n "$g_export" ] && g_file=firewall || g_file=$g_firewall
+	    [ -n "$g_export" ] && g_file=firewall || g_file=${VARDIR}/firewall
 	    ;;
 	1)
 	    g_file=$1
@@ -818,6 +808,10 @@ check_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
+			i*)
+			    g_inline=Yes
+			    option=${option#i}
+			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -902,11 +896,16 @@ update_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
+			i*)
+			    g_inline=Yes
+			    option=${option#i}
+			    ;;
 			a*)
 			    g_annotate=Yes
 			    option=${option#a}
 			    ;;
 			A*)
+			    g_inline=Yes
 			    option=${option#A}
 			    ;;
 			*)
@@ -996,6 +995,7 @@ restart_command() {
 			    option=${option#T}
 			    ;;
 			i*)
+			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
@@ -1041,7 +1041,7 @@ restart_command() {
    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"

    if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then
-	uptodate $g_firewall && g_fast=Yes
+	uptodate ${VARDIR}/firewall && g_fast=Yes
    fi

    g_file="${VARDIR}/.${COMMAND}"
@@ -1057,9 +1057,9 @@ restart_command() {
 	    mylogger kern.err "ERROR:$g_product ${COMMAND} failed"
 	fi
    else
-	[ -x $g_firewall ] || fatal_error "No $g_firewall file found"
+	[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
 	[ -n "$g_nolock" ] || mutex_on
-	run_it $g_firewall $g_debugging $COMMAND
+	run_it ${VARDIR}/firewall $g_debugging $COMMAND
 	rc=$?
 	[ -n "$g_nolock" ] || mutex_off
    fi
@@ -1067,6 +1067,93 @@ restart_command() {
    return $rc
 }

+#
+# Refresh Command Executor
+#
+refresh_command() {
+    local finished
+    finished=0
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			d*)
+			    g_debug=Yes
+			    option=${option#d}
+			    ;;
+			n*)
+			    g_noroutes=Yes
+			    option=${option#n}
+			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
+			i*)
+			    g_inline=Yes
+			    option=${option#i}
+			    ;;
+			D)
+			    if [ $# -gt 1 ]; then
+				g_shorewalldir="$2"
+				option=
+				shift
+			    else
+				fatal_error "The -D option requires a directory name"
+			    fi
+			    ;;
+			*)
+			    option_error $option
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    if [ $# -gt 0 ]; then
+	g_refreshchains=$1
+	shift
+
+	while [ $# -gt 0 ]; do
+	    g_refreshchains="$g_refreshchains,$1"
+	    shift
+	done
+    else
+	g_refreshchains=:refresh:
+    fi
+
+    product_is_started || fatal_error "$g_product is not running"
+
+    [ -n "$STARTUP_ENABLED" ] || not_configured_error "Startup is disabled"
+
+    g_file="${VARDIR}/.refresh"
+
+    if compiler $g_debugging $g_nolock compile "$g_file"; then
+	[ -n "$g_nolock" ] || mutex_on
+	run_it ${VARDIR}/.refresh $g_debugging refresh
+	rc=$?
+	[ -n "$g_nolock" ] || mutex_off
+    else
+	rc=$?
+    fi
+
+    return $rc
+}
+
 read_yesno_with_timeout() {
    local timeout
    timeout=${1:-60}
@@ -1387,163 +1474,10 @@ rcp_command() {
    eval $RCP_COMMAND
 }

-#
-# Remote-{getcaps|getrc} command executer
-#
-remote_capture() # $* = original arguments less the command.
-{
-    local verbose
-    verbose=$(make_verbose)
-    local finished
-    finished=0
-    local system
-    local getrc
-    getrc=
-    local getcaps
-    getcaps=
-    local remote_sw_dir_path
-    remote_sw_dir_path=
-    local root
-    root=root
-    local libexec
-    libexec=${LIBEXECDIR}
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			R*)
-			    getrc=Yes
-			    option=${option#R}
-			    ;;
-			c*)
-			    getcaps=Yes
-			    option=${option#c}
-			    ;;
-			r)
-			    [ $# -gt 1 ] || fatal_error "Missing Root User name"
-			    root=$2
-			    option=
-			    shift
-			    ;;
-			D)
-			    [ $# -gt 1 ] || fatal_error "Missing directory name"
-			    g_shorewalldir=$2
-			    option=
-			    shift
-			    ;;
-			p)
-			    [ $# -gt 1 ] || fatal_error "Missing directory name"
-			    remote_sw_dir_path=$2
-			    option=
-			    shift
-			    ;;
-			T*)
-			    g_confess=Yes
-			    option=${option#T}
-			    ;;
-			*)
-			    option_error $option
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    case $# in
-	0)
-	    [ -n "$g_shorewalldir" ] || g_shorewalldir='.'
-	    ;;
-	1)
-	    g_shorewalldir="."
-	    system=$1
-	    ;;
-	2)
-	    g_shorewalldir=$1
-	    system=$2
-	    ;;
-	*)
-	    too_many_arguments $3
-	    ;;
-    esac
-
-    g_export=Yes
-
-    ensure_config_path
-
-    get_config Yes
-
-    g_haveconfig=Yes
-
-    if [ -z "$system" ]; then
-        system=$FIREWALL
-        [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
-    fi
-
-    case $COMMAND in
-        remote-getrc)
-            getrc=Yes
-            ;;
-        remote-getcaps)
-            getcaps=Yes
-            ;;
-    esac
-
-    [ -n "$getcaps" ] && getrc=Yes
-
-    if [ -n "$getrc" -o ! -s $g_shorewalldir/shorewallrc ]; then
-        progress_message2 "Getting shorewallrc file on system $system..."
-
-        if [ -n "$remote_sw_dir_path" ]; then
-            if ! rsh_command "/sbin/shorewall-lite show rc $remote_sw_dir_path" > $g_shorewalldir/shorewallrc; then
-                fatal_error "Capturing RC file on system $system failed"
-            fi
-        elif ! rsh_command "/sbin/shorewall-lite show rc" > $g_shorewalldir/shorewallrc; then
-            fatal_error "Capturing RC file on system $system failed"
-        fi
-    fi
-
-    remote_sw_dir_path=
-
-    if [ -n "$getcaps" -o ! -s $g_shorewalldir/capabilities ]; then
-        if [ -f $g_shorewalldir/shorewallrc -a -s $g_shorewalldir/shorewallrc ]; then
-            . $g_shorewalldir/shorewallrc
-            libexec="$LIBEXECDIR"
-
-            [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
-
-            progress_message2 "Getting Capabilities on system $system..."
-
-            if [ $g_family -eq 4 ]; then
-                if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
-                    fatal_error "Capturing capabilities on system $system failed"
-                fi
-            elif ! rsh_command "MODULESDIR=$MODULESDIR IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
-                fatal_error "Capturing capabilities on system $system failed"
-            fi
-        else
-            fatal_error "$g_shorewalldir/shorewallrc is not present."
-        fi
-    fi
-}
-
 #
 # Remote-{start|reload|restart} command executor
 #
-remote_commands() # $* = original arguments less the command.
+remote_reload_command() # $* = original arguments less the command.
 {
    local verbose
    verbose=$(make_verbose)
@@ -1609,6 +1543,10 @@ remote_commands() # $* = original arguments less the command.
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
+			i*)
+			    g_inline=Yes
+			    option=${option#i}
+			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -1656,26 +1594,34 @@ remote_commands() # $* = original arguments less the command.

    g_export=Yes

-    ensure_config_path
+    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
+	if [ -f $g_shorewalldir/params ]; then
+	    . $g_shorewalldir/params
+	fi

-    get_config Yes
+	ensure_config_path

-    g_haveconfig=Yes
+	get_config No

-    if [ -z "$system" ]; then
-        system=$FIREWALL
-        [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
+	g_haveconfig=Yes
+
+	if [ -z "$system" ]; then
+	    system=$FIREWALL
+	    [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
+	fi
+    else
+	fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist"
    fi

    if [ -z "$getcaps" ]; then
 	capabilities=$(find_file capabilities)
-	[ ! -f $capabilities -o ! -s $capabilities ] && getcaps=Yes
+	[ -f $capabilities ] || getcaps=Yes
    fi

    if [ -n "$getcaps" ]; then
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"

-	progress_message2 "Getting Capabilities on system $system..."
+	progress_message "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
 	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
@@ -1691,7 +1637,6 @@ remote_commands() # $* = original arguments less the command.
    #
    # Handle nonstandard remote VARDIR
    #
-    progress_message3 "Getting VARDIR on system $system..."
    temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
 
    [ -n "$temp" ] && litedir="$temp"
@@ -1832,11 +1777,11 @@ export_command() # $* = original arguments less the command.
 }

 run_command() {
-    if [ -x $g_firewall ] ; then
-	uptodate $g_firewall || echo "   WARNING: $g_firewall is not up to date" >&2
-	run_it $g_firewall $g_debugging $@
+    if [ -x ${VARDIR}/firewall ] ; then
+	uptodate ${VARDIR}/firewall || echo "   WARNING: ${VARDIR}/firewall is not up to date" >&2
+	run_it ${VARDIR}/firewall $g_debugging $@
    else
-	fatal_error "$g_firewall does not exist or is not executable"
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
 }

@@ -1847,6 +1792,12 @@ compiler_command() {
 	    shift
 	    compile_command $@
 	    ;;
+	refresh)
+	    only_root
+	    get_config Yes Yes
+	    shift
+	    refresh_command $@
+	    ;;
 	check|ck)
 	    shift
 	    check_command $@
@@ -1857,7 +1808,7 @@ compiler_command() {
 	    ;;
 	remote-start|remote-reload|remote-restart)
 	    shift
-	    remote_commands $@
+	    remote_reload_command $@
 	    ;;
 	export)
 	    shift
@@ -1875,10 +1826,6 @@ compiler_command() {
 	    shift
 	    safe_commands $@
 	    ;;
-        remote-getrc|remote-getcaps)
-            shift
-            remote_capture $@
-            ;;
 	*)
 	    fatal_error "Invalid command: $COMMAND"
 	    ;;
--- a/Shorewall/manpages/shorewall-addresses.xml
+++ b/Shorewall/manpages/shorewall-addresses.xml
@@ -1,199 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<refentry>
-  <refmeta>
-    <refentrytitle>shorewall-addresses</refentrytitle>
-
-    <manvolnum>5</manvolnum>
-
-    <refmiscinfo>Configuration Files</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>addresses</refname>
-
-    <refpurpose>Specifying addresses within a Shorewall
-    configuration</refpurpose>
-  </refnamediv>
-
-  <refsect1>
-    <title>Description</title>
-
-    <para>In both Shorewall and Shorewall6, there are two basic types of
-    addresses:</para>
-
-    <variablelist>
-      <varlistentry>
-        <term>Host Address</term>
-
-        <listitem>
-          <para>This address type refers to a single host.</para>
-
-          <para>In IPv4, the format is <emphasis>i.j.k.l</emphasis> where
-          <emphasis>i</emphasis> through <emphasis>l</emphasis> are decimal
-          numbers between 1 and 255.</para>
-
-          <para>In IPv6, the format is <emphasis>a:b:c:d:e:f:g:h</emphasis>
-          where <emphasis>a</emphasis> through <emphasis>h</emphasis> consist
-          of 1 to 4 hexidecimal digits (leading zeros may be omitted). a
-          single series of 0 addresses may be omitted. For example
-          2001:227:e857:1:0:0:0:0:1 may be written 2001:227:e857:1::1.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Network Address</term>
-
-        <listitem>
-          <para>A network address refers to 1 or more hosts and consists of a
-          host address followed by a slash ("/") and a <firstterm>Variable
-          Length Subnet Mask</firstterm> (VLSM). This is known as
-          <firstterm>Classless Internet Domain Routing</firstterm> (CIDR)
-          notation.</para>
-
-          <para>The VLSM is a decimal number. For IPv4, it is in the range 0
-          through 32. For IPv6, the range is 0 through 128. The number
-          represents the number of leading bits in the address that represent
-          the network address; the remainder of the bits are a host address
-          and are generally given as zero.</para>
-
-          <para>Examples:</para>
-
-          <para>IPv4: 192.168.1.0/24</para>
-
-          <para>IPv6: 2001:227:e857:1:0:0:0:0:1/64</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-
-    <para>In the Shorewall documentation and manpages, we have tried to make
-    it clear which type of address is accepted in each specific case.</para>
-
-    <para>Because Shorewall uses a colon (":") as a separator in many
-    contexts, IPv6 addresses are best written using the standard convention in
-    which the address itself is enclosed in square brackets:</para>
-
-    <simplelist>
-      <member>[2001:227:e857:1::1]</member>
-
-      <member>[2001:227:e857:1::]/64</member>
-    </simplelist>
-  </refsect1>
-
-  <refsect1>
-    <title>Specifying SOURCE and DEST</title>
-
-    <para>Entries in Shorewall configuration files often deal with the source
-    (SOURCE) and destination (DEST) of connections and Shorewall implements a
-    uniform way for specifying them.</para>
-
-    <para>A SOURCE or DEST consists of one to three parts separated by colons
-    (":"):</para>
-
-    <orderedlist>
-      <listitem>
-        <para>ZONE — The name of a zone declared in
-        <filename>/etc/shorewall/zones</filename> or
-        <filename>/etc/shorewall6/zones</filename>. This part is only
-        available in the rules file
-        (<filename>/etc/shorewall/rules</filename>,
-        <filename>/etc/shorewall/blrules</filename>,<filename>
-        /etc/shorewall6/rules</filename> and
-        <filename>/etc/shorewall6/blrules</filename>).</para>
-      </listitem>
-
-      <listitem>
-        <para>INTERFACE — The name of an interface that matches an entry in
-        <filename>/etc/shorewall/interfaces</filename>
-        (<filename>/etc/shorewall6/interfaces</filename>).</para>
-
-        <para>Beginning with Shorweall 5.2.1, the
-        <replaceable>interface</replaceable> may be preceded with '!' which
-        matches all interfaces except the one specified.</para>
-      </listitem>
-
-      <listitem>
-        <para>ADDRESS LIST — A list of one or more addresses (host or network)
-        or address ranges, separated by commas. In an IPv6 configuration, this
-        list must be included in square or angled brackets ("[...]" or
-        "&lt;...&gt;"). The list may have exclusion.</para>
-      </listitem>
-    </orderedlist>
-
-    <para>Examples.</para>
-
-    <orderedlist>
-      <listitem>
-        <para>All hosts in the <emphasis role="bold">net</emphasis> zone —
-        <emphasis role="bold">net</emphasis></para>
-      </listitem>
-
-      <listitem>
-        <para>Subnet 192.168.1.0/29 in the <emphasis
-        role="bold">loc</emphasis> zone — <emphasis
-        role="bold">loc:192.168.1.0/29</emphasis></para>
-      </listitem>
-
-      <listitem>
-        <para>All hosts in the net zone connecting through <filename
-        class="devicefile">ppp0</filename> — <emphasis
-        role="bold">net:ppp0</emphasis></para>
-      </listitem>
-
-      <listitem>
-        <para>All hosts interfaced by <filename
-        class="devicefile">eth3</filename> — <emphasis
-        role="bold">eth3</emphasis></para>
-      </listitem>
-
-      <listitem>
-        <para>Subnet 10.0.1.0/24 interfacing through <filename><filename
-        class="devicefile">eth2</filename></filename> — <emphasis
-        role="bold">eth2:10.0.1.0/24</emphasis></para>
-      </listitem>
-
-      <listitem>
-        <para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
-        role="bold">loc</emphasis> zone — <emphasis
-        role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
-      </listitem>
-
-      <listitem>
-        <para>The primary IP address of eth0 in the $FW zone - <emphasis
-        role="bold">$FW:&amp;eth0</emphasis></para>
-      </listitem>
-
-      <listitem>
-        <para>All hosts in Vatican City - <emphasis
-        role="bold">net:^VA</emphasis> (Requires the <emphasis>GeoIP
-        Match</emphasis> capability).</para>
-      </listitem>
-    </orderedlist>
-  </refsect1>
-
-  <refsect1>
-    <title>IP Address Ranges</title>
-
-    <para>If you kernel and iptables have <emphasis>IP Range match
-    support</emphasis>, you may use IP address ranges in Shorewall
-    configuration file entries; IP address ranges have the syntax
-    &lt;<emphasis>low IP address</emphasis>&gt;-&lt;<emphasis>high IP
-    address</emphasis>&gt;.</para>
-
-    <para>Example: 192.168.1.5-192.168.1.12.</para>
-  </refsect1>
-
-  <refsect1>
-    <title/>
-
-    <para/>
-  </refsect1>
-
-  <refsect1>
-    <title>See ALSO</title>
-
-    <para>For more information about addressing, see the<ulink
-    url="shorewall_setup_guide.htm#Addressing"> Setup Guide</ulink>.</para>
-  </refsect1>
-</refentry>
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -280,9 +280,9 @@
        <term>IPv4 Example 1:</term>

        <listitem>
-          <para>Drop 6to4 packets from the net.</para>
+          <para>Drop Teredo packets from the net.</para>

-          <programlisting>DROP          net:192.88.99.1            all</programlisting>
+          <programlisting>DROP          net:[2001::/32]            all</programlisting>
        </listitem>
      </varlistentry>

@@ -290,10 +290,10 @@
        <term>IPv4 Example 2:</term>

        <listitem>
-          <para>Don't subject packets from 70.90.191.120/29 to the remaining
+          <para>Don't subject packets from 2001:DB8::/64 to the remaining
          rules in the file.</para>

-          <programlisting>WHITELIST     net:70.90.191.120/29       all</programlisting>
+          <programlisting>WHITELIST     net:[2001:DB8::/64]        all</programlisting>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-files.xml
+++ b/Shorewall/manpages/shorewall-files.xml
@@ -1,967 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<refentry>
-  <refmeta>
-    <refentrytitle>shorewall-files</refentrytitle>
-
-    <manvolnum>5</manvolnum>
-
-    <refmiscinfo>Configuration Files</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>files</refname>
-
-    <refpurpose>Shorewall Configuration Files</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>/etc/shorewall[6]/*</command>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>Description</title>
-
-    <para>The following are the Shorewall[6] configuration files:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para><ulink
-        url="shorewall.conf.html"><filename>/etc/shorewall/shorewall.conf</filename>
-        and <filename>/etc/shorewall6/shorewall6.conf</filename></ulink> -
-        used to set global firewall parameters.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-params.html">/etc/shorewall[6]/params</ulink></filename>
-        - use this file to set shell variables that you will expand in other
-        files. It is always processed by /bin/sh or by the shell specified
-        through SHOREWALL_SHELL in
-        <filename>/etc/shorewall/shorewall.conf.</filename></para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-zones.html">/etc/shorewall[6]/zones</ulink></filename>
-        - partition the firewall's view of the world into zones.</para>
-      </listitem>
-
-      <listitem>
-        <para><ulink
-        url="shorewall-policy.html"><filename>/etc/shorewall[6]/policy</filename></ulink>
-        - establishes firewall high-level policy.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall[6]/initdone</filename> - An optional
-        Perl script that will be invoked by the Shorewall rules compiler when
-        the compiler has finished it's initialization.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-interfaces.html">/etc/shorewall[6]/interfaces</ulink></filename>
-        - describes the interfaces on the firewall system.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-hosts.html">/etc/shorewall[6]/hosts</ulink></filename>
-        - allows defining zones in terms of individual hosts and
-        subnetworks.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-masq.html">/etc/shorewall[6]/masq</ulink></filename> -
-        directs the firewall where to use many-to-one (dynamic) Network
-        Address Translation (a.k.a. Masquerading) and Source Network Address
-        Translation (SNAT). Superseded by /etc/shorewall[6]/snat in Shorewall
-        5.0.14 and not supported in Shorewall 5.1.0 and later versions.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-mangle.html">/etc/shorewall[6]/mangle</ulink></filename>
-        - supersedes <filename>/etc/shorewall/tcrules</filename> in Shorewall
-        4.6.0. Contains rules for packet marking, TTL, TPROXY, etc.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-rules.html">/etc/shorewall[6]/rules</ulink></filename>
-        - defines rules that are exceptions to the overall policies
-        established in /etc/shorewall/policy.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-nat.html">/etc/shorewall[6]/nat</ulink></filename> -
-        defines one-to-one NAT rules.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-proxyarp.html">/etc/shorewall6/proxyarp</ulink></filename>
-        - defines use of Proxy ARP.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-proxyndp.html">/etc/shorewall6/proxyndp</ulink></filename>
-        - defines use of Proxy NDP.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall[6]/routestopped</filename> - defines
-        hosts accessible when Shorewall is stopped. Superseded in Shorewall
-        4.6.8 by <filename>/etc/shorewall/stoppedrules</filename>. Not
-        supported in Shorewall 5.0.0 and later versions.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-tcrules.html">/etc/shorewall[6]/tcrules</ulink>
-        </filename>- The file has a rather unfortunate name because it is used
-        to define marking of packets for later use by both traffic
-        control/shaping and policy routing. This file is superseded by
-        <filename>/etc/shorewall/mangle</filename> in Shorewall 4.6.0. Not
-        supported in Shorewall 5.0.0 and later releases.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-tos.html">/etc/shorewall[6]/tos</ulink></filename> -
-        defines rules for setting the TOS field in packet headers. Superseded
-        in Shorewall 4.5.1 by the TOS target in
-        <filename>/etc/shorewall/tcrules</filename> (which file has since been
-        superseded by <filename>/etc/shorewall/mangle</filename>). Not
-        supported in Shorewall 5.0.0 and later versions.</para>
-      </listitem>
-
-      <listitem>
-        <para><ulink
-        url="shorewall-tunnels.html"><filename>/etc/shorewall[6]/tunnels</filename></ulink>
-        - defines tunnels (VPN) with end-points on the firewall system.</para>
-      </listitem>
-
-      <listitem>
-        <para><ulink
-        url="shorewall-blacklist.html"><filename>/etc/shorewall[6]/blacklist</filename></ulink>
-        - Deprecated in favor of <filename>/etc/shorewall/blrules</filename>.
-        Lists blacklisted IP/subnet/MAC addresses. Not supported in Shorewall
-        5.0.0 and later releases.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall[6]/blrules</filename> — Added in
-        Shorewall 4.5.0. Define blacklisting and whitelisting. Supersedes
-        <filename>/etc/shorewall/blacklist</filename>.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall[6]/init</filename> - shell commands
-        that you wish to execute at the beginning of a <quote>shorewall
-        start</quote>, "shorewall reload" or <quote>shorewall
-        restart</quote>.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall[6]/start</filename> - shell commands
-        that you wish to execute near the completion of a <quote>shorewall
-        start</quote>, "shorewall reload" or <quote>shorewall
-        restart</quote></para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall[6]/started</filename> - shell commands
-        that you wish to execute after the completion of a <quote>shorewall
-        start</quote>, "shorewall reload" or <quote>shorewall
-        restart</quote></para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall[6]/stop </filename>- commands that you
-        wish to execute at the beginning of a <quote>shorewall
-        stop</quote>.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/etc/shorewall[6]/stopped</filename> - shell commands
-        that you wish to execute at the completion of a <quote>shorewall
-        stop</quote>.</para>
-      </listitem>
-
-      <listitem>
-        <para><ulink url="shorewall-ecn.html">/etc/shorewall/ecn</ulink> -
-        disable Explicit Congestion Notification (ECN - RFC 3168) to remote
-        hosts or networks. Superceded by ECN entries in
-        <filename>/etc/shorewall/mangle</filename> in Shorewall 5.0.6.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-accounting.html">/etc/shorewall/accounting</ulink></filename>
-        - define IP traffic accounting rules</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-actions.html">/etc/shorewall[6]/actions</ulink></filename>
-        and <filename>/usr/share/shorewall[6]/action.template</filename> allow
-        user-defined actions.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="???">/etc/shorewall[6]/providers</ulink></filename> - defines
-        alternate routing tables.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-rtrules.html">/etc/shorewall[6]/rtrules</ulink></filename>
-        - Defines routing rules to be used in conjunction with the routing
-        tables defined in
-        <filename>/etc/shorewall/providers</filename>.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-tcdevices.html">/etc/shorewall[6]/tcdevices</ulink></filename>,
-        <filename><ulink
-        url="shorewall-tcclasses.html">/etc/shorewall[6]/tcclasses</ulink></filename>,
-        <filename><ulink
-        url="shorewall-tcfilters.html">/etc/shorewall[6]/tcfilters</ulink></filename>
-        - Define complex traffic shaping.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-tcrules.html">/etc/shorewall[6]/tcrules</ulink></filename>
-        - Mark or classify traffic for traffic shaping or multiple providers.
-        Deprecated in Shorewall 4.6.0 in favor of
-        <filename>/etc/shorewall/mangle</filename>. Not supported in Shorewall
-        5.0.0 and later releases.</para>
-      </listitem>
-
-      <listitem>
-        <para><ulink
-        url="shorewall-tcinterfaces.html"><filename>/etc/shorewall[6]/tcinterfaces</filename></ulink>
-        and <filename><ulink
-        url="shorewall-tcpri.html">/etc/shorewall[6]/tcpri</ulink></filename>
-        - Define simple traffic shaping.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-secmarks.html">/etc/shorewall[6]/secmarks</ulink></filename>
-        - Added in Shorewall 4.4.13. Attach an SELinux context to selected
-        packets.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-vardir.html">/etc/shorewall[6]/vardir</ulink></filename>
-        - Determines the directory where Shorewall maintains its state.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-arprules.html">/etc/shorewall/arprules</ulink></filename>
-        — Added in Shorewall 4.5.12. Allows specification of arptables
-        rules.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-mangle.html">/etc/shorewall/mangle</ulink></filename>
-        -- Added in Shorewall 4.6.0. Supersedes<filename>
-        /etc/shorewall/tcrules</filename>.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename><ulink
-        url="shorewall-snat.html">/etc/shorewall[6]/snat</ulink></filename> -
-        directs the firewall where to use many-to-one (dynamic) Network
-        Address Translation (a.k.a. Masquerading) and Source Network Address
-        Translation (SNAT). Superseded /etc/shorewall[6]/masq in Shorewall
-        5.0.14</para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/usr/share/shorewall[6]/actions.std</filename> -
-        Actions defined by Shorewall.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/usr/share/shorewall[6]/action.*</filename> - Details
-        of actions defined by Shorewall.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/usr/share/shorewall[6]/macro.*</filename> - Details
-        of macros defined by Shorewall.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/usr/share/shorewall[6]/modules</filename> — Specifies
-        the kernel modules to be loaded during shorewall start/restart.</para>
-      </listitem>
-
-      <listitem>
-        <para><filename>/usr/share/shorewall[6]/helpers</filename> — Added in
-        Shorewall 4.4.7. Specifies the kernel modules to be loaded during
-        shorewall start/restart when LOAD_HELPERS_ONLY=Yes in
-        <filename>shorewall.conf</filename>.</para>
-      </listitem>
-    </itemizedlist>
-  </refsect1>
-
-  <refsect1>
-    <title>CONFIG_PATH</title>
-
-    <para>The CONFIG_PATH option in <ulink
-    url="???">shorewall[6].conf(5)</ulink> determines where the compiler
-    searches for configuration files. The default setting is
-    CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that the
-    compiler first looks in /etc/shorewall and if it doesn't find the file, it
-    then looks in /usr/share/shorewall.</para>
-
-    <para>You can change this setting to have the compiler look in different
-    places. For example, if you want to put your own versions of standard
-    macros in /etc/shorewall/Macros, then you could set
-    CONFIG_PATH=/etc/shorewall:/etc/shorewall/Macros:/usr/share/shorewall and
-    the compiler will use your versions rather than the standard ones.</para>
-  </refsect1>
-
-  <refsect1>
-    <title>Comments</title>
-
-    <para>You may place comments in configuration files by making the first
-    non-whitespace character a pound sign (<quote>#</quote>). You may also
-    place comments at the end of any line, again by delimiting the comment
-    from the rest of the line with a pound sign.</para>
-
-    <example id="comment">
-      <title>Comments in a Configuration File</title>
-
-      <programlisting># This is a comment
-ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</programlisting>
-    </example>
-
-    <important>
-      <para>Except in <ulink
-      url="shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
-      url="shorewall-params.html">params(5)</ulink>, if a comment ends with a
-      backslash ("\"), the next line will also be treated as a comment. See
-      <link linkend="Continuation">Line Continuation</link> below.</para>
-    </important>
-  </refsect1>
-
-  <refsect1>
-    <title>Blank Lines</title>
-
-    <para>Most of the configuration files are organized into space-separated
-    columns. If you don't want to supply a value in a column but want to
-    supply a value in a following column, simply enter '-' to make the column
-    appear empty.</para>
-
-    <para>Example:<programlisting>#INTERFACE         BROADCAST            OPTIONS
-br0                -                    routeback</programlisting></para>
-  </refsect1>
-
-  <refsect1>
-    <title id="Continuation">Line Continuation</title>
-
-    <para>Lines may be continued using the usual backslash (<quote>\</quote>)
-    followed immediately by a new line character (Enter key).</para>
-
-    <programlisting>ACCEPT  net     $FW      tcp \↵
-smtp,www,pop3,imap  #Services running on the firewall</programlisting>
-
-    <important>
-      <para>What follows does NOT apply to <ulink
-      url="manpages/shorewall-params.html">shorewall-params(5)</ulink> and
-      <ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
-    </important>
-
-    <para>In certain cases, leading white space is ignored in continuation
-    lines:</para>
-
-    <orderedlist>
-      <listitem>
-        <para>The continued line ends with a colon (":")</para>
-      </listitem>
-
-      <listitem>
-        <para>The continued line ends with a comma (",")</para>
-      </listitem>
-    </orderedlist>
-
-    <para>Example (<filename>/etc/shorewall/rules</filename>):</para>
-
-    <programlisting>#ACTION     SOURCE          DEST            PROTO           DPORT
-ACCEPT      net:\
-            206.124.146.177,\
-            206.124.146.178,\
-            206.124.146.180\
-                            dmz             tcp             873</programlisting>
-
-    <para>The leading white space on the first through third continuation
-    lines is ignored so the SOURCE column effectively contains
-    "net:206.124.146.177,206.124.147.178,206.124.146.180". Because the third
-    continuation line does not end with a comma or colon, the leading white
-    space in the last line is not ignored.</para>
-
-    <important>
-      <para>A trailing backslash is not ignored in a comment. So the continued
-      rule above can be commented out with a single '#' as follows:</para>
-
-      <programlisting>#ACTION     SOURCE          DEST            PROTO           DPORT
-<emphasis role="bold">#</emphasis>ACCEPT     net:\
-            206.124.146.177,\
-            206.124.146.178,\
-            206.124.146.180\
-                            dmz             tcp             873</programlisting>
-    </important>
-  </refsect1>
-
-  <refsect1>
-    <title>Alternative Specification of Column Values</title>
-
-    <para>Some of the configuration files now have a large number of columns.
-    That makes it awkward to specify a value for one of the right-most columns
-    as you must have the correct number of intervening '-' columns.</para>
-
-    <para>This problem is addressed by allowing column values to be specified
-    as <replaceable>column-name</replaceable>/<replaceable>value</replaceable>
-    pairs.</para>
-
-    <para>There is considerable flexibility in how you specify the
-    pairs:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>At any point, you can enter a left curly bracket ('{') followed
-        by one or more specifications of the following forms:</para>
-
-        <simplelist>
-          <member><replaceable>column-name</replaceable>=<replaceable>value</replaceable></member>
-
-          <member><replaceable>column-name</replaceable>=<replaceable>&gt;value</replaceable></member>
-
-          <member><replaceable>column-name</replaceable>:<replaceable>value</replaceable></member>
-        </simplelist>
-
-        <para>The pairs must be followed by a right curly bracket
-        ("}").</para>
-
-        <para>The value may optionally be enclosed in double quotes.</para>
-
-        <para>The pairs must be separated by white space, but you can add a
-        comma adjacent to the <replaceable>values</replaceable> for
-        readability as in:</para>
-
-        <simplelist>
-          <member><emphasis role="bold">{ proto=&gt;udp, port=1024
-          }</emphasis></member>
-        </simplelist>
-      </listitem>
-
-      <listitem>
-        <para>You can also separate the pairs from columns by using a
-        semicolon:</para>
-
-        <simplelist>
-          <member><emphasis role="bold">; proto:udp,
-          port:1024</emphasis></member>
-        </simplelist>
-      </listitem>
-    </itemizedlist>
-
-    <para>In Shorewall 5.0.3, the sample configuration files and the man pages
-    were updated to use the same column names in both the column headings and
-    in the alternate specification format. The following table shows the
-    column names for each of the table-oriented configuration files.</para>
-
-    <note>
-      <para>Column names are <emphasis
-      role="bold">case-insensitive</emphasis>.</para>
-    </note>
-
-    <informaltable>
-      <tgroup cols="2">
-        <tbody>
-          <row>
-            <entry><emphasis role="bold">File</emphasis></entry>
-
-            <entry><emphasis role="bold">Column names</emphasis></entry>
-          </row>
-
-          <row>
-            <entry>accounting</entry>
-
-            <entry>action,chain, source, dest, proto, dport, sport, user,
-            mark, ipsec, headers</entry>
-          </row>
-
-          <row>
-            <entry>conntrack</entry>
-
-            <entry>action,source,dest,proto,dport,sport,user,switch</entry>
-          </row>
-
-          <row>
-            <entry>blacklist</entry>
-
-            <entry>networks,proto,port,options</entry>
-          </row>
-
-          <row>
-            <entry>blrules</entry>
-
-            <entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper</entry>
-          </row>
-
-          <row>
-            <entry>ecn</entry>
-
-            <entry>interface,hosts. Beginning with Shorewall 4.5.4, 'host' is
-            a synonym for 'hosts'.</entry>
-          </row>
-
-          <row>
-            <entry>hosts</entry>
-
-            <entry>zone,hosts,options. Beginning with Shorewall 4.5.4, 'host'
-            is a synonym for 'hosts'.</entry>
-          </row>
-
-          <row>
-            <entry>interfaces</entry>
-
-            <entry>zone,interface,broadcast,options</entry>
-          </row>
-
-          <row>
-            <entry>maclist</entry>
-
-            <entry>disposition,interface,mac,addresses</entry>
-          </row>
-
-          <row>
-            <entry>mangle</entry>
-
-            <entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
-          </row>
-
-          <row>
-            <entry>masq</entry>
-
-            <entry>interface,source,address,proto,port,ipsec,mark,user,switch</entry>
-          </row>
-
-          <row>
-            <entry>nat</entry>
-
-            <entry>external,interface,internal,allints,local</entry>
-          </row>
-
-          <row>
-            <entry>netmap</entry>
-
-            <entry>type,net1,interface,net2,net3,proto,dport,sport</entry>
-          </row>
-
-          <row>
-            <entry>notrack</entry>
-
-            <entry>source,dest,proto,dport,sport,user</entry>
-          </row>
-
-          <row>
-            <entry>policy</entry>
-
-            <entry>source,dest,policy,loglevel,limit,connlimit</entry>
-          </row>
-
-          <row>
-            <entry>providers</entry>
-
-            <entry>table,number,mark,duplicate,interface,gateway,options,copy</entry>
-          </row>
-
-          <row>
-            <entry>proxyarp and proxyndp</entry>
-
-            <entry>address,interface,external,haveroute,persistent</entry>
-          </row>
-
-          <row>
-            <entry>rtrules</entry>
-
-            <entry>source,dest,provider,priority</entry>
-          </row>
-
-          <row>
-            <entry>routes</entry>
-
-            <entry>provider,dest,gateway,device</entry>
-          </row>
-
-          <row>
-            <entry>routestopped</entry>
-
-            <entry>interface,hosts,options,proto,dport,sport</entry>
-          </row>
-
-          <row>
-            <entry>rules</entry>
-
-            <entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper</entry>
-          </row>
-
-          <row>
-            <entry>secmarks</entry>
-
-            <entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
-          </row>
-
-          <row>
-            <entry>tcclasses</entry>
-
-            <entry>interface,mark,rate,ceil,prio,options</entry>
-          </row>
-
-          <row>
-            <entry>tcdevices</entry>
-
-            <entry>interface,in_bandwidth,out_bandwidth,options,redirect</entry>
-          </row>
-
-          <row>
-            <entry>tcfilters</entry>
-
-            <entry>class,source,dest,proto,dport,sport,tos,length</entry>
-          </row>
-
-          <row>
-            <entry>tcinterfaces</entry>
-
-            <entry>interface,type,in_bandwidth,out_bandwidth</entry>
-          </row>
-
-          <row>
-            <entry>tcpri</entry>
-
-            <entry>band,proto,port,address,interface,helper</entry>
-          </row>
-
-          <row>
-            <entry>tcrules</entry>
-
-            <entry>mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers.
-            Beginning with Shorewall 4.5.3, 'action' is a synonym for
-            'mark'.</entry>
-          </row>
-
-          <row>
-            <entry>tos</entry>
-
-            <entry>source,dest,proto,dport,sport,tos,mark</entry>
-          </row>
-
-          <row>
-            <entry>tunnels</entry>
-
-            <entry>type,zone,gateway,gateway_zone. Beginning with Shorewall
-            4.5.3, 'gateways' is a synonym for 'gateway'. Beginning with
-            Shorewall 4.5.4, 'gateway_zones' is a synonym for
-            'gateway_zone'.</entry>
-          </row>
-
-          <row>
-            <entry>zones</entry>
-
-            <entry>zone,type,options,in_options,out_options</entry>
-          </row>
-        </tbody>
-      </tgroup>
-    </informaltable>
-
-    <para>Example (rules file):</para>
-
-    <programlisting>#ACTION         SOURCE            DEST            PROTO   DPORT
-DNAT            net               loc:10.0.0.1    tcp     80    ; mark="88"</programlisting>
-
-    <para>Here's the same line in several equivalent formats:</para>
-
-    <programlisting>{ action=&gt;DNAT, source=&gt;net, dest=&gt;loc:10.0.0.1, proto=&gt;tcp, dport=&gt;80, mark=&gt;88 }
-; action:"DNAT" source:"net"  dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
-DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting>
-
-    <para>Beginning with Shorewall 5.0.11, ip[6]table comments can be attached
-    to individual rules using the <option>comment</option> keyword.</para>
-
-    <para>Example from the rules file:</para>
-
-    <programlisting>        ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }</programlisting>
-
-    <para>As shown in that example, when the comment contains whitespace, it
-    must be enclosed in double quotes and any embedded double quotes must be
-    escaped using a backslash ("\").</para>
-  </refsect1>
-
-  <refsect1>
-    <title>Time Columns</title>
-
-    <para>Several of the files include a TIME colum that allows you to specify
-    times when the rule is to be applied. Contents of this column is a list of
-    <replaceable>timeelement</replaceable>s separated by apersands
-    (&amp;).</para>
-
-    <para>Each <replaceable>timeelement</replaceable> is one of the
-    following:</para>
-
-    <variablelist>
-      <varlistentry>
-        <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
-
-        <listitem>
-          <para>Defines the starting time of day.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
-
-        <listitem>
-          <para>Defines the ending time of day.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>contiguous</term>
-
-        <listitem>
-          <para>Added in Shoreawll 5.0.12. When <emphasis
-          role="bold">timestop</emphasis> is smaller than <emphasis
-          role="bold">timestart</emphasis> value, match this as a single time
-          period instead of distinct intervals. See the Examples below.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>utc</term>
-
-        <listitem>
-          <para>Times are expressed in Greenwich Mean Time.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>localtz</term>
-
-        <listitem>
-          <para>Deprecated by the Netfilter team in favor of <emphasis
-          role="bold">kerneltz</emphasis>. Times are expressed in Local Civil
-          Time (default).</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>kerneltz</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.5.2. Times are expressed in Local Kernel
-          Time (requires iptables 1.4.12 or later).</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>weekdays=ddd[,ddd]...</term>
-
-        <listitem>
-          <para>where <replaceable>ddd</replaceable> is one of
-          <option>Mon</option>, <option>Tue</option>, <option>Wed</option>,
-          <option>Thu</option>, <option>Fri</option>, <option>Sat</option> or
-          <option>Sun</option></para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>monthdays=dd[,dd],...</term>
-
-        <listitem>
-          <para>where <replaceable>dd</replaceable> is an ordinal day of the
-          month</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
-
-        <listitem>
-          <para>Defines the starting date and time.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
-
-        <listitem>
-          <para>Defines the ending date and time.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-
-    <para>Examples:</para>
-
-    <variablelist>
-      <varlistentry>
-        <term>To match on weekends, use:</term>
-
-        <listitem>
-          <para/>
-
-          <para>weekdays=Sat,Sun</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Or, to match (once) on a national holiday block:</term>
-
-        <listitem>
-          <para/>
-
-          <para>datestart=2016-12-24&amp;datestop=2016-12-27</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Since the stop time is actually inclusive, you would need the
-        following stop time to not match the first second of the new
-        day:</term>
-
-        <listitem>
-          <para/>
-
-          <para>datestart=2016-12-24T17:00&amp;datestop=2016-12-27T23:59:59</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>During Lunch Hour</term>
-
-        <listitem>
-          <para/>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>The fourth Friday in the month:</term>
-
-        <listitem>
-          <para/>
-
-          <para>weekdays=Fri&amp;monthdays=22,23,24,25,26,27,28</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Matching across days might not do what is expected. For
-        instance,</term>
-
-        <listitem>
-          <para/>
-
-          <para>weekdays=Mon&amp;timestart=23:00&amp;timestop=01:00</para>
-
-          <para>Will match Monday, for one hour from midnight to 1 a.m., and
-          then again for another hour from 23:00 onwards. If this is unwanted,
-          e.g. if you would like 'match for two hours from Montay 23:00
-          onwards' you need to also specify the <emphasis
-          role="bold">contiguous</emphasis> option in the example
-          above.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsect1>
-
-  <refsect1>
-    <title>Switches</title>
-
-    <para>here are times when you would like to enable or disable one or more
-    rules in the configuration without having to do a <command>shorewall
-    reload</command> or <command>shorewall restart</command>. This may be
-    accomplished using the SWITCH column in <ulink
-    url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) or <ulink
-    url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). Using
-    this column requires that your kernel and iptables include
-    <firstterm>Condition Match Support</firstterm> and you must be running
-    Shorewall 4.4.24 or later. See the output of <command>shorewall show
-    capabilities</command> and <command>shorewall version</command> to
-    determine if you can use this feature.</para>
-
-    <para>The SWITCH column contains the name of a
-    <firstterm>switch.</firstterm> Each switch is initially in the <emphasis
-    role="bold">off</emphasis> position. You can turn on the switch named
-    <emphasis>switch1</emphasis> by:</para>
-
-    <simplelist>
-      <member><command>echo 1 &gt;
-      /proc/net/nf_condition/switch1</command></member>
-    </simplelist>
-
-    <para>You can turn it off again by:</para>
-
-    <simplelist>
-      <member><command>echo 0 &gt;
-      /proc/net/nf_condition/switch1</command></member>
-    </simplelist>
-
-    <para>If you simply include the switch name in the SWITCH column, then the
-    rule is enabled only when the switch is <emphasis
-    role="bold">on</emphasis>. If you precede the switch name with ! (e.g.,
-    !switch1), then the rule is enabled only when the switch is <emphasis
-    role="bold">off</emphasis>. Switch settings are retained over
-    <command>shorewall restart</command>.</para>
-
-    <para>Shorewall requires that switch names:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>begin with a letter and be composed of letters, digits,
-        underscore ('_') or hyphen ('-'); and</para>
-      </listitem>
-
-      <listitem>
-        <para>be 30 characters or less in length.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>Multiple rules can be controlled by the same switch.</para>
-
-    <para>Example:</para>
-
-    <blockquote>
-      <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is
-      on.</para>
-
-      <programlisting>#ACTION     SOURCE          DEST        PROTO       DPORT        SPORT     ORIGDEST   RATE      USER      MARK    CONNLIMIT     TIME     HEADERS    SWITCH
-DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          <emphasis
-          role="bold">primary_down</emphasis>  </programlisting>
-    </blockquote>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-
-    <para>/etc/shorewall[6]/*</para>
-  </refsect1>
-</refentry>
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -90,44 +90,8 @@
                <para>INPUT chain.</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term>NP</term>
-
-              <listitem>
-                <para>PREROUTING chain in the nat table.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>NI</term>
-
-              <listitem>
-                <para>INPUT chain in the nat table.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>NO</term>
-
-              <listitem>
-                <para>OUTPUT chain in the nat table.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>NT</term>
-
-              <listitem>
-                <para>POSTROUTING chain in the nat table.</para>
-              </listitem>
-            </varlistentry>
          </variablelist>

-          <para>The nat table designators were added in Shorewall 5.2.1. When
-          a nat table designator is given, only the CONNMARK, MARK, SAVE and
-          RESTORE commands may be used.</para>
-
          <para>Unless otherwise specified for the particular
          <replaceable>command</replaceable>, the default chain is PREROUTING
          when MARK_IN_FORWARD_CHAIN=No in <ulink
@@ -410,8 +374,8 @@ DIVERTHA        -               -               tcp</programlisting>

              <listitem>
                <para>Allows you to place your own ip[6]tables matches at the
-                end of the line following a semicolon (";") (deprecated) or
-                two semicolons (";;") (preferred since Shoreall 5.0.0). If an
+                end of the line following two semicolons (";;") (preferred) or
+                a single semicolon (";") (deprecated). If an
                <replaceable>action</replaceable> is specified, the compiler
                proceeds as if that <replaceable>action</replaceable> had been
                specified in this column. If no action is specified, then you
@@ -857,20 +821,15 @@ Normal-Service       =&gt; 0x00</programlisting>

          <variablelist>
            <varlistentry>
-              <term>[!]<replaceable>interface</replaceable></term>
+              <term><replaceable>interface</replaceable></term>

              <listitem>
                <para>where <replaceable>interface</replaceable> is the
-                logical name of an <replaceable>interface</replaceable>
-                defined in <ulink
+                logical name of an interface defined in <ulink
                url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
                Matches packets entering the firewall from the named
                interface. May not be used in CLASSIFY rules or in rules using
                the :T chain qualifier.</para>
-
-                <para>Beginning with Shorweall 5.2.1, the
-                <replaceable>interface</replaceable> may be preceded with '!'
-                which matches all interfaces except the one specified.</para>
              </listitem>
            </varlistentry>

@@ -904,31 +863,23 @@ Normal-Service       =&gt; 0x00</programlisting>
            </varlistentry>

            <varlistentry>
-              <term>[!]<replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
+              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>

              <listitem>
                <para>This form combines the preceding two forms and matches
                when both the incoming interface and source IP address
                match.</para>
-
-                <para>Beginning with Shorweall 5.2.1, the
-                <replaceable>interface</replaceable> may be preceded with '!'
-                which matches all interfaces except the one specified.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term>[!]<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
+              <term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>

              <listitem>
                <para>This form matches packets arriving through the named
                <replaceable>interface</replaceable> and whose source IP
                address does not match any of the addresses in the
                <replaceable>exclusion</replaceable>.</para>
-
-                <para>Beginning with Shorweall 5.2.1, the
-                <replaceable>interface</replaceable> may be preceded with '!'
-                which matches all interfaces except the one specified.</para>
              </listitem>
            </varlistentry>

--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -0,0 +1,781 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-masq</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>masq</refname>
+
+    <refpurpose>Shorewall Masquerade/SNAT definition file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall[6]/masq</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to define dynamic NAT (Masquerading) and to define
+    Source NAT (SNAT). While still supported, its use is deprecated in favor
+    of <ulink url="shorewall-snat.html">shorewall-snat</ulink>(5) which was
+    introduced in Shorewall 5.0.14.</para>
+
+    <warning>
+      <para>The entries in this file are order-sensitive. The first entry that
+      matches a particular connection will be the one that is used.</para>
+    </warning>
+
+    <warning>
+      <para>If you have more than one ISP link, adding entries to this file
+      will <emphasis role="bold">not</emphasis> force connections to go out
+      through a particular link. You must use entries in <ulink
+      url="/manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
+      PREROUTING entries in <ulink
+      url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
+      that.</para>
+    </warning>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">INTERFACE:DEST</emphasis> - {[<emphasis
+        role="bold">+</emphasis>]<emphasis>interfacelist</emphasis>[<emphasis
+        role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
+        role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|?COMMENT}</term>
+
+        <listitem>
+          <para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
+          comma-separated list of interface names. This is usually your
+          internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), you
+          may add ":" and a <emphasis>digit</emphasis> to indicate that you
+          want the alias added with that name (e.g., eth0:0). This will allow
+          the alias to be displayed with ifconfig. <emphasis role="bold">That
+          is the only use for the alias name; it may not appear in any other
+          place in your Shorewall configuration.</emphasis></para>
+
+          <para>Each interface must match an entry in <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
+          Shorewall allows loose matches to wildcard entries in <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
+          For example, <filename class="devicefile">ppp0</filename> in this
+          file will match a <ulink
+          url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+          entry that defines <filename
+          class="devicefile">ppp+</filename>.</para>
+
+          <para>Where <ulink url="/4.4/MultiISP.html#Shared">more that one
+          internet provider share a single interface</ulink>, the provider is
+          specified by including the provider name or number in
+          parentheses:</para>
+
+          <programlisting>        eth0(Avvanta)</programlisting>
+
+          <para>In that case, you will want to specify the interface's address
+          for that provider in the ADDRESS column.</para>
+
+          <para>The interface may be qualified by adding the character ":"
+          followed by a comma-separated list of destination host or subnet
+          addresses to indicate that you only want to change the source IP
+          address for packets being sent to those particular destinations.
+          Exclusion is allowed (see <ulink
+          url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
+          as are ipset names preceded by a plus sign '+';</para>
+
+          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
+          entry then include the ":" but omit the digit:</para>
+
+          <programlisting>        eth0(Avvanta):
+        eth2::192.0.2.32/27</programlisting>
+
+          <para>Normally Masq/SNAT rules are evaluated after those for
+          one-to-one NAT (defined in <ulink
+          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5)). If you
+          want the rule to be applied before one-to-one NAT rules, prefix the
+          interface name with "+":</para>
+
+          <programlisting>        +eth0
+        +eth0:192.0.2.32/27
+        +eth0:2</programlisting>
+
+          <para>This feature should only be required if you need to insert
+          rules in this file that preempt entries in <ulink
+          url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5).</para>
+
+          <para>Comments may be attached to Netfilter rules generated from
+          entries in this file through the use of ?COMMENT lines. These lines
+          begin with ?COMMENT; the remainder of the line is treated as a
+          comment which is attached to subsequent rules until another ?COMMENT
+          line is found or until the end of the file is reached. To stop
+          adding comments to rules, use a line containing only
+          ?COMMENT.</para>
+
+          <para>Beginning with Shorewall 4.6.0, a new syntax is also accepted.
+          With the exception of the leading '+', the interfacelist and
+          qualifiers may appear within the parentheses of <emphasis
+          role="bold">INLINE</emphasis>(...).</para>
+
+          <para>Example:</para>
+
+          <programlisting>        +INLINE(eth0)</programlisting>
+
+          <para>When this is done, you may augment the rule generated by
+          Shorewall with iptables matches of your own. These matches appear
+          after a semicolon (';') at the end of the line.</para>
+
+          <para>See example 8 below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET
+        - Optional) -
+        [<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
+
+        <listitem>
+          <para>Set of hosts that you wish to masquerade. You can specify this
+          as an <emphasis>address</emphasis> (net or host) or as an
+          <emphasis>interface</emphasis> (use of an
+          <emphasis>interface</emphasis> is deprecated). If you give the name
+          of an interface, the interface must be up before you start the
+          firewall and the Shorewall rules compiler will warn you of that
+          fact. (Shorewall will use your main routing table to determine the
+          appropriate addresses to masquerade).</para>
+
+          <para>The preferred way to specify the SOURCE is to supply one or
+          more host or network addresses separated by comma. You may use ipset
+          names preceded by a plus sign (+) to specify a set of hosts.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
+        role="bold">-</emphasis>|<emphasis
+        role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
+        role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
+        role="bold">:random</emphasis>][:persistent]|<emphasis
+        role="bold">detect</emphasis>|<emphasis
+        role="bold">random</emphasis>]</term>
+
+        <listitem>
+          <para>If you specify an address here, SNAT will be used and this
+          will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
+          in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) then
+          Shorewall will automatically add this address to the INTERFACE named
+          in the first column.</para>
+
+          <para>You may also specify a range of up to 256 IP addresses if you
+          want the SNAT address to be assigned from that range in a
+          round-robin fashion by connection. The range is specified by
+          <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
+          You may follow the port range with<emphasis role="bold">
+          :random</emphasis> in which case assignment of ports from the list
+          will be random. <emphasis role="bold">random</emphasis> may also be
+          specified by itself in this column in which case random local port
+          assignments are made for the outgoing connections.</para>
+
+          <para>Example: 206.124.146.177-206.124.146.180</para>
+
+          <para>You may follow the port range (or <emphasis
+          role="bold">:random</emphasis>) with <emphasis
+          role="bold">:persistent</emphasis>. This is only useful when an
+          address range is specified and causes a client to be given the same
+          source/destination IP pair. This feature replaces the SAME modifier
+          which was removed from Shorewall in version 4.4.0. Unlike <emphasis
+          role="bold">random</emphasis>, <emphasis
+          role="bold">persistent</emphasis> may not be used by itself.</para>
+
+          <para>You may also use the special value "detect" which causes
+          Shorewall to determine the IP addresses configured on the interface
+          named in the INTERFACES column and substitute them in this
+          column.</para>
+
+          <para>Finally, you may also specify a comma-separated list of ranges
+          and/or addresses in this column.</para>
+
+          <para>This column may not contain DNS Names.</para>
+
+          <para>Normally, Netfilter will attempt to retain the source port
+          number. You may cause netfilter to remap the source port by
+          following an address or range (if any) by ":" and a port range with
+          the format
+          <emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If this
+          is done, you must specify "tcp" or "udp" in the PROTO column.</para>
+
+          <para>Examples:</para>
+
+          <programlisting>        192.0.2.4:5000-6000
+        :4000-5000</programlisting>
+
+          <para>If you simply place <emphasis role="bold">NONAT</emphasis> in
+          this column, no rewriting of the source IP address or port number
+          will be performed. This is useful if you want particular traffic to
+          be exempt from the entries that follow in the file.</para>
+
+          <para>If you want to leave this column empty but you need to specify
+          the next column then place a hyphen ("-") here.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
+        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
+
+        <listitem>
+          <para>If you wish to restrict this entry to a particular protocol
+          then enter the protocol name (from protocols(5)) or number
+          here.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
+
+          <para>Beginning with Shorewall 4.6.0, an
+          <replaceable>ipset</replaceable> name can be specified in this
+          column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PORT</emphasis> (Optional) -
+        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
+
+        <listitem>
+          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
+          SCTP (132) or UDPLITE (136) then you may list one or more port
+          numbers (or names from services(5)) or port ranges separated by
+          commas.</para>
+
+          <para>Port ranges are of the form
+          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
+
+          <para>Beginning with Shorewall 4.6.0, an
+          <replaceable>ipset</replaceable> name can be specified in this
+          column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
+        [<emphasis>option</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
+
+        <listitem>
+          <para>If you specify a value other than "-" in this column, you must
+          be running kernel 2.6 and your kernel and iptables must include
+          policy match support.</para>
+
+          <para>Comma-separated list of options from the following. Only
+          packets that will be encrypted via an SA that matches these options
+          will have their source address changed.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>where <emphasis>number</emphasis> is specified using
+                setkey(8) using the 'unique:<emphasis>number</emphasis> option
+                for the SPD level.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
+
+              <listitem>
+                <para>where <emphasis>number</emphasis> is the SPI of the SA
+                used to encrypt/decrypt packets.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">proto=</emphasis><emphasis
+              role="bold">ah</emphasis>|<emphasis
+              role="bold">esp</emphasis>|<emphasis
+              role="bold">ipcomp</emphasis></term>
+
+              <listitem>
+                <para>IPSEC Encapsulation Protocol</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>sets the MSS field in TCP packets</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">mode=</emphasis><emphasis
+              role="bold">transport</emphasis>|<emphasis
+              role="bold">tunnel</emphasis></term>
+
+              <listitem>
+                <para>IPSEC mode</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
+
+              <listitem>
+                <para>only available with mode=tunnel</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
+
+              <listitem>
+                <para>only available with mode=tunnel</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">strict</emphasis></term>
+
+              <listitem>
+                <para>Means that packets must match all rules.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">next</emphasis></term>
+
+              <listitem>
+                <para>Separates rules; can only be used with strict</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">yes</emphasis></term>
+
+              <listitem>
+                <para>When used by itself, causes all traffic that will be
+                encrypted/encapsulated to match the rule.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
+        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
+        role="bold">:C</emphasis>]</term>
+
+        <listitem>
+          <para>Defines a test on the existing packet or connection mark. The
+          rule will match only if the test returns true.</para>
+
+          <para>If you don't want to define a test but need to specify
+          anything in the following columns, place a "-" in this field.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>!</term>
+
+              <listitem>
+                <para>Inverts the test (not equal)</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>value</emphasis></term>
+
+              <listitem>
+                <para>Value of the packet or connection mark.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>mask</emphasis></term>
+
+              <listitem>
+                <para>A mask to be applied to the mark before testing.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">:C</emphasis></term>
+
+              <listitem>
+                <para>Designates a connection mark. If omitted, the packet
+                mark's value is tested.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
+        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
+        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
+
+        <listitem>
+          <para>This column was formerly labelled USER/GROUP.</para>
+
+          <para>Only locally-generated connections will match if this column
+          is non-empty.</para>
+
+          <para>When this column is non-empty, the rule matches only if the
+          program generating the output is running under the effective
+          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
+          specified (or is NOT running under that id if "!" is given).</para>
+
+          <para>Examples:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>joe</term>
+
+              <listitem>
+                <para>program must be run by joe</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>:kids</term>
+
+              <listitem>
+                <para>program must be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>!:kids</term>
+
+              <listitem>
+                <para>program must not be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>+upnpd</term>
+
+              <listitem>
+                <para>#program named upnpd</para>
+
+                <important>
+                  <para>The ability to specify a program name was removed from
+                  Netfilter in kernel version 2.6.14.</para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
+          rule without requiring <command>shorewall restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '@...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+
+          <para>Beginning with Shorewall 4.5.10, when the
+          <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
+
+        <listitem>
+          <para>(Optional) Added in Shorewall 4.5.6. This column may be
+          included and may contain one or more addresses (host or network)
+          separated by commas. Address ranges are not allowed. When this
+          column is supplied, rules are generated that require that the
+          original destination address matches one of the listed addresses. It
+          is useful for specifying that SNAT should occur only for connections
+          that were acted on by a DNAT when they entered the firewall.</para>
+
+          <para>This column was formerly labelled ORIGINAL DEST.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROBABILITY</emphasis> -
+        [<replaceable>probability</replaceable>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.0. When non-empty, requires the
+          <firstterm>Statistics Match</firstterm> capability in your kernel
+          and ip6tables and causes the rule to match randomly but with the
+          given <replaceable>probability</replaceable>. The
+          <replaceable>probability</replaceable> is a number 0 &lt;
+          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
+          at up to 8 decimal points of precision.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Examples</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>IPv4 Example 1:</term>
+
+        <listitem>
+          <para>You have a simple masquerading setup where eth0 connects to a
+          DSL or cable modem and eth1 connects to your local network with
+          subnet 192.168.0.0/24.</para>
+
+          <para>Your entry in the file will be:</para>
+
+          <programlisting>        #INTERFACE   SOURCE
+        eth0    192.168.0.0/24</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv4 Example 2:</term>
+
+        <listitem>
+          <para>You add a router to your local network to connect subnet
+          192.168.1.0/24 which you also want to masquerade. You then add a
+          second entry for eth0 to this file:</para>
+
+          <programlisting>        #INTERFACE   SOURCE
+        eth0         192.168.1.0/24</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv4 Example 3:</term>
+
+        <listitem>
+          <para>You have an IPSEC tunnel through ipsec0 and you want to
+          masquerade packets coming from 192.168.1.0/24 but only if these
+          packets are destined for hosts in 10.1.1.0/24:</para>
+
+          <programlisting>        #INTERFACE              SOURCE
+        ipsec0:10.1.1.0/24      196.168.1.0/24</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv4 Example 4:</term>
+
+        <listitem>
+          <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
+          to use source address 206.124.146.176 which is NOT the primary
+          address of eth0. You want 206.124.146.176 to be added to eth0 with
+          name eth0:0.</para>
+
+          <programlisting>        #INTERFACE              SOURCE          ADDRESS
+        eth0:0                  192.168.1.0/24  206.124.146.176</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv4 Example 5:</term>
+
+        <listitem>
+          <para>You want all outgoing SMTP traffic entering the firewall from
+          172.20.1.0/29 to be sent from eth0 with source IP address
+          206.124.146.177. You want all other outgoing traffic from
+          172.20.1.0/29 to be sent from eth0 with source IP address
+          206.124.146.176.</para>
+
+          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   DPORT
+        eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
+        eth0         172.20.1.0/29    206.124.146.176</programlisting>
+
+          <warning>
+            <para>The order of the above two rules is significant!</para>
+          </warning>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv4 Example 6:</term>
+
+        <listitem>
+          <para>Connections leaving on eth0 and destined to any host defined
+          in the ipset <emphasis>myset</emphasis> should have the source IP
+          address changed to 206.124.146.177.</para>
+
+          <programlisting>        #INTERFACE              SOURCE          ADDRESS
+        eth0:+myset[dst]        -               206.124.146.177</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv4 Example 7:</term>
+
+        <listitem>
+          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
+          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
+          (Shorewall 4.5.9 and later).</para>
+
+          <programlisting>/etc/shorewall/tcrules:
+
+       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
+       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
+
+/etc/shorewall/masq:
+
+       #INTERFACE SOURCE         ADDRESS     ...
+       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
+       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
+       eth0       192.168.1.0/24 1.1.1.9 ; mark=3:C</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv4 Example 8:</term>
+
+        <listitem>
+          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
+          70.90.191.123. You want to use the iptables statistics match to
+          masquerade outgoing connections evenly between these two
+          addresses.</para>
+
+          <programlisting>/etc/shorewall/masq:
+
+       #INTERFACE    SOURCE         ADDRESS 
+       INLINE(eth1)  0.0.0.0/0      70.90.191.121 ;  -m statistic --mode random --probability 0.50
+       eth1          0.0.0.0/0      70.90.191.123 
+</programlisting>
+
+          <para>If INLINE_MATCHES=Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
+          these rules may be specified as follows:</para>
+
+          <programlisting>/etc/shorewall/masq:
+
+       #INTERFACE    SOURCE         ADDRESS 
+       eth1          0.0.0.0/0      70.90.191.121 ;  -m statistic --mode random --probability 0.50
+       eth1          0.0.0.0/0      70.90.191.123 
+</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 1:</term>
+
+        <listitem>
+          <para>You have a simple 'masquerading' setup where eth0 connects to
+          a DSL or cable modem and eth1 connects to your local network with
+          subnet 2001:470:b:787::0/64</para>
+
+          <para>Your entry in the file will be:</para>
+
+          <programlisting>        #INTERFACE   SOURCE                  ADDRESS
+        eth0         2001:470:b:787::0/64    -</programlisting>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IPv6 Example 2:</term>
+
+        <listitem>
+          <para>Your sit1 interface has two public IP addresses:
+          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
+          iptables statistics match to masquerade outgoing connections evenly
+          between these two addresses.</para>
+
+          <programlisting>/etc/shorewall/masq:
+
+       #INTERFACE    SOURCE         ADDRESS 
+       INLINE(sit1)  ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::2 
+</programlisting>
+
+          <para>If INLINE_MATCHES=Yes in <ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
+          then these rules may be specified as follows:</para>
+
+          <programlisting>/etc/shorewall/masq:
+
+       #INTERFACE    SOURCE         ADDRESS 
+       sit1          ::/0           2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          ::/0           2001:470:a:227::2</programlisting>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/masq</para>
+
+    <para>/etc/shorewall6/masq</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall(8)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall/manpages/shorewall-names.xml
+++ b/Shorewall/manpages/shorewall-names.xml
@@ -1,310 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<refentry>
-  <refmeta>
-    <refentrytitle>shorewall-names</refentrytitle>
-
-    <manvolnum>5</manvolnum>
-
-    <refmiscinfo>Configuration Files</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname>names</refname>
-
-    <refpurpose>Shorewall object names</refpurpose>
-  </refnamediv>
-
-  <refsect1>
-    <title>Description</title>
-
-    <para>When you define an object in Shorewall (<ulink
-    url="manpages/shorewall-zones.html">Zone</ulink>, <link
-    linkend="Logical">Logical Interface</link>, <ulink
-    url="ipsets.html">ipsets</ulink>, <ulink
-    url="Actions.html">Actions</ulink>, etc., you give it a name. Shorewall
-    names start with a letter and consist of letters, digits or underscores
-    ("_"). Except for Zone names, Shorewall does not impose a limit on name
-    length.</para>
-
-    <para>When an ipset is referenced, the name must be preceded by a plus
-    sign ("+").</para>
-
-    <para>The last character of an interface may also be a plus sign to
-    indicate a wildcard name.</para>
-
-    <para>Physical interface names match names shown by 'ip link ls'; if the
-    name includes an at sign ("@"), do not include that character or any
-    character that follows. For example, "sit1@NONE" is referred to as simply
-    'sit1".</para>
-  </refsect1>
-
-  <refsect1>
-    <title>Zone and Chain Names</title>
-
-    <para>For a pair of zones, Shorewall creates two Netfilter chains; one for
-    connections in each direction. The names of these chains are formed by
-    separating the names of the two zones by either "2" or "-".</para>
-
-    <para>Example: Traffic from zone A to zone B would go through chain A2B
-    (think "A to B") or "A-B".</para>
-
-    <para>In Shorewall 4.6, the default separator is "-" but you can override
-    that by setting ZONE_SEPARATOR="2" in <ulink
-    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
-
-    <note>
-      <para>Prior to Shorewall 4.6, the default separator was "2".</para>
-    </note>
-
-    <para>Zones themselves have names that begin with a letter and are
-    composed of letters, numerals, and "_". The maximum length of a name is
-    dependent on the setting of LOGFORMAT in <ulink
-    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5). See <ulink
-    url="manpages/shorewall-zones.html">shorewall-zones</ulink> (5) for
-    details.</para>
-  </refsect1>
-
-  <refsect1>
-    <title>Using DNS Names</title>
-
-    <caution>
-      <para>I personally recommend strongly against using DNS names in
-      Shorewall configuration files. If you use DNS names and you are called
-      out of bed at 2:00AM because Shorewall won't start as a result of DNS
-      problems then don't say that you were not forewarned.</para>
-    </caution>
-
-    <para>Host addresses in Shorewall configuration files may be specified as
-    either IP addresses or DNS Names.</para>
-
-    <para>DNS names in iptables rules aren't nearly as useful as they first
-    appear. When a DNS name appears in a rule, the iptables utility resolves
-    the name to one or more IP addresses and inserts those addresses into the
-    rule. So changes in the DNS-&gt;IP address relationship that occur after
-    the firewall has started have absolutely no effect on the firewall's rule
-    set.</para>
-
-    <para>For some sites, using DNS names is very risky. Here's an
-    example:</para>
-
-    <programlisting>teastep@ursa:~$ dig pop.gmail.com
-
-; &lt;&lt;&gt;&gt; DiG 9.4.2-P1 &lt;&lt;&gt;&gt; pop.gmail.com
-;; global options:  printcmd
-;; Got answer:
-;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 1774
-;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 0
-
-;; QUESTION SECTION:
-;pop.gmail.com.               IN A
-
-;; ANSWER SECTION:
-pop.gmail.com.          <emphasis role="bold">300</emphasis>   IN CNAME gmail-pop.l.google.com.
-gmail-pop.l.google.com. <emphasis role="bold">300</emphasis>   IN A     209.85.201.109
-gmail-pop.l.google.com. <emphasis role="bold">300</emphasis>   IN A     209.85.201.111</programlisting>
-
-    <para>Note that the TTL is 300 -- 300 seconds is only 5 minutes. So five
-    minutes later, the answer may change!</para>
-
-    <para>So this rule may work for five minutes then suddently stop
-    working:</para>
-
-    <programlisting>#ACTION        SOURCE               DEST              PROTO             DPORT
-POP(ACCEPT)    loc                  net:pop.gmail.com</programlisting>
-
-    <para>There are two options in <ulink
-    url="manpages/shorewall.conf.html">shorewall[6].conf(5)</ulink> that
-    affect the use of DNS names in Shorewall[6] config files:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>DEFER_DNS_RESOLUTION - When set to No, DNS names are resolved at
-        compile time; when set to Yes, DNS Names are resolved at
-        runtime.</para>
-      </listitem>
-
-      <listitem>
-        <para>AUTOMAKE - When set to Yes, <command>start</command>,
-        <command>restart</command> and <command>reload</command> only result
-        in compilation if one of the files on the CONFIG_PATH has changed
-        since the the last compilation.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>So by setting AUTOMAKE=Yes, and DEFER_DNS_RESOLUTION=No, compilation
-    will only take place at boot time if a change had been make to the config
-    but no <command>restart</command> or <command>reload</command> had taken
-    place. This is clearly spelled out in the shorewall.conf manpage. So with
-    these settings, so long as a 'reload' or 'restart' takes place after the
-    Shorewall configuration is changes, there should be no DNS-related
-    problems at boot time.</para>
-
-    <important>
-      <para>When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes and a DNS change
-      makes it necessary to recompile an existing firewall script, the
-      <option>-c</option> option must be used with the
-      <command>reload</command> or <command>restart</command> command to force
-      recompilation.</para>
-    </important>
-
-    <para>If your firewall rules include DNS names then, even if
-    DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>If your <filename>/etc/resolv.conf </filename>is wrong then your
-        firewall may not start.</para>
-      </listitem>
-
-      <listitem>
-        <para>If your <filename>/etc/nsswitch.conf</filename> is wrong then
-        your firewall may not start.</para>
-      </listitem>
-
-      <listitem>
-        <para>If your Name Server(s) is(are) down then your firewall may not
-        start.</para>
-      </listitem>
-
-      <listitem>
-        <para>If your startup scripts try to start your firewall before
-        starting your DNS server then your firewall may not start.</para>
-      </listitem>
-
-      <listitem>
-        <para>Factors totally outside your control (your ISP's router is down
-        for example), can prevent your firewall from starting.</para>
-      </listitem>
-
-      <listitem>
-        <para>You must bring up your network interfaces prior to starting your
-        firewall, or the firewall may not start.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>Each DNS name must be fully qualified and include a minimum of two
-    periods (although one may be trailing). This restriction is imposed by
-    Shorewall to insure backward compatibility with existing configuration
-    files.</para>
-
-    <example id="validdns">
-      <title>Valid DNS Names</title>
-
-      <itemizedlist>
-        <listitem>
-          <para>mail.shorewall.net</para>
-        </listitem>
-
-        <listitem>
-          <para>shorewall.net. (note the trailing period).</para>
-        </listitem>
-      </itemizedlist>
-    </example>
-
-    <example id="invaliddns">
-      <title>Invalid DNS Names</title>
-
-      <itemizedlist>
-        <listitem>
-          <para>mail (not fully qualified)</para>
-        </listitem>
-
-        <listitem>
-          <para>shorewall.net (only one period)</para>
-        </listitem>
-      </itemizedlist>
-    </example>
-
-    <para>DNS names may not be used as:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>The server address in a DNAT rule (/etc/shorewall/rules
-        file)</para>
-      </listitem>
-
-      <listitem>
-        <para>In the ADDRESS column of an entry in /etc/shorewall/masq.</para>
-      </listitem>
-
-      <listitem>
-        <para/>
-      </listitem>
-
-      <listitem>
-        <para>In the <filename>/etc/shorewall/nat</filename> file.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>These restrictions are imposed by Netfilter and not by
-    Shorewall.</para>
-  </refsect1>
-
-  <refsect1>
-    <title id="Logical">Logical Interface Names</title>
-
-    <para>When dealing with a complex configuration, it is often awkward to
-    use physical interface names in the Shorewall configuration.</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>You need to remember which interface is which.</para>
-      </listitem>
-
-      <listitem>
-        <para>If you move the configuration to another firewall, the interface
-        names might not be the same.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>Beginning with Shorewall 4.4.4, you can use logical interface names
-    which are mapped to the actual interface using the
-    <option>physical</option> option in <ulink
-    url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
-    (5).</para>
-
-    <para>Here is an example:</para>
-
-    <programlisting>#ZONE  INTERFACE  OPTIONS
-net    <emphasis role="bold">COM_IF </emphasis>    dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
-        role="bold">physical=eth0</emphasis>
-net    <emphasis role="bold">EXT_IF</emphasis>     dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
-        role="bold">physical=eth2</emphasis>
-loc    <emphasis role="bold">INT_IF </emphasis>    dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
-        role="bold">physical=eth1</emphasis>
-dmz    <emphasis role="bold">VPS_IF </emphasis>    logmartians=1,routefilter=0,routeback,<emphasis
-        role="bold">physical=venet0</emphasis>
-loc    <emphasis role="bold">TUN_IF</emphasis>     <emphasis role="bold">physical=tun+</emphasis></programlisting>
-
-    <para>In this example, COM_IF is a logical interface name that refers to
-    Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is
-    a logical interface name that refers to Ethernet interface <filename
-    class="devicefile">eth2</filename>, and so on.</para>
-
-    <para>Here are a couple of more files from the same configuration:</para>
-
-    <para><ulink url="manpages/shorewall-masq.html">shorewall-masq</ulink>
-    (5):</para>
-
-    <programlisting>#INTERFACE SOURCE                    ADDRESS
-
-COMMENT Masquerade Local Network
-<emphasis role="bold">COM_IF</emphasis>     0.0.0.0/0
-<emphasis role="bold">EXT_IF </emphasis>    !206.124.146.0/24         206.124.146.179:persistent</programlisting>
-
-    <para><ulink
-    url="manpages/shorewall-providers.html">shorewall-providers</ulink>
-    (5)</para>
-
-    <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
-Avvanta 1        0x10000 main       <emphasis role="bold">EXT_IF </emphasis>    206.124.146.254 loose,fallback        <emphasis
-        role="bold">INT_IF,VPS_IF,TUN_IF</emphasis>
-Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>     detect          balance               <emphasis
-        role="bold">INT_IF,VPS_IF,TUN_IF</emphasis></programlisting>
-
-    <para>Note in particular that Shorewall translates TUN_IF to <filename
-    class="devicefile">tun*</filename> in the COPY column.</para>
-  </refsect1>
-</refentry>
--- a/Shorewall/manpages/shorewall-params.xml
+++ b/Shorewall/manpages/shorewall-params.xml
@@ -26,8 +26,10 @@
    <title>Description</title>

    <para>Assign any shell variables that you need in this file. The file is
-    always processed by <filename>/bin/sh</filename> so the full range of
-    shell capabilities may be used.</para>
+    always processed by <filename>/bin/sh</filename> or by the shell specified
+    through SHOREWALL_SHELL in <ulink
+    url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5) so the full
+    range of shell capabilities may be used.</para>

    <para>It is suggested that variable names begin with an upper case letter
    to distinguish them from variables used internally within the Shorewall
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -295,21 +295,21 @@
          <para>where limit is one of:</para>

          <simplelist>
-            <member>[<emphasis role="bold">-</emphasis>|[{<emphasis
-            role="bold">s</emphasis>|<emphasis
-            role="bold">d</emphasis>}[/<replaceable>vlsm</replaceable>]:[[<replaceable>name</replaceable>][(ht-buckets,ht-max)]:]]]<emphasis>rate</emphasis><emphasis
+            <member>[<emphasis
+            role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>

-            <member>[<replaceable>name</replaceable>1:]<emphasis>rate1</emphasis><emphasis
+            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
-            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2:]<emphasis>rate2</emphasis><emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
@@ -331,14 +331,7 @@
          role="bold">shorewall</emphasis> is assumed. Where more than one
          POLICY or rule specifies the same name, the connections counts for
          the policies are aggregated and the individual rates apply to the
-          aggregated count. Beginning with Shorewall 5.2.1, the <emphasis
-          role="bold">s</emphasis> or <emphasis role="bold">d</emphasis> may
-          be followed by a slash ("/") and an integer
-          <replaceable>vlsm</replaceable>. When a
-          <replaceable>vlsm</replaceable> is specified, all source or
-          destination addresses encountered will be grouped according to the
-          given prefix length and the so-created subnet will be subject to the
-          rate limit.</para>
+          aggregated count.</para>

          <para>Beginning with Shorewall 4.6.5, two<replaceable>
          limit</replaceable>s may be specified, separated by a comma. In this
@@ -349,17 +342,6 @@

          <para>Example: <emphasis
          role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
-
-          <para>Beginning with Shorewall 5.2.1, the table name, if any, may be
-          followed by two integers separated by commas and enclosed in
-          parentheses. The first integer
-          (<replaceable>ht-buckets</replaceable>) specifies the number of
-          buckets in the generated hash table. The second integer
-          (<replaceable>ht-max</replaceable>) specifies the maximum number of
-          entries in the hash table.</para>
-
-          <para>Example: <emphasis
-          role="bold">s:client(1024,65536):10/sec</emphasis></para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -84,8 +84,8 @@

          <para>If PROVIDER_OFFSET is non-zero in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases,
-          the number of significant bits may not exceed PROVIDER_OFFSET +
+          the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases, the
+          number of significant bits may not exceed PROVIDER_OFFSET +
          PROVIDER_BITS.</para>
        </listitem>
      </varlistentry>
@@ -117,12 +117,6 @@
          specified unless <option>loose</option> is given in the OPTIONS
          column of this entry.</para>

-          <important>
-            <para>For IPv6, if the interface is an Ethernet device and an IP
-            address is supplied, it should be the upstream router's link-level
-            address, not its global address.</para>
-          </important>
-
          <para>Where more than one provider is serviced through a single
          interface, the <emphasis>interface</emphasis> must be followed by a
          colon and the IP <emphasis>address</emphasis> of the interface that
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -461,7 +461,8 @@
              <listitem>
                <para>Added in Shorewall 4.5.16. This action allows you to
                construct most of the rule yourself using iptables syntax. The
-                part that you specify must follow two semicolons (';;') and is
+                part that you specify must follow two semicolons (';;')
+                (preferred) or a single semicolon (';') (deprecated) and is
                completely free-form. If the target of the rule (the part
                following 'j') is something that Shorewall supports in the
                ACTION column, then you may enclose it in parentheses (e.g.,
@@ -1045,7 +1046,7 @@
            </varlistentry>

            <varlistentry>
-              <term><replaceable>zone</replaceable>:[!]<replaceable>interface</replaceable></term>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>

              <listitem>
                <para>When this form is used,
@@ -1058,11 +1059,6 @@
                Only packets from hosts in the <replaceable>zone</replaceable>
                that arrive through the named interface will match the
                rule.</para>
-
-                <para>Beginning with Shorweall 5.2.1, the
-                <replaceable>interface</replaceable> may be preceded with '!'
-                which matches all interfaces associated with the zone except
-                the one specified.</para>
              </listitem>
            </varlistentry>

@@ -1401,7 +1397,7 @@
            </varlistentry>

            <varlistentry>
-              <term><replaceable>zone</replaceable>:[!]<replaceable>interface</replaceable></term>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>

              <listitem>
                <para>When this form is used,
@@ -1414,11 +1410,6 @@
                Only packets to hosts in the <replaceable>zone</replaceable>
                that are sent through the named interface will match the
                rule.</para>
-
-                <para>Beginning with Shorweall 5.2.1, the
-                <replaceable>interface</replaceable> may be preceded with '!'
-                which matches all interfaces associated with the zone except
-                the one specified.</para>
              </listitem>
            </varlistentry>

@@ -1472,17 +1463,12 @@
            </varlistentry>

            <varlistentry>
-              <term><replaceable>zone</replaceable>:[!]<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>

              <listitem>
                <para>This form combines the preceding two and requires that
                both the outgoing interface and destinationaddress
                match.</para>
-
-                <para>Beginning with Shorweall 5.2.1, the
-                <replaceable>interface</replaceable> may be preceded with '!'
-                which matches all interfaces associated with the zone except
-                the one specified.</para>
              </listitem>
            </varlistentry>

@@ -1497,7 +1483,7 @@
            </varlistentry>

            <varlistentry>
-              <term><replaceable>zone</replaceable>:[!]<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>

              <listitem>
                <para>This form matches packets to the named
@@ -1505,11 +1491,6 @@
                <replaceable>interface</replaceable> where the destination
                address does not match any entry in the
                <replaceable>exclusion</replaceable>.</para>
-
-                <para>Beginning with Shorweall 5.2.1, the
-                <replaceable>interface</replaceable> may be preceded with '!'
-                which matches all interfaces associated with the zone except
-                the one specified.</para>
              </listitem>
            </varlistentry>

@@ -1900,19 +1881,19 @@
          <simplelist>
            <member>[<emphasis role="bold">-</emphasis>|[{<emphasis
            role="bold">s</emphasis>|<emphasis
-            role="bold">d</emphasis>}[/<replaceable>vlsm</replaceable>]:[[<replaceable>name</replaceable>][(<replaceable>ht-buckets</replaceable>,<replaceable>ht-max</replaceable>)]:]<emphasis>rate</emphasis><emphasis
+            role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
            role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>

-            <member>[<replaceable>name</replaceable>1:]<emphasis>rate1</emphasis><emphasis
+            <member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
            role="bold">hour</emphasis>|<emphasis
-            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2:]<emphasis>rate2</emphasis><emphasis
+            role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
            role="bold">/</emphasis>{<emphasis
            role="bold">sec</emphasis>|<emphasis
            role="bold">min</emphasis>|<emphasis
@@ -1940,16 +1921,7 @@
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
          assumed. Where more than one rule or POLICY specifies the same name,
          the connections counts for the rules are aggregated and the
-          individual rates apply to the aggregated count. Beginning with
-          Shorewall 5.2.1, the <emphasis role="bold">s</emphasis> or <emphasis
-          role="bold">d</emphasis> may be followed by a slash ("/") and an
-          integer <replaceable>vlsm</replaceable>. When a
-          <replaceable>vlsm</replaceable> is specified, all source or
-          destination addresses encountered will be grouped according to the
-          given prefix length and the so-created subnet will be subject to the
-          rate limit.</para>
-
-          <para>Example: <emphasis role="bold">s/24::10/sec</emphasis></para>
+          individual rates apply to the aggregated count.</para>

          <para>Beginning with Shorewall 4.6.5, two<replaceable>
          limit</replaceable>s may be specified, separated by a comma. In this
@@ -1966,17 +1938,6 @@
          name for the hash table that tracks the per-destination
          limit.</para>

-          <para>Beginning with Shorewall 5.2.1, the table name, if any, may be
-          followed by two integers separated by commas and enclosed in
-          parentheses. The first integer
-          (<replaceable>ht-buckets</replaceable>) specifies the number of
-          buckets in the generated hash table. The second integer
-          (<replaceable>ht-max</replaceable>) specifies the maximum number of
-          entries in the hash table.</para>
-
-          <para>Example: <emphasis
-          role="bold">s:netfw(1024,65536):10/sec</emphasis></para>
-
          <para>This column was formerly labelled RATE LIMIT.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-tcdevices.xml
+++ b/Shorewall/manpages/shorewall-tcdevices.xml
@@ -112,7 +112,7 @@
          ppp interfaces, you need to put them all in here!</para>

          <para>If the device doesn't exist, a warning message will be issued
-          during "shorewall [re]start" and "shorewall reload" and traffic
+          during "shorewall [re]start" and "shorewall refresh" and traffic
          shaping configuration will be skipped for that device.</para>

          <para>Shorewall assigns a sequential <firstterm>interface
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -463,8 +463,7 @@

      <varlistentry>
        <term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis
-        role="bold">No</emphasis>|<option>recursive</option>|<replaceable>depth</replaceable>]</term>
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

        <listitem>
          <para>If set, the behavior of the <command>start</command>,
@@ -482,27 +481,6 @@
          <command>restart</command> command includes a directory name
          (e.g.,<command> shorewall restart
          /etc/shorewall.new</command>).</para>
-
-          <para>When AUTOMAKE=Yes, each directory in the CONFIG_PATH was
-          originally searched recursively for files newer than the compiled
-          script. That was changed in Shorewall 5.1.10.2 such that only the
-          listed directories themselves were searched. That broke some
-          configurations that played tricks with embedded SHELL such as
-          "<command>SHELL cat /etc/shorewall/rules.d/loc/*.rules".</command>
-          Prior to 5.1.10.2, a change to a file in or adding a file to
-          /etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning
-          with 5.1.10.2, such changes would not trigger recompilation.
-          Beginning with Shorewall 5.2.0, the pre-5.1.10.2 behavior can be
-          obtained by setting AUTOMAKE=recursive.</para>
-
-          <para>Also beginning with Shorewall 5.2.0, AUTOMAKE may be set to a
-          numeric <replaceable>depth</replaceable> which specifies how deeply
-          each listed directory is to be searched. AUTOMAKE=1 only searches
-          each directory itself and is equivalent to AUTOMAKE=Yes. AUTOMAKE=2
-          will search each directory and its immediate sub-directories;
-          AUTOMAKE=3 will search each diretory, each of its immediate
-          sub-directories, and each of their immediate sub-directories,
-          etc.</para>
        </listitem>
      </varlistentry>

@@ -1163,6 +1141,36 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">INLINE_MATCHES=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.0. Traditionally in <ulink
+          url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5), a
+          semicolon separates column-oriented specifications on the left from
+          <ulink url="/configuration_file_basics.htm#Pairs">alternative
+          specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
+          specified, the specifications on the right are interpreted as if
+          INLINE had been specified in the ACTION column. This also applies to
+          <ulink url="/manpages/shorewall-masq.html">shorewall-masq(5)</ulink>
+          and <ulink
+          url="/manpages/shorewall-mangle.html">shorewall-mangle(5</ulink>)
+          which also support INLINE. If not specified or if specified as the
+          empty value, the value 'No' is assumed for backward
+          compatibility.</para>
+
+          <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
+          set INLINE_MATCHES=Yes in order to be able to specify your own
+          iptables text in a rule and INLINE_MATCHES=Yes is deprecated.
+          Beginning with 5.0.0, you may simply preface your text with a pair
+          of semicolons (";;"). If alternate input is also specified in the
+          rule, it should appear before the semicolons and may be separated
+          from normal column input by a single semicolon or enclosed in curly
+          braces ("{....}").</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
@@ -1340,9 +1348,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
            running, you should remove the file
            <filename>/var/lib/shorewall/rt_tables</filename>
            (<filename>/var/lib/shorewall-lite/rt_tables</filename>) before
-            your next <command>stop</command>, <command>restore</command>,
-            <emphasis role="bold">reload</emphasis> or
-            <command>restart</command> command.</para>
+            your next <command>stop</command>, <command>refresh</command>,
+            <command>restore</command>, <emphasis
+            role="bold">reload</emphasis> or <command>restart</command>
+            command.</para>
          </blockquote>

          <para>IPv6:</para>
@@ -1356,9 +1365,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
            is running, you should remove the file
            <filename>/var/lib/shorewall6/rt_tables</filename>
            (<filename>/var/lib/shorewall6-lite/rt_tables</filename>) before
-            your next <command>stop</command>, <command>restore</command>,
-            <emphasis role="bold">reload</emphasis> or
-            <command>restart</command> command.</para>
+            your next <command>stop</command>, <command>refresh</command>,
+            <command>restore</command>, <emphasis
+            role="bold">reload</emphasis> or <command>restart</command>
+            command.</para>
          </blockquote>

          <important>
@@ -1440,24 +1450,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">LOG_ZONE=</emphasis>[<emphasis
-        role="bold"><option>src</option>|<option>dst</option>|<option>both</option></emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.2.0. When a log message is issued from a
-          chain that relates to a pair of zones (e.g, 'fw-net'), the chain
-          name normally appears in the log message (unless LOGTAGONLY=Yes and
-          a log tag is specified). This can prevent OPTIMIZE category 8 from
-          combining chains which are identical except for the names of the
-          zones involved. LOG_ZONE allows for only the source or destination
-          zone to appear in the messages by setting LOG_ZONE to
-          <option>src</option> or <option>dest</option> respectively. If
-          LOG_ZONE=<option>both</option> (the default), then the full chain
-          name is included in log messages.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis
        role="bold">LOG_LEVEL=</emphasis><emphasis>log-level</emphasis>[:<replaceable>log-tag</replaceable>]</term>
@@ -1817,6 +1809,19 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">MAPOLDACTIONS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>IPv4 only.</para>
+
+          <para>This option is included for compatibility with old Shorewall
+          configuration. New installs should always have
+          MAPOLDACTIONS=No.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2469,20 +2474,6 @@ INLINE          -       -       -       ;; -j REJECT
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis role="bold">RENAME_COMBINED=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 5.2.0. Traditionally, when OPTIMIZE
-          category 8 is enabled, identical chains are combined under a name
-          beginning with '~comb' or '~blacklist'. This behavior is maintained
-          under the default setting RENAME_COMBINED=Yes. If
-          RENAMED_COMBINED=No, the chains are combined under the original name
-          of one of the chains.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">REQUIRE_INTERFACE=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2782,6 +2773,7 @@ INLINE          -       -       -       ;; -j REJECT
          of each <emphasis role="bold">start</emphasis>, <emphasis
          role="bold">reload</emphasis>, <emphasis
          role="bold">restart</emphasis>, <emphasis
+          role="bold">refresh</emphasis>, <emphasis
          role="bold">try</emphasis>, and <emphasis
          role="bold">safe-</emphasis>* command. Logging verbosity is
          determined by the setting of LOG_VERBOSITY above.</para>
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -151,7 +151,7 @@ fi

 remove_file ${SBINDIR}/$PRODUCT

-if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
    FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
 elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
--- a/Shorewall6-lite/init.alt.sh
+++ b/Shorewall6-lite/init.alt.sh
@@ -1,117 +0,0 @@
-#!/bin/sh
-#
-# Shorewall6-Lite init script
-#
-# chkconfig: - 28 90
-# description: Packet filtering firewall
-#
-### BEGIN INIT INFO
-# Provides: shorewall6
-# Required-Start: $local_fs $remote_fs $syslog $network
-# Should-Start: $time $named
-# Required-Stop:
-# Default-Start: 3 4 5
-# Default-Stop:  0 1 2 6
-# Short-Description: Packet filtering firewall
-# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
-#              Netfilter (iptables) based firewall
-### END INIT INFO
-
-# Do not load RH compatibility interface.
-WITHOUT_RC_COMPAT=1
-
-# Source function library.
-. /etc/init.d/functions
-
-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-
-NAME="Shorewall6-Lite firewall"
-PROG="shorewall"
-SHOREWALL="$SBINDIR/$PROG -6l"
-LOGGER="logger -i -t $PROG"
-
-# Get startup options (override default)
-OPTIONS=
-
-SourceIfNotEmpty $SYSCONFDIR/${PROG}6-lite
-
-LOCKFILE="/var/lock/subsys/${PROG}6-lite"
-RETVAL=0
-
-start() {
-	action $"Applying $NAME rules:" "$SHOREWALL" "$OPTIONS" start "$STARTOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
-	return $RETVAL
-}
-
-stop() {
-	action $"Stoping $NAME :" "$SHOREWALL" "$OPTIONS" stop "$STOPOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
-	return $RETVAL
-}
-
-restart() {
-	action $"Restarting $NAME rules: " "$SHOREWALL" "$OPTIONS" restart "$RESTARTOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	return $RETVAL
-}
-
-reload() {
-	action $"Reloadinging $NAME rules: " "$SHOREWALL" "$OPTIONS" reload "$RELOADOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	return $RETVAL
-}
-
-clear() {
-	action $"Clearing $NAME rules: " "$SHOREWALL" "$OPTIONS" clear 2>&1 | "$LOGGER"
-	RETVAL=$?
-	return $RETVAL
-}
-
-# See how we were called.
-case "$1" in
-	start)
-	    start
-	    ;;
-	stop)
-	    stop
-	    ;;
-	restart)
-	    restart
-	    ;;
-	reload)
-	    reload
-	    ;;
-	clear)
-	    clear
-	    ;;
-	condrestart)
-	    if [ -e "$LOCKFILE" ]; then
-		restart
-	    fi
-	    ;;
-	condreload)
-	    if [ -e "$LOCKFILE" ]; then
-		restart
-	    fi
-	    ;;
-	condstop)
-	    if [ -e "$LOCKFILE" ]; then
-		stop
-	    fi
-	    ;;
-	status)
-	    "$SHOREWALL" status
-	     RETVAL=$?
-	    ;;
-	*)
-	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|clear|condrestart|condstop|status}"
-	    RETVAL=1
-esac
-
-exit $RETVAL
--- a/Shorewall6-lite/init.openwrt.sh
+++ b/Shorewall6-lite/init.openwrt.sh
@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2015 - Matt Darfeuille - (matdarf@gmail.com)
--- a/Shorewall6-lite/init.sh
+++ b/Shorewall6-lite/init.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
--- a/Shorewall6-lite/init.suse.sh
+++ b/Shorewall6-lite/init.suse.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	6033fcb40a	Be sure that mutex is released when exiting Signed-off-by: Tom Eastep <teastep@shorewall.net> # Conflicts: # Shorewall/lib.cli-std	2018-03-01 08:47:48 -08:00
Tom Eastep	4a5a6ee008	Correct typo - synparms -> synparams - Causes SYN limiting to be omitted in rare cases. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-21 11:53:39 -08:00
Tom Eastep	48241d62d5	Correct "Invalid Policy Action" error message Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-19 10:30:41 -08:00
Tom Eastep	1621251d04	Correct typo in add_common_rules() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-14 12:01:29 -08:00
Tom Eastep	27f3ad5ee5	Convert ';' to ';;' in INLINE and IP6?TABLES rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-10 13:25:45 -08:00
Tom Eastep	f816f9b3b2	More INLINE_MATCHES changes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-10 10:38:45 -08:00
Tom Eastep	b8196a932f	Add another INLINE_MATCHES warning for INLINE and IP[6]TABLES Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-02-10 09:04:06 -08:00