Correct 'show bl|blacklists' syntax

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Add target file(s) 5.2.8-base
2020-10-09 09:39:58 -07:00 · 2020-09-24 15:16:51 -07:00 · 2020-09-24 14:46:24 -07:00 · 2020-09-24 11:19:46 -07:00 · 2020-09-19 11:38:41 -07:00 · 2020-09-19 11:20:10 -07:00
54 changed files with 1911 additions and 822 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1 @@
+*targetname export-ignore
--- a/Shorewall-core/Shorewall-core-targetname
+++ b/Shorewall-core/Shorewall-core-targetname
@@ -1 +1 @@
-5.2.4.1
+5.2.8-RC1
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=50200
+SHOREWALL_CAPVERSION=50207

 if [ -z "$g_basedir" ]; then
    #
@@ -247,10 +247,39 @@ search_log() # $1 = IP address to search for
 #
 # Show traffic control information
 #
-show_tc1() {
+show_one_classifier() {
+    local class

+    qt tc -s filter ls root dev $1 && tc -s filter ls root dev $device | grep -v '^$'
+    tc filter show dev $1
+    tc class show dev $1 | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
+	if [ -n "$class" ]; then
+	    echo
+	    echo Node $class
+	    tc filter show dev $device parent $class
+	fi
+    done
+    echo
+}
+
+show_classifier1() {
+    local device
+    local qdisc
+
+    device=${1%@*}
+    qdisc=$(tc qdisc list dev $device)
+    if [ -n "$qdisc" ]; then
+	echo Device $device:
+	show_one_classifier $device
+    fi
+}
+
+show_tc1() {
    show_one_tc() {
 	local device
+	local qdisc
+	local ingress
+
 	device=${1%@*}
 	qdisc=$(tc qdisc list dev $device)

@@ -260,6 +289,7 @@ show_tc1() {
 	    echo
 	    tc -s -d class show dev $device
 	    echo
+	    show_one_classifier $device "$qdisc"
 	fi
    }

@@ -270,7 +300,6 @@ show_tc1() {
 	    show_one_tc ${interface%:}
 	done
    fi
-
 }

 show_tc() {
@@ -291,28 +320,8 @@ show_tc() {
 #
 show_classifiers() {

-    show_one_classifier() {
-	local device
-	device=${1%@*}
-	qdisc=$(tc qdisc list dev $device)
-
-	if [ -n "$qdisc" ]; then
-	    echo Device $device:
-	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
-	    tc filter show dev $device
-	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
-		if [ -n "$class" ]; then
-		    echo
-		    echo Node $class
-		    tc filter show dev $device parent $class
-		fi
-	    done
-	    echo
-	fi
-    }
-
    ip -o link list | while read inx interface details; do
-	show_one_classifier ${interface%:}
+	show_classifier1 ${interface%:}
    done

 }
@@ -937,11 +946,28 @@ show_events() {
    fi
 }

+sort_actions() {
+    local sep #separates sort keys from the action[.std] record
+    sep="##"
+
+    awk -v sep="$sep" \
+         'BEGIN		  { action = ""; ifrec = ""; nr = 0; };\
+	  /^#/	  	  { next; };\
+	  /^\?(if|IF|If)/ { ifrec = $0; nr = NR; next; };\
+	  /^( |\t|\?)/	  { if ( action != "" ) print action, NR, sep $0; next; };\
+			  { action = $1; };\
+	  nr != 0	  { print action , nr, sep ifrec; nr = 0; };\
+			  { print action , NR, sep $0; }' | sort -k 1,2 | sed "s/^.*${sep}//"
+}
+
 show_actions() {
-    if [ -f ${g_confdir}/actions ]; then
-	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
+    local actions
+    actions=$(find_file actions)
+
+    if [ -f ${actions} ]; then
+	cat ${actions} ${g_sharedir}/actions.std | sort_actions
    else
-	grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
+        sort_actions < ${g_sharedir}/actions.std
    fi
 }

@@ -1000,6 +1026,8 @@ show_mangle() {
 show_classifiers_command() {
    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
    echo
+    echo "Warning: This command is deprecated in favor of the 'show tc' command"
+    echo
    show_classifiers
 }

@@ -1108,10 +1136,6 @@ show_blacklists() {
    show_bl;
 }

-show_actions_sorted() {
-    show_actions | sort
-}
-
 show_macros() {
    for directory in $(split $CONFIG_PATH); do
 	temp=
@@ -1543,7 +1567,7 @@ show_command() {
 			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
-			    eval show_actions_sorted $g_pager
+			    eval show_actions $g_pager
 			    return
 			    ;;
 			macro)
@@ -1891,8 +1915,6 @@ do_dump_command() {
    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
 	show_tc1
-	heading "TC Filters"
-	show_classifiers
 	fi
 }

@@ -2651,6 +2673,7 @@ allow_command() {
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			allowed=Yes
+			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 		    fi
 		fi

@@ -2667,6 +2690,7 @@ allow_command() {
 	    *)
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
+			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 			allowed=Yes
 		    fi
 		fi
@@ -2863,6 +2887,7 @@ determine_capabilities() {
    NETMAP_TARGET=
    NFLOG_SIZE=
    RESTORE_WAIT_OPTION=
+    CONNMARK_ACTION=

    AMANDA_HELPER=
    FTP_HELPER=
@@ -3230,6 +3255,10 @@ determine_capabilities() {
 	    BASIC_FILTER=Yes
 	    $TC filter add basic help 2>&1 | egrep -q match && BASIC_EMATCH=Yes
 	fi
+
+	if $TC action add connmark help 2>&1 | grep -q ^Usage; then
+	    CONNMARK_ACTION=Yes
+	fi
    fi

    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
@@ -3373,6 +3402,7 @@ report_capabilities_unsorted() {
    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
    report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
+    report_capability "TC connmark support (CONNMARK_ACTION)" $CONNMARK_ACTION

    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3479,6 +3509,7 @@ report_capabilities_unsorted1() {
    report_capability1 NFLOG_SIZE
    report_capability1 RESTORE_WAIT_OPTION
    report_capability1 NAT_INPUT_CHAIN
+    report_capability1 CONNMARK_ACTION

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -3574,7 +3605,7 @@ status_command() {

    [ $# -eq 0 ] || missing_argument

-    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
+    [ $VERBOSITY -ge 1 ] && echo "${g_product} $SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
    show_status
    [ -n "$interfaces" ] && show_interfaces
    exit $status
@@ -3622,6 +3653,7 @@ reject_command() {

 blacklist_command() {
    local family
+    local timeout

    [ $# -gt 0 ] || fatal_error "Missing address"

@@ -3639,10 +3671,17 @@ blacklist_command() {
 	    ;;
    esac

-    if $IPSET -A $g_blacklistipset $@ -exist; then
+    if [ $COMMAND = 'blacklist!' ]; then
+	timeout='timeout 0'
+    else
+	echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"
+    fi
+
+    if $IPSET -A $g_blacklistipset $@ $timeout -exist; then
 	local message

 	progress_message2 "$1 Blacklisted"
+	[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Blacklisted"

 	if [ -n "$g_disconnect" ]; then
 	    message="$(conntrack -D -s $1 2>&1)"
@@ -3897,7 +3936,7 @@ setup_dbl() {
    case $DYNAMIC_BLACKLIST in
 	ipset*,src-dst*)
 	    #
-	    # This utility doesn't need to know about 'src-dst'
+	    # Capture 'src-dst'
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')

@@ -3905,11 +3944,49 @@ setup_dbl() {
 	    ;;
    esac

+    case $DYNAMIC_BLACKLIST in
+	ipset*,log*)
+	    #
+	    # Capture 'log'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,log//')
+
+	    g_dbllog=Yes
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,noupdate*)
+	    #
+	    # This utility doesn't use this option
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,noupdate//')
+	    ;;
+    esac
+
    case $DYNAMIC_BLACKLIST in
 	ipset*,timeout*)
 	    #
-	    # This utility doesn't need to know about 'timeout=nnn'
+	    # Capture timeout
 	    #
+	    local ifs
+	    local f
+
+	    ifs=$IFS
+	    IFS=','
+
+	    for f in $DYNAMIC_BLACKLIST; do
+		case $f in
+		    timeout=*)
+			g_dbltimeout=${f#timeout=}
+			g_dbltimeout=${g_dbltimeout%%:*}
+			break
+			;;
+		esac
+	    done
+
+	    IFS=$ifs
+
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
 	    ;;
    esac
@@ -3942,9 +4019,15 @@ setup_dbl() {
 # the Standard CLI by loading lib.cli-std
 ################################################################################
 #
-# Set the configuration variables from shorewall[6]-lite.conf.
+# Set the configuration variables from shorewall[6]-lite.conf. This function
+# is replaced by the one in lib.cli-std (Shorewall product) when Shorewall or
+# Shorewall6 is being run.
 #
-get_config() {
+#     $1 = Yes: read the params file
+#     $2 = Yes: check for STARTUP_ENABLED
+#     $3 = Yes: Check for LOGFILE
+#
+lite_get_config() {
    local config
    local lib

@@ -3964,7 +4047,7 @@ get_config() {

    ensure_config_path

-    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf

    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

@@ -4093,7 +4176,7 @@ get_config() {

 	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"

-	    g_pager="| $g_pager"
+	    g_pager="2>&1 | $g_pager"
 	fi
    fi

@@ -4106,10 +4189,22 @@ get_config() {
    [ -f $lib ] && . $lib

 }
+
+#
+# get_config() -- calls the appropriate xxx_get_config()
+#
+get_config() {
+    if [ -z "$g_lite" ]; then
+	std_get_config $@
+    else
+	lite_get_config $@
+    fi
+}
+
 #
 # Start Command Executor
 #
-start_command() {
+lite_start_command() {
    local finished
    finished=0

@@ -4127,7 +4222,7 @@ start_command() {
 	    rc=$?
 	else
 	    error_message "$g_firewall is missing or is not executable"
-	    mylogger kern.err "ERROR:$g_product start failed"
+	    mylogger daemon.err "ERROR:$g_product start failed"
 	    rc=6
 	fi

@@ -4196,10 +4291,21 @@ start_command() {
    do_it
 }

+#
+# start_command() -- calls the appropriate xxx_start_command()
+#
+start_command() {
+    if [ -z "$g_lite" ]; then
+	std_start_command $@
+    else
+	lite_start_command $@
+    fi
+}
+
 #
 # Reload/Restart Command Executor
 #
-restart_command() {
+lite_restart_command() {
    local finished
    finished=0
    local rc
@@ -4260,7 +4366,7 @@ restart_command() {
 	rc=$?
    else
 	error_message "$g_firewall is missing or is not executable"
-	mylogger kern.err "ERROR:$g_product $COMMAND failed"
+	mylogger daemon.err "ERROR:$g_product $COMMAND failed"
 	rc=6
    fi

@@ -4268,6 +4374,17 @@ restart_command() {
    return $rc
 }

+#
+# restart_command() -- calls the appropriate xxx_restart_command()
+#
+restart_command() {
+    if [ -z "$g_lite" ]; then
+	std_restart_command $@
+    else
+	lite_restart_command $@
+    fi
+}
+
 run_command() {
    if [ -x $g_firewall ] ; then
 	run_it $g_firewall $@
@@ -4298,9 +4415,9 @@ usage() # $1 = exit status
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
    echo "   blacklist <address> [ <option> ... ]"
-    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
+    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ -D ] [ <directory> ]"
    echo "   clear"
-    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
+    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ -D ] [ <directory name> ] [ <path name> ]"
    echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
@@ -4340,7 +4457,7 @@ usage() # $1 = exit status
    if [ -n "$g_lite" ]; then
 	echo "   reload [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
    else
-	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]"
    fi

    if [ -z "$g_lite" ]; then
@@ -4356,7 +4473,7 @@ usage() # $1 = exit status
    if [ -n "$g_lite" ]; then
 	echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
    else
-	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]"
    fi

    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
@@ -4371,12 +4488,11 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
-    echo "   [ show | list | ls ] classifiers"
+    echo "   [ show | list | ls ] {classifiers|filters)"
    echo "   [ show | list | ls ] config"
    echo "   [ show | list | ls ] connections"
    echo "   [ show | list | ls ] event [ <event> ...]"
    echo "   [ show | list | ls ] events"
-    echo "   [ show | list | ls ] filters"
    echo "   [ show | list | ls ] ip"

    if [ $g_family -eq 4 ]; then
@@ -4458,6 +4574,8 @@ shorewall_cli() {
    g_disconnect=
    g_havemutex=
    g_trace=
+    g_dbltimeout=
+    g_dbllog=

    VERBOSE=
    VERBOSITY=1
@@ -4635,7 +4753,7 @@ shorewall_cli() {
 	exit 1
    fi

-    banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
+    banner="${g_product} ${SHOREWALL_VERSION} Status at $g_hostname -"

    COMMAND=$1

@@ -4679,7 +4797,7 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
-	blacklist)
+	blacklist|blacklist!)
 	    only_root
 	    get_config Yes
 	    shift
@@ -4725,7 +4843,7 @@ shorewall_cli() {
 	logwatch)
 	    only_root
 	    get_config Yes Yes Yes
-	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
+	    banner="${g_product} $SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
@@ -4757,7 +4875,7 @@ shorewall_cli() {
 	    ;;
 	allow)
 	    only_root
-	    get_config
+	    get_config Yes
 	    allow_command $@
 	    ;;
 	add)
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -55,13 +55,13 @@ startup_error() # $* = Error Message

    case $COMMAND in
        start)
-	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac

--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -337,8 +337,15 @@ ensure_config_path() {
 	. $F
    fi

-    if [ -n "$g_shorewalldir" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+    if [ -n "$g_shorewalldir" ] && [ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ];then
+	case $CONFIG_PATH in
+	    :*)
+		CONFIG_PATH=${g_shorewalldir}${CONFIG_PATH}
+		;;
+	    *)
+		CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+		;;
+	esac
    fi
 }

--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -48,7 +48,7 @@

      <arg>options</arg>

-      <arg choice="plain"><option>blacklist</option></arg>
+      <arg choice="plain"><option>blacklist[!]</option></arg>

      <arg
      choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
@@ -981,7 +981,22 @@
              <td><command>shorewall -6</command> or <command>shorewall
              -6l</command></td>
            </tr>
+
+            <tr>
+              <td><command>shorewall</command></td>
+
+              <td><command>shorewall -l</command></td>
+            </tr>
          </table>
+
+          <para>Note that when Shorewall isn't installed, the 'shorewall'
+          command behaves like shorewall-lite. The same is not true with
+          respect to Shorewall6, "shorewall6" and 'shorewall6-lite". You can
+          make 'shorewall6' behave like 'shorewallt-lite' by adding the
+          following command to root's .profile file (or to .bashrc, if root's
+          shell is bash):</para>
+
+          <programlisting>    alias shorewall6=shorewall6-lite</programlisting>
        </listitem>
      </varlistentry>

@@ -1151,7 +1166,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">blacklist</emphasis>
+        <term><emphasis role="bold">blacklist[!]</emphasis>
        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
        ... ]</term>

@@ -1165,7 +1180,17 @@
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
          <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
-          add</command> command.</para>
+          add</command> command. Probably the most useful
+          <replaceable>option</replaceable> is the <option>timeout</option>
+          option. For example, to permanently blacklist 192.0.2.22, the
+          command would be:</para>
+
+          <programlisting>    shorewall blacklist 192.0.2.22 timeout 0</programlisting>
+
+          <para>Beginning with Shorewall 5.2.5, the above command can be
+          shortened to:</para>
+
+          <programlisting>    shorewall blacklist! 192.0.2.22</programlisting>

          <para>If the <option>disconnect</option> option is specified in the
          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
@@ -2108,10 +2133,6 @@
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
-
-          <para>The <emphasis role="bold">-D </emphasis>option was added in
-          Shoewall 5.2.4 and causes the compiler to write a large amount of
-          debugging information to standard output.</para>
        </listitem>
      </varlistentry>

@@ -2452,8 +2473,8 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis>
-              [-<option>x</option>]</term>
+              <term><emphasis role="bold">[-<option>x</option>]
+              bl|blacklists</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -2521,7 +2542,9 @@
              <listitem>
                <para>Displays information about the packet classifiers
                defined on the system as a result of traffic shaping
-                configuration.</para>
+                configuration. Beginning with Shorewall 5.2.8, this command is
+                deprecated, as its output is included in the information
+                displayed by the 'show tc' command.</para>
              </listitem>
            </varlistentry>

@@ -2891,25 +2914,18 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">stop</emphasis>
-        [-<option>f</option>]</term>
+        <term><emphasis role="bold">stop</emphasis></term>

        <listitem>
          <para>Stops the firewall. All existing connections, except those
          listed in <ulink
-          url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
          or permitted by the ADMINISABSENTMINDED option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), are
-          taken down. The only new traffic permitted through the firewall is
-          from systems listed in <ulink
-          url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> The only
+          new traffic permitted through the firewall is from systems listed in
+          <ulink
+          url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
          or by ADMINISABSENTMINDED.</para>
-
-          <para>If <option>-f</option> is given, the command will be processed
-          by the compiled script that executed the last successful <emphasis
-          role="bold">start</emphasis>, <emphasis
-          role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -134,6 +134,7 @@ fi

 remove_directory ${SHAREDIR}/shorewall
 remove_file ~/.shorewallrc
+remove_file ${SBINDIR}/shorewall

 #
 # Report Success
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -127,6 +127,17 @@ esac
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null

 for PRODUCT in $PRODUCTS; do
+    if [ -n "$ADDRFAM" -a ${COMMAND} = up ]; then
+	case $PRODUCT in
+	    *6*)
+		[ ${ADDRFAM} = inet6 ] || continue
+		;;
+	    *)
+		[ ${ADDRFAM} = inet ] || continue
+		;;
+	esac
+    fi
+
    setstatedir

    if [ -x $VARLIB/$PRODUCT/firewall ]; then
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -169,7 +169,7 @@ if [ -z "$BUILD" ]; then
 	    ;;
 	*)
 	    if [ -f /etc/os-release ]; then
-		eval $(cat /etc/os-release | grep ^ID=)
+		ID=$(grep '^ID=' /etc/os-release | sed 's/ID=//; s/"//g;')

 		case $ID in
 		    fedora|rhel|centos|foobar)
@@ -357,12 +357,11 @@ fi
 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
 	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
    elif [ $configure -eq 0 ]; then
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
+	make_parent_directory ${CONFDIR}/network/if-up.d 0755
+	make_parent_directory ${CONFDIR}/network/if-post-down.d 0755
+	rm -f ${CONFDIR}/network/if-down.d/shorewall
    fi

    if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
@@ -388,7 +387,7 @@ else
 	    elif [ $HOST = openwrt ]; then
 		# Not implemented on OpenWRT
 		/bin/true
-	    else
+	    elif [ "$HOST" != debian ]; then
 		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
 	    fi
 	fi
@@ -417,19 +416,22 @@ if [ $HOST != openwrt ]; then
 fi

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
+    if [ "$HOST" = debian ]; then
+	rm -f ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall
+    else
 	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
 	install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
+    fi
 fi

 case $HOST in
    debian)
 	if [ $configure -eq 1 ]; then
 	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	    rm -f ${DESTDIR}/etc/network/if-down.d/shorewall
 	else
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
 	fi
 	;;
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -25,6 +25,7 @@
 #
 ###############################################################################
 # set the STATEDIR variable
+
 setstatedir() {
    local statedir
    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
@@ -42,29 +43,18 @@ setstatedir() {
    fi
 }

-#
-# This is modified by the installer when ${SHAREDIR} <> /usr/share
-#
-. /usr/share/shorewall/shorewallrc
+# Initialize the firewalls

-# check if shorewall-init is configured or not
-if [ -f "$SYSCONFDIR/shorewall-init" ]; then
-    . $SYSCONFDIR/shorewall-init
-    if [ -z "$PRODUCTS" ]; then
-	echo "ERROR: No products configured" >&2
-	exit 1
-    fi
-else
-    echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
-    exit 1
-fi
-
-# Initialize the firewall
-shorewall_start () {
+shorewall_init_start () {
    local PRODUCT
    local STATEDIR

    printf "Initializing \"Shorewall-based firewalls\": "
+
+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi
+
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    #
@@ -78,19 +68,17 @@ shorewall_start () {
 	fi
    done

-    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-	ipset -R < "$SAVE_IPSETS"
-    fi
-
    return 0
 }

-# Clear the firewall
-shorewall_stop () {
+# Clear the firewalls
+
+shorewall_init_stop () {
    local PRODUCT
    local STATEDIR

    printf "Clearing \"Shorewall-based firewalls\": "
+
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    #
@@ -116,12 +104,29 @@ shorewall_stop () {
    return 0
 }

+#
+# This is modified by the installer when ${SHAREDIR} <> /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+# check if shorewall-init is configured or not
+if [ -f "$SYSCONFDIR/shorewall-init" ]; then
+    . $SYSCONFDIR/shorewall-init
+    if [ -z "$PRODUCTS" ]; then
+	echo "ERROR: No products configured" >&2
+	exit 1
+    fi
+else
+    echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
+    exit 1
+fi
+
 case "$1" in
    start)
-	shorewall_start
+	shorewall_init_start
 	;;
    stop)
-	shorewall_stop
+	shorewall_init_stop
 	;;
    *)
 	echo "Usage: $0 {start|stop}"
--- a/Shorewall/Macros/macro.NFS
+++ b/Shorewall/Macros/macro.NFS
@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.NFS
+#
+# This macro handles NFS v4.1+ traffic with default ports.
+# You should only allow NFS traffic between hosts you fully trust.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	111		# portmapper, rpcbind
+PARAM	-	-	tcp	2049		# nfs
+PARAM	-	-	tcp	20048		# mountd
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -320,6 +320,7 @@ our $VERSION = 'MODULEVERSION';
 #    %chain_table { <table> => { <chain1>  => { name         => <chain name>
 #                                               table        => <table name>
 #                                               is_policy    => undef|1 -- if 1, this is a policy chain
+#                                               wild         => undef|1 -- If 1, source or dest is 'all'. Only applies to policy chains
 #                                               provisional  => undef|1 -- See below.
 #                                               referenced   => undef|1 -- If 1, will be written to the iptables-restore-input.
 #                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
@@ -726,6 +727,7 @@ our %opttype = ( rule          => CONTROL,
 		 'icmpv6-type' => UNIQUE,

 		 comment       => CONTROL,
+		 digest        => CONTROL,

 		 policy        => MATCH,
 		 state         => EXCLUSIVE,
@@ -892,7 +894,7 @@ sub validate_port( $$ ) {

    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;

-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])";
 }

 #
@@ -3521,6 +3523,33 @@ sub irule_to_string( $ ) {
    $string;
 }

+#
+# This one omits the comment
+#
+sub irule_to_string1( $ ) {
+    my ( $ruleref ) = @_;
+
+    return $ruleref->{cmd} if exists $ruleref->{cmd};
+
+    my $string = '';
+
+    for ( grep ! ( get_opttype( $_, 0 ) & ( CONTROL | TARGET ) ), @{$ruleref->{matches}}) {
+	my $value = $ruleref->{$_};
+	if ( reftype $value ) {
+	    $string .= "$_=" . join( ',', @$value ) . ' ';
+	} else {
+	    $string .= "$_=$value ";
+	}
+    }
+
+    if ( $ruleref->{target} ) {
+	$string .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
+	$string .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
+    }
+
+    $string;
+}
+
 sub calculate_digest( $ ) {
    my $chainref = shift;
    my $rules = '';
@@ -4051,7 +4080,7 @@ sub optimize_level8( $$$ ) {

 		    if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
 			#
-			# For simple use of the BLACKLIST section, we can end up with many identical
+			# For simple use of the blrules file, we can end up with many identical
 			# chains. To distinguish them from other renamed chains, we keep track of
 			# these chains via the 'blacklistsection' member.
 			#
@@ -4190,10 +4219,10 @@ sub get_multi_sports( $ ) {
 }

 #
-# Return an array of keys for the passed rule. 'dport', 'comment', and 'origin' are omitted;
+# Return an array of keys for the passed rule. 'dport', 'comment', 'origin' and 'digest' are omitted;
 #
 sub get_keys( $ ) {
-    my %skip = ( dport => 1, comment => 1, origin => 1 );
+    my %skip = ( dport => 1, comment => 1, origin => 1, digest => 1 );

    sort grep ! $skip{$_},  keys %{$_[0]};
 }
@@ -4374,51 +4403,42 @@ sub delete_duplicates {
    my @rules;
    my $chainref  = shift;
    my $lastrule  = @_;
-    my $baseref   = pop;
    my $ruleref;
    my %skip = ( comment => 1, origin => 1 );

+    for ( @_ ) {
+	$_->{digest} = sha1_hex irule_to_string1( $_ );
+    }
+
+    my $baseref   = pop;
+
    while ( @_ ) {
 	my $docheck;
 	my $duplicate = 0;

 	if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
 	    my $ports1;
-	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
+	    my $bad_key;
 	    my $rulenum  = @_;
 	    my $adjacent = 1;
+	    my $digest   = $baseref->{digest};

-	    {
-	      RULE:
+	    for ( grep ! $skip{$_}, keys( %$baseref ) ) {
+		$bad_key = 1, last if $bad_match{$_};
+	    }

 	    while ( --$rulenum >= 0 ) {
 		$ruleref = $_[$rulenum];

 		last unless $ruleref->{mode} == CAT_MODE;

-		    my @keys2 = sort(grep ! $skip{$_}, keys( %$ruleref ) );
+		next unless $digest eq $ruleref->{digest};

-		    next unless @keys1 == @keys2 ;
-
-		    my $keynum = 0;
-
-		    if ( $adjacent > 0 ) {
-			#
-			# There are no non-duplicate rules between this rule and the base rule
-			#
-			for my $key (  @keys1 ) {
-			    next RULE unless $key eq $keys2[$keynum++];
-			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
-			}
-		    } else {
+		unless ( $adjacent > 0 ) {
 		    #
 		    # There are non-duplicate rules between this rule and the base rule
 		    #
-			for my $key ( @keys1 ) {
-			    next RULE unless $key eq $keys2[$keynum++];
-			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
-			    last RULE if $bad_match{$key};
-			}
+		    last if $bad_key;
 		}
 		#
 		# This rule is a duplicate
@@ -4433,7 +4453,6 @@ sub delete_duplicates {
 		$adjacent--;
 	    }
 	}
-	}

 	if ( $duplicate ) {
 	    trace( $chainref, 'D', $lastrule, $baseref ) if $debug;
@@ -4468,10 +4487,10 @@ sub get_conntrack( $ ) {
 }

 #
-# Return an array of keys for the passed rule. 'conntrack',  'comment' & 'origin' are omitted;
+# Return an array of keys for the passed rule. 'conntrack',  'comment', 'origin' and 'digest' are omitted;
 #
 sub get_keys1( $ ) {
-    my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
+    my %skip = ( comment => 1, origin => 1 , digest => 1, 'conntrack --ctstate' => 1 );

    sort grep ! $skip{$_},  keys %{$_[0]};
 }
@@ -7459,9 +7478,9 @@ sub have_address_variables() {
 #
 # Generate setting of run-time global shell variables
 #
-sub set_global_variables( $$ ) {
+sub set_global_variables( $$$ ) {

-    my ( $setall, $conditional ) = @_;
+    my ( $setall, $conditional, $call_generate_all_acasts ) = @_;

    if ( $conditional ) {
 	my ( $interface, @interfaces );
@@ -7494,16 +7513,17 @@ sub set_global_variables( $$ ) {
    }

    if ( $setall ) {
+	if ( $conditional ) {
 	    emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
 	    emit $interfacenets{$_}         for sortkeysiftest %interfacenets;
+	}

 	unless ( have_capability( 'ADDRTYPE' ) ) {
-
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
 		emit $interfacebcasts{$_} for sortkeysiftest %interfacebcasts;
 	    } else {
-		emit 'ALL_ACASTS="$(get_all_acasts)"';
+		emit $call_generate_all_acasts;
 		emit $interfaceacasts{$_} for sortkeysiftest %interfaceacasts;
 	    }
 	}
@@ -8872,7 +8892,7 @@ sub ensure_ipsets( @ ) {
    my $set;
    my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';

-    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
+    if ( $_[0] eq $globals{DBL_IPSET} ) {
 	shift;

 	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
@@ -8883,12 +8903,12 @@ sub ensure_ipsets( @ ) {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout 0${counters}) );
 	} else {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout 0${counters}) );
 	}

 	pop_indent;
@@ -9065,10 +9085,14 @@ sub create_load_ipsets() {
 	    # Requires V5 or later
 	    #
 	    emit( '' ,
-		  "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
+		  '    if  [ -f ${VARDIR}/ipsets.save ]; then' ,
+		  '        while read verb set rest; do' ,
+		  '            if [ $verb = create ]; then' ,
 		  '                $IPSET flush $set' ,
 		  '                $IPSET destroy $set' ,
-		  "    done" ,
+		  '            fi' ,
+		  '        done < ${VARDIR}/ipsets.save' ,
+		  '    fi',
 		);
 	} else {
 	    #
@@ -9111,7 +9135,7 @@ sub create_load_ipsets() {
 		emit( '        #',
 		      '        # Update the dynamic blacklisting ipset timeout value',
 		      '        #',
-		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
+		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout 0" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
 		      '        zap_ipsets',
 		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
 		      '    fi' );
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -276,12 +276,18 @@ sub generate_script_2() {

    emit "}\n"; # End of initialize()

+    #
+    # Conditionally emit the 'generate_all_acasts() function
+    #
+    my $call_generate_all_acasts = $family == F_IPV6 && ! have_capability( 'ADDRTYPE' ) ? generate_all_acasts : '';
+
    emit( '' ,
 	  '#' ,
 	  '# Set global variables holding detected IP information' ,
 	  '#' ,
 	  'detect_configuration()',
-	  '{' );
+	  '{'
+	);

    my $global_variables    = have_global_variables;
    my $optional_interfaces = find_interfaces_by_option( 'optional' );
@@ -312,7 +318,7 @@ sub generate_script_2() {

 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 		verify_required_interfaces(0);
-		set_global_variables(0, 0);
+		set_global_variables( $family == F_IPV6, 0, $call_generate_all_acasts );
 		handle_optional_interfaces;
 	    }

@@ -326,7 +332,7 @@ sub generate_script_2() {
 	}

 	verify_required_interfaces(1);
-	set_global_variables(1,1);
+	set_global_variables(1, 1, $call_generate_all_acasts );
 	handle_optional_interfaces;

 	if ( $global_variables & NOT_RESTORE ) {
@@ -543,13 +549,13 @@ date > ${VARDIR}/restarted

 case $COMMAND in
    start)
-        mylogger kern.info "$g_product started"
+        mylogger daemon.info "$g_product started"
        ;;
    reload)
-        mylogger kern.info "$g_product reloaded"
+        mylogger daemon.info "$g_product reloaded"
        ;;
    restore)
-        mylogger kern.info "$g_product restored"
+        mylogger daemon.info "$g_product restored"
        ;;
 esac
 EOF
@@ -858,13 +864,13 @@ sub compiler {
 	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
+	    # Optimize the ruleet
+	    #
+	    optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
-	    #
-	    # More Optimization
-	    #
-	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
+	    optimize_policy_chains if $optimize & OPTIMIZE_POLICY_MASK;
 	}

 	enable_script;
@@ -928,16 +934,16 @@ sub compiler {

 	    optimize_level0;

-	    if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1e ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
-		# Optimize Policy Chains
-		#
-		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
-		#
 		# Ruleset Optimization
 		#
 		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+		#
+		# Optimize Policy Chains
+		#
+		optimize_policy_chains if $optimize & OPTIMIZE_POLICY_MASK;
 	    }

 	    enable_script if $debug;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -311,7 +311,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script

 				       OPTIMIZE_MASK
 				       OPTIMIZE_POLICY_MASK
-				       OPTIMIZE_POLICY_MASK2n4
 				       OPTIMIZE_RULESET_MASK
 				       OPTIMIZE_ALL
 				     ) , ] ,
@@ -503,6 +502,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 RESTORE_WAIT_OPTION
 				 => 'iptables-restore --wait option',
                 NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
+		 CONNMARK_ACTION => 'TC connmark support',
 		 #
 		 # Helpers
 		 #
@@ -555,7 +555,6 @@ use constant {
 #
 use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
-	       OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
 	       OPTIMIZE_RULESET_MASK   => 0x1C , # Call optimize_ruleset()
               OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
@@ -657,6 +656,30 @@ our %params;
 #
 our %compiler_params;
 #
+# Entries conditionally exported to the compiled script via the aux config file
+#
+our @exported_params = ( qw(
+			 VERBOSITY
+			 LOGFILE
+			 LOGFORMAT
+			 APRTABLES
+			 IPTABLES
+			 IP6TABLES
+			 IP
+			 TC
+			 IPSET
+			 PATH
+			 SHOREWALL_SHELL
+			 SHELL
+			 SUBSYSLOCK
+			 LOCKFILE
+			 RESTOREFILE
+			 RESTART
+			 DYNAMIC_BLACKLIST
+			 PAGER
+			 )
+    );
+#
 # Action parameters
 #
 our %actparams;
@@ -861,8 +884,8 @@ sub initialize($;$$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => '5.2.4.1',
-		    CAPVERSION              => 50200 ,
+		    VERSION                 => '5.2.8-RC1',
+		    CAPVERSION              => 50207 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -1156,6 +1179,7 @@ sub initialize($;$$$$) {
 	       NFLOG_SIZE => undef,
 	       RESTORE_WAIT_OPTION => undef,
 	       NAT_INPUT_CHAIN => undef,
+	       CONNMARK_ACTION => undef ,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -4391,7 +4415,9 @@ sub validate_level( $;$ ) {
 sub default_log_level( $$ ) {
    my ( $level, $default ) = @_;

-    my $value = $config{$level};
+    my $value = $config{$level} || '';
+
+    $value = $config{LOG_LEVEL} if $value eq '$LOG_LEVEL';  #This can happen during update

    unless ( supplied $value ) {
 	$config{$level} = validate_level $default, $level;
@@ -5028,6 +5054,10 @@ sub Basic_Filter() {
    $tc && system( "$tc filter add basic help 2>&1 | grep -q ^Usage" ) == 0;
 }

+sub Connmark_Action() {
+    $tc && system( "$tc action add connmark help 2>&1 | grep -q ^Usage" ) == 0;
+}
+
 sub Basic_Ematch() {
    $tc && have_capability( 'BASIC_FILTER' ) && system( "$tc filter add basic help 2>&1 | egrep -q match" ) == 0;
 }
@@ -5157,6 +5187,7 @@ our %detect_capability =
      COMMENTS => \&Comments,
      CONNLIMIT_MATCH => \&Connlimit_Match,
      CONNMARK => \&Connmark,
+      CONNMARK_ACTION => \&Connmark_Action,
      CONNMARK_MATCH => \&Connmark_Match,
      CONNTRACK_MATCH => \&Conntrack_Match,
      CPU_FANOUT => \&Cpu_Fanout,
@@ -5350,17 +5381,12 @@ sub ensure_config_path() {

    my $chop = ( $path =~ s/^:// );

+    $path =~ s/:+/:/g;
+
    @config_path = split /:/, $path;

    shift @config_path if $chop && ( $export || $> != 0 );

-    #
-    # To accomodate Cygwin-based compilation, we have separate directories for files whose names
-    # clash on a case-insensitive filesystem.
-    #
-    push @config_path, $globals{SHAREDIR}    . "/deprecated";
-    push @config_path, $shorewallrc{SHAREDIR}. '/shorewall/deprecated' unless $globals{PRODUCT} eq 'shorewall';
-
    for ( @config_path ) {
 	$_ .= '/' unless m|/$|;
        s|//|/|g;
@@ -5504,6 +5530,8 @@ sub update_config_file( $ ) {
    for ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT/ ) {
 	my $policy = $config{ $_ };

+	$policy = '' unless defined $policy;
+
 	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
 	    if ( $family == F_IPV4 ) {
 		$policy =~ s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
@@ -5655,6 +5683,11 @@ sub process_shorewall_conf( $$ ) {
 	$globals{CONFIGDIR} =  $configfile = $file;
 	$globals{CONFIGDIR} =~ s/$product.conf//;

+	if ( $export ) {
+	    use Sys::Hostname;
+	    $globals{CONFIGDIR} = join( ':', hostname, $globals{CONFIGDIR} );
+	}
+
 	if ( -r _ ) {
 	    open_file $file;

@@ -6293,6 +6326,14 @@ sub get_configuration( $$$ ) {
    process_shorewall_conf( $update, $annotate );

    ensure_config_path;
+    #
+    # To accomodate Cygwin-based compilation, we have separate directories for files whose names
+    # clash on a case-insensitive filesystem.
+    #
+    push @config_path, $globals{SHAREDIR}    . "/deprecated/" unless $config_path[-1] eq $globals{SHAREDIR} . "/deprecated/";
+    push @config_path, $shorewallrc{SHAREDIR}. '/shorewall/deprecated/' unless $globals{PRODUCT} eq 'shorewall';
+
+    $config{CONFIG_PATH} = join( ':', @config_path );

    @INC = @originalinc;

@@ -6671,7 +6712,7 @@ sub get_configuration( $$$ ) {

    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
-	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
+	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1, 'log' => 1, 'noupdate' => 1, );

 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );

@@ -6810,6 +6851,12 @@ sub get_configuration( $$$ ) {

    require_capability 'AUDIT_TARGET', "SMURF_DISPOSITION=$val", 's' if $val =~ /^A_/;

+    if ( supplied( $val = $config{LOG_LEVEL} ) ) {
+	validate_level( $val );
+    } else {
+	$config{LOG_LEVEL} = 'info';
+    }
+
    default_log_level 'BLACKLIST_LOG_LEVEL',  '';
    default_log_level 'MACLIST_LOG_LEVEL',    '';
    default_log_level 'TCP_FLAGS_LOG_LEVEL',  '';
@@ -6818,12 +6865,6 @@ sub get_configuration( $$$ ) {
    default_log_level 'INVALID_LOG_LEVEL',    '';
    default_log_level 'UNTRACKED_LOG_LEVEL',  '';

-    if ( supplied( $val = $config{LOG_LEVEL} ) ) {
-	validate_level( $val );
-    } else {
-	$config{LOG_LEVEL} = 'info';
-    }
-
    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
@@ -7196,8 +7237,8 @@ sub generate_aux_config() {

    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";

-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
-	conditionally_add_option $option;
+    for my $param ( @exported_params ) {
+	conditionally_add_option $param;
    }

    conditionally_add_option1 'TC_ENABLED';
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -735,6 +735,7 @@ sub add_common_rules ( $ ) {
    my $dbl_tag;
    my $dbl_src_target;
    my $dbl_dst_target;
+    my $dbl_options;

    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -796,9 +797,10 @@ sub add_common_rules ( $ ) {

 	if ( $dbl_ipset ) {
 	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+		$dbl_options    = $globals{DBL_OPTIONS};
+		$dbl_src_target = $dbl_options =~ /src-dst/ ? 'dbl_src' : 'dbl_log';

-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target );

 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -809,11 +811,11 @@ sub add_common_rules ( $ ) {
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ) unless $dbl_options =~ /noupdate/;
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );

 		if ( $dbl_src_target eq 'dbl_src' ) {
-		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+		    $chainref = new_standard_chain( $dbl_dst_target = 'dbl_dst' );

 		    log_rule_limit( $dbl_level,
 				    $chainref,
@@ -830,7 +832,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' );

 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -2286,12 +2288,15 @@ sub generate_matrix() {
    #
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
+
+	unless ( $zoneref->{type} == LOCAL ) {
 	    if ( @zones > 2 || $zoneref->{complex} ) {
 		handle_complex_zone( $zone, $zoneref );
 	    } else {
 		new_standard_chain zone_forward_chain( $zone ) if @zones > 1;
 	    }
 	}
+    }
    #
    # Main source-zone matrix-generation loop
    #
@@ -2580,13 +2585,13 @@ EOF
    emit <<'EOF';
            case $COMMAND in
 	        start)
-	            mylogger kern.err "ERROR:$g_product start failed"
+	            mylogger daemon.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            mylogger kern.err "ERROR:$g_product reload failed"
+	            mylogger daemon.err "ERROR:$g_product reload failed"
 	            ;;
                enable)
-                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    mylogger daemon.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
            esac

@@ -2809,7 +2814,7 @@ EOF
    emit '

    set_state "Stopped"
-    mylogger kern.info "$g_product Stopped"
+    mylogger daemon.info "$g_product Stopped"

    case $COMMAND in
    stop|clear)
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -2069,7 +2069,7 @@ sub compile_updown() {
 	      q(        COMMAND=enable) ,
 	      q(        detect_configuration $1),
 	      q(        enable_provider $1),
-	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
+	      q(    else),
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
 	      q(        detect_configuration $1),
@@ -2110,7 +2110,7 @@ sub compile_updown() {
 	emit( '        progress_message3 "$g_product attempting $COMMAND"',
 	      '        detect_configuration',
 	      '        define_firewall',
-	      '    elif [ "$PHASE" != pre-down ]; then # Not Debian pre-down phase'
+	      '    else' ,
 	    );

 	push_indent;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -443,6 +443,7 @@ sub convert_to_policy_chain($$$$$$)
    my ($chainref, $source, $dest, $policy, $provisional, $audit ) = @_;

    $chainref->{is_policy}   = 1;
+    $chainref->{wild}        = $source eq 'all' || $dest eq 'all';
    $chainref->{policy}      = $policy;
    $chainref->{provisional} = $provisional;
    $chainref->{audit}       = $audit;
@@ -660,7 +661,7 @@ sub handle_nfqueue( $ ) {

    if ( supplied $queue2 ) {
 	require_capability 'CPU_FANOUT', '"c"', 's' if $fanout;
-	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
+	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}${fanout}";
    } else {
 	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
    }
@@ -1000,6 +1001,24 @@ sub determine_action_protocol( $$ ) {
    $proto;
 }

+sub determine_action_dport( $$$ ) {
+    my ( $action, $proto, $dport ) = @_;
+
+    if ( my $actiondport = $actions{$action}{dport} ) {
+	if ( $dport eq '-' ) {
+	    $dport = $actiondport;
+	} else {
+	    fatal_error( "The $action action is only usable with destination port $actiondport" ) if $dport =~ /[,]/;
+	    if ( ( my $portnum = validate_port( $proto, $dport ) ) ne '-' ) {
+		fatal_error( "The $action action is only usable with destination port $actiondport"  ) unless $actiondport = $portnum;
+		$dport = $portnum;
+	    }
+	}
+    }
+
+    $dport;
+}
+
 sub add_policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;

@@ -1014,7 +1033,11 @@ sub add_policy_rules( $$$$$ ) {
 		# Policy action is a regular action -- jump to the action chain
 		#
 		if ( ( my $proto = determine_action_protocol( $action, '-' ) ) ne '-' ) {
+		    if ( my $dport = determine_action_dport( $action, $proto, '' ) ) {
+			add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto, dport => $dport );
+		    } else {
 			add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
+		    }
 		} else {
 		    add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
 		}
@@ -1147,7 +1170,7 @@ sub complete_policy_chains() {
 		}
 	    }

-	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
+	    if ( $chainref->{wild} ) {
 		add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
 	    }
 	}
@@ -1252,6 +1275,7 @@ sub finish_chain_section ($$$) {
 	$state )            = @_;
    my $chain               = $chainref->{name};
    my $save_comment        = push_comment;
+    my $wild                = $chainref->{wild} && ! $config{EXPAND_RULES};
    my %state;

    $state{$_} = 1 for split ',', $state;
@@ -1262,6 +1286,7 @@ sub finish_chain_section ($$$) {

    $chain1ref->{sections}{$_} = 1 for keys %state;

+    unless ( $wild ) {
 	for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
 	    if ( $state{$_} ) {
 		my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
@@ -1331,6 +1356,7 @@ sub finish_chain_section ($$$) {

 	    add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
 	}
+    }

    if ($sections{NEW} ) {
 	if ( $chain1ref->{is_policy} ) {
@@ -1497,13 +1523,13 @@ sub external_name( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$$$$$ ) {
+sub new_action( $$$$$$$ ) {

-    my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;
+    my ( $action , $type, $options , $actionfile , $state, $proto, $dport ) = @_;

    fatal_error "Reserved action name ($action)" if reserved_name( $action );

-    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };
+    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto, dport => $dport };

    $targets{$action} = $type;
 }
@@ -1774,7 +1800,7 @@ sub isolate_basic_target( $ ) {

 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
-sub process_snat1( $$$$$$$$$$$$ );
+sub process_snat1( $$$$$$$$$$$$$ );
 sub perl_action_helper( $$;$$ );

 #
@@ -1968,13 +1994,17 @@ sub process_action(\$\$$) {
 		set_inline_matches( $matches );
 	    }
 	} else {
-	    my ( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
+	    my ( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability);
+
+	    if ( $file_format == 1 ) {
+		( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
 		    split_line2( 'snat file',
 				 { action =>0,
 				   source => 1,
 				   dest => 2,
 				   proto => 3,
 				   port => 4,
+				   dport => 4,
 				   ipsec => 5,
 				   mark => 6,
 				   user => 7,
@@ -1985,6 +2015,28 @@ sub process_action(\$\$$) {
 				 {},
 				 11,
 				 1 );
+		$sport = '-';
+	    } else {
+		( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability) =
+		    split_line2( 'snat file',
+				 { action =>0,
+				   source => 1,
+				   dest => 2,
+				   proto => 3,
+				   port => 4,
+				   dport => 4,
+				   sport => 5,
+				   ipsec => 6,
+				   mark => 7,
+				   user => 8,
+				   switch => 9,
+				   origdest => 10,
+				   probability => 11,
+				 },
+				 {},
+				 12,
+				 1 );
+	    }

 	    fatal_error 'ACTION must be specified' if $action eq '-';

@@ -2000,6 +2052,7 @@ sub process_action(\$\$$) {
 			       $dest,
 			       $proto,
 			       $port,
+			       $sport,
 			       $ipsec,
 			       $mark,
 			       $user,
@@ -2098,6 +2151,7 @@ sub process_actions() {

 	    my $state = '';
 	    my $proto = 0;
+	    my $dport = 0;

 	    if ( $action =~ /:/ ) {
 		warning_message 'Policy Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -2117,6 +2171,10 @@ sub process_actions() {
 		    } elsif ( /^proto=(.+)$/ ) {
 			fatal_error "Unknown Protocol ($1)" unless defined( $proto = resolve_proto( $1 ) );
 			fatal_error "A protocol may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
+		    } elsif ( /^dport=(.+)$/ ) {
+			fatal_error "The 'dport' option requires the 'proto' option" unless $proto;
+			$dport = validate_port($proto, $1);
+			fatal_error "A destination port may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
 		    } else {
 			fatal_error "Invalid option ($_)" unless $options{$_};
 			$opts |= $options{$_};
@@ -2138,10 +2196,12 @@ sub process_actions() {
 		    }

 		    $proto = $actions{$action}{proto} unless $proto;
+		    $dport = $actions{$action}{dport} unless $dport;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} elsif ( ( $actiontype & INLINE ) && ( $type == ACTION ) && $opts & NOINLINE_OPT ) {
 		    $proto = $actions{$action}{proto} unless $proto;
+		    $dport = $actions{$action}{dport} unless $dport;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} else {
@@ -2185,7 +2245,7 @@ sub process_actions() {

 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;

-		new_action ( $action, $type, $opts, $actionfile , $state , $proto );
+		new_action ( $action, $type, $opts, $actionfile , $state , $proto , $dport );
 	    }
 	}
    }
@@ -2888,6 +2948,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    fatal_error "Invalid flags ($flags)"         unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;

 	    $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
+	    $log_action = "$basictarget($setname)";

 	    if ( supplied $timeout ) {
 		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';
@@ -3063,9 +3124,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {

    if ( $actiontype & ACTION ) {
 	#
-	# Verify action 'proto', if any
+	# Verify action 'proto', and 'dport' if any
 	#
-	$proto = determine_action_protocol( $basictarget, $proto );
+	if ( ( $proto = determine_action_protocol( $basictarget, $proto ) ) ne '-' ) {
+	    $ports = determine_action_dport( $basictarget, $proto, $ports );
+	}
 	#
 	# Save NAT-oriented column contents
 	#
@@ -3923,9 +3986,8 @@ sub process_rules() {
    #
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	my $simple  =  @zones <= 2 && ! $zoneref->{complex};

-	unless ( @zones <= 2 && ! $zoneref->{complex} ) {
+	unless ( $zoneref->{type} == LOCAL || ( @zones <= 2 && ! $zoneref->{complex} ) ) {
 	    #
 	    # Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
 	    #
@@ -4817,9 +4879,11 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	function          => sub() {
 	    fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE;
 	    #
-	    # Verify action 'proto', if any
+	    # Verify action 'proto' and 'dport' if any
 	    #
-	    $proto = determine_action_protocol( $cmd, $proto );
+	    if ( ( $proto = determine_action_protocol( $cmd, $proto ) ) ne '-' ) {
+		$ports = determine_action_dport( $cmd, $proto, $ports );
+	    }
 	    #
 	    # Create the action:level:tag:param tuple.
 	    #
@@ -5363,8 +5427,8 @@ sub process_mangle_rule( $ ) {
    }
 }

-sub process_snat_inline( $$$$$$$$$$$$$$ ) {
-    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+sub process_snat_inline( $$$$$$$$$$$$$$$ ) {
+    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;

    my ( $level,
 	 $tag )    = split( ':', $loglevel, 2 );
@@ -5383,18 +5447,22 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {

    progress_message "..Expanding inline action $inlinefile...";

-    push_open $inlinefile, 2, 1, undef , 2;
+    push_open $inlinefile, 2, 1, undef , 1;

    my $save_comment = push_comment;

    while ( read_a_line( NORMAL_READ ) ) {
-	my ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
+	my ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability);
+
+	if ( $file_format == 1 ) {
+	    ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
 		split_line2( 'snat file',
 			     { action =>0,
 			       source => 1,
 			       dest => 2,
 			       proto => 3,
 			       port => 4,
+			       dport => 4,
 			       ipsec => 5,
 			       mark => 6,
 			       user => 7,
@@ -5405,6 +5473,28 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 			     {},
 			     11,
 			     1 );
+	    $msports = '-';
+	} else {
+	    ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
+		split_line2( 'snat file',
+			     { action =>0,
+			       source => 1,
+			       dest => 2,
+			       proto => 3,
+			       port => 4,
+			       dport => 4,
+			       sport => 5,
+			       ipsec => 6,
+			       mark => 7,
+			       user => 8,
+			       switch => 9,
+			       origdest => 10,
+			       probability => 11,
+			     },
+			     {},
+			     12,
+			     1 );
+	}

 	fatal_error 'ACTION must be specified' if $maction eq '-';

@@ -5432,6 +5522,7 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 			   $mdest,
 			   $proto,
 			   merge_macro_column( $mports,          $ports ),
+			   merge_macro_column( $msports,         $sports ),
 			   merge_macro_column( $mipsec,          $ipsec ),
 			   merge_macro_column( $mmark,           $mark ),
 			   merge_macro_column( $muser,           $user ),
@@ -5458,8 +5549,8 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 #
 # Process a record in the snat file
 #
-sub process_snat1( $$$$$$$$$$$$ ) {
-    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+sub process_snat1( $$$$$$$$$$$$$ ) {
+    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;

    my $inchain;
    my $inaction;
@@ -5479,6 +5570,13 @@ sub process_snat1( $$$$$$$$$$$$ ) {
    my ( $action, $loglevel ) = split_action( $origaction );
    my $logaction;
    my $param;
+    #
+    # Handle early matches
+    #
+    if ( $inlinematches =~ s/^s*\+// ) {
+	$prerule = $inlinematches;
+	$inlinematches = '';
+    }

    if ( $action =~ /^MASQUERADE(\+)?(?:\((.+)\))?$/ ) {
 	$target     = 'MASQUERADE';
@@ -5571,7 +5669,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
    #
    # Handle Protocol, Ports and Condition
    #
-    $baserule .= do_proto( $proto, $ports, '' );
+    $baserule .= do_proto( $proto, $ports, $sports );
    #
    # Handle Mark
    #
@@ -5818,6 +5916,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 				 supplied( $destnets ) && $destnets ne '-' ? $inaction || $interface ? join( ':', $interface, $destnets ) : $destnets : $inaction ? '-' : $interface,
 				 $proto,
 				 $ports,
+				 $sports,
 				 $ipsec,
 				 $mark,
 				 $user,
@@ -5828,9 +5927,11 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( $actiontype & ACTION ) {
 		fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
 		#
-		# Verify action 'proto', if any
+		# Verify action 'proto' and 'dport', if any
 		#
-		$proto = determine_action_protocol( $target, $proto );
+		if ( ( $proto = determine_action_protocol( $target, $proto ) ) ne '-' ) {
+		    $ports = determine_action_dport( $target, $proto, $ports );
+		}
 		#
 		# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
 		# the interface name in the log tag
@@ -5928,18 +6029,30 @@ sub process_snat1( $$$$$$$$$$$$ ) {

 sub process_snat( )
 {
-    my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+    my ($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+
+    if ( $file_format == 1 ) {
+	($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 	    split_line2( 'snat file',
-		     { action => 0, source => 1, dest => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+			 { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
 			 {},    #Nopad
-		     undef, #Columns
+			 11,    #Columns
 			 1 );   #Allow inline matches
+	$sports = '-';
+    } else {
+	($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+	    split_line2( 'snat file',
+			 { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, sport => 5, ipsec => 6, mark => 7, user => 8, switch => 9, origdest => 10, probability => 11 },
+			 {},    #Nopad
+			 12,    #Columns
+			 1 );   #Allow inline matches
+    }

    fatal_error 'ACTION must be specified' if $action eq '-';
    fatal_error 'DEST must be specified' if $dest eq '-';

    for my $proto ( split_list $protos, 'Protocol' ) {
-	process_snat1( undef, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	process_snat1( undef, $action, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability );
    }
 }

@@ -5954,7 +6067,7 @@ sub setup_snat()
 	#
 	# Masq file was empty or didn't exist
 	#
-	if ( $fn = open_file( 'snat', 1, 1 ) ) {
+	if ( $fn = open_file( 'snat', 2, 1, undef, 1 ) ) {
 	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
 	    process_snat while read_a_line( NORMAL_READ );
 	}
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -72,6 +72,9 @@ our %flow_keys = ( 'src'            => 1,
 #                              out_bandwidth => <value> ,
 #                              number        => <number>,
 #                              classify      => 0|1
+#                              flow          => Comma-separated flow tupple
+#                              classify      => 0|1
+#                              pfifo         => 0|1
 #                              tablenumber   => <next u32 table to be allocated for this device>
 #                              default       => <default class mark value>
 #                              redirected    => [ <dev1>, <dev2>, ... ]
@@ -80,6 +83,13 @@ our %flow_keys = ( 'src'            => 1,
 #                              qdisc         => htb|hfsc
 #                              guarantee     => <total RATE of classes seen so far>
 #                              name          => <interface>
+#                              filters       => [ filter, ... ]
+#                              linklayer     => <type> (optional)
+#                              overhead      => <number>
+#                              mtu           => <number>
+#                              tsize         => <number>
+#                              filterpri     => <number> (initially 0)
+#                              connmark      => 0|1
 #                                               }
 #
 our @tcdevices;
@@ -365,9 +375,7 @@ sub process_simple_device() {

    emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" .
 	  "\\\n    match ip6 protocol 6 0xff" .
-	  "\\\n    match u8 0x05 0x0f at 0" .
-	  "\\\n    match u16 0x0000 0xffc0 at 2" .
-	  "\\\n    match u8 0x10 0xff at 33 flowid $number:1\n" );
+	  "\\\n    match u8 0x10 0xff at 53 flowid $number:1\n" );

    save_progress_message_short qq("   TC Device $physical defined.");

@@ -422,8 +430,8 @@ sub validate_tc_device( ) {
    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;

-    my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize ) = 
-	(0,         0,      '',    'htb',  '',         0,         0,    0,    0);
+    my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize, $connmark ) = 
+	(0,         0,      '',    'htb',  '',         0,         0,    0,    0,      0);

    if ( $options ne '-' ) {
 	for my $option ( split_list1 $options, 'option' ) {
@@ -458,6 +466,9 @@ sub validate_tc_device( ) {
 		$tsize = numeric_value( $1 );
 		fatal_error "Invalid tsize ($1)" unless defined $tsize;
 		fatal_error q('tsize' requires 'linklayer') unless $linklayer; 
+	    } elsif ( $option eq 'connmark' ) {
+		require_capability( 'CONNMARK_ACTION', q(The 'connmark' option), 's' );
+		$connmark = 1;
 	    } else {
 		fatal_error "Unknown device option ($option)";
 	    }
@@ -470,7 +481,7 @@ sub validate_tc_device( ) {

    if ( @redirected ) {
 	fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
-	$classify = 1;
+	$classify = 1 unless $connmark;

 	for my $rdevice ( @redirected ) {
 	    fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
@@ -478,6 +489,8 @@ sub validate_tc_device( ) {
 	    fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
 	    fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} != 0;
 	}
+    } elsif ( $connmark ) {
+	fatal_error "Option connmark can only be used when setting up a IFB device";
    }

    $inband = process_in_bandwidth( $inband );
@@ -503,6 +516,7 @@ sub validate_tc_device( ) {
 			    mpu           => $mpu,
 			    tsize         => $tsize,
 			    filterpri     => 0,
+			    connmark      => $connmark,
 			  } ,

    push @tcdevices, $device;
@@ -661,6 +675,7 @@ sub validate_tc_class( ) {

    if ( $mark ne '-' ) {
 	fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
+	fatal_error "MARK may not be specified for an interface with the 'classify' option" if $devref->{classify};

 	( $mark, my $priority ) = split/:/, $mark, 2;

@@ -1639,8 +1654,8 @@ sub process_tcfilters() {
 #
 # Process a tcpri record
 #
-sub process_tc_priority1( $$$$$$ ) {
-    my ( $band, $proto, $ports , $address, $interface, $helper ) = @_;
+sub process_tc_priority1( $$$$$$$ ) {
+    my ( $band, $proto, $dports , $sports, $address, $interface, $helper ) = @_;

    my $val = numeric_value $band;

@@ -1651,7 +1666,7 @@ sub process_tc_priority1( $$$$$$ ) {
    $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );

    if ( $interface ne '-' ) {
-	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
+	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $dports eq '-' && $sports eq '-';

 	my $forwardref = $mangle_table->{tcfor};

@@ -1662,41 +1677,57 @@ sub process_tc_priority1( $$$$$$ ) {
 	my $postref = $mangle_table->{tcpost};

 	if ( $address ne '-' ) {
-	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
+	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $dports eq '-' && $sports eq '-';
 	    add_rule( $postref ,
 		      join( '', match_source_net( $address) , $rule ) ,
 		      1 );
 	} else {
 	    add_rule( $postref ,
-		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
+		      join( '', do_proto( $proto, $dports, $sports , 0 ) , $rule ) ,
 		      1 );

-	    if ( $ports ne '-' ) {
+	    if ( $dports ne '-' ) {
 		my $protocol = resolve_proto $proto;

 		if ( $proto =~ /^ipp2p/ ) {
 		    fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
 		    $ipp2p = 1;
-		}
-
+		} elsif ( $file_format == 1 ) {
 		    add_rule( $postref ,
-			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
+			      join( '' , do_proto( $proto, '-', $dports, 0 ) , $rule ) ,
 			      1 )
 			unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
 		}
 	    }
 	}
+    }
 }

 sub process_tc_priority() {
-    my ( $band, $protos, $ports , $address, $interface, $helper ) =
-	split_line1( 'tcpri',
-		     { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 } );
+    my ( $band, $protos, $dports , $sports, $address, $interface, $helper );
+
+    if ( $file_format == 1 ) {
+	( $band, $protos, $dports , $address, $interface, $helper ) =
+	    split_line2( 'tcpri',
+			 { band => 0, proto => 1, port => 2, dport => 2, address => 3, interface => 4, helper => 5 },
+			 {},
+			 6,
+			 1 );
+	$sports = '-';
+    } else {
+	( $band, $protos, $dports , $sports, $address, $interface, $helper ) =
+	    split_line2( 'tcpri',
+			 { band => 0, proto => 1, port => 2, dport => 2, sport => 3, address => 4, interface => 5, helper => 6 },
+			 {},
+			 7,
+			 1 );
+    };

    fatal_error 'BAND must be specified' if $band eq '-';

    fatal_error "Invalid tcpri entry" if ( $protos    eq '-' &&
-					   $ports     eq '-' &&
+					   $dports    eq '-' &&
+					   $sports    eq '-' &&
 					   $address   eq '-' &&
 					   $interface eq '-' &&
 					   $helper    eq '-' );
@@ -1706,7 +1737,7 @@ sub process_tc_priority() {
    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;

    for my $proto ( split_list $protos, 'Protocol' ) {
-	process_tc_priority1( $band, $proto, $ports , $address, $interface, $helper );
+	process_tc_priority1( $band, $proto, $dports , $sports, $address, $interface, $helper );
    }
 }

@@ -1728,7 +1759,7 @@ sub process_tcinterfaces() {
 #
 sub process_tcpri() {
    my $fn  = find_file 'tcinterfaces';
-    my $fn1 = open_file 'tcpri', 1,1;
+    my $fn1 = open_file 'tcpri', 2,1,0,1;

    if ( $fn1 ) {
 	first_entry
@@ -1865,7 +1896,7 @@ sub process_traffic_shaping() {
 	    for my $rdev ( @{$devref->{redirected}} ) {
 		my $phyrdev = physical_name( $rdev );
 		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
-		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
+		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0".($devref->{'connmark'} ? ' action connmark' : '')." action mirred egress redirect dev $device > /dev/null" );
 	    }

 	    for my $class ( @tcclasses ) {
@@ -2371,7 +2402,6 @@ sub setup_tc( $ ) {
    }

    if ( $config{MANGLE_ENABLED} ) {
-
 	if ( $convert ) {
 	    my $have_tcrules;

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -103,6 +103,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_zone_hosts_by_option
 		    find_zones_by_option
 		    have_ipsec
+		    generate_all_acasts
 		 ),
 	      );

@@ -176,7 +177,8 @@ our %reservedName = ( all => 1,
 #				      number	  => <ordinal position in the interfaces file>
 #				      physical	  => <physical interface name>
 #				      base	  => <shell variable base representing this interface>
-#				      wildcard	  => undef|1 # Wildcard Name
+#				      wildcard	  => undef|1 # Wildcard Logical Name
+#				      physwild	  => undef|1 # Wildcard Physical Name
 #				      zones	  => { zone1 => 1, ... }
 #				      origin	  => <where defined>
 #				    }
@@ -418,7 +420,8 @@ sub initialize( $$ ) {
 		       32  => 'loopback',
 		       64  => 'local' );
    } else {
-	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
+	%validinterfaceoptions = (
+				    accept_ra	=> NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
@@ -430,6 +433,7 @@ sub initialize( $$ ) {
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+				    omitanycast	=> SIMPLE_IF_OPTION + IF_OPTION_WILDOK,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
@@ -560,7 +564,8 @@ sub process_zone( \$ ) {
 	@parents = split_list $2, 'zone';
    }

-    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
+    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i;
+    fatal_error "Zone name ($zone) too long"     unless length $zone <= $globals{MAXZONENAMELENGTH};
    fatal_error "Invalid zone name ($zone)"      if $reservedName{$zone} || $zone =~ /^all2|2all$/;
    fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};

@@ -1369,7 +1374,7 @@ sub process_interface( $$ ) {
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
 		if ( $option eq 'arp_ignore' ) {
-		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $wildcard;
+		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $physwild;
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
 			    $options{arp_ignore} = $value;
@@ -1486,7 +1491,7 @@ sub process_interface( $$ ) {

 	if ( $options{bridge} ) {
 	    require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
-	    fatal_error "Bridges may not have wildcard names" if $wildcard;
+	    fatal_error "Bridges may not have wildcard names" if $physwild;
 	    $hostoptions{routeback} = $options{routeback} = 1 unless supplied $options{routeback};
 	}

@@ -1535,7 +1540,7 @@ sub process_interface( $$ ) {
 						   zones      => {},
 						   origin     => shortlineinfo( '' ),
 						   wildcard   => $wildcard,
-						   physwild   => $physwild, # Currently unused
+						   physwild   => $physwild,
 					         };

    $interfaces{$physical} = $interfaceref if $physical ne $interface;
@@ -1716,6 +1721,7 @@ sub known_interface($)
 					       physical => $physical ,
 					       base     => $interfaceref->{base} ,
 					       wildcard => $interfaceref->{wildcard} ,
+					       physwild => $interfaceref->{physwild} ,
 					       zones    => $interfaceref->{zones} ,
 		                              };
 		return $interfaceref;
@@ -2028,7 +2034,7 @@ sub verify_required_interfaces( $ ) {

 	push_indent;

-	emit( 'start|reload|restore)' );
+	emit( 'start|reload|restore|enable)' );

 	push_indent;

@@ -2384,4 +2390,110 @@ sub find_zones_by_option( $$ ) {
    \@zns;
 }

+#
+# Generate the shell code to populate the ALL_ACASTS run-time variable
+#
+
+sub generate_all_acasts() {
+    my ( @acasts, @noacasts, @wildacasts, @wildnoacasts );
+
+    for my $interface ( @interfaces ) {
+	my $interfaceref = $interfaces{$interface};
+	my $physical     = $interfaceref->{physical};
+
+	next if ( $interfaceref->{options}{port} ||
+		  $interfaceref->{options}{unmanaged} );
+
+	if ( $interfaceref->{physwild} ) {
+	    $physical =~ s/\+/*/;
+
+	    if ( $interfaceref->{options}{omitanycast} ) {
+		if ( $physical eq '*' ) {
+		    @wildnoacasts = ( '*' );
+		} else {
+		    push @wildnoacasts, $physical;
+		}
+	    } else {
+		if ( $physical eq '*' ) {
+		    @wildacasts = ( '*' );
+		} else {
+		    push @wildacasts, $physical;
+		}
+	    }
+	} else {
+	    if ( $interfaceref->{options}{omitanycast} ) {
+		push @noacasts, $physical;
+	    } else {
+		push @acasts, $physical;
+	    }
+	}
+    }
+
+    return 'ALL_ACASTS="$(get_all_acasts)"' unless @noacasts || @wildnoacasts;
+
+    @wildacasts = '*' unless @wildacasts;
+
+    emit( "#\n# Populate the ALL_ACASTS variable\n#",
+	  'generate_all_acasts()',
+	  '{' );
+    push_indent;
+
+    emit( 'ALL_ACASTS=',
+	  '',
+	  'for iface in $(find_all_interfaces1); do' );
+
+    push_indent;
+
+    emit( 'case $iface in' );
+
+    push_indent;
+
+    if ( @noacasts ) {
+	unless ( @wildacasts ) {
+	    push @noacasts, @wildnoacasts;
+	    @wildnoacasts = ();
+	}
+
+	emit( join( '|', @noacasts) . ')',
+	      '    ;;' );
+    }
+
+    if ( @wildnoacasts ) {
+	if ( @acasts ) {
+	    emit( join( '|', @acasts) . ')',
+		  '    if [ -n "$ALL_ACASTS" ]; then',
+		  '        ALL_ACASTS="$ALL_ACASTS $(get_interface_acasts $iface)"',
+		  '    else',
+		  '        ALL_ACASTS="$(get_interface_acasts $iface)"',
+		  '    fi',
+		  '    ;;' );
+	}
+
+	emit( join( '|', @wildnoacasts) . ')',
+	      '    ;;' );
+
+    } else {
+	@wildacasts = ( '*' );
+    }
+
+    if ( @wildacasts ) {
+	emit( join( '|', @wildacasts ) . ')',
+	      '    if [ -n "$ALL_ACASTS" ]; then',
+	      '        ALL_ACASTS="$ALL_ACASTS $(get_interface_acasts $iface)"',
+	      '    else',
+	      '        ALL_ACASTS="$(get_interface_acasts $iface)"',
+	      '    fi',
+	      '    ;;' );
+    }
+
+    pop_indent;
+    emit( 'esac');
+    pop_indent;
+    emit( 'done');
+    pop_indent;
+    emit( "}\n" );
+
+    return 'generate_all_acasts';
+}
+
 1;
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -47,7 +47,7 @@
 #
 use strict;
 use FindBin;
-use lib "$FindBin::Bin";
+use lib "$FindBin::Bin"; # Required to allow modules to reside in ${BASEDIR}/Shorewall/
 use Shorewall::Compiler;
 use Getopt::Long;

--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -1089,7 +1089,7 @@ clear_firewall() {

    set_state "Cleared"

-    logger -p kern.info "$g_product Cleared"
+    logger -p daemon.info "$g_product Cleared"
 }

 #
@@ -1113,7 +1113,7 @@ interface_is_usable() # $1 = interface
    status=0

    if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -1389,7 +1389,7 @@ clear_firewall() {

    set_state "Cleared"

-    logger -p kern.info "$g_product Cleared"
+    logger -p daemon.info "$g_product Cleared"
 }

 ?endif # IPv6-specific functions.
--- a/Shorewall/Samples/three-interfaces/snat
+++ b/Shorewall/Samples/three-interfaces/snat
@@ -12,8 +12,9 @@
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
-###########################################################################################################################################
-#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+?FORMAT 2
+###################################################################################################################################################
+#ACTION			SOURCE			DEST            PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
 #
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -12,8 +12,9 @@
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
-###########################################################################################################################################
-#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+?FORMAT 2
+###################################################################################################################################################
+#ACTION			SOURCE			DEST            PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
 #
--- a/Shorewall/Shorewall-targetname
+++ b/Shorewall/Shorewall-targetname
@@ -1 +1 @@
-5.2.4.1
+5.2.8-base
--- a/Shorewall/configfiles/snat
+++ b/Shorewall/configfiles/snat
@@ -5,5 +5,6 @@
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
 #
-###########################################################################################################################################
-#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+?FORMAT 2
+###################################################################################################################################################
+#ACTION			SOURCE			DEST		PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/Shorewall/configfiles/tcpri
+++ b/Shorewall/configfiles/tcpri
@@ -6,5 +6,6 @@
 # See https://shorewall.org/simple_traffic_shaping.htm for additional
 # information.
 #
+?FORMAT 2
 ###############################################################################
-#BAND	PROTO	PORT		ADDRESS		INTERFACE	HELPER
+#BAND	PROTO	DPORT	SPORT	ADDRESS		INTERFACE	HELPER
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -29,7 +29,7 @@
 #     $2 = Yes: check for STARTUP_ENABLED
 #     $3 = Yes: Check for LOGFILE
 #
-get_config() {
+std_get_config() {
    local prog
    local lib

@@ -216,6 +216,8 @@ get_config() {
 		echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
 		SHOREWALL_SHELL=/bin/sh
 	    fi
+	else
+	    SHOREWALL_SHELL=/bin/sh
 	fi

 	if [ -n "$IP" ]; then
@@ -332,13 +334,13 @@ get_config() {

 	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"

-	    g_pager="| $g_pager"
+	    g_pager="2>&1 | $g_pager"
 	fi
    fi

    if [ -n "$DYNAMIC_BLACKLIST" -a "$(id -u)" = 0 ]; then
 	case $COMMAND in
-	    blacklist|allow|drop|logdrop|reject)
+	    blacklist*|allow|drop|logdrop|reject)
 		setup_dbl
 		;;
 	esac
@@ -386,6 +388,7 @@ uptodate() {

    [ -n "${find}" ] || return 1
    [ -h "${find}" ] && busybox=Yes
+    find="${find} -L"

    for dir in $g_shorewalldir $(split $CONFIG_PATH); do
 	if [ -n "${busybox}" ]; then
@@ -565,7 +568,7 @@ compiler() {
 #
 # Start Command Executor
 #
-start_command() {
+std_start_command() {
    local finished
    finished=0
    local rc
@@ -964,7 +967,7 @@ update_command() {
 #
 # Reload/Restart Command Executor
 #
-restart_command() {
+std_restart_command() {
    local finished
    finished=0
    local rc
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -26,8 +26,8 @@
    <title>Description</title>

    <para>This file allows you to define new ACTIONS for use in rules (see
-    <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>).
-    You define the iptables rules to be performed in an ACTION in
+    <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>). You define
+    the iptables rules to be performed in an ACTION in
    /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>

    <para>Columns are:</para>
@@ -148,8 +148,8 @@
              <listitem>
                <para>Added in Shorewall 5.0.7. Specifies that this action is
                to be used in <ulink
-                url="shorewall-mangle.html">shorewall-mangle(5)</ulink>
-                rather than <ulink
+                url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
+                than <ulink
                url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
              </listitem>
            </varlistentry>
@@ -160,11 +160,11 @@
              <listitem>
                <para>Added in Shorewall 5.0.13. Specifies that this action is
                to be used in <ulink
-                url="shorewall-snat.html">shorewall-snat(5)</ulink>
-                rather than <ulink
-                url="shorewall-rules.html">shorewall-rules(5)</ulink>.
-                The <option>mangle</option> and <option>nat</option> options
-                are mutually exclusive.</para>
+                url="shorewall-snat.html">shorewall-snat(5)</ulink> rather
+                than <ulink
+                url="shorewall-rules.html">shorewall-rules(5)</ulink>. The
+                <option>mangle</option> and <option>nat</option> options are
+                mutually exclusive.</para>
              </listitem>
            </varlistentry>

@@ -212,6 +212,24 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><option>dport</option>=<replaceable>portorservice</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.6. Requires that the <emphasis
+                role="bold">proto</emphasis> option be previously given and
+                indicates that this action may only be applied to flows with
+                the specified <replaceable>protocol</replaceable> and
+                <replaceable>portorservice</replaceable>.
+                <replaceable>portorservice</replaceable> may be a valid port
+                number or the name of a service defined in /etc/services to be
+                usable with the specified <replaceable>protocol</replaceable>.
+                If a port or service is specified in the DPORT column of an
+                invocation, then it must match the named
+                <replaceable>portorservice</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><option>section</option></term>

--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -70,8 +70,7 @@
          in this column.</para>

          <para>If the interface serves multiple zones that will be defined in
-          the <ulink
-          url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
+          the <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
          file, you should place "-" in this column.</para>

          <para>If there are multiple interfaces to the same zone, you must
@@ -109,8 +108,8 @@ loc     eth2            -</programlisting>
          <para>When using Shorewall versions before 4.1.4, care must be
          exercised when using wildcards where there is another zone that uses
          a matching specific interface. See <ulink
-          url="shorewall-nesting.html">shorewall-nesting</ulink>(5)
-          for a discussion of this problem.</para>
+          url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
+          discussion of this problem.</para>

          <para>Shorewall allows '+' as an interface name, but that usage is
          deprecated. A better approach is to specify
@@ -370,8 +369,7 @@ loc     eth2            -</programlisting>
                firewall through this interface and whether the source address
                and/or destination address is to be compared against the
                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
-                <ulink
-                url="shorewall.conf.html">shorewall.conf(5)</ulink>).
+                <ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>).
                The default is determine by the setting of
                DYNAMIC_BLACKLIST:</para>

@@ -459,8 +457,8 @@ loc     eth2            -</programlisting>

                  <listitem>
                    <para>the interface is a <ulink
-                    url="../SimpleBridge.html">simple bridge</ulink> with a DHCP
-                    server on one port and DHCP clients on another
+                    url="../SimpleBridge.html">simple bridge</ulink> with a
+                    DHCP server on one port and DHCP clients on another
                    port.</para>

                    <note>
@@ -585,8 +583,8 @@ loc     eth2            -</programlisting>
              <listitem>
                <para>Connection requests from this interface are compared
                against the contents of <ulink
-                url="shorewall-maclist.html">shorewall-maclist</ulink>(5).
-                If this option is specified, the interface must be an Ethernet
+                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
+                this option is specified, the interface must be an Ethernet
                NIC and must be up before Shorewall is started.</para>
              </listitem>
            </varlistentry>
@@ -650,8 +648,58 @@ loc     eth2            -</programlisting>

                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5).
-                After logging, the packets are dropped.</para>
+                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
+                logging, the packets are dropped.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>omitanycast</term>
+
+              <listitem>
+                <para>IPv6 only. Added in Shorewall 5.2.8.</para>
+
+                <para>Shorewall6 has traditionally generated rules for IPv6
+                <emphasis>anycast</emphasis> addresses. These rules
+                include:</para>
+
+                <orderedlist numeration="loweralpha">
+                  <listitem>
+                    <para>Packets with these destination IP addresses are
+                    dropped by REJECT rules.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Packets with these source IP addresses are dropped
+                    by the 'nosmurfs' interface option and by the 'dropSmurfs'
+                    action.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Packets with these destination IP addresses are not
+                    logged during policy enforcement.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Packets with these destination IP addresses are
+                    processes by the 'Broadcast' action.</para>
+                  </listitem>
+                </orderedlist>
+
+                <para>This can be inhibited for individual interfaces by
+                specifying <emphasis role="bold">noanycast</emphasis> for
+                those interfaces.</para>
+
+                <note>
+                  <para>RFC 2526 describes IPv6 subnet anycast addresses. The
+                  RFC makes a distinction between subnets with "IPv6 address
+                  types required to have 64-bit interface identifiers in
+                  EUI-64 format" and all other subnets. When generating these
+                  anycast addresses, the Shorewall compiler does not make this
+                  distinction and unconditionally assumes that the last 128
+                  addresses in the subnet are reserved as anycast
+                  addresses.</para>
+                </note>
              </listitem>
            </varlistentry>

@@ -659,6 +707,11 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">optional</emphasis></term>

              <listitem>
+                <para>This option indicates that the firewall should be able
+                to start, even if the interface is not usable for handling
+                traffic. It allows use of the <command>enable</command> and
+                <command>disable</command> commands on the interface.</para>
+
                <para>When <option>optional</option> is specified for an
                interface, Shorewall will be silent when:</para>

@@ -674,6 +727,16 @@ loc     eth2            -</programlisting>
                    <para>The first address of the interface cannot be
                    obtained.</para>
                  </listitem>
+
+                  <listitem>
+                    <para>The gateway of the interface can not be obtained
+                    (provider interface).</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The interface has been disabled using the
+                    <command>disable</command> command.</para>
+                  </listitem>
                </itemizedlist>

                <para>May not be specified with <emphasis
@@ -826,9 +889,9 @@ loc     eth2            -</programlisting>

                <important>
                  <para>If ROUTE_FILTER=Yes in <ulink
-                  url="shorewall.conf.html">shorewall.conf</ulink>(5),
-                  or if your distribution sets net.ipv4.conf.all.rp_filter=1
-                  in <filename>/etc/sysctl.conf</filename>, then setting
+                  url="shorewall.conf.html">shorewall.conf</ulink>(5), or if
+                  your distribution sets net.ipv4.conf.all.rp_filter=1 in
+                  <filename>/etc/sysctl.conf</filename>, then setting
                  <emphasis role="bold">routefilter</emphasis>=0 in an
                  <replaceable>interface</replaceable> entry will not disable
                  route filtering on that
@@ -848,8 +911,8 @@ loc     eth2            -</programlisting>
                  <itemizedlist>
                    <listitem>
                      <para>If USE_DEFAULT_RT=Yes in <ulink
-                      url="shorewall.conf.html">shorewall.conf</ulink>(5)
-                      and the interface is listed in <ulink
+                      url="shorewall.conf.html">shorewall.conf</ulink>(5) and
+                      the interface is listed in <ulink
                      url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
                    </listitem>

--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -79,13 +79,13 @@

        <listitem>
          <para>A FWMARK <emphasis>value</emphasis> used in your <ulink
-          url="shorewall-mangle.html">shorewall-mangle(5)</ulink>
-          file to direct packets to this provider.</para>
+          url="shorewall-mangle.html">shorewall-mangle(5)</ulink> file to
+          direct packets to this provider.</para>

          <para>If PROVIDER_OFFSET is non-zero in <ulink
-          url="shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases,
-          the number of significant bits may not exceed PROVIDER_OFFSET +
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>, then the value
+          must be a multiple of 2^^PROVIDER_OFFSET. In all cases, the number
+          of significant bits may not exceed PROVIDER_OFFSET +
          PROVIDER_BITS.</para>
        </listitem>
      </varlistentry>
@@ -111,8 +111,8 @@
        <listitem>
          <para>The name of the network interface to the provider. Must be
          listed in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
-          In general, that interface should not have the
+          url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>. In
+          general, that interface should not have the
          <option>proxyarp</option> or <option>proxyndp</option> option
          specified unless <option>loose</option> is given in the OPTIONS
          column of this entry.</para>
@@ -190,9 +190,8 @@

                <para>Beginning with Shorewall 4.4.3, <option>track</option>
                defaults to the setting of the TRACK_PROVIDERS option in
-                <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>
-                (5). If you set TRACK_PROVIDERS=Yes and want to override that
+                <ulink url="shorewall.conf.html">shorewall.conf</ulink> (5).
+                If you set TRACK_PROVIDERS=Yes and want to override that
                setting for an individual provider, then specify
                <option>notrack</option> (see below).</para>
              </listitem>
@@ -343,7 +342,7 @@
                <replaceable>weight</replaceable> is given, a balanced route
                is added with the weight of this provider equal to the
                specified <replaceable>weight</replaceable>. If the option is
-                given without a <replaceable>weight</replaceable>, an separate
+                given without a <replaceable>weight</replaceable>, a separate
                default route is added through the provider's gateway; the
                route has a metric equal to the provider's NUMBER.</para>

--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -39,12 +39,26 @@
      <para>If you have more than one ISP link, adding entries to this file
      will <emphasis role="bold">not</emphasis> force connections to go out
      through a particular link. You must use entries in <ulink
-      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
-      PREROUTING entries in <ulink
+      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
+      entries in <ulink
      url="shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
      that.</para>
    </warning>

+    <para>Beginning with Shorewall 5.2.6, the snat file supports two different
+    formats:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>The SPORT (source port) column is omitted. This is the default
+        unless a "?FORMAT 2" compiler directive is included.</para>
+      </listitem>
+
+      <listitem>
+        <para>The SPORT column immediately follows the DPORT column.</para>
+      </listitem>
+    </orderedlist>
+
    <para>The columns in the file are as follows.</para>

    <variablelist>
@@ -68,10 +82,10 @@
              <listitem>
                <para>where <replaceable>action</replaceable> is an action
                declared in <ulink
-                url="shorewall-actions.html">shorewall-actions(5)</ulink>
-                with the <option>nat</option> option. See <ulink
-                url="../Actions.html">https://shorewall.org/Actions.html</ulink> for
-                further information.</para>
+                url="shorewall-actions.html">shorewall-actions(5)</ulink> with
+                the <option>nat</option> option. See <ulink
+                url="../Actions.html">https://shorewall.org/Actions.html</ulink>
+                for further information.</para>
              </listitem>
            </varlistentry>

@@ -165,9 +179,9 @@
                <para>If you specify an address here, matching packets will
                have their source address set to that address. If
                ADD_SNAT_ALIASES is set to Yes or yes in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5)
-                then Shorewall will automatically add this address to the
-                INTERFACE named in the first column (IPv4 only).</para>
+                url="shorewall.conf.html">shorewall.conf</ulink>(5) then
+                Shorewall will automatically add this address to the INTERFACE
+                named in the first column (IPv4 only).</para>

                <para>You may also specify a range of up to 256 IP addresses
                if you want the SNAT address to be assigned from that range in
@@ -193,9 +207,6 @@
                the IP addresses configured on the interface named in the DEST
                column and substitute them in this column.</para>

-                <para>Finally, you may also specify a comma-separated list of
-                ranges and/or addresses in this column.</para>
-
                <para>DNS Names names are not allowed.</para>

                <para>Normally, Netfilter will attempt to retain the source
@@ -237,10 +248,10 @@

          <para>Normally Masq/SNAT rules are evaluated after those for
          one-to-one NAT (defined in <ulink
-          url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you
-          want the rule to be applied before one-to-one NAT rules, follow the
-          action name with "+": This feature should only be required if you
-          need to insert rules in this file that preempt entries in <ulink
+          url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
+          rule to be applied before one-to-one NAT rules, follow the action
+          name with "+": This feature should only be required if you need to
+          insert rules in this file that preempt entries in <ulink
          url="shorewall-nat.html">shorewall-nat</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -279,23 +290,23 @@
          networks. Multiple interfaces may be listed when the ACTION is
          MASQUERADE, but this is usually just your internet interface. If
          ADD_SNAT_ALIASES=Yes in <ulink
-          url="shorewall.conf.html">shorewall.conf</ulink>(5), you
-          may add ":" and a <emphasis>digit</emphasis> to indicate that you
-          want the alias added with that name (e.g., eth0:0). This will allow
-          the alias to be displayed with ifconfig. <emphasis role="bold">That
-          is the only use for the alias name; it may not appear in any other
-          place in your Shorewall configuration.</emphasis></para>
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
+          and a <emphasis>digit</emphasis> to indicate that you want the alias
+          added with that name (e.g., eth0:0). This will allow the alias to be
+          displayed with ifconfig. <emphasis role="bold">That is the only use
+          for the alias name; it may not appear in any other place in your
+          Shorewall configuration.</emphasis></para>

          <para>Beginning with Shorewall 5.1.12, SNAT may be performed in the
          nat table's INPUT chain by specifying $FW rather than one or more
-          interfaces. </para>
+          interfaces.</para>

          <para>Each interface must match an entry in <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
          Shorewall allows loose matches to wildcard entries in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          For example, <filename class="devicefile">ppp0</filename> in this
-          file will match a <ulink
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
+          example, <filename class="devicefile">ppp0</filename> in this file
+          will match a <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          entry that defines <filename
          class="devicefile">ppp+</filename>.</para>
@@ -315,8 +326,8 @@
          addresses to indicate that you only want to change the source IP
          address for packets being sent to those particular destinations.
          Exclusion is allowed (see <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
-          as are ipset names preceded by a plus sign '+';</para>
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
+          are ipset names preceded by a plus sign '+';</para>

          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
          entry then include the ":" but omit the digit:</para>
@@ -341,8 +352,7 @@
        <listitem>
          <para>If you wish to restrict this entry to a particular protocol
          then enter the protocol name (from protocols(5)) or number here. See
-          <ulink
-          url="shorewall-rules.html">shorewall-rules(5)</ulink> for
+          <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink> for
          details.</para>

          <para>Beginning with Shorewall 4.5.12, this column can accept a
@@ -356,10 +366,14 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">PORT</emphasis> (Optional) -
+        <term><emphasis role="bold">{PORT|DPORT}</emphasis> (Optional) -
        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>

        <listitem>
+          <para>The column was renamed to DPORT in Shorewall 5.2.6. Beginning
+          with that release, both PORT and DPORT are accepted in the
+          alternative input format,</para>
+
          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
          SCTP (132) or UDPLITE (136) then you may list one or more port
          numbers (or names from services(5)) or port ranges separated by
@@ -375,6 +389,27 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">SPORT
+        {-|[!]<replaceable>port-name-or-number</replaceable>[,<replaceable>port-name-or-number</replaceable>]...|+<replaceable>ipset</replaceable>}</emphasis></term>
+
+        <listitem>
+          <para>FORMAT 2 only.</para>
+
+          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
+          SCTP (132) or UDPLITE (136) then you may list one or more port
+          numbers (or names from services(5)) or port ranges separated by
+          commas.</para>
+
+          <para>Port ranges are of the form
+          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
+
+          <para>An <replaceable>ipset</replaceable> name can be specified in
+          this column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
        [<emphasis>option</emphasis>[<emphasis
@@ -767,21 +802,16 @@
        <term>IPv4 Example 6:</term>

        <listitem>
-          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
-          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
-          (Shorewall 4.5.9 and later).</para>
+          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 randomly
+          to addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 (Shorewall 5.0.0 and
+          later).</para>

-          <programlisting>/etc/shorewall/tcrules:
-
-       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
-       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
-
-/etc/shorewall/snat:
+          <programlisting>/etc/shorewall/snat:

       #ACTION                 SOURCE          DEST
-       SNAT(1.1.1.1)           192.168.1.0/24  eth0  { mark=1:C }
-       SNAT(1.1.1.3)           192.168.1.0/24  eth0  { mark=2:C }
-       SNAT(1.1.1.9)           192.168.1.0/24  eth0  { mark=3:C }</programlisting>
+       SNAT(1.1.1.1)           192.168.1.0/24  eth0  { probability=0.33 }
+       SNAT(1.1.1.3)           192.168.1.0/24  eth0  { probability=0.50 }
+       SNAT(1.1.1.9)           192.168.1.0/24  eth0</programlisting>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-tcdevices.xml
+++ b/Shorewall/manpages/shorewall-tcdevices.xml
@@ -200,6 +200,11 @@
          marks. You must do all classification using CLASSIFY rules in <ulink
          url="shorewall-mangle.html">shorewall-mangle</ulink>(5).</para>

+          <para><emphasis role="bold">connmark</emphasis> -- Added in
+          Shorewall 5.2.7. May only be specified if the REDIRECTED_INTERFACES
+          column is non-empty. It allows packet marks to be used to classify
+          traffic for these interfaces.</para>
+
          <para><option>htb</option> - Use the <firstterm>Hierarchical Token
          Bucket</firstterm> queuing discipline. This is the default.</para>

@@ -248,7 +253,9 @@
          enter each listed interface to be passed through the egress filters
          defined for this device, thus providing a form of incoming traffic
          shaping. When this column is non-empty, the <emphasis
-          role="bold">classify</emphasis> option is assumed.</para>
+          role="bold">classify</emphasis> option is assumed unless the
+          <emphasis role="bold">connmark</emphasis> option is
+          specified.</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-tcpri.xml
+++ b/Shorewall/manpages/shorewall-tcpri.xml
@@ -27,8 +27,11 @@

    <para>This file is used to specify the priority of traffic for simple
    traffic shaping (TC_ENABLED=Simple in <ulink
-    url="shorewall.conf.html">shorewall.conf</ulink>(5)). The
-    priority band of each packet is determined by the <emphasis
+    url="shorewall.conf.html">shorewall.conf</ulink>(5)). Beginning with
+    Shorewall 5.2.7, the file allows ?FORMAT 2 which inserts a SPORT column
+    immediately to the right of the DPORT column.</para>
+
+    <para>The priority band of each packet is determined by the <emphasis
    role="bold">last</emphasis> entry that the packet matches. If a packet
    doesn't match any entry in this file, then its priority will be determined
    by its TOS field. The default mapping is as follows but can be changed by
@@ -87,15 +90,36 @@
      </varlistentry>

      <varlistentry>
-        <term>PORT(S) - <replaceable>port</replaceable> [,...]</term>
+        <term>DPORT - <replaceable>port</replaceable> [,...]</term>

        <listitem>
+          <para>This column was named PORT prior to Shorewall 5.2.7. Both
+          'port' and 'dport' may be used in the <ulink
+          url="../configuration_file_basics.htm#Pairs">alternate input
+          format</ulink>.</para>
+
          <para>Optional. May only be given if the the PROTO is TCP (6), UDP
          (17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more
          port numbers or service names from /etc/services. Port ranges of the
          form
          <replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
-          may also be included.</para>
+          may also be included. In format 1, packets whose source or
+          destination port matches the specified
+          <replaceable>port</replaceable>(s) are assigned to the band given in
+          the BAND column.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SPORT - <replaceable>port</replaceable> [,...]</term>
+
+        <listitem>
+          <para>Only present in file format 2. Optional. May only be given if
+          the the PROTO is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
+          (136). A list of one or more port numbers or service names from
+          /etc/services. Port ranges of the form
+          <replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
+          may also be included. </para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -245,8 +245,8 @@
        <listitem>
          <para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
          is enabled (see <ulink
-          url="shorewall-accounting.html">shorewall-accounting</ulink>(5)).
-          If not specified or set to the empty value, ACCOUNTING=Yes is
+          url="shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
+          not specified or set to the empty value, ACCOUNTING=Yes is
          assumed.</para>
        </listitem>
      </varlistentry>
@@ -271,8 +271,8 @@
        <listitem>
          <para>This parameter determines whether Shorewall automatically adds
          the external address(es) in <ulink
-          url="shorewall-nat.html">shorewall-nat</ulink>(5), and is
-          only available in IPv4 configurations. If the variable is set to
+          url="shorewall-nat.html">shorewall-nat</ulink>(5), and is only
+          available in IPv4 configurations. If the variable is set to
          <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis> then Shorewall automatically adds these
          aliases. If it is set to <emphasis role="bold">No</emphasis> or
@@ -300,8 +300,8 @@
        <listitem>
          <para>This parameter determines whether Shorewall automatically adds
          the SNAT ADDRESS in <ulink
-          url="shorewall-masq.html">shorewall-masq</ulink>(5), and
-          is only available in IPv4 configurations. If the variable is set to
+          url="shorewall-masq.html">shorewall-masq</ulink>(5), and is only
+          available in IPv4 configurations. If the variable is set to
          <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis> then Shorewall automatically adds these
          addresses. If it is set to <emphasis role="bold">No</emphasis> or
@@ -445,8 +445,7 @@

                <listitem>
                  <para>Specify the appropriate helper in the HELPER column in
-                  <ulink
-                  url="shorewall-rules.html">shorewall-rules</ulink>
+                  <ulink url="shorewall-rules.html">shorewall-rules</ulink>
                  (5).</para>

                  <note>
@@ -514,8 +513,8 @@
          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
          determines whether the <option>balance</option> provider option (see
          <ulink
-          url="shorewall-providers.html">shorewall-providers(5)</ulink>)
-          is the default. When BALANCE_PROVIDERS=Yes, then the
+          url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
+          the default. When BALANCE_PROVIDERS=Yes, then the
          <option>balance</option> option is assumed unless the
          <option>fallback</option>, <option>loose</option>,
          <option>load</option> or <option>tproxy</option> option is
@@ -531,8 +530,8 @@
        <listitem>
          <para>Added in Shorewall-4.6.0. When set to <emphasis
          role="bold">Yes</emphasis>, causes entries in <ulink
-          url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>
-          to generate a basic filter rather than a u32 filter. This setting
+          url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> to
+          generate a basic filter rather than a u32 filter. This setting
          requires the <firstterm>Basic Ematch</firstterm> capability in your
          kernel and iptables.</para>

@@ -589,8 +588,7 @@

          <para>The BLACKLIST_DISPOSITION setting determines the disposition
          of packets sent to the <emphasis role="bold">blacklog</emphasis>
-          target of <ulink
-          url="shorewall-blrules.html">shorewall-blrules
+          target of <ulink url="shorewall-blrules.html">shorewall-blrules
          </ulink>(5), but otherwise does not affect entries in that
          file.</para>
        </listitem>
@@ -652,8 +650,8 @@
          not supply an /etc/shorewall/tcstart file. That way, your traffic
          shaping rules can still use the “fwmark” classifier based on packet
          marking defined in <ulink
-          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
-          If not specified, CLEAR_TC=Yes is assumed.</para>
+          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
+          specified, CLEAR_TC=Yes is assumed.</para>

          <warning>
            <para>When you specify TC_ENABLED=shared (see below), then you
@@ -943,14 +941,37 @@
                </important>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term>log</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.5. When specified, successful
+                'blacklist' and 'allow' commands will log a message to the
+                system log.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>noupdate</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.5. Normally, once an address has
+                been blacklisted, each time that a packet is received from the
+                packet, the ipset's entry for the address is updated to reset
+                the timeout to the value specifyed in the
+                <option>timeout</option> option above. Setting the
+                <option>noupdate</option> option, inhibits this resetting of
+                the entry's timeout. This option is ignored when the
+                <option>timeout</option> option is not specified.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>

          <para>When ipset-based dynamic blacklisting is enabled, the contents
          of the blacklist will be preserved over
          <command>stop</command>/<command>reboot</command>/<command>start</command>
-          sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
-          <replaceable>setname</replaceable> is included in the list of sets
-          to be saved in SAVE_IPSETS.</para>
+          sequences.</para>
        </listitem>
      </varlistentry>

@@ -1159,12 +1180,11 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'

          <para>Subzones are defined by following their name with ":" and a
          list of parent zones (in <ulink
-          url="shorewall-zones.html">shorewall-zones</ulink>(5)).
-          Normally, you want to have a set of special rules for the subzone
-          and if a connection doesn't match any of those subzone-specific
-          rules then you want the parent zone rules and policies to be
-          applied; see <ulink
-          url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
+          url="shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
+          you want to have a set of special rules for the subzone and if a
+          connection doesn't match any of those subzone-specific rules then
+          you want the parent zone rules and policies to be applied; see
+          <ulink url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
          With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>

          <para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
@@ -1182,10 +1202,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        <listitem>
          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
          INVALID packets through the NEW section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5).
-          When a packet in INVALID state fails to match any rule in the
-          INVALID section, the packet is disposed of based on this setting.
-          The default value is CONTINUE for compatibility with earlier
+          url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
+          packet in INVALID state fails to match any rule in the INVALID
+          section, the packet is disposed of based on this setting. The
+          default value is CONTINUE for compatibility with earlier
          versions.</para>
        </listitem>
      </varlistentry>
@@ -1197,9 +1217,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        <listitem>
          <para>Added in Shorewall 4.5.13. Packets in the INVALID state that
          do not match any rule in the INVALID section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
-          logged at this level. The default value is empty which means no
-          logging is performed.</para>
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          this level. The default value is empty which means no logging is
+          performed.</para>
        </listitem>
      </varlistentry>

@@ -1482,8 +1502,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          sample configurations use this as the default log level and changing
          it will change all packet logging done by the configuration. In any
          configuration file (except <ulink
-          url="shorewall-params.html">shorewall-params(5)</ulink>),
-          $LOG_LEVEL will expand to this value.</para>
+          url="shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
+          will expand to this value.</para>
        </listitem>
      </varlistentry>

@@ -1635,8 +1655,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          <note>
            <para>The setting of LOGFORMAT has an effect of the permitted
            length of zone names. See <ulink
-            url="shorewall-zones.html">shorewall-zones</ulink>
-            (5).</para>
+            url="shorewall-zones.html">shorewall-zones</ulink> (5).</para>
          </note>

          <caution>
@@ -1793,8 +1812,8 @@ LOG:info:,bar                        net                    fw</programlisting>
        <listitem>
          <para>The performance of configurations with a large numbers of
          entries in <ulink
-          url="shorewall-maclist.html">shorewall-maclist</ulink>(5)
-          can be improved by setting the MACLIST_TTL variable in <ulink
+          url="shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
+          improved by setting the MACLIST_TTL variable in <ulink
          url="shorewall.conf.html">shorewall[6].conf</ulink>(5).</para>

          <para>If your iptables and kernel support the "Recent Match" (see
@@ -1804,15 +1823,14 @@ LOG:info:,bar                        net                    fw</programlisting>

          <para>When a new connection arrives from a 'maclist' interface, the
          packet passes through then list of entries for that interface in
-          <ulink
-          url="shorewall-maclist.html">shorewall-maclist</ulink>(5).
-          If there is a match then the source IP address is added to the
-          'Recent' set for that interface. Subsequent connection attempts from
-          that IP address occurring within $MACLIST_TTL seconds will be
-          accepted without having to scan all of the entries. After
-          $MACLIST_TTL from the first accepted connection request from an IP
-          address, the next connection request from that IP address will be
-          checked against the entire list.</para>
+          <ulink url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
+          there is a match then the source IP address is added to the 'Recent'
+          set for that interface. Subsequent connection attempts from that IP
+          address occurring within $MACLIST_TTL seconds will be accepted
+          without having to scan all of the entries. After $MACLIST_TTL from
+          the first accepted connection request from an IP address, the next
+          connection request from that IP address will be checked against the
+          entire list.</para>

          <para>If MACLIST_TTL is not specified or is specified as empty (e.g,
          MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
@@ -2386,13 +2404,12 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
        <listitem>
          <para>Added in Shorewall 4.4.27. Shorewall has traditionally
          ACCEPTed RELATED packets that don't match any rule in the RELATED
-          section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5).
-          Concern about the safety of this practice resulted in the addition
-          of this option. When a packet in RELATED state fails to match any
-          rule in the RELATED section, the packet is disposed of based on this
-          setting. The default value is ACCEPT for compatibility with earlier
-          versions.</para>
+          section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
+          (5). Concern about the safety of this practice resulted in the
+          addition of this option. When a packet in RELATED state fails to
+          match any rule in the RELATED section, the packet is disposed of
+          based on this setting. The default value is ACCEPT for compatibility
+          with earlier versions.</para>
        </listitem>
      </varlistentry>

@@ -2403,9 +2420,9 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
        <listitem>
          <para>Added in Shorewall 4.4.27. Packets in the related state that
          do not match any rule in the RELATED section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
-          logged at this level. The default value is empty which means no
-          logging is performed.</para>
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          this level. The default value is empty which means no logging is
+          performed.</para>
        </listitem>
      </varlistentry>

@@ -2506,8 +2523,7 @@ INLINE          -       -       -       ;; -j REJECT
          <para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
          at least one optional interface must be up in order for the firewall
          to be in the started state. Intended to be used with the <ulink
-          url="shorewall-init.html">Shorewall Init
-          Package</ulink>.</para>
+          url="shorewall-init.html">Shorewall Init Package</ulink>.</para>
        </listitem>
      </varlistentry>

@@ -2593,18 +2609,17 @@ INLINE          -       -       -       ;; -j REJECT
          <para>During <emphasis role="bold">shorewall star</emphasis>t, IP
          addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
          ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
-          url="shorewall-nat.html">shorewall-nat</ulink>(5) and
-          <ulink url="shorewall-masq.html">shorewall-masq</ulink>(5)
-          are processed then are re-added later. This is done to help ensure
-          that the addresses can be added with the specified labels but can
-          have the undesirable side effect of causing routes to be quietly
-          deleted. When RETAIN_ALIASES is set to Yes, existing addresses will
-          not be deleted. Regardless of the setting of RETAIN_ALIASES,
-          addresses added during <emphasis role="bold">shorewall
-          start</emphasis> are still deleted at a subsequent <emphasis
-          role="bold">shorewall [stop</emphasis>, <emphasis
-          role="bold">shorewall reload</emphasis> or <emphasis
-          role="bold">shorewall restart</emphasis>.</para>
+          url="shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
+          url="shorewall-masq.html">shorewall-masq</ulink>(5) are processed
+          then are re-added later. This is done to help ensure that the
+          addresses can be added with the specified labels but can have the
+          undesirable side effect of causing routes to be quietly deleted.
+          When RETAIN_ALIASES is set to Yes, existing addresses will not be
+          deleted. Regardless of the setting of RETAIN_ALIASES, addresses
+          added during <emphasis role="bold">shorewall start</emphasis> are
+          still deleted at a subsequent <emphasis role="bold">shorewall
+          [stop</emphasis>, <emphasis role="bold">shorewall reload</emphasis>
+          or <emphasis role="bold">shorewall restart</emphasis>.</para>
        </listitem>
      </varlistentry>

@@ -2708,9 +2723,9 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.4.20. Determines the disposition of
          packets matching the <option>sfilter</option> option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          and of <firstterm>hairpin</firstterm> packets on interfaces without
-          the <option>routeback</option> option.<footnote>
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          of <firstterm>hairpin</firstterm> packets on interfaces without the
+          <option>routeback</option> option.<footnote>
              <para>Hairpin packets are packets that are routed out of the
              same interface that they arrived on.</para>
            </footnote></para>
@@ -2724,9 +2739,9 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added on Shorewall 4.4.20. Determines the logging of packets
          matching the <option>sfilter</option> option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          and of <firstterm>hairpin</firstterm> packets on interfaces without
-          the <option>routeback</option> option.<footnote>
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          of <firstterm>hairpin</firstterm> packets on interfaces without the
+          <option>routeback</option> option.<footnote>
              <para>Hairpin packets are packets that are routed out of the
              same interface that they arrived on.</para>
            </footnote> The default is <option>info</option>. If you don't
@@ -2754,9 +2769,9 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.4.20. The default setting is DROP which
          causes smurf packets (see the nosmurfs option in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          to be dropped. A_DROP causes the packets to be audited prior to
-          being dropped and requires AUDIT_TARGET support in the kernel and
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
+          be dropped. A_DROP causes the packets to be audited prior to being
+          dropped and requires AUDIT_TARGET support in the kernel and
          iptables.</para>
        </listitem>
      </varlistentry>
@@ -2768,8 +2783,8 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Specifies the logging level for smurf packets (see the
          nosmurfs option in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
-          If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
+          set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
          logged.</para>
        </listitem>
      </varlistentry>
@@ -2871,8 +2886,7 @@ INLINE          -       -       -       ;; -j REJECT
          <para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
          simple traffic shaping using <ulink
          url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
-          and <ulink
-          url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
+          and <ulink url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
          enabled.</para>

          <para>If you set TC_ENABLED=Internal or internal or leave the option
@@ -2936,10 +2950,10 @@ INLINE          -       -       -       ;; -j REJECT
          <para>Determines the disposition of TCP packets that fail the checks
          enabled by the <emphasis role="bold">tcpflags</emphasis> interface
          option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          and must have a value of ACCEPT (accept the packet), REJECT (send an
-          RST response) or DROP (ignore the packet). If not set or if set to
-          the empty value (e.g., TCP_FLAGS_DISPOSITION="") then
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          must have a value of ACCEPT (accept the packet), REJECT (send an RST
+          response) or DROP (ignore the packet). If not set or if set to the
+          empty value (e.g., TCP_FLAGS_DISPOSITION="") then
          TCP_FLAGS_DISPOSITION=DROP is assumed.</para>

          <para>A_DROP and A_REJECT are audited versions of DROP and REJECT
@@ -2968,8 +2982,8 @@ INLINE          -       -       -       ;; -j REJECT
          <para>Added in Shorewall 4.4.3. When set to Yes, causes the
          <option>track</option> option to be assumed on all providers defined
          in <ulink
-          url="shorewall-providers.html">shorewall-providers</ulink>(5).
-          May be overridden on an individual provider through use of the
+          url="shorewall-providers.html">shorewall-providers</ulink>(5). May
+          be overridden on an individual provider through use of the
          <option>notrack</option> option. The default value is 'No'.</para>

          <para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
@@ -3023,10 +3037,10 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
          UNTRACKED packets through the NEW section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5).
-          When a packet in UNTRACKED state fails to match any rule in the
-          UNTRACKED section, the packet is disposed of based on this setting.
-          The default value is CONTINUE for compatibility with earlier
+          url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
+          packet in UNTRACKED state fails to match any rule in the UNTRACKED
+          section, the packet is disposed of based on this setting. The
+          default value is CONTINUE for compatibility with earlier
          versions.</para>
        </listitem>
      </varlistentry>
@@ -3038,9 +3052,9 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
          do not match any rule in the UNTRACKED section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
-          logged at this level. The default value is empty which means no
-          logging is performed.</para>
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          this level. The default value is empty which means no logging is
+          performed.</para>
        </listitem>
      </varlistentry>

@@ -3062,8 +3076,8 @@ INLINE          -       -       -       ;; -j REJECT
          <orderedlist>
            <listitem>
              <para>Both the DUPLICATE and the COPY columns in <ulink
-              url="shorewall-providers.html">providers</ulink>(5)
-              file must remain empty (or contain "-").</para>
+              url="shorewall-providers.html">providers</ulink>(5) file must
+              remain empty (or contain "-").</para>
            </listitem>

            <listitem>
@@ -3083,9 +3097,9 @@ INLINE          -       -       -       ;; -j REJECT
            <listitem>
              <para>Packets are sent through the main routing table by a rule
              with priority 999. In <ulink
-              url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5),
-              the range 1-998 may be used for inserting rules that bypass the
-              main table.</para>
+              url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5), the
+              range 1-998 may be used for inserting rules that bypass the main
+              table.</para>
            </listitem>

            <listitem>
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -149,7 +149,9 @@ if [ $configure -eq 1 ]; then
    fi
 fi

-remove_file ${SBINDIR}/$PRODUCT
+if [ $PRODUCT = shorewall6 ]; then
+    remove_file ${SBINDIR}/shorewall6
+fi

 if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
    FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
--- a/Shorewall6/configfiles/snat
+++ b/Shorewall6/configfiles/snat
@@ -5,5 +5,7 @@
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
 #
-###########################################################################################################################################
-#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+?FORMAT 2
+###################################################################################################################################################
+#ACTION			SOURCE			DEST		PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+
--- a/Shorewall6/configfiles/tcpri
+++ b/Shorewall6/configfiles/tcpri
@@ -6,5 +6,6 @@
 # See https://shorewall.org/simple_traffic_shaping.htm for additional
 # information.
 #
+?FORMAT 2
 ###############################################################################
-#BAND	PROTO	PORT		ADDRESS		INTERFACE	HELPER
+#BAND	PROTO	DPORT	SPORT	ADDRESS		INTERFACE	HELPER
--- a/docs/Build.xml
+++ b/docs/Build.xml
@@ -40,7 +40,11 @@

  <note>
    <para>This information is provided primarily for Shorewall developers.
-    Users are expected to install from pre-built tarballs or packages.</para>
+	    Users are expected to install from pre-built tarballs or packages.
+	    In addition to the below, it is also suggested to read the
+	    <ulink url="https://gitlab.com/shorewall/tools/raw/master/files/shorewall-release-process.txt">README file</ulink>
+	    located in the root directory of the tools repository.
+    </para>
  </note>

  <section>
@@ -98,6 +102,21 @@
      version.</para>
    </section>

+    <section>
+      <title>release (Clone of Release)</title>
+
+      <para>Added in Shorewall 4.4.22, this directory contains the files that
+      contain release-dependent information (change.txt, releasenotes.txt,
+      .spec files, etc). This is actually a symbolic link to ../release which
+      has its own Git repository.</para>
+    </section>
+
+    <section>
+      <title>testing (Clone of Testing)</title>
+
+      <para> This directory contains the regression library files.</para>
+    </section>
+
    <section>
      <title>tools (Clone of Tools)</title>

@@ -117,7 +136,8 @@
          <term>tools/files</term>

          <listitem>
-            <para>Files that are used during the release process.</para>
+		  <para>Files that are used during the release process.
+		  The license and readme files are also kept there.</para>
          </listitem>
        </varlistentry>

@@ -145,15 +165,6 @@
      <para>The files from the web site that are maintained in HTML format.
      are kept in this directory.</para>
    </section>
-
-    <section>
-      <title>release (Clone of Release)</title>
-
-      <para>Added in Shorewall 4.4.22, this directory contains the files that
-      contain release-dependent information (change.txt, releasenotes.txt,
-      .spec files, etc). This is actually a symbolic link to ../release which
-      has its own Git repository.</para>
-    </section>
  </section>

  <section>
@@ -180,10 +191,11 @@
    </section>

    <section>
-      <title>build45, build46 and build50</title>
+      <title>build45, build46, and build</title>

      <para>These are the scripts that respectively build Shorewall 4.5,
-      Shorewall 4.6 and Shorewall 5.[012] packages from Git.</para>
+      Shorewall 4.6 and Shorewall 5.[012] packages from Git.
+      Build is actually a symlink to the current build script.</para>

      <para>The scripts copy content from Git using the <command>git
      archive</command> command. They then use that content to build the
@@ -297,7 +309,7 @@
      <para>The general form of the build command is:</para>

      <blockquote>
-        <para><command>build</command>xx [ -<replaceable>options</replaceable>
+	      <para><command>build</command>[<replaceable>xx</replaceable>] [ -<replaceable>options</replaceable>
        ] <replaceable>release</replaceable> [ <replaceable>prior
        release</replaceable> ]</para>
      </blockquote>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -2592,7 +2592,7 @@ eth0            External        50mbit:200kb            5.0mbit:100kb:200ms:100m
      <programlisting><emphasis role="bold">ethtool -K eth<emphasis>N</emphasis> tso off gso off</emphasis></programlisting>
    </section>

-    <section>
+    <section id="faq97a">
      <title>(FAQ 97a) I enable Shorewall traffic shaping and now my download
      rate is way below what I specified</title>

--- a/docs/ISO-3661.xml
+++ b/docs/ISO-3661.xml
@@ -57,11 +57,8 @@
 </programlisting>

    <para>Using this feature requires the <firstterm>GeoIP Match</firstterm>
-    capability in your iptables and kernel. As of this writing, that
-    capability requires installing <ulink
-    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink> 1.33
-    or later and <ulink
-    url="http://xtables-addons.sourceforge.net/geoip.php">creating a
+    capability in your iptables and kernel. That capability requires <ulink
+    url="https://dev.maxmind.com/geoip/geoip2/geolite2/">creating a
    country-code database</ulink>.</para>

    <para>The Shorewall compiler uses the geoip country-code database to
@@ -83,11 +80,19 @@
    <para>To accomodate both big-endian and little-endian machines as well as
    any future ability to install the database at another location, Shorewall
    supports a GEOIPDIR option in <ulink
-    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
-    url="manpages/shorewall.conf.html">shorewall6.conf</ulink> (5). The
-    default value of that option is
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and <ulink
+    url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5). The default
+    value of that option is
    <filename>/usr/share/xt_geoip/LE</filename>.</para>

+    <important>
+      <para>Recent versions of the country-code database are installed in
+      <filename>/usr/share/xt_geoip/, regardless of endian convention. This
+      requires modifying the setting of GEOIPDIR in <ulink
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
+      url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</filename></para>
+    </important>
+
    <para>The country codes at the time of this writing are shown in the
    following two sections.</para>
  </section>
--- a/docs/SharedConfig.xml
+++ b/docs/SharedConfig.xml
@@ -2,7 +2,7 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article>
-  <!--mangle$Id$-->
+  <!--$Id$-->

  <articleinfo>
    <title>Shared Shorewall and Shorewall6 Configuration</title>
@@ -20,6 +20,8 @@
    <copyright>
      <year>2017</year>

+      <year>2020</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -37,7 +39,7 @@
  <section>
    <title>Introduction</title>

-    <para>Netfilter separates management of IPv4 and IPv6 configurations. Each
+    <para>Iptables separates management of IPv4 and IPv6 configurations. Each
    address family has its own utility (iptables and ip6tables), and changes
    made to the configuration of one address family do not affect the other.
    While Shorewall also separates the address families in this way, it is
@@ -66,9 +68,39 @@
    provides access to a container running irssi under screen, allowing
    constant access to and monitoring of IRC channels.</para>

+    <para>The firewall's local ethernet interface (eth2) is connected to a
+    Netgear GS108E smart switch with two vlans:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>VLAN 1 (eth2.1) is connected to a wireless access point
+        supporting both IPv4 (172.20.1.0/24) and IPv6
+        (2601:601:a000:16f2::/64).</para>
+      </listitem>
+
+      <listitem>
+        <para>VLAN 2 (eth2.2) is connected to devices located in my office
+        supporting both IPv4 (172.20.1.0/24) and IPv6
+        (2601:601:a000:16f2::/64).</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>The switch's management interface is accessed via eth2
+    (192.168.0.0/24).</para>
+
+    <note>
+      <para>The GS108E does not currently support restricting the management
+      interface to a particular VLAN -- it is accessible from any connected
+      host whose IP configuration allows unrouted access to the switch's IP
+      address.</para>
+    </note>
+
    <para>Here is a diagram of this installation:</para>

-    <graphic fileref="images/Network2017.png"/>
+    <graphic fileref="images/Network2020.png"/>
+
+    <para>The boxes in the diagram represent the six shorewall zones (The
+    firewall and IPSec vpn zone are not shown).</para>
  </section>

  <section>
@@ -76,35 +108,38 @@

    <para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>

-    <programlisting>root@gateway:~# ls -l /etc/shorewall/
-total 92
-rw-r--r-- 1 root root  201 Mar 19  2017 action.Mirrors
-rw-r--r-- 1 root root  109 Oct 20 09:18 actions
-rw-r--r-- 1 root root  654 Oct 13 13:46 conntrack
-rw-r--r-- 1 root root  104 Oct 13 13:21 hosts
-rw-r--r-- 1 root root  867 Jul  1 10:50 interfaces
-rw-r--r-- 1 root root  107 Jun 29 15:14 isusable
-rw-r--r-- 1 root root  240 Oct 13 13:34 macro.FTP
-rw-r--r-- 1 root root  559 Oct 19 12:56 mangle
-rw-r--r-- 1 root root 1290 Jun 29 15:16 mirrors
-rw-r--r-- 1 root root 2687 Oct 15 14:20 params
-rw-r--r-- 1 root root  738 Oct 15 12:16 policy
-rw-r--r-- 1 root root 1838 Oct 11 08:29 providers
+    <programlisting>root@gateway:~# ls -l /etc/shorewall
+total 132
+-rw-r--r-- 1 root root 1152 May 18 10:51 action.NotSyn
+-rw-r--r-- 1 root root  180 Jun 27 09:24 actions
+-rw-r--r-- 1 root root   60 May 31 17:55 action.SSHLIMIT
+-rw-r--r-- 1 root root   82 Oct  5  2018 arprules
+-rw-r--r-- 1 root root  528 May 25 15:39 blrules
+-rw-r--r-- 1 root root 1797 Sep 16  2019 capabilities
+-rw-r--r-- 1 root root  722 Jul  2 13:49 conntrack
+-rw-r--r-- 1 root root  104 Oct 13  2017 hosts
+-rw-r--r-- 1 root root 1119 Jul  4 14:02 interfaces
+-rw-r--r-- 1 root root  107 Jun 29  2017 isusable
+-rw-r--r-- 1 root root  240 Oct 13  2017 macro.FTP
+-rw-r--r-- 1 root root  773 Jul  2 15:04 mangle
+-rw-r--r-- 1 root root 3108 Jul  3 15:51 params
+-rw-r--r-- 1 root root 1108 Jul  3 16:25 policy
+-rw-r--r-- 1 root root 2098 Apr 23 17:19 providers
 -rw-r--r-- 1 root root  398 Mar 18  2017 proxyarp
-rw-r--r-- 1 root root  738 Nov  8 09:34 routes
-rw-r--r-- 1 root root  729 Nov  7 12:52 rtrules
-rw-r--r-- 1 root root 6367 Oct 13 13:21 rules
-rw-r--r-- 1 root root 5520 Oct 19 10:01 shorewall.conf
-rw-r--r-- 1 root root 1090 Oct 25 15:17 snat
-rw-r--r-- 1 root root  181 Jun 29 15:12 started
-rw-r--r-- 1 root root  435 Oct 13 13:21 tunnels
-rw-r--r-- 1 root root  941 Oct 15 11:27 zones
-root@gateway:~# ls -l /etc/shorewall6/
-total 8
-lrwxrwxrwx 1 root root   20 Jul  6 16:35 mirrors -&gt; ../shorewall/mirrors
-lrwxrwxrwx 1 root root   19 Jul  6 12:48 params -&gt; ../shorewall/params
-rw-r--r-- 1 root root 5332 Oct 14 11:53 shorewall6.conf
-root@gateway:~# 
+-rw-r--r-- 1 root root  726 Oct 24  2018 routes
+-rw-r--r-- 1 root root  729 Mar  1 11:08 rtrules
+-rw-r--r-- 1 root root 8589 Jul  4 09:34 rules
+-rw-r--r-- 1 root root 5503 Jun  5 17:29 shorewall.conf
+-rw-r--r-- 1 root root 1090 Jul  2 14:32 snat
+-rw-r--r-- 1 root root  180 Jan 30  2018 started
+-rw-r--r-- 1 root root  468 Apr 25 14:42 stoppedrules
+-rw-r--r-- 1 root root  435 Oct 13  2017 tunnels
+-rw-r--r-- 1 root root  978 Jul  3 12:28 zones
+root@gateway:~# ls -l /etc/shorewall6
+total 12
+-rw-r--r-- 1 root root 1786 Sep 16  2019 capabilities
+lrwxrwxrwx 1 root root   19 Jul  6  2017 params -&gt; ../shorewall/params
+-rw-r--r-- 1 root root 5338 Jun  7 16:40 shorewall6.conf
 </programlisting>

    <para>The various configuration files are described in the sections that
@@ -171,7 +206,7 @@ DEFAULT_PAGER=/usr/bin/less
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
-#  Manpage also online at https://shorewall.org/manpages/shorewall.conf.html
+#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -197,14 +232,15 @@ INVALID_LOG_LEVEL=
 LOG_BACKEND=netlink
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=1
+LOG_ZONE=Src
 LOGALLNEW=
 LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
-LOGFORMAT=": %s %s"
+LOGFORMAT="%s %s"
 LOGTAGONLY=Yes
 LOGLIMIT="s:5/min"
 MACLIST_LOG_LEVEL="$LOG_LEVEL"
-RELATED_LOG_LEVEL="$LOG_LEVEL:,related"
-RPFILTER_LOG_LEVEL="$LOG_LEVEL:,rpfilter"
+RELATED_LOG_LEVEL="$LOG_LEVEL:"
+RPFILTER_LOG_LEVEL="$LOG_LEVEL:"
 SFILTER_LOG_LEVEL="$LOG_LEVEL"
 SMURF_LOG_LEVEL="$LOG_LEVEL"
 STARTUP_LOG=/var/log/shorewall-init.log
@@ -246,7 +282,7 @@ RSH_COMMAND='ssh ${root}@${system} ${command}'
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 ACCOUNTING=Yes
-ACCOUNTING_TABLE=mangle
+ACCOUNTING_TABLE=filter
 ADD_IP_ALIASES=No
 ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
@@ -256,7 +292,7 @@ AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
-CLAMPMSS=Yes
+CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=No
 DEFER_DNS_RESOLUTION=No
@@ -265,23 +301,20 @@ DETECT_DNAT_IPADDRS=No
 DISABLE_IPV6=No
 DOCKER=No
 DONT_LOAD="nf_nat_sip,nf_conntrack_sip,nf_conntrack_h323,nf_nat_h323"
-DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
-EXPAND_POLICIES=Yes
+DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200,log,noupdate"
+EXPAND_POLICIES=No
 EXPORTMODULES=Yes
 FASTACCEPT=Yes
 FORWARD_CLEAR_MARK=No
 HELPERS="ftp,irc"
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
-INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Yes
 KEEP_RT_TABLES=Yes
-LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=60
 MANGLE_ENABLED=Yes
-MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MINIUPNPD=No
 MULTICAST=No
@@ -291,6 +324,7 @@ OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
 PERL_HASH_SEED=12345
 REJECT_ACTION=
+RENAME_COMBINED=No
 REQUIRE_INTERFACE=No
 RESTART=restart
 RESTORE_DEFAULT_ROUTE=No
@@ -332,8 +366,7 @@ TC_BITS=8
 PROVIDER_BITS=2
 PROVIDER_OFFSET=16
 MASK_BITS=8
-ZONE_BITS=0
-</programlisting>
+ZONE_BITS=0</programlisting>
      </section>

      <section>
@@ -348,7 +381,7 @@ ZONE_BITS=0
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
 #  Manpage also online at
-#  https://shorewall.org/manpages/shorewall.conf.html
+#  http://www.shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -373,13 +406,14 @@ BLACKLIST_LOG_LEVEL="none"
 INVALID_LOG_LEVEL=
 LOG_BACKEND=netlink
 LOG_VERBOSITY=2
+LOG_ZONE=Src
 LOGALLNEW=
 LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
-LOGFORMAT="%s %s "
+LOGFORMAT="%s %s"
 LOGLIMIT="s:5/min"
 LOGTAGONLY=Yes
 MACLIST_LOG_LEVEL="$LOG_LEVEL"
-RELATED_LOG_LEVEL=
+RELATED_LOG_LEVEL="$LOG_LEVEL"
 RPFILTER_LOG_LEVEL="$LOG_LEVEL"
 SFILTER_LOG_LEVEL="$LOG_LEVEL"
 SMURF_LOG_LEVEL="$LOG_LEVEL"
@@ -407,7 +441,7 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),NotSyn(DROP):$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -435,19 +469,17 @@ COMPLETE=No
 DEFER_DNS_RESOLUTION=Yes
 DELETE_THEN_ADD=No
 DONT_LOAD=
-DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
-EXPAND_POLICIES=Yes
+DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200,log,noupdate"
+EXPAND_POLICIES=No
 EXPORTMODULES=Yes
 FASTACCEPT=Yes
 FORWARD_CLEAR_MARK=No
 HELPERS=ftp
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
-INLINE_MATCHES=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Keep
 KEEP_RT_TABLES=Yes
-LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
@@ -458,6 +490,7 @@ OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
 PERL_HASH_SEED=0
 REJECT_ACTION=
+RENAME_COMBINED=No
 REQUIRE_INTERFACE=No
 RESTART=restart
 RESTORE_DEFAULT_ROUTE=No
@@ -470,7 +503,7 @@ TRACK_PROVIDERS=Yes
 TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=Yes
-USE_PHYSICAL_NAMES=No
+USE_PHYSICAL_NAMES=Yes
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=No
 WARNOLDCAPVERSION=Yes
@@ -515,9 +548,7 @@ ZONE_BITS=0

      <para>The contents of /etc/shorewall/params is as follows:</para>

-      <programlisting>INCLUDE mirrors #Sets the MIRRORS variable for the Mirrors action
-
-#
+      <programlisting>#
 # Set compile-time variables depending on the address family
 #
 if [ $g_family = 4 ]; then
@@ -526,24 +557,29 @@ if [ $g_family = 4 ]; then
    #
    FALLBACK=Yes           # Make FAST_IF the primary and PROD_IF the fallback interface
 			   # See /etc/shorewall/providers
-    STATISTICAL=No	   # Don't use statistical load balancing
+    STATISTICAL=	   # Use statistical load balancing
    LISTS=70.90.191.124	   # IP address of lists.shorewall.net (MX)
    MAIL=70.90.191.122	   # IP address of mail.shorewall.net  (IMAPS)
-    SERVER=70.90.191.125   # IP address of shorewall.org
-    PROXY=		   # Use TPROXY for local web access
+    SERVER=70.90.191.125   # IP address of www.shorewall.org
+    IRSSIEXT=10.2.10.2 	   # External address of irssi.shorewall.net
+    IRSSIINT=172.20.2.44   # Internal IP address of irssi.shorewall.net
+    PROXY=Yes		   # Use TPROXY for local web access
    ALL=0.0.0.0/0	   # Entire address space
    LOC_ADDR=172.20.1.253  # IP address of the local LAN interface
    FAST_GATEWAY=10.2.10.1 # Default gateway through the IF_FAST interface
    FAST_MARK=0x20000	   # Multi-ISP mark setting for IF_FAST
    IPSECMSS=1460
+    DBL_SET=SW_DBL4
    #
    # Interface Options
    #
-    LOC_OPTIONS=dhcp,ignore=1,wait=5,routefilter,routeback,tcpflags=0,nodbl,physical=eth2
-    FAST_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,upnp,nosmurfs,physical=eth0
-    PROD_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,upnp,nosmurfs,physical=eth1
-    DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,dhcp,nodbl,physical=br0
+    LOC_OPTIONS=dhcp,ignore=1,wait=5,routefilter,tcpflags=0,nodbl,physical=eth2.2
+    WLAN_OPTIONS=dhcp,ignore=1,wait=5,routefilter,tcpflags=0,nodbl,physical=eth2.1
+    FAST_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,nosmurfs,rpfilter,physical=eth0
+    PROD_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,nosmurfs,rpfilter,physical=eth1
+    DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,nodbl,physical=br0
    IRC_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=172.20.2.0/24,dhcp,nodbl,physical=br1
+    SWCH_OPTIONS=dhcp,tcpflags=0,nodbl,physical=eth2
 else
    #
    # IPv6 compilation
@@ -553,21 +589,24 @@ else
    STATISTICAL=No			      # Don't use statistical load balancing
    LISTS=[2001:470:b:227::42]		      # IP address of lists.shorewall.net (MX and HTTPS)
    MAIL=[2001:470:b:227::45]		      # IP address of mail.shorewall.net  (IMAPS and HTTPS)
-    SERVER=[2001:470:b:227::43]		      # IP address of shorewall.org   (HTTP, FTP and RSYNC)
-    PROXY=3				      # Use TPROXY for local web access
+    SERVER=[2001:470:b:227::43]		      # IP address of server.shorewall.net(FTP)
+    IRSSI=[2601:601:a000:16f1::]/64	      # IP address of irssi.shorewall.net
+    PROXY=Yes				      # Use TPROXY for local web access
    ALL=[::]/0				      # Entire address space
    LOC_ADDR=[2601:601:a000:16f0::1]	      # IP address of the local LAN interface
-    FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf    # Default gateway through the IF_FAST interface
+    FAST_GATEWAY=2601:601:a000:1600:22e5:2aff:feb7:f2cf
    FAST_MARK=0x100			      # Multi-ISP mark setting for IF_FAST
    IPSECMSS=1440
+    DBL_SET=SW_DBL6
    #
    # Interface Options
    #
-    PROD_OPTIONS=forward=1,optional,physical=sit1
-    FAST_OPTIONS=forward=1,optional,dhcp,upnp,physical=eth0
-    LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2
+    PROD_OPTIONS=forward=1,optional,rpfilter,routeback,physical=sit1
+    FAST_OPTIONS=forward=1,optional,dhcp,rpfilter,physical=eth0
+    LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2.2
    DMZ_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br0
    IRC_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br1
+    WLAN_OPTIONS=forward=1,nodbl,routeback,physical=eth2.1
 fi</programlisting>
    </section>

@@ -576,8 +615,7 @@ fi</programlisting>

      <para>Here is the /etc/shorewall/zones file:</para>

-      <programlisting>###############################################################################
-#ZONE	TYPE	OPTIONS			IN			OUT
+      <programlisting>#ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

 #
@@ -590,7 +628,10 @@ loc	{ TYPE=ip }
 dmz	{ TYPE=ip }
 apps	{ TYPE=ip }
 vpn	{ TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS }
-</programlisting>
+wlan    { TYPE=ip }
+?if __IPV4
+swch	{ TYPE=local }
+?endif</programlisting>
    </section>

    <section>
@@ -599,7 +640,11 @@ vpn	{ TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS }
      <para>/etc/shorewall/interfaces makes heavy use of variables set in
      /etc/shorewall/params:</para>

-      <programlisting>#
+      <programlisting>?FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+
+#
 # The two address families use different production interfaces and different 
 #
 # LOC_IF is the local LAN for both families
@@ -609,13 +654,18 @@ vpn	{ TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS }
 #     For IPv6, it is sit1 (Hurricane Electric 6in4 link)
 # DMZ_IF is a bridge to the production containers
 # IRC_IF is a bridge to a container that currently runs irssi under screen
+# WLAN_IF is a vlan interface that connects to the wireless networks
+# SWCH_IF is the vlan trunk interface used for switch management

 loc  { INTERFACE=LOC_IF,  OPTIONS=$LOC_OPTIONS }
+wlan { INTERFACE=WLAN_IF, OPTIONS=$WLAN_OPTIONS }
 net  { INTERFACE=FAST_IF, OPTIONS=$FAST_OPTIONS }
 net  { INTERFACE=PROD_IF, OPTIONS=$PROD_OPTIONS }
 dmz  { INTERFACE=DMZ_IF,  OPTIONS=$DMZ_OPTIONS }
 apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }
-</programlisting>
+?if __IPV4
+swch { INTERFACE=SWCH_IF, OPTIONS=$SWCH_OPTIONS }
+?endif</programlisting>
    </section>

    <section>
@@ -623,11 +673,10 @@ apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }

      <para>/etc/shorewall/hosts is used to define the vpn zone:</para>

-      <programlisting>#ZONE		HOSTS				OPTIONS
+      <programlisting>##ZONE		HOSTS				OPTIONS
 vpn { HOSTS=PROD_IF:$ALL }
 vpn { HOSTS=FAST_IF:$ALL }
-vpn { HOSTS=LOC_IF:$ALL }
-</programlisting>
+vpn { HOSTS=LOC_IF:$ALL }</programlisting>
    </section>

    <section>
@@ -635,23 +684,31 @@ vpn { HOSTS=LOC_IF:$ALL }

      <para>The same set of policies apply to both address families:</para>

-      <programlisting>#SOURCE	       DEST		 POLICY									  LOGLEVEL	      RATE
+      <programlisting>SOURCE	       DEST		 POLICY									  LOGLEVEL	      RATE

 $FW	      { DEST=dmz,net,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
-$FW	     { DEST=all,	 POLICY=ACCEPT }

-loc	     { DEST=net,	 POLICY=ACCEPT }
+?if __IPV4
+$FW	      { DEST=all,	 POLICY=ACCEPT:Broadcast(ACCEPT),Multicast(ACCEPT),			  LOGLEVEL=$LOG_LEVEL }
+?else
+$FW	      { DEST=all,	 POLICY=ACCEPT:AllowICMPs,Broadcast(ACCEPT),Multicast(ACCEPT)		  LOGLEVEL=$LOG_LEVEL }
+?endif
+
+loc,apps,wlan { DEST=net,	 POLICY=ACCEPT }
 loc,vpn,apps  { DEST=loc,vpn,apps POLICY=ACCEPT }
 loc	      { DEST=fw,		 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }

+?if __IPV4
 net	      { DEST=net,	 POLICY=NONE }
+?else
+net	      { DEST=net,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
+?endif
 net	      { DEST=fw,	 POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
 net	      { DEST=all,	 POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL,				  LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }

 dmz	      { DEST=fw, 	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
-
-all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
-</programlisting>
+dmz	      { DEST=dmz, 	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
+all	      { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }</programlisting>
    </section>

    <section>
@@ -676,7 +733,9 @@ all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
        </listitem>
      </orderedlist>

-      <programlisting>#
+      <programlisting>#NAME		NUMBER   MARK    DUPLICATE  INTERFACE	GATEWAY         OPTIONS               COPY
+
+#
 # This could be cleaned up a bit, but I'm leaving it as is for now
 #
 #   - The two address families use different fw mark geometry
@@ -687,7 +746,9 @@ all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 ?if $FALLBACK
    # FAST_IF is primary, PROD_IF is fallback
    #
+    ?if $VERBOSITY &gt; 0
        ?info Compiling with FALLBACK
+    ?endif
    IPv6Beta	    { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,primary,persistent,noautosrc }
    ?if __IPV4
 	ComcastB    { NUMBER=4, MARK=0x10000,	 INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,fallback,persistent }
@@ -696,25 +757,29 @@ all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
    ?endif
 ?elsif $STATISTICAL
    # Statistically balance traffic between FAST_IF and PROD_IF
+    ?if $VERBOSITY &gt; 0
        ?info Compiling with STATISTICAL
+    ?endif
    ?if __IPV4
-    	IPv6Beta    { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary }
+    	IPv6Beta    { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary,persistent }
+	ComcastB    { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,load=0.33333333,fallback,persistent }
    ?else
 	HE	    { NUMBER=2, MARK=0x200,   INTERFACE=PROD_IF,                        OPTIONS=track,load=0.33333333,persistent }
    ?endif
 ?else
-    ?INFO Compiling with BALANCE
-    IPv6Beta	 { NUMBER=1, MARK=0x100,   INTERFACE=eth0,    GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
+    ?if $VERBOSITY &gt; 0
+        ?info Compiling with BALANCE
+    ?endif
+    IPv6Beta	 { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
    ?if __IPV4
-	ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=IPV4_IF, GATEWAY=10.1.10.1,     OPTIONS=nohostroute,loose,balance,persistent }
+	ComcastB { NUMBER=4, MARK=0x10000,    INTERFACE=PROD_IF, GATEWAY=10.1.10.1,     OPTIONS=nohostroute,loose,balance,persistent }
    ?else
        ?warning No BALANCE IPv6 configuration
 	HE	 { NUMBER=2, MARK=0x200,   INTERFACE=PROD_IF,			     OPTIONS=fallback,persistent }
    ?endif    
 ?endif

-Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
-</programlisting>
+Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }</programlisting>
    </section>

    <section>
@@ -754,28 +819,23 @@ Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
    # not effective in routing the 'ping' request packets out of FAST_IF.
    # The following route solves that problem.
    #
-    { PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=fe80::22e5:2aff:feb7:f2cf, DEVICE=FAST_IF, OPTIONS=persistent }
+    { PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=$FAST_GATEWAY, DEVICE=FAST_IF, OPTIONS=persistent }
 ?endif</programlisting>
    </section>

    <section>
      <title>actions</title>

-      <para>/etc/shorewall/actions defines one action:</para>
+      <para>/etc/shorewall/actions defines a single action:</para>

-      <programlisting>#ACTION                         COMMENT
-Mirrors	   	                # Accept traffic from Shorewall Mirrors
-</programlisting>
+      <programlisting>#ACTION      OPTIONS            COMMENT
+SSHLIMIT     proto=tcp,\	# Blacklist overzealous SSHers
+	     dport=ssh</programlisting>

-      <para>/etc/shorewall/action.Mirrors:</para>
+      <para>/etc/shorewall/action.SSHLIMIT:</para>

-      <programlisting>#TARGET SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE
-#                       	        	PORT    PORT(S)    DEST		LIMIT
-?COMMENT Accept traffic from Mirrors
-?FORMAT  2
-DEFAULTS -
-$1	$MIRRORS
-</programlisting>
+      <programlisting>ACCEPT { RATE=s:3/min:3 }
+BLACKLIST:$LOG_LEVEL:net_SSHLIMIT</programlisting>
    </section>

    <section>
@@ -798,7 +858,9 @@ PARAM	-	-	tcp	21
      <para>In addition to invoking the FTP helper on TCP port 21, this file
      notracks some IPv4 traffic:</para>

-      <programlisting>#ACTION			SOURCE		DEST		PROTO	DPORT		SPORT	USER	SWITCH
+      <programlisting>?FORMAT 3
+######################################################################################################
+#ACTION			SOURCE		DEST		PROTO	DPORT		SPORT	USER	SWITCH

 CT:helper:ftp:P	 { PROTO=tcp, DPORT=21 }
 CT:helper:ftp:O  { PROTO=tcp, DPORT=21 }
@@ -810,10 +872,10 @@ CT:helper:ftp:O { PROTO=tcp, DPORT=21 }
    NOTRACK:P       { SOURCE=LOC_IF, DEST=172.20.1.255,   PROTO=udp }
    NOTRACK:P       { DEST=255.255.255.255, 	          PROTO=udp }
    NOTRACK:O       { DEST=255.255.255.255, 	          PROTO=udp }
-    NOTRACK:O       { DEST=172.20.1.255,    	          PROTO=udp }
-    NOTRACK:O       { DEST=70.90.191.127,                 PROTO=udp }
-?endif
-</programlisting>
+    NOTRACK:O       { DEST=LOC_IF:172.20.0.255,    	  PROTO=udp }
+    NOTRACK:O       { DEST=LOC_IF:172.20.1.255,    	  PROTO=udp }
+    NOTRACK:O       { DEST=PROD_IF:70.90.191.127,         PROTO=udp }
+?endif</programlisting>
    </section>

    <section>
@@ -822,12 +884,13 @@ CT:helper:ftp:O { PROTO=tcp, DPORT=21 }
      <para>/etc/shorewall/rules has only a couple of rules that are
      conditional based on address family:</para>

-      <programlisting>#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+      <programlisting>##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER

 ?SECTION ALL

-Ping(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 }
-Trcrt(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 }
+Ping(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping(1024,65536):2/sec:10 }
+Trcrt(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping(1024,65536):2/sec:10 }

 ?SECTION ESTABLISHED

@@ -841,12 +904,13 @@ ACCEPT		{ SOURCE=loc, DEST=$FW,		PROTO=tcp,  helper=ftp }
 ACCEPT		{ SOURCE=all, DEST=all,		PROTO=icmp }
 RST(ACCEPT)	{ SOURCE=all, DEST=all }
 ACCEPT		{ SOURCE=dmz, DEST=dmz }
+ACCEPT		{ SOURCE=$FW, DEST=$FW }

 ?SECTION INVALID

 RST(ACCEPT)	{ SOURCE=all, DEST=all }
+FIN(ACCEPT)	{ SOURCE=all, DEST=all }
 DROP		{ SOURCE=net, DEST=all }
-FIN		{ SOURCE=all, DEST=all }

 ?SECTION UNTRACKED

@@ -863,17 +927,26 @@ CONTINUE	  { SOURCE=$FW, DEST=all }
 # Stop certain outgoing traffic to the net
 #
 REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=tcp, DPORT=25 }		#Stop direct loc-&gt;net SMTP (Comcast uses submission).
-REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 }	#MS Messaging
+#REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 }	#MS Messaging

-REJECT		{ SOURCE=all, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" }
-REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" }
+REJECT		{ SOURCE=all!dmz,apps, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" }
+REJECT		{ SOURCE=all!dmz,apps, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" }

 REJECT		{ SOURCE=all, DEST=net, PROTO=tcp, DPORT=3333, comment="Disallow port 3333" }

 REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" }

+?if __IPV6
+DROP		{ SOURCE=net:PROD_IF, DEST=net:PROD_IF }
+?endif
+
 ?COMMENT

+######################################################################################################
+# SACK
+#
+DROP:$LOG_LEVEL	 { SOURCE=net, DEST=all } ;;+ -p tcp -m tcpmss --mss 1:535
+
 ######################################################################################################
 # 6in4
 #
@@ -884,22 +957,36 @@ REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" }
 ######################################################################################################
 # Ping
 #
-Ping(ACCEPT)	  { SOURCE=$FW,loc,dmz,vpn, DEST=$FW,loc,dmz,vpn }
-Ping(ACCEPT)	  { SOURCE=all,              DEST=net }
+Ping(ACCEPT)	  { SOURCE=all!net, DEST=all }
+Ping(ACCEPT)	  { SOURCE=dmz, DEST=dmz }
+?if __IPV4
+Ping(ACCEPT)	  { source=$FW, DEST=swch }
+?endif
+######################################################################################################
+# Logging
+#
+Syslog(ACCEPT)	  { SOURCE=dmz, DEST=$FW }
 ######################################################################################################
 # SSH
 #
-AutoBL(SSH,60,-,-,-,-,$LOG_LEVEL)\
-		  { SOURCE=net,              DEST=all,         PROTO=tcp, DPORT=22 }
-SSH(ACCEPT)	  { SOURCE=all, DEST=all }
+SSH(DROP)	  { SOURCE=net, DEST=dmz:$SERVER }
+SSHLIMIT	  { SOURCE=net, DEST=all }
 ?if __IPV4
+SSH(ACCEPT)	  { SOURCE=all+!swch, DEST=all+ }
 SSH(DNAT-)	  { SOURCE=net,              DEST=172.20.2.44, PROTO=tcp, DPORT=ssh, ORIGDEST=70.90.191.123 }
+?else
+SSH(ACCEPT)	  { SOURCE=all+, DEST=all+ }
 ?endif
 ######################################################################################################
 # DNS
 #
-DNS(ACCEPT)	  { SOURCE=loc,dmz,vpn,apps, DEST=$FW }
+DNS(ACCEPT)	  { SOURCE=loc,dmz,vpn,apps,wlan, DEST=$FW }
 DNS(ACCEPT)	  { SOURCE=$FW,  DEST=net }
+?if $TEST
+DNS(REDIRECT)	  loc		53	 -	53	-	!&amp;LOC_IF
+DNS(REDIRECT)	  fw		53	 -	53	-	!::1
+?endif
+DropDNSrep        { SOURCE=net, DEST=all }
 ######################################################################################################
 # Traceroute
 #
@@ -910,35 +997,37 @@ Trcrt(ACCEPT)	  { SOURCE=net, DEST=$FW,dmz }
 #
 SMTP(ACCEPT)	   { SOURCE=net,$FW, DEST=dmz:$LISTS }
 SMTP(ACCEPT)	   { SOURCE=dmz:$LISTS, DEST=net:PROD_IF }
+SMTP(ACCEPT)	   { SOURCE=dmz, DEST=dmz:$LISTS }
 SMTP(REJECT)	   { SOURCE=dmz:$LISTS, DEST=net }
 IMAPS(ACCEPT)  	   { SOURCE=all, DEST=dmz:$MAIL }
 Submission(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS }
 SMTPS(ACCEPT) 	   { SOURCE=all, DEST=dmz:$LISTS }
-IMAP(ACCEPT)	   { SOURCE=loc,vpn, DEST=net }
+IMAP(REJECT)	   { SOURCE=net, DEST=all }
 ######################################################################################################
 # NTP
 #
 NTP(ACCEPT)	   { SOURCE=all, DEST=net }
-NTP(ACCEPT)	   { SOURCE=loc,vpn,dmz,apps DEST=$FW }
 ######################################################################################################
 # Squid
-ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 } 
+ACCEPT { SOURCE=loc,vpn,wlan, DEST=$FW, PROTO=tcp, DPORT=3128 } 
 ######################################################################################################
 # HTTP/HTTPS
 #
-Web(ACCEPT)	   { SOURCE=loc,vpn DEST=$FW }
+Web(ACCEPT)	   { SOURCE=loc,vpn,wlan DEST=$FW }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=proxy }
 Web(DROP)	   { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist web crawlers" }
-HTTP(ACCEPT)	   { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
-HTTPS(ACCEPT)	   { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$LISTS,$MAIL }
-Web(ACCEPT)	   { SOURCE=dmz,apps DEST=net,$FW }
+HTTP(ACCEPT)	   { SOURCE=net,loc,vpn,wlan,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
+HTTPS(ACCEPT)	   { SOURCE=net,loc,vpn,wlan,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
+Web(ACCEPT)	   { SOURCE=dmz,apps,loc,wlan, DEST=net,$FW }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=root }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=teastep }
+?if __IPV4
+Web(ACCEPT)	   { SOURCE=$FW, DEST=swch, USER=teastep }
+?endif
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=_apt }
 ######################################################################################################
 # FTP
 #
-FTP(ACCEPT)	   { SOURCE=loc,vpn,apps DEST=net }
 FTP(ACCEPT)	   { SOURCE=dmz,               DEST=net }
 FTP(ACCEPT)	   { SOURCE=$FW,               DEST=net, USER=root }
 FTP(ACCEPT)	   { SOURCE=all,               DEST=dmz:$SERVER }
@@ -952,23 +1041,52 @@ FTP(ACCEPT)	   { SOURCE=all,          DEST=dmz:$SERVER }
 #
 ACCEPT:$LOG_LEVEL  { SOURCE=dmz, DEST=net, PROTO=tcp, DPORT=1024:, SPORT=20 }
 ######################################################################################################
+# Git
+#
+Git(ACCEPT)        { source=all, DEST=dmz:$SERVER }
+######################################################################################################
 # whois
 #
 Whois(ACCEPT)	   { SOURCE=all, DEST=net }
 ######################################################################################################
 # SMB
 #
-SMBBI(ACCEPT)	    { SOURCE=loc, DEST=$FW }
+SMBBI(ACCEPT)	    { SOURCE=loc,wlan, DEST=$FW }
 SMBBI(ACCEPT)	    { SOURCE=vpn,      DEST=$FW }
 ######################################################################################################
 # IRC
 #
-IRC(ACCEPT)	    { SOURCE=loc,apps, DEST=net }
+SetEvent(IRC)	                      { SOURCE=loc,apps,wlan, DEST=net, PROTO=tcp, DPORT=6667 }
+IfEvent(IRC,ACCEPT,10,1,dst,reset)    { SOURCE=net, DEST=loc,apps,wlan, PROTO=tcp, DPORT=113 }
 ######################################################################################################
-# Rsync
+# AUTH
+Auth(REJECT)	{ SOURCE=net, DEST=all }
+######################################################################################################
+# IPSEC
 #
-Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
-</programlisting>
+?if __IPV4
+DNAT		{ SOURCE=loc,net,wlan, DEST=apps:172.20.2.44, PROTO=udp, DPORT=500,4500, ORIGDEST=70.90.191.123 }
+?else
+ACCEPT		{ SOURCE=loc,net,wlan, DEST=apps, PROTO=udp, DPORT=500,4500 }
+ACCEPT		{ SOURCE=loc,net,wlan, DEST=apps, PROTO=esp }
+?endif
+ACCEPT		{ SOURCE=$FW,     DEST=net,  PROTO=udp, SPORT=4500 }
+######################################################################################################
+# VNC
+ACCEPT		{ SOURCE=loc,	  DEST=$FW,	  PROTO=tcp,		DPORT=5900 }
+######################################################################################################
+# FIN &amp; RST
+RST(ACCEPT)	{ SOURCE=all, DEST=all }
+FIN(ACCEPT)	{ SOURCE=all, DEST=all }
+######################################################################################################
+# Multicast
+?if __IPV4
+Multicast(ACCEPT) { SOURCE=all, DEST=$FW }
+?endif
+######################################################################################################
+?if __IPV4
+ACCEPT		{ SOURCE=fw, DEST=all, PROTO=icmp, DPORT=host-unreachable }
+?endif</programlisting>
    </section>

    <section>
@@ -979,6 +1097,10 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }

      <programlisting>#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP

+?if $VERSION &gt;= 50109
+TCPMSS(pmtu,none) { PROTO=tcp }
+?endif
+
 ?if __IPV4
    #
    # I've had a checksum issue with certain IPv4 UDP packets
@@ -994,8 +1116,11 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
    DIVERT:R { PROTO=tcp, SPORT=80 }
    DIVERT:R { PROTO=tcp, DPORT=80 }
    TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF,  PROTO=tcp, DPORT=80 }
-?endif
-</programlisting>
+    TPROXY(3129,$LOC_ADDR) { SOURCE=WLAN_IF, PROTO=tcp, DPORT=80 }
+#    DIVERT:R { PROTO=tcp, SPORT=443 }
+#    DIVERT:R { PROTO=tcp, DPORT=443 }
+#    TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF, PROTO=tcp, DPORT=443 }
+?endif</programlisting>
    </section>

    <section>
@@ -1006,16 +1131,15 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
      <programlisting>#ACTION         SOURCE			DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY

 ?if __IPV4
-    MASQUERADE		{ SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_IF }
+    MASQUERADE			{ SOURCE=172.20.0.0/22,               DEST=FAST_IF }
    MASQUERADE			{ SOURCE=70.90.191.120/29, 	      DEST=FAST_IF }
    SNAT(70.90.191.121) 	{ SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,  PROBABILITY=0.50, COMMENT="Masquerade Local Network" }
    SNAT(70.90.191.123) 	{ SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,                    COMMENT="Masquerade Local Network" }
-    SNAT(172.20.1.253)  { SOURCE=172.20.3.0/24,	 	      DEST=LOC_IF:172.20.1.100 }
+    SNAT(172.20.1.253)  	{ SOURCE=!172.20.1.0/24, 	      DEST=LOC_IF:172.20.1.100 }
 ?else
-    SNAT(&amp;PROD_IF)	{ SOURCE=2601:601:8b00:bf0::/60,                DEST=PROD_IF }
+    SNAT(&amp;PROD_IF)		{ SOURCE=2601:601:a000:16f0::/60,               DEST=PROD_IF }
    SNAT(&amp;FAST_IF)		{ SOURCE=2001:470:b:227::/64,2001:470:a:227::2,	DEST=FAST_IF }
-?endif
-</programlisting>
+?endif</programlisting>
    </section>

    <section>
@@ -1026,14 +1150,12 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
      <programlisting>#TYPE			ZONE		GATEWAY			GATEWAY_ZONE
 ipsecnat {ZONE=net,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }
 ipsecnat {ZONE=loc,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }
-</programlisting>
+ipsecnat {ZONE=wlan, GATEWAY=$ALL, GATEWAY_ZONE=vpn }</programlisting>
    </section>

    <section>
      <title>proxyarp</title>

-      <para>This file is only used in the IPv4 configuration:</para>
-
      <programlisting>#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE	PERSISTENT

 70.90.191.122 { INTERFACE=br0, EXTERNAL=eth1, HAVEROUTE=yes, PERSISTENT=no }
@@ -1066,6 +1188,17 @@ return $status
    qt $IP -4 route replace 70.90.191.124 dev br0
    qt $IP -4 route replace 70.90.191.125 dev br0
 fi
+</programlisting>
+    </section>
+
+    <section>
+      <title>stoppedrules</title>
+
+      <para>/etc/shorewall/stoppedrules allow SSH connections into the
+      firewall system when Shorewall[6] is in the stopped state.</para>
+
+      <programlisting>#ACTION		SOURCE			DEST		PROTO	DPORT	SPORT
+ACCEPT		-			$FW		tcp	22
 </programlisting>
    </section>
  </section>
--- a/docs/Shorewall-Lite.xml
+++ b/docs/Shorewall-Lite.xml
@@ -547,6 +547,18 @@
            <command>remote-reload</command> command (e.g., <command>shorewall
            remote-reload -c gateway</command>).</para>
          </listitem>
+
+          <listitem>
+            <para>Shorewall6-lite works with Shorewall6 in the same way that
+            Shorewall-lite works with Shorewall. Beginning with Shorewall
+            5.0.0, running 'shorewall &lt;cmd&gt;" is the same as running
+            "shorewall-lite &lt;cmd&gt;" when Shorewall is not installed.. To
+            continue to use the "shorewall6" command after switching to
+            Shoerwall6-lite, you need to add this to your .profile (or to
+            .bashrc if root's shell is bash):</para>
+
+            <programlisting>    alias shorewall6=shorewall6-lite</programlisting>
+          </listitem>
        </orderedlist>
      </section>
    </section>
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -250,14 +250,36 @@ DROP            net:200.55.14.18        all
          </important>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>log</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.5. When specified, successful
+          'blacklist' and 'allow' commands will log a message to the system
+          log.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>noupdate</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.5. Normally, once an address has been
+          blacklisted, each time that a packet is received from the packet,
+          the ipset's entry for the address is updated to reset the timeout to
+          the value specifyed in the <option>timeout</option> option above.
+          Setting the <option>noupdate</option> option, inhibits this
+          resetting of the entry's timeout. This option is ignored when the
+          <option>timeout</option> option is not specified.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>

    <para>When ipset-based dynamic blacklisting is enabled, the contents of
    the blacklist will be preserved over
    <command>stop</command>/<command>reboot</command>/<command>start</command>
-    sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
-    <replaceable>setname</replaceable> is included in the list of sets to be
-    saved in SAVE_IPSETS.</para>
+    sequences.</para>
  </section>

  <section>
@@ -275,4 +297,69 @@ DROP            net:200.55.14.18        all
    <command>shorewall show action BLACKLIST</command> command for
    details.</para>
  </section>
+
+  <section id="fail2ban">
+    <title>BLACKLIST and Fail2ban</title>
+
+    <para>The BLACKLIST command can be used as 'blocktype' in
+    /etc/fail2ban/actions.d/shorewall.conf. Prior to Shorewall 5.2.5, this
+    works best if there is no <emphasis role="bold">timeout</emphasis>
+    specified in the DYNAMIC_BLACKLIST setting or if <emphasis
+    role="bold">timeout=0</emphasis> is given.</para>
+
+    <para>Beginning with Shorewall 5.2.5, Shorewall includes new features that
+    allow fail2ban to work most seamlessly with Shorewall's ipset-based
+    dynamic blacklisting:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>When a <emphasis role="bold">timeout</emphasis> is specified in
+        the DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset is
+        created with default timeout 0. As entries are added by BLACKLIST
+        policies or by the <emphasis role="bold">blacklist</emphasis> command,
+        the created entry is given the specified timeout value.</para>
+      </listitem>
+
+      <listitem>
+        <para>The <emphasis role="bold">noupdate</emphasis> option has been
+        added. Specifying this option prevents 'timeout 0' ipset entries from
+        being changed to finite timeout entries as a result of blacklisted ip
+        addresses continuing to send packets to the firewall.</para>
+      </listitem>
+
+      <listitem>
+        <para>The <emphasis role="bold">blacklist!</emphasis> command has been
+        added. specifying that command as the fail2ban 'blocktype' causes
+        entries created by fail2ban to persist until fail2ban unbans them
+        using the Shorewall <emphasis role="bold">allow</emphasis>
+        comand.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>There are a couple of additional things to note:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>The documentation in /etc/fail2ban/action.d/shorewall.conf
+        states that you should set BLACKLIST=All. A better approach when using
+        BLACKLIST as the 'blocktype' is to specify the <emphasis
+        role="bold">disconnect</emphasis> option in the setting of
+        DYNAMIC_BLACKLIST. With BLACKLIST=All, every packet entering the
+        firewall from the net must be checked against the dynamic-blacklisting
+        ipset. That is not required when you specify <emphasis
+        role="bold">disconnect</emphasis>.</para>
+      </listitem>
+
+      <listitem>
+        <para>The <emphasis role="bold">noupdate</emphasis> option allows
+        fail2ban full control when a host is 'unbanned'. The cost of using
+        this option is that after the specified <emphasis
+        role="bold">timeout</emphasis>, the entry for an attacking host will
+        be removed from the dynamic-blacklisting ipset, even if the host has
+        continued the attack while blacklisted. This isn't a great concern, as
+        the first attempt to access an unauthorized service will result in the
+        host being re-blacklisted.</para>
+      </listitem>
+    </itemizedlist>
+  </section>
 </article>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -663,7 +663,7 @@ ACCEPT      net:\
          <row>
            <entry>mangle</entry>

-            <entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
+            <entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers,probability,dscp,switch</entry>
          </row>

          <row>
@@ -738,6 +738,14 @@ ACCEPT      net:\
            <entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
          </row>

+          <row>
+            <entry>snat</entry>
+
+            <entry>action,source,dest,proto,port,sport,ipsec,mark,user,switch,origdest,probability
+            (Note: 'port' may be specified as 'dport', beginning with
+            Shorewall 5.2.6).</entry>
+          </row>
+
          <row>
            <entry>tcclasses</entry>

@@ -1867,6 +1875,9 @@ SSH(ACCEPT)    net:$MYIP      $FW
      </listitem>
    </itemizedlist>

+    <para>They may also be used as the parameter to SNAT() in <ulink
+    url="manpages/shorewall-snat.html">shorewall-snat</ulink>(5).</para>
+
    <para>For optional interfaces, if the interface is not usable at the time
    that the firewall starts, one of two approaches are taken, depending on
    the context:</para>
--- a/docs/docs-targetname
+++ b/docs/docs-targetname
@@ -1 +1 @@
-5.2.4.1
+5.2.8-RC1
--- a/docs/images/Network2017.dia
+++ b/docs/images/Network2017.dia
--- a/docs/images/Network2017.png
+++ b/docs/images/Network2017.png
--- a/docs/images/Network2020.dia
+++ b/docs/images/Network2020.dia
--- a/docs/images/Network2020.png
+++ b/docs/images/Network2020.png
--- a/docs/images/docs-images-targetname
+++ b/docs/images/docs-images-targetname
@@ -1 +1 @@
-5.2.4-Beta1
+5.2.7-Beta1
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -145,7 +145,8 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
    <para>Beginning with Shorewall 4.4.14, multiple source or destination
    matches may be specified by placing multiple set names in '+[...]' (e.g.,
    +[myset,myotherset]). When so enclosed, the set names need not be prefixed
-    with a plus sign.</para>
+    with a plus sign. When such a list of sets is specified, matching packets
+    must match all of the listed sets.</para>

    <para>Shorewall can save/restore your ipset contents with certain
    restrictions:</para>
@@ -192,11 +193,19 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
    ipv4 ipsets are saved. Both features require ipset version 5 or
    later.</para>

+    <caution>
+      <para>After setting SAVE_IPSETS, it is important to recompile the
+      firewall script (e.g., 'shorewall compile', 'shorewall reload' or
+      'shorewall restart') before rebooting</para>
+    </caution>
+
    <para>Although Shorewall can save the definition of your ipsets and
    restore them when Shorewall starts, in most cases you must use the ipset
    utility to initially create and load your ipsets. The exception is that
    Shorewall will automatically create an empty iphash ipset to back each
-    dynamic zone.</para>
+    dynamic zone. It will also create the ipset required by the
+    DYNAMIC_BLACKLIST=ipset:.. setting in <ulink
+    url="manpages/shorewall.conf.html">shorewall[6].conf(5)</ulink>,</para>
  </section>

  <section>
@@ -220,6 +229,32 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
    the ipsets will be save to and restored from. Shorewall-init will create
    any necessary directories during the first 'save' operation.</para>

+    <caution>
+      <para>If you set SAVE_IPSETS in /etc/sysconfig/shorewall-init
+      (/etc/default/shorewall-init on Debian and derivatives) when
+      shorewall-init has not been started by systemd, then when the system is
+      going down during reboot, the ipset contents will not be saved. You can
+      work around that as follows:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>Suppose that you have set
+          SAVE_IPSETS=/var/lib/shorewall/init-save-ipsets.</para>
+        </listitem>
+
+        <listitem>
+          <para>Before rebooting, execute this command:</para>
+
+          <programlisting>ipset save &gt; /var/lib/shorewall/init-save-ipsets</programlisting>
+        </listitem>
+
+        <listitem>
+          <para>Be sure to enable shoewall-init (e.g., <emphasis
+          role="bold">systemctl enable shorewall-init</emphasis>).</para>
+        </listitem>
+      </itemizedlist>
+    </caution>
+
    <para>If you configure Shorewall-init to save/restore ipsets, be sure to
    set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para>

--- a/docs/simple_traffic_shaping.xml
+++ b/docs/simple_traffic_shaping.xml
@@ -93,6 +93,13 @@
    qdisc but seems to provide a benefit when the actual link output
    temporarily drops below the limit imposed by tbf or when tbf allows a
    burst of traffic to be released.</para>
+
+    <caution>
+      <para>IPSec traffic passes through traffic shaping twice - once en clair
+      and once encrypted and encapsulated. As a result, throughput may be
+      significantly less than configured if IPSEC packets form a significant
+      percentage of the traffic being shaped.</para>
+    </caution>
  </section>

  <section>
@@ -187,8 +194,9 @@ eth0                   External</programlisting>
        <para>Assign traffic entering the firewall on a particular interface
        to a specific priority band:</para>

-        <programlisting>#BAND         PROTO         PORT(S)         ADDRESS             INTERFACE        HELPER
-2               -             -                -                eth1</programlisting>
+        <programlisting>?FORMAT 2
+#BAND         PROTO         DPORT    SPORT     ADDRESS             INTERFACE        HELPER
+2               -             -        -          -                eth1</programlisting>

        <para>In this example, traffic from eth1 will be assigned to priority
        band 2.</para>
@@ -203,15 +211,17 @@ eth0                   External</programlisting>
        <para>Assign traffic from a particular IP address to a specific
        priority band:</para>

-        <programlisting>#BAND         PROTO         DPORT           ADDRESS             INTERFACE        HELPER
-1               -             -             192.168.1.44</programlisting>
+        <programlisting>?FORMAT 2
+#BAND         PROTO         DPORT    SPORT     ADDRESS             INTERFACE        HELPER
+
+1               -             -        -       192.168.1.44</programlisting>

        <para>In this example, traffic from 192.168.1.44 will be assigned to
        priority band 1.</para>

        <note>
-          <para>When an ADDRESS is specified, the PROTO, DPORT and INTERFACE
-          columns must be empty.</para>
+          <para>When an ADDRESS is specified, the PROTO, DPORT, SPORT and
+          INTERFACE columns must be empty.</para>
        </note>
      </listitem>

@@ -219,11 +229,19 @@ eth0                   External</programlisting>
        <para>Assign traffic to/from a particular application to a specific
        priority band:</para>

-        <programlisting>#BAND         PROTO         DPORT           ADDRESS             INTERFACE        HELPER
+        <programlisting>#BAND         PROTO         PORT            ADDRESS             INTERFACE        HELPER
 1             udp           1194</programlisting>

-        <para>In that example, OpenVPN traffic is assigned to priority band
-        1.</para>
+        <para>In that example, SSH traffic is assigned to priority band 1. In
+        file format 2, the above would be as follows:</para>
+
+        <programlisting>#BAND         PROTO         DPORT       SPORT     ADDRESS             INTERFACE        HELPER
+1             tcp           22
+1             tcp             -         22</programlisting>
+
+        <para>In other words, in file format 1, the compiler generates rules
+        for traffic from client to server and from server to client. In format
+        2, separate tcpri rules are required.</para>
      </listitem>

      <listitem>
@@ -355,5 +373,9 @@ COMMENT And place echo requests in band 1 to avoid false line-down reports
      <para>Please note that Shorewall numbers the bands 1-3 whereas PRIO(8)
      refers to them as bands 0-2.</para>
    </caution>
+
+    <para>If you encounter performance problems after enabling simple traffic
+    shaping, check out <ulink url="FAQ.htm#faq97">FAQ 97</ulink> and <ulink
+    url="FAQ.htm#faq97a">FAQ97a</ulink></para>
  </section>
 </article>
--- a/docs/support.xml
+++ b/docs/support.xml
@@ -42,10 +42,10 @@
    <itemizedlist>
      <listitem>
        <para>The currently-supported Shorewall <ulink
-        url="ReleaseModel.html">major release</ulink>s are 5.0 , 5.1 and 5.2.</para>
+        url="ReleaseModel.html">major release</ulink>s are , 5.1 and 5.2.</para>

        <note>
-          <para>Shorewall versions earlier than 5.0.0 are no longer supported;
+          <para>Shorewall versions earlier than 5.1.0 are no longer supported;
          we will try to help but we will not spend time reading earlier code
          to try to help you solve a problem and we will not release a patch
          to correct any defect found.</para>
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -26,6 +26,8 @@
    <copyright>
      <year>2001-2013</year>

+      <year>2020</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -214,24 +216,6 @@
    article</ulink>.</para>
  </section>

-  <section id="Kernel">
-    <title>Linux Kernel Configuration</title>
-
-    <para>You will need at least kernel 2.4.18 for this to work, please take a
-    look at the following screenshot for what settings you need to enable. For
-    builtin support, you need the HTB scheduler, the Ingress scheduler, the
-    PRIO pseudoscheduler and SFQ queue. The other scheduler or queue
-    algorithms are not needed.</para>
-
-    <para>This screen shot shows how I configured QoS in a 2.6.16
-    Kernel:</para>
-
-    <graphic align="center" fileref="images/traffic_shaping2.6.png"/>
-
-    <para>And here's my recommendation for a 2.6.21 kernel:<graphic
-    align="center" fileref="images/traffic_shaping2.6.21.png"/></para>
-  </section>
-
  <section id="Shorewall">
    <title>Enable TC support in Shorewall</title>

@@ -298,6 +282,15 @@
        <para>Assign traffic to HTB and/or HFSC classes based on packet mark
        value or based on packet contents.</para>
      </listitem>
+
+      <listitem>
+        <para>Throttle incoming traffic</para>
+      </listitem>
+
+      <listitem>
+        <para>Use an <emphasis>Intermediate functional block </emphasis>(IFB)
+        to shape incoming traffic<emphasis> </emphasis></para>
+      </listitem>
    </itemizedlist>

    <para>Those few features are really all that builtin traffic
@@ -392,6 +385,14 @@
            The default burst is 10kb, but on my 50mbit line, I specify 200kb.
            (50mbit:200kb).</para>
          </note>
+
+          <caution>
+            <para>Incoming IPSec traffic traverses traffic shaping twice -
+            firs as encrypted and encapsulated ESP packets and then en clair.
+            As a result, incoming bandwidth can be significantly less than
+            specified if IPSEC packets form a significant part of inoming
+            traffic.</para>
+          </caution>
        </listitem>

        <listitem>
@@ -482,6 +483,16 @@
                </variablelist>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">connmark</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.7. May be specified on IFB
+                devices to enable use of firewall marks to select the
+                appropriate traffic shaping class.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>

@@ -496,7 +507,8 @@
          column.</para>

          <para>IFB devices automatically get the <emphasis
-          role="bold">classify</emphasis> option.</para>
+          role="bold">classify</emphasis> option unless the <emphasis
+          role="bold">connmark</emphasis> option is specified.</para>
        </listitem>
      </itemizedlist>

@@ -1577,9 +1589,11 @@ ip link set ifb0 up</command></programlisting>

    <para>Entries in <filename>/etc/shorewall/mangle</filename> or
    <filename>/etc/shorewall/tcrules</filename> have no effect on shaping
-    traffic through an IFB. To allow classification of such traffic, the
-    /etc/shorewall/tcfilters file has been added. Entries in that file create
-    <ulink url="http://b42.cz/notes/u32_classifier/">u32 classification
+    traffic through an IFB unless the IFB is defined in shorewall-tcclasses(5)
+    with the <emphasis role="bold">connmark</emphasis> option. To allow
+    classification of such traffic, the /etc/shorewall/tcfilters file has been
+    added. Entries in that file create <ulink
+    url="http://b42.cz/notes/u32_classifier/">u32 classification
    rules</ulink>.</para>

    <section id="tcfilters">
@@ -1937,6 +1951,93 @@ filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800:</emphasis
            role="bold">&lt;========= PROTO TCP</emphasis>
    offset 0f00&gt;&gt;6 at 0  eat </programlisting></para>
    </section>
+
+    <section>
+      <title>IFBs and SNAT/MASQUERADE</title>
+
+      <para>IFB traffic shaping takes place immediately after the traffic is
+      received by the incoming interface and before it has been passed to any
+      Netfilter hook. This has two consequences:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>There is no opportunity to mark the packets before they are
+          processed by the IFBs traffic shaping rules.</para>
+        </listitem>
+
+        <listitem>
+          <para>The DEST IP address is still the IP address of the external
+          interface on which the traffic arrived.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>As a result, in the tcdevices file description above, a <emphasis
+      role="bold">connmark</emphasis> option was added to that file in
+      Shorewall 5.2.7. The <emphasis role="bold">connmark</emphasis> option
+      allows firewall marks to be used to segregate traffic by DEST IP.</para>
+
+      <para>Example (based closely on one supplied by Rodrigo Araujo, who also
+      wrote much of the code supporting the <emphasis
+      role="bold">connmark</emphasis> option):</para>
+
+      <para><emphasis
+      role="bold">/etc/shorewall/shorewall.conf:</emphasis></para>
+
+      <programlisting>...
+TC_ENABLED=Internal
+...</programlisting>
+
+      <para><emphasis role="bold">/etc/shorewall/interfaces:</emphasis></para>
+
+      <programlisting>##############################################################################
+?FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1</programlisting>
+
+      <para><emphasis role="bold">/etc/shorewall/snat:</emphasis></para>
+
+      <programlisting>?FORMAT 2
+#ACTION       SOURCE      DEST    PROTO    PORT        IPSEC    MARK   
+USER    SWITCH    ORIGDEST    PROBABILITY
+MASQUERADE    -           NET_IF</programlisting>
+
+      <para><emphasis role="bold">/etc/shorewall/tcdevices:</emphasis></para>
+
+      <programlisting>#INTERFACE	IN_BANDWITH	OUT_BANDWIDTH	OPTIONS		REDIRECT
+## net upload
+10:NET_IF	-               1000mbit         htb
+## net download
+11:ifb0         -               1000mbit         htb,connmark   NET_IF</programlisting>
+
+      <para><emphasis role="bold">/etc/shorewall/tcclasses:</emphasis></para>
+
+      <programlisting>#INTERFACE	MARK	RATE		CEIL		PRIO	OPTIONS
+10:5000           111       500kbit            full       10     tcp-ack,tos-minimize-delay
+11:5000           110       500kbit            full       10     tcp-ack,tos-minimize-delay
+
+10:1000           100       full-50500         full       20      default
+11:1000           101       full-100500        full       20      default
+
+10:50             10        50mbit             50mbit     101     flow=nfct-src
+11:100            11        100mbit            100mbit    101     flow=dst</programlisting>
+
+      <para><emphasis role="bold">/etc/shorewall/tcfilters:</emphasis></para>
+
+      <programlisting>#CLASS		SOURCE		DEST		PROTO	DPORT	SPORT	TOS	LENGTH
+## limit LAN upload - works
+10:50          10.100.100.0/24
+## limit LAN download - DOESN'T WORK BECAUSE OF MASQUERADE ON eth0 !!!! (snat file)
+#11:100        -                  10.100.100.0/24</programlisting>
+
+      <para><emphasis role="bold">/etc/shorewall/mangle:</emphasis></para>
+
+      <programlisting>#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP	SWITCH
+## this only works with the aforementioned conntrack option
+## and LAN users' download traffic will get the 11:100 class (defined in tcclasses) applied
+CONNMARK(11):F       10.100.100.0/24    - { TEST=0x0/0xff }</programlisting>
+    </section>
  </section>

  <section id="show">