Reflect changes in tools repository

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2020-05-21 10:41:19 -07:00
30 changed files with 402 additions and 716 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +0,0 @@
 *targetname export-ignore
--- a/Shorewall-core/Shorewall-core-targetname
+++ b/Shorewall-core/Shorewall-core-targetname
@@ -1 +1 @@
-5.2.5-Beta2
+5.2.4.1
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1109,7 +1109,7 @@ show_blacklists() {
 }
 show_actions_sorted() {
-    show_actions | sort -u -k 1,1
+    show_actions | sort
 }
 show_macros() {
@@ -2651,7 +2651,6 @@ allow_command() {
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			allowed=Yes
 			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 		    fi
 		fi
@@ -2668,7 +2667,6 @@ allow_command() {
 	    *)
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 			allowed=Yes
 		    fi
 		fi
@@ -3624,7 +3622,6 @@ reject_command() {
 blacklist_command() {
    local family
    local timeout
    [ $# -gt 0 ] || fatal_error "Missing address"
@@ -3642,17 +3639,10 @@ blacklist_command() {
 	    ;;
    esac
-    if [ $COMMAND = 'blacklist!' ]; then
+    if $IPSET -A $g_blacklistipset $@ -exist; then
 	timeout='timeout 0'
    else
 	echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"
    fi
    if $IPSET -A $g_blacklistipset $@ $timeout -exist; then
 	local message
 	progress_message2 "$1 Blacklisted"
 	[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Blacklisted"
 	if [ -n "$g_disconnect" ]; then
 	    message="$(conntrack -D -s $1 2>&1)"
@@ -3907,7 +3897,7 @@ setup_dbl() {
    case $DYNAMIC_BLACKLIST in
 	ipset*,src-dst*)
 	    #
-	    # Capture 'src-dst'
+	    # This utility doesn't need to know about 'src-dst'
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
@@ -3915,49 +3905,11 @@ setup_dbl() {
 	    ;;
    esac
    case $DYNAMIC_BLACKLIST in
 	ipset*,log*)
 	    #
 	    # Capture 'log'
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,log//')
 	    g_dbllog=Yes
 	    ;;
    esac
    case $DYNAMIC_BLACKLIST in
 	ipset*,noupdate*)
 	    #
 	    # This utility doesn't use this option
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,noupdate//')
 	    ;;
    esac
    case $DYNAMIC_BLACKLIST in
 	ipset*,timeout*)
 	    #
-	    # Capture timeout
+	    # This utility doesn't need to know about 'timeout=nnn'
 	    #
 	    local ifs
 	    local f
 	    ifs=$IFS
 	    IFS=','
 	    for f in $DYNAMIC_BLACKLIST; do
 		case $f in
 		    timeout=*)
 			g_dbltimeout=${f#timeout=}
 			g_dbltimeout=${g_dbltimeout%%:*}
 			break
 			;;
 		esac
 	    done
 	    IFS=$ifs
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
 	    ;;
    esac
@@ -4175,7 +4127,7 @@ start_command() {
 	    rc=$?
 	else
 	    error_message "$g_firewall is missing or is not executable"
-	    mylogger daemon.err "ERROR:$g_product start failed"
+	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
@@ -4308,7 +4260,7 @@ restart_command() {
 	rc=$?
    else
 	error_message "$g_firewall is missing or is not executable"
-	mylogger daemon.err "ERROR:$g_product $COMMAND failed"
+	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
    fi
@@ -4506,8 +4458,6 @@ shorewall_cli() {
    g_disconnect=
    g_havemutex=
    g_trace=
    g_dbltimeout=
    g_dbllog=
    VERBOSE=
    VERBOSITY=1
@@ -4729,7 +4679,7 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
-	blacklist|blacklist!)
+	blacklist)
 	    only_root
 	    get_config Yes
 	    shift
@@ -4807,7 +4757,7 @@ shorewall_cli() {
 	    ;;
 	allow)
 	    only_root
-	    get_config Yes
+	    get_config
 	    allow_command $@
 	    ;;
 	add)
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -55,13 +55,13 @@ startup_error() # $* = Error Message
    case $COMMAND in
        start)
-	    mylogger daemon.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    mylogger daemon.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    mylogger daemon.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -48,7 +48,7 @@
      <arg>options</arg>
-      <arg choice="plain"><option>blacklist[!]</option></arg>
+      <arg choice="plain"><option>blacklist</option></arg>
      <arg
      choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
@@ -1151,7 +1151,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">blacklist[!]</emphasis>
+        <term><emphasis role="bold">blacklist</emphasis>
        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
        ... ]</term>
@@ -1165,17 +1165,7 @@
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
          <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
-          add</command> command. Probably the most useful
+          add</command> command.</para>
          <replaceable>option</replaceable> is the <option>timeout</option>
          option. For example, to permanently blacklist 192.0.2.22, the
          command would be:</para>
          <programlisting>    shorewall blacklist 192.0.2.22 timeout 0</programlisting>
          <para>Beginning with Shorewall 5.2.5, the above command can be
          shortened to:</para>
          <programlisting>    shorewall blacklist! 192.0.2.22</programlisting>
          <para>If the <option>disconnect</option> option is specified in the
          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
@@ -2901,18 +2891,25 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">stop</emphasis></term>
+        <term><emphasis role="bold">stop</emphasis>
        [-<option>f</option>]</term>
        <listitem>
          <para>Stops the firewall. All existing connections, except those
          listed in <ulink
-          url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
+          url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
          or permitted by the ADMINISABSENTMINDED option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> The only
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), are
-          new traffic permitted through the firewall is from systems listed in
+          taken down. The only new traffic permitted through the firewall is
-          <ulink
+          from systems listed in <ulink
-          url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
+          url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
          or by ADMINISABSENTMINDED.</para>
          <para>If <option>-f</option> is given, the command will be processed
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
          role="bold">reload</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -169,7 +169,7 @@ if [ -z "$BUILD" ]; then
 	    ;;
 	*)
 	    if [ -f /etc/os-release ]; then
-		ID=$(grep '^ID=' /etc/os-release | sed 's/ID=//; s/"//g;')
+		eval $(cat /etc/os-release | grep ^ID=)
 		case $ID in
 		    fedora|rhel|centos|foobar)
@@ -357,11 +357,12 @@ fi
 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
 	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
 	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
    elif [ $configure -eq 0 ]; then
-	make_parent_directory ${CONFDIR}/network/if-up.d 0755
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
-	make_parent_directory ${CONFDIR}/network/if-post-down.d 0755
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
-	rm -f ${CONFDIR}/network/if-down.d/shorewall
+	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
    fi
    if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
@@ -387,7 +388,7 @@ else
 	    elif [ $HOST = openwrt ]; then
 		# Not implemented on OpenWRT
 		/bin/true
-	    elif [ "$HOST" != debian ]; then
+	    else
 		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
 	    fi
 	fi
@@ -416,22 +417,19 @@ if [ $HOST != openwrt ]; then
 fi
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    if [ "$HOST" = debian ]; then
+    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
-	rm -f ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall
+    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
    else
 	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
 	install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
    fi
 fi
 case $HOST in
    debian)
 	if [ $configure -eq 1 ]; then
 	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	    rm -f ${DESTDIR}/etc/network/if-down.d/shorewall
 	else
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
 	fi
 	;;
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -43,6 +43,23 @@ setstatedir() {
    fi
 }
 #
 # This is modified by the installer when ${SHAREDIR} <> /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]; then
    . $SYSCONFDIR/shorewall-init
    if [ -z "$PRODUCTS" ]; then
 	echo "ERROR: No products configured" >&2
 	exit 1
    fi
 else
    echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
    exit 1
 fi
 # Initialize the firewalls
 shorewall_init_start () {
@@ -104,23 +121,6 @@ shorewall_init_stop () {
    return 0
 }
 #
 # This is modified by the installer when ${SHAREDIR} <> /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]; then
    . $SYSCONFDIR/shorewall-init
    if [ -z "$PRODUCTS" ]; then
 	echo "ERROR: No products configured" >&2
 	exit 1
    fi
 else
    echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
    exit 1
 fi
 case "$1" in
    start)
 	shorewall_init_start
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -320,7 +320,6 @@ our $VERSION = 'MODULEVERSION';
 #    %chain_table { <table> => { <chain1>  => { name         => <chain name>
 #                                               table        => <table name>
 #                                               is_policy    => undef|1 -- if 1, this is a policy chain
 #                                               wild         => undef|1 -- If 1, source or dest is 'all'. Only applies to policy chains
 #                                               provisional  => undef|1 -- See below.
 #                                               referenced   => undef|1 -- If 1, will be written to the iptables-restore-input.
 #                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
@@ -4080,7 +4079,7 @@ sub optimize_level8( $$$ ) {
 		    if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
 			#
-			# For simple use of the blrules file, we can end up with many identical
+			# For simple use of the BLACKLIST section, we can end up with many identical
 			# chains. To distinguish them from other renamed chains, we keep track of
 			# these chains via the 'blacklistsection' member.
 			#
@@ -8891,7 +8890,7 @@ sub ensure_ipsets( @ ) {
    my $set;
    my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
-    if ( $_[0] eq $globals{DBL_IPSET} ) {
+    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
 	shift;
 	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
@@ -8902,12 +8901,12 @@ sub ensure_ipsets( @ ) {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout 0${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
 	} else {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout 0${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
 	}
 	pop_indent;
@@ -9134,7 +9133,7 @@ sub create_load_ipsets() {
 		emit( '        #',
 		      '        # Update the dynamic blacklisting ipset timeout value',
 		      '        #',
-		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout 0" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
+		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
 		      '        zap_ipsets',
 		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
 		      '    fi' );
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -543,13 +543,13 @@ date > ${VARDIR}/restarted
 case $COMMAND in
    start)
-        mylogger daemon.info "$g_product started"
+        mylogger kern.info "$g_product started"
        ;;
    reload)
-        mylogger daemon.info "$g_product reloaded"
+        mylogger kern.info "$g_product reloaded"
        ;;
    restore)
-        mylogger daemon.info "$g_product restored"
+        mylogger kern.info "$g_product restored"
        ;;
 esac
 EOF
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -657,30 +657,6 @@ our %params;
 #
 our %compiler_params;
 #
 # Entries conditionally exported to the compiled script via the aux config file
 #
 our @exported_params = ( qw(
 			 VERBOSITY
 			 LOGFILE
 			 LOGFORMAT
 			 APRTABLES
 			 IPTABLES
 			 IP6TABLES
 			 IP
 			 TC
 			 IPSET
 			 PATH
 			 SHOREWALL_SHELL
 			 SHELL
 			 SUBSYSLOCK
 			 LOCKFILE
 			 RESTOREFILE
 			 RESTART
 			 DYNAMIC_BLACKLIST
 			 PAGER
 			 )
    );
 #
 # Action parameters
 #
 our %actparams;
@@ -6695,7 +6671,7 @@ sub get_configuration( $$$ ) {
    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
-	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1, 'log' => 1, 'noupdate' => 1, );
+	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
@@ -7220,8 +7196,8 @@ sub generate_aux_config() {
    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
-    for my $param ( @exported_params ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
-	conditionally_add_option $param;
+	conditionally_add_option $option;
    }
    conditionally_add_option1 'TC_ENABLED';
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -735,7 +735,6 @@ sub add_common_rules ( $ ) {
    my $dbl_tag;
    my $dbl_src_target;
    my $dbl_dst_target;
    my $dbl_options;
    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -797,10 +796,9 @@ sub add_common_rules ( $ ) {
 	if ( $dbl_ipset ) {
 	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		$dbl_options    = $globals{DBL_OPTIONS};
+		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
 		$dbl_src_target = $dbl_options =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
-		my $chainref = new_standard_chain( $dbl_src_target );
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -811,11 +809,11 @@ sub add_common_rules ( $ ) {
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ) unless $dbl_options =~ /noupdate/;
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 		if ( $dbl_src_target eq 'dbl_src' ) {
-		    $chainref = new_standard_chain( $dbl_dst_target = 'dbl_dst' );
+		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
 		    log_rule_limit( $dbl_level,
 				    $chainref,
@@ -832,7 +830,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' );
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -2582,13 +2580,13 @@ EOF
    emit <<'EOF';
            case $COMMAND in
 	        start)
-	            mylogger daemon.err "ERROR:$g_product start failed"
+	            mylogger kern.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            mylogger daemon.err "ERROR:$g_product reload failed"
+	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
                enable)
-                    mylogger daemon.err "ERROR:$g_product 'enable $g_interface' failed"
+                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
            esac
@@ -2811,7 +2809,7 @@ EOF
    emit '
    set_state "Stopped"
-    mylogger daemon.info "$g_product Stopped"
+    mylogger kern.info "$g_product Stopped"
    case $COMMAND in
    stop|clear)
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -2069,7 +2069,7 @@ sub compile_updown() {
 	      q(        COMMAND=enable) ,
 	      q(        detect_configuration $1),
 	      q(        enable_provider $1),
-	      q(    else),
+	      q(    elif [ "$PHASE" != pre-down ]; then # post-down or not Debian) ,
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
 	      q(        detect_configuration $1),
@@ -2110,7 +2110,7 @@ sub compile_updown() {
 	emit( '        progress_message3 "$g_product attempting $COMMAND"',
 	      '        detect_configuration',
 	      '        define_firewall',
-	      '    else' ,
+	      '    elif [ "$PHASE" != pre-down ]; then # Not Debian pre-down phase'
 	    );
 	push_indent;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -443,7 +443,6 @@ sub convert_to_policy_chain($$$$$$)
    my ($chainref, $source, $dest, $policy, $provisional, $audit ) = @_;
    $chainref->{is_policy}   = 1;
    $chainref->{wild}        = $source eq 'all' || $dest eq 'all';
    $chainref->{policy}      = $policy;
    $chainref->{provisional} = $provisional;
    $chainref->{audit}       = $audit;
@@ -1148,7 +1147,7 @@ sub complete_policy_chains() {
 		}
 	    }
-	    if ( $chainref->{wild} ) {
+	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
 	    }
 	}
@@ -1253,7 +1252,6 @@ sub finish_chain_section ($$$) {
 	$state )            = @_;
    my $chain               = $chainref->{name};
    my $save_comment        = push_comment;
    my $wild                = $chainref->{wild} && ! $config{EXPAND_RULES};
    my %state;
    $state{$_} = 1 for split ',', $state;
@@ -1264,76 +1262,74 @@ sub finish_chain_section ($$$) {
    $chain1ref->{sections}{$_} = 1 for keys %state;
-    unless ( $wild ) {
+    for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
-	for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
+	if ( $state{$_} ) {
-	    if ( $state{$_} ) {
+	    my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
-		my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
+	    my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
 		my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
-		if ( $twochains || $level || $target ne 'ACCEPT' ) {
+	    if ( $twochains || $level || $target ne 'ACCEPT' ) {
-		    if ( $level ) {
+		if ( $level ) {
-			my $chain2ref;
+		    my $chain2ref;
 			if ( $twochains ) {
 			    $chain2ref = $chainref;
 			} else {
 			    $chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
 			}
 			log_rule_limit( $level,
 					$chain2ref,
 					$chain2ref->{logname},
 					uc $target,
 					$globals{LOGLIMIT},
 					$tag ,
 					'add' ,
 					'',
 					$level_origin );
 			$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
 			add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
 			$target = $chain2ref->{name} unless $twochains;
 		    }
 		    if ( $twochains ) {
-			add_ijump_extended $chainref, g => $target , $origin if $target;
+			$chain2ref = $chainref;
-			delete $state{$_};
+		    } else {
-			last;
+			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
 		    }
-		    if ( $target ) {
+		    log_rule_limit( $level,
-			$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
+				    $chain2ref,
-			#
+				    $chain2ref->{logname},
-			# Always handle ESTABLISHED first
+				    uc $target,
-			#
+				    $globals{LOGLIMIT},
-			if ( $state{ESTABLISHED} && $_ ne 'ESTABLISHED' ) {
+				    $tag ,
-			    add_ijump( $chain1ref, j => 'ACCEPT', state_imatch 'ESTABLISHED' );
+				    'add' ,
-			    delete $state{ESTABLISHED};
+				    '',
-			}
+				    $level_origin );
-			add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
+		    $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
 		    }
 		    add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
 		    $target = $chain2ref->{name} unless $twochains;
 		}
 		if ( $twochains ) {
 		    add_ijump_extended $chainref, g => $target , $origin if $target;
 		    delete $state{$_};
 		    last;
 		}
 		if ( $target ) {
 		    $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
 		    #
 		    # Always handle ESTABLISHED first
 		    #
 		    if ( $state{ESTABLISHED} && $_ ne 'ESTABLISHED' ) {
 			add_ijump( $chain1ref, j => 'ACCEPT', state_imatch 'ESTABLISHED' );
 			delete $state{ESTABLISHED};
 		    }
 		    add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
 		}
 		delete $state{$_};
 	    }
 	}
    }
    if ( keys %state ) {
 	my @state;
 	unless ( $config{FASTACCEPT} ) {
 	    for ( qw/ESTABLISHED RELATED/ ) {
 		push @state, $_ if $state{$_};
 	    }
 	}
-	if ( keys %state ) {
+	push( @state, 'UNTRACKED' ),if $state{UNTRACKED} && $globals{UNTRACKED_TARGET} eq 'ACCEPT';
 	    my @state;
-	    unless ( $config{FASTACCEPT} ) {
+	add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
 		for ( qw/ESTABLISHED RELATED/ ) {
 		    push @state, $_ if $state{$_};
 		}
 	    }
 	    push( @state, 'UNTRACKED' ),if $state{UNTRACKED} && $globals{UNTRACKED_TARGET} eq 'ACCEPT';
 	    add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
 	}
    }
    if ($sections{NEW} ) {
@@ -2892,7 +2888,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    fatal_error "Invalid flags ($flags)"         unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
 	    $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
 	    $log_action = "$basictarget($setname)";
 	    if ( supplied $timeout ) {
 		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -560,8 +560,7 @@ sub process_zone( \$ ) {
 	@parents = split_list $2, 'zone';
    }
-    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i;
+    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
    fatal_error "Zone name ($zone) too long"     unless length $zone <= $globals{MAXZONENAMELENGTH};
    fatal_error "Invalid zone name ($zone)"      if $reservedName{$zone} || $zone =~ /^all2|2all$/;
    fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -1089,7 +1089,7 @@ clear_firewall() {
    set_state "Cleared"
-    logger -p daemon.info "$g_product Cleared"
+    logger -p kern.info "$g_product Cleared"
 }
 #
@@ -1389,7 +1389,7 @@ clear_firewall() {
    set_state "Cleared"
-    logger -p daemon.info "$g_product Cleared"
+    logger -p kern.info "$g_product Cleared"
 }
 ?endif # IPv6-specific functions.
--- a/Shorewall/Shorewall-targetname
+++ b/Shorewall/Shorewall-targetname
@@ -1 +1 @@
-5.2.5.1
+5.2.4.5
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -338,7 +338,7 @@ get_config() {
    if [ -n "$DYNAMIC_BLACKLIST" -a "$(id -u)" = 0 ]; then
 	case $COMMAND in
-	    blacklist*|allow|drop|logdrop|reject)
+	    blacklist|allow|drop|logdrop|reject)
 		setup_dbl
 		;;
 	esac
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -79,13 +79,13 @@
        <listitem>
          <para>A FWMARK <emphasis>value</emphasis> used in your <ulink
-          url="shorewall-mangle.html">shorewall-mangle(5)</ulink> file to
+          url="shorewall-mangle.html">shorewall-mangle(5)</ulink>
-          direct packets to this provider.</para>
+          file to direct packets to this provider.</para>
          <para>If PROVIDER_OFFSET is non-zero in <ulink
-          url="shorewall.conf.html">shorewall.conf(5)</ulink>, then the value
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          must be a multiple of 2^^PROVIDER_OFFSET. In all cases, the number
+          the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases,
-          of significant bits may not exceed PROVIDER_OFFSET +
+          the number of significant bits may not exceed PROVIDER_OFFSET +
          PROVIDER_BITS.</para>
        </listitem>
      </varlistentry>
@@ -111,8 +111,8 @@
        <listitem>
          <para>The name of the network interface to the provider. Must be
          listed in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>. In
+          url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
-          general, that interface should not have the
+          In general, that interface should not have the
          <option>proxyarp</option> or <option>proxyndp</option> option
          specified unless <option>loose</option> is given in the OPTIONS
          column of this entry.</para>
@@ -190,8 +190,9 @@
                <para>Beginning with Shorewall 4.4.3, <option>track</option>
                defaults to the setting of the TRACK_PROVIDERS option in
-                <ulink url="shorewall.conf.html">shorewall.conf</ulink> (5).
+                <ulink
-                If you set TRACK_PROVIDERS=Yes and want to override that
+                url="shorewall.conf.html">shorewall.conf</ulink>
                (5). If you set TRACK_PROVIDERS=Yes and want to override that
                setting for an individual provider, then specify
                <option>notrack</option> (see below).</para>
              </listitem>
@@ -342,7 +343,7 @@
                <replaceable>weight</replaceable> is given, a balanced route
                is added with the weight of this provider equal to the
                specified <replaceable>weight</replaceable>. If the option is
-                given without a <replaceable>weight</replaceable>, a separate
+                given without a <replaceable>weight</replaceable>, an separate
                default route is added through the provider's gateway; the
                route has a metric equal to the provider's NUMBER.</para>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -245,8 +245,8 @@
        <listitem>
          <para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
          is enabled (see <ulink
-          url="shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
+          url="shorewall-accounting.html">shorewall-accounting</ulink>(5)).
-          not specified or set to the empty value, ACCOUNTING=Yes is
+          If not specified or set to the empty value, ACCOUNTING=Yes is
          assumed.</para>
        </listitem>
      </varlistentry>
@@ -271,8 +271,8 @@
        <listitem>
          <para>This parameter determines whether Shorewall automatically adds
          the external address(es) in <ulink
-          url="shorewall-nat.html">shorewall-nat</ulink>(5), and is only
+          url="shorewall-nat.html">shorewall-nat</ulink>(5), and is
-          available in IPv4 configurations. If the variable is set to
+          only available in IPv4 configurations. If the variable is set to
          <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis> then Shorewall automatically adds these
          aliases. If it is set to <emphasis role="bold">No</emphasis> or
@@ -300,8 +300,8 @@
        <listitem>
          <para>This parameter determines whether Shorewall automatically adds
          the SNAT ADDRESS in <ulink
-          url="shorewall-masq.html">shorewall-masq</ulink>(5), and is only
+          url="shorewall-masq.html">shorewall-masq</ulink>(5), and
-          available in IPv4 configurations. If the variable is set to
+          is only available in IPv4 configurations. If the variable is set to
          <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis> then Shorewall automatically adds these
          addresses. If it is set to <emphasis role="bold">No</emphasis> or
@@ -445,7 +445,8 @@
                <listitem>
                  <para>Specify the appropriate helper in the HELPER column in
-                  <ulink url="shorewall-rules.html">shorewall-rules</ulink>
+                  <ulink
                  url="shorewall-rules.html">shorewall-rules</ulink>
                  (5).</para>
                  <note>
@@ -513,8 +514,8 @@
          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
          determines whether the <option>balance</option> provider option (see
          <ulink
-          url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
+          url="shorewall-providers.html">shorewall-providers(5)</ulink>)
-          the default. When BALANCE_PROVIDERS=Yes, then the
+          is the default. When BALANCE_PROVIDERS=Yes, then the
          <option>balance</option> option is assumed unless the
          <option>fallback</option>, <option>loose</option>,
          <option>load</option> or <option>tproxy</option> option is
@@ -530,8 +531,8 @@
        <listitem>
          <para>Added in Shorewall-4.6.0. When set to <emphasis
          role="bold">Yes</emphasis>, causes entries in <ulink
-          url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> to
+          url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>
-          generate a basic filter rather than a u32 filter. This setting
+          to generate a basic filter rather than a u32 filter. This setting
          requires the <firstterm>Basic Ematch</firstterm> capability in your
          kernel and iptables.</para>
@@ -588,7 +589,8 @@
          <para>The BLACKLIST_DISPOSITION setting determines the disposition
          of packets sent to the <emphasis role="bold">blacklog</emphasis>
-          target of <ulink url="shorewall-blrules.html">shorewall-blrules
+          target of <ulink
          url="shorewall-blrules.html">shorewall-blrules
          </ulink>(5), but otherwise does not affect entries in that
          file.</para>
        </listitem>
@@ -650,8 +652,8 @@
          not supply an /etc/shorewall/tcstart file. That way, your traffic
          shaping rules can still use the “fwmark” classifier based on packet
          marking defined in <ulink
-          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
+          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
-          specified, CLEAR_TC=Yes is assumed.</para>
+          If not specified, CLEAR_TC=Yes is assumed.</para>
          <warning>
            <para>When you specify TC_ENABLED=shared (see below), then you
@@ -941,37 +943,14 @@
                </important>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>log</term>
              <listitem>
                <para>Added in Shorewall 5.2.5. When specified, successful
                'blacklist' and 'allow' commands will log a message to the
                system log.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>noupdate</term>
              <listitem>
                <para>Added in Shorewall 5.2.5. Normally, once an address has
                been blacklisted, each time that a packet is received from the
                packet, the ipset's entry for the address is updated to reset
                the timeout to the value specifyed in the
                <option>timeout</option> option above. Setting the
                <option>noupdate</option> option, inhibits this resetting of
                the entry's timeout. This option is ignored when the
                <option>timeout</option> option is not specified.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>When ipset-based dynamic blacklisting is enabled, the contents
          of the blacklist will be preserved over
          <command>stop</command>/<command>reboot</command>/<command>start</command>
-          sequences.</para>
+          sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
          <replaceable>setname</replaceable> is included in the list of sets
          to be saved in SAVE_IPSETS.</para>
        </listitem>
      </varlistentry>
@@ -1180,11 +1159,12 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          <para>Subzones are defined by following their name with ":" and a
          list of parent zones (in <ulink
-          url="shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
+          url="shorewall-zones.html">shorewall-zones</ulink>(5)).
-          you want to have a set of special rules for the subzone and if a
+          Normally, you want to have a set of special rules for the subzone
-          connection doesn't match any of those subzone-specific rules then
+          and if a connection doesn't match any of those subzone-specific
-          you want the parent zone rules and policies to be applied; see
+          rules then you want the parent zone rules and policies to be
-          <ulink url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
+          applied; see <ulink
          url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
          With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
          <para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
@@ -1202,10 +1182,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        <listitem>
          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
          INVALID packets through the NEW section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
+          url="shorewall-rules.html">shorewall-rules</ulink> (5).
-          packet in INVALID state fails to match any rule in the INVALID
+          When a packet in INVALID state fails to match any rule in the
-          section, the packet is disposed of based on this setting. The
+          INVALID section, the packet is disposed of based on this setting.
-          default value is CONTINUE for compatibility with earlier
+          The default value is CONTINUE for compatibility with earlier
          versions.</para>
        </listitem>
      </varlistentry>
@@ -1217,9 +1197,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        <listitem>
          <para>Added in Shorewall 4.5.13. Packets in the INVALID state that
          do not match any rule in the INVALID section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
-          this level. The default value is empty which means no logging is
+          logged at this level. The default value is empty which means no
-          performed.</para>
+          logging is performed.</para>
        </listitem>
      </varlistentry>
@@ -1502,8 +1482,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          sample configurations use this as the default log level and changing
          it will change all packet logging done by the configuration. In any
          configuration file (except <ulink
-          url="shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
+          url="shorewall-params.html">shorewall-params(5)</ulink>),
-          will expand to this value.</para>
+          $LOG_LEVEL will expand to this value.</para>
        </listitem>
      </varlistentry>
@@ -1655,7 +1635,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          <note>
            <para>The setting of LOGFORMAT has an effect of the permitted
            length of zone names. See <ulink
-            url="shorewall-zones.html">shorewall-zones</ulink> (5).</para>
+            url="shorewall-zones.html">shorewall-zones</ulink>
            (5).</para>
          </note>
          <caution>
@@ -1812,8 +1793,8 @@ LOG:info:,bar                        net                    fw</programlisting>
        <listitem>
          <para>The performance of configurations with a large numbers of
          entries in <ulink
-          url="shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
+          url="shorewall-maclist.html">shorewall-maclist</ulink>(5)
-          improved by setting the MACLIST_TTL variable in <ulink
+          can be improved by setting the MACLIST_TTL variable in <ulink
          url="shorewall.conf.html">shorewall[6].conf</ulink>(5).</para>
          <para>If your iptables and kernel support the "Recent Match" (see
@@ -1823,14 +1804,15 @@ LOG:info:,bar                        net                    fw</programlisting>
          <para>When a new connection arrives from a 'maclist' interface, the
          packet passes through then list of entries for that interface in
-          <ulink url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
+          <ulink
-          there is a match then the source IP address is added to the 'Recent'
+          url="shorewall-maclist.html">shorewall-maclist</ulink>(5).
-          set for that interface. Subsequent connection attempts from that IP
+          If there is a match then the source IP address is added to the
-          address occurring within $MACLIST_TTL seconds will be accepted
+          'Recent' set for that interface. Subsequent connection attempts from
-          without having to scan all of the entries. After $MACLIST_TTL from
+          that IP address occurring within $MACLIST_TTL seconds will be
-          the first accepted connection request from an IP address, the next
+          accepted without having to scan all of the entries. After
-          connection request from that IP address will be checked against the
+          $MACLIST_TTL from the first accepted connection request from an IP
-          entire list.</para>
+          address, the next connection request from that IP address will be
          checked against the entire list.</para>
          <para>If MACLIST_TTL is not specified or is specified as empty (e.g,
          MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
@@ -2404,12 +2386,13 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
        <listitem>
          <para>Added in Shorewall 4.4.27. Shorewall has traditionally
          ACCEPTed RELATED packets that don't match any rule in the RELATED
-          section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
+          section of <ulink
-          (5). Concern about the safety of this practice resulted in the
+          url="shorewall-rules.html">shorewall-rules</ulink> (5).
-          addition of this option. When a packet in RELATED state fails to
+          Concern about the safety of this practice resulted in the addition
-          match any rule in the RELATED section, the packet is disposed of
+          of this option. When a packet in RELATED state fails to match any
-          based on this setting. The default value is ACCEPT for compatibility
+          rule in the RELATED section, the packet is disposed of based on this
-          with earlier versions.</para>
+          setting. The default value is ACCEPT for compatibility with earlier
          versions.</para>
        </listitem>
      </varlistentry>
@@ -2420,9 +2403,9 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
        <listitem>
          <para>Added in Shorewall 4.4.27. Packets in the related state that
          do not match any rule in the RELATED section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
-          this level. The default value is empty which means no logging is
+          logged at this level. The default value is empty which means no
-          performed.</para>
+          logging is performed.</para>
        </listitem>
      </varlistentry>
@@ -2523,7 +2506,8 @@ INLINE          -       -       -       ;; -j REJECT
          <para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
          at least one optional interface must be up in order for the firewall
          to be in the started state. Intended to be used with the <ulink
-          url="shorewall-init.html">Shorewall Init Package</ulink>.</para>
+          url="shorewall-init.html">Shorewall Init
          Package</ulink>.</para>
        </listitem>
      </varlistentry>
@@ -2609,17 +2593,18 @@ INLINE          -       -       -       ;; -j REJECT
          <para>During <emphasis role="bold">shorewall star</emphasis>t, IP
          addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
          ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
-          url="shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
+          url="shorewall-nat.html">shorewall-nat</ulink>(5) and
-          url="shorewall-masq.html">shorewall-masq</ulink>(5) are processed
+          <ulink url="shorewall-masq.html">shorewall-masq</ulink>(5)
-          then are re-added later. This is done to help ensure that the
+          are processed then are re-added later. This is done to help ensure
-          addresses can be added with the specified labels but can have the
+          that the addresses can be added with the specified labels but can
-          undesirable side effect of causing routes to be quietly deleted.
+          have the undesirable side effect of causing routes to be quietly
-          When RETAIN_ALIASES is set to Yes, existing addresses will not be
+          deleted. When RETAIN_ALIASES is set to Yes, existing addresses will
-          deleted. Regardless of the setting of RETAIN_ALIASES, addresses
+          not be deleted. Regardless of the setting of RETAIN_ALIASES,
-          added during <emphasis role="bold">shorewall start</emphasis> are
+          addresses added during <emphasis role="bold">shorewall
-          still deleted at a subsequent <emphasis role="bold">shorewall
+          start</emphasis> are still deleted at a subsequent <emphasis
-          [stop</emphasis>, <emphasis role="bold">shorewall reload</emphasis>
+          role="bold">shorewall [stop</emphasis>, <emphasis
-          or <emphasis role="bold">shorewall restart</emphasis>.</para>
+          role="bold">shorewall reload</emphasis> or <emphasis
          role="bold">shorewall restart</emphasis>.</para>
        </listitem>
      </varlistentry>
@@ -2723,9 +2708,9 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.4.20. Determines the disposition of
          packets matching the <option>sfilter</option> option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          of <firstterm>hairpin</firstterm> packets on interfaces without the
+          and of <firstterm>hairpin</firstterm> packets on interfaces without
-          <option>routeback</option> option.<footnote>
+          the <option>routeback</option> option.<footnote>
              <para>Hairpin packets are packets that are routed out of the
              same interface that they arrived on.</para>
            </footnote></para>
@@ -2739,9 +2724,9 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added on Shorewall 4.4.20. Determines the logging of packets
          matching the <option>sfilter</option> option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          of <firstterm>hairpin</firstterm> packets on interfaces without the
+          and of <firstterm>hairpin</firstterm> packets on interfaces without
-          <option>routeback</option> option.<footnote>
+          the <option>routeback</option> option.<footnote>
              <para>Hairpin packets are packets that are routed out of the
              same interface that they arrived on.</para>
            </footnote> The default is <option>info</option>. If you don't
@@ -2769,9 +2754,9 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.4.20. The default setting is DROP which
          causes smurf packets (see the nosmurfs option in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          be dropped. A_DROP causes the packets to be audited prior to being
+          to be dropped. A_DROP causes the packets to be audited prior to
-          dropped and requires AUDIT_TARGET support in the kernel and
+          being dropped and requires AUDIT_TARGET support in the kernel and
          iptables.</para>
        </listitem>
      </varlistentry>
@@ -2783,8 +2768,8 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Specifies the logging level for smurf packets (see the
          nosmurfs option in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
-          set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
+          If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
          logged.</para>
        </listitem>
      </varlistentry>
@@ -2886,7 +2871,8 @@ INLINE          -       -       -       ;; -j REJECT
          <para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
          simple traffic shaping using <ulink
          url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
-          and <ulink url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
+          and <ulink
          url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
          enabled.</para>
          <para>If you set TC_ENABLED=Internal or internal or leave the option
@@ -2950,10 +2936,10 @@ INLINE          -       -       -       ;; -j REJECT
          <para>Determines the disposition of TCP packets that fail the checks
          enabled by the <emphasis role="bold">tcpflags</emphasis> interface
          option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          must have a value of ACCEPT (accept the packet), REJECT (send an RST
+          and must have a value of ACCEPT (accept the packet), REJECT (send an
-          response) or DROP (ignore the packet). If not set or if set to the
+          RST response) or DROP (ignore the packet). If not set or if set to
-          empty value (e.g., TCP_FLAGS_DISPOSITION="") then
+          the empty value (e.g., TCP_FLAGS_DISPOSITION="") then
          TCP_FLAGS_DISPOSITION=DROP is assumed.</para>
          <para>A_DROP and A_REJECT are audited versions of DROP and REJECT
@@ -2982,8 +2968,8 @@ INLINE          -       -       -       ;; -j REJECT
          <para>Added in Shorewall 4.4.3. When set to Yes, causes the
          <option>track</option> option to be assumed on all providers defined
          in <ulink
-          url="shorewall-providers.html">shorewall-providers</ulink>(5). May
+          url="shorewall-providers.html">shorewall-providers</ulink>(5).
-          be overridden on an individual provider through use of the
+          May be overridden on an individual provider through use of the
          <option>notrack</option> option. The default value is 'No'.</para>
          <para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
@@ -3037,10 +3023,10 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
          UNTRACKED packets through the NEW section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
+          url="shorewall-rules.html">shorewall-rules</ulink> (5).
-          packet in UNTRACKED state fails to match any rule in the UNTRACKED
+          When a packet in UNTRACKED state fails to match any rule in the
-          section, the packet is disposed of based on this setting. The
+          UNTRACKED section, the packet is disposed of based on this setting.
-          default value is CONTINUE for compatibility with earlier
+          The default value is CONTINUE for compatibility with earlier
          versions.</para>
        </listitem>
      </varlistentry>
@@ -3052,9 +3038,9 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
          do not match any rule in the UNTRACKED section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
-          this level. The default value is empty which means no logging is
+          logged at this level. The default value is empty which means no
-          performed.</para>
+          logging is performed.</para>
        </listitem>
      </varlistentry>
@@ -3076,8 +3062,8 @@ INLINE          -       -       -       ;; -j REJECT
          <orderedlist>
            <listitem>
              <para>Both the DUPLICATE and the COPY columns in <ulink
-              url="shorewall-providers.html">providers</ulink>(5) file must
+              url="shorewall-providers.html">providers</ulink>(5)
-              remain empty (or contain "-").</para>
+              file must remain empty (or contain "-").</para>
            </listitem>
            <listitem>
@@ -3097,9 +3083,9 @@ INLINE          -       -       -       ;; -j REJECT
            <listitem>
              <para>Packets are sent through the main routing table by a rule
              with priority 999. In <ulink
-              url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5), the
+              url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5),
-              range 1-998 may be used for inserting rules that bypass the main
+              the range 1-998 may be used for inserting rules that bypass the
-              table.</para>
+              main table.</para>
            </listitem>
            <listitem>
--- a/docs/SharedConfig.xml
+++ b/docs/SharedConfig.xml
@@ -2,7 +2,7 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article>
-  <!--$Id$-->
+  <!--mangle$Id$-->
  <articleinfo>
    <title>Shared Shorewall and Shorewall6 Configuration</title>
@@ -20,8 +20,6 @@
    <copyright>
      <year>2017</year>
      <year>2020</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -39,7 +37,7 @@
  <section>
    <title>Introduction</title>
-    <para>Iptables separates management of IPv4 and IPv6 configurations. Each
+    <para>Netfilter separates management of IPv4 and IPv6 configurations. Each
    address family has its own utility (iptables and ip6tables), and changes
    made to the configuration of one address family do not affect the other.
    While Shorewall also separates the address families in this way, it is
@@ -70,7 +68,7 @@
    <para>Here is a diagram of this installation:</para>
-    <graphic fileref="images/Network2020.png"/>
+    <graphic fileref="images/Network2017.png"/>
  </section>
  <section>
@@ -78,40 +76,36 @@
    <para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>
-    <programlisting>root@gateway:~# ls -l /etc/shorewall
+    <programlisting>root@gateway:~# ls -l /etc/shorewall/
-total 120
+total 92
 -rw-r--r-- 1 root root  201 Mar 19  2017 action.Mirrors
-rw-r--r-- 1 root root  109 Oct 20  2017 actions
+-rw-r--r-- 1 root root  109 Oct 20 09:18 actions
-rw-r--r-- 1 root root   82 Oct  5  2018 arprules
+-rw-r--r-- 1 root root  654 Oct 13 13:46 conntrack
-rw-r--r-- 1 root root  528 Oct  7  2019 blrules
+-rw-r--r-- 1 root root  104 Oct 13 13:21 hosts
-rw-r--r-- 1 root root 1797 Sep 16  2019 capabilities
+-rw-r--r-- 1 root root  867 Jul  1 10:50 interfaces
-rw-r--r-- 1 root root  656 Jun 10  2018 conntrack
+-rw-r--r-- 1 root root  107 Jun 29 15:14 isusable
-rw-r--r-- 1 root root  104 Oct 13  2017 hosts
+-rw-r--r-- 1 root root  240 Oct 13 13:34 macro.FTP
-rw-r--r-- 1 root root  867 Jun 10  2018 interfaces
+-rw-r--r-- 1 root root  559 Oct 19 12:56 mangle
-rw-r--r-- 1 root root  107 Jun 29  2017 isusable
+-rw-r--r-- 1 root root 1290 Jun 29 15:16 mirrors
-rw-r--r-- 1 root root  240 Oct 13  2017 macro.FTP
+-rw-r--r-- 1 root root 2687 Oct 15 14:20 params
-rw-r--r-- 1 root root  705 Oct 22  2019 mangle
+-rw-r--r-- 1 root root  738 Oct 15 12:16 policy
-rw-r--r-- 1 root root 1308 Apr  2  2018 mirrors
+-rw-r--r-- 1 root root 1838 Oct 11 08:29 providers
 -rw-r--r-- 1 root root 2889 Apr 23 17:13 params
 -rw-r--r-- 1 root root 1096 Oct 14  2019 policy
 -rw-r--r-- 1 root root 2098 Apr 23 17:19 providers
 -rw-r--r-- 1 root root  398 Mar 18  2017 proxyarp
-rw-r--r-- 1 root root  726 Oct 24  2018 routes
+-rw-r--r-- 1 root root  738 Nov  8 09:34 routes
-rw-r--r-- 1 root root  729 Mar  1 11:08 rtrules
+-rw-r--r-- 1 root root  729 Nov  7 12:52 rtrules
-rw-r--r-- 1 root root 8593 Feb 25 08:49 rules
+-rw-r--r-- 1 root root 6367 Oct 13 13:21 rules
-rw-r--r-- 1 root root 5490 Mar  1 18:34 shorewall.conf
+-rw-r--r-- 1 root root 5520 Oct 19 10:01 shorewall.conf
-rw-r--r-- 1 root root 1090 Sep 16  2019 snat
+-rw-r--r-- 1 root root 1090 Oct 25 15:17 snat
-rw-r--r-- 1 root root  180 Jan 30  2018 started
+-rw-r--r-- 1 root root  181 Jun 29 15:12 started
-rw-r--r-- 1 root root  539 Feb  6 14:33 stoppedrules
+-rw-r--r-- 1 root root  435 Oct 13 13:21 tunnels
-rw-r--r-- 1 root root  435 Oct 13  2017 tunnels
+-rw-r--r-- 1 root root  941 Oct 15 11:27 zones
-rw-r--r-- 1 root root  941 Oct 15  2017 zones
+root@gateway:~# ls -l /etc/shorewall6/
-root@gateway:~# ls -l /etc/shorewall6
+total 8
-total 12
+lrwxrwxrwx 1 root root   20 Jul  6 16:35 mirrors -&gt; ../shorewall/mirrors
-rw-r--r-- 1 root root 1786 Sep 16  2019 capabilities
+lrwxrwxrwx 1 root root   19 Jul  6 12:48 params -&gt; ../shorewall/params
-lrwxrwxrwx 1 root root   20 Jul  6  2017 mirrors -&gt; ../shorewall/mirrors
+-rw-r--r-- 1 root root 5332 Oct 14 11:53 shorewall6.conf
-lrwxrwxrwx 1 root root   19 Jul  6  2017 params -&gt; ../shorewall/params
+root@gateway:~# 
-rw-r--r-- 1 root root 5324 Oct 18  2019 shorewall6.conf
+</programlisting>
 root@gateway:~#</programlisting>
    <para>The various configuration files are described in the sections that
    follow. Note that in all cases, these files use the <ulink
@@ -177,7 +171,7 @@ DEFAULT_PAGER=/usr/bin/less
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
-#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
+#  Manpage also online at https://shorewall.org/manpages/shorewall.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -191,11 +185,11 @@ VERBOSITY=1
 ###############################################################################
 PAGER=pager
 ###############################################################################
-#                            F I R E W A L L
+#			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
-#                             L O G G I N G
+#			       L O G G I N G
 ###############################################################################
 LOG_LEVEL="NFLOG(0,64,1)"
 BLACKLIST_LOG_LEVEL="none"
@@ -203,10 +197,9 @@ INVALID_LOG_LEVEL=
 LOG_BACKEND=netlink
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=1
 LOG_ZONE=Src
 LOGALLNEW=
 LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
-LOGFORMAT="%s %s"
+LOGFORMAT=": %s %s"
 LOGTAGONLY=Yes
 LOGLIMIT="s:5/min"
 MACLIST_LOG_LEVEL="$LOG_LEVEL"
@@ -218,7 +211,7 @@ STARTUP_LOG=/var/log/shorewall-init.log
 TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 UNTRACKED_LOG_LEVEL=
 ###############################################################################
-#     L O C A T I O N    O F    F I L E S   A N D   D I R E C T O R I E S
+#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 ARPTABLES=
 CONFIG_PATH="/etc/shorewall:/usr/share/shorewall:/usr/share/shorewall/Shorewall"
@@ -236,7 +229,7 @@ SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
 TC=
 ###############################################################################
-#               D E F A U L T   A C T I O N S / M A C R O S
+#		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 BLACKLIST_DEFAULT="NotSyn(DROP):$LOG_LEVEL"
@@ -245,15 +238,15 @@ NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
-#                    R S H / R C P    C O M M A N D S
+#			 R S H / R C P	C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 ###############################################################################
-#                    F I R E W A L L  O P T I O N S
+#			F I R E W A L L	  O P T I O N S
 ###############################################################################
 ACCOUNTING=Yes
-ACCOUNTING_TABLE=filter
+ACCOUNTING_TABLE=mangle
 ADD_IP_ALIASES=No
 ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
@@ -263,7 +256,7 @@ AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
-CLAMPMSS=No
+CLAMPMSS=Yes
 CLEAR_TC=Yes
 COMPLETE=No
 DEFER_DNS_RESOLUTION=No
@@ -273,19 +266,22 @@ DISABLE_IPV6=No
 DOCKER=No
 DONT_LOAD="nf_nat_sip,nf_conntrack_sip,nf_conntrack_h323,nf_nat_h323"
 DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
-EXPAND_POLICIES=No
+EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=Yes
 FORWARD_CLEAR_MARK=No
 HELPERS="ftp,irc"
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Yes
 KEEP_RT_TABLES=Yes
 LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=60
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MINIUPNPD=No
 MULTICAST=No
@@ -295,7 +291,6 @@ OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
 PERL_HASH_SEED=12345
 REJECT_ACTION=
 RENAME_COMBINED=No
 REQUIRE_INTERFACE=No
 RESTART=restart
 RESTORE_DEFAULT_ROUTE=No
@@ -319,7 +314,7 @@ WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
-#                        P A C K E T   D I S P O S I T I O N
+#			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 BLACKLIST_DISPOSITION=DROP
 INVALID_DISPOSITION=CONTINUE
@@ -331,13 +326,14 @@ SFILTER_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 UNTRACKED_DISPOSITION=DROP
 ################################################################################
-#                        P A C K E T  M A R K  L A Y O U T
+#			P A C K E T  M A R K  L A Y O U T
 ################################################################################
 TC_BITS=8
 PROVIDER_BITS=2
 PROVIDER_OFFSET=16
 MASK_BITS=8
-ZONE_BITS=0</programlisting>
+ZONE_BITS=0
 </programlisting>
      </section>
      <section>
@@ -352,35 +348,34 @@ ZONE_BITS=0</programlisting>
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
 #  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+#  https://shorewall.org/manpages/shorewall.conf.html
 ###############################################################################
-#                        S T A R T U P   E N A B L E D
+#		       S T A R T U P   E N A B L E D
 ###############################################################################
 STARTUP_ENABLED=Yes
 ###############################################################################
-#                               V E R B O S I T Y
+#			     V E R B O S I T Y
 ###############################################################################
 VERBOSITY=1
 ###############################################################################
-#                                  P A G E R
+#			        P A G E R
 ###############################################################################
 PAGER=pager
 ###############################################################################
-#                                F I R E W A L L
+#			     F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
-#                               L O G G I N G
+#			       L O G G I N G
 ###############################################################################
 LOG_LEVEL="NFLOG(0,64,1)"
 BLACKLIST_LOG_LEVEL="none"
 INVALID_LOG_LEVEL=
 LOG_BACKEND=netlink
 LOG_VERBOSITY=2
 LOG_ZONE=Src
 LOGALLNEW=
 LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
-LOGFORMAT="%s %s"
+LOGFORMAT="%s %s "
 LOGLIMIT="s:5/min"
 LOGTAGONLY=Yes
 MACLIST_LOG_LEVEL="$LOG_LEVEL"
@@ -392,7 +387,7 @@ STARTUP_LOG=/var/log/shorewall6-init.log
 TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 UNTRACKED_LOG_LEVEL=
 ###############################################################################
-#     L O C A T I O N  O F   F I L E S   A N D   D I R E C T O R I E S
+#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH="${CONFDIR}/shorewall6:${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -409,7 +404,7 @@ SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=/var/lock/subsys/shorewall6
 TC=
 ###############################################################################
-#             D E F A U L T   A C T I O N S / M A C R O S
+#		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
@@ -418,12 +413,12 @@ NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
-#                     R S H / R C P   C O M M A N D S
+#			 R S H / R C P	C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 ###############################################################################
-#                     F I R E W A L L	  O P T I O N S
+#			F I R E W A L L	  O P T I O N S
 ###############################################################################
 ACCOUNTING=Yes
 ACCOUNTING_TABLE=mangle
@@ -448,9 +443,11 @@ FORWARD_CLEAR_MARK=No
 HELPERS=ftp
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Keep
 KEEP_RT_TABLES=Yes
 LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
@@ -461,7 +458,6 @@ OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
 PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=No
 REQUIRE_INTERFACE=No
 RESTART=restart
 RESTORE_DEFAULT_ROUTE=No
@@ -474,7 +470,7 @@ TRACK_PROVIDERS=Yes
 TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=Yes
-USE_PHYSICAL_NAMES=Yes
+USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=No
 WARNOLDCAPVERSION=Yes
@@ -482,7 +478,7 @@ WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
-#                    P A C K E T   D I S P O S I T I O N
+#			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 BLACKLIST_DISPOSITION=DROP
 INVALID_DISPOSITION=CONTINUE
@@ -494,14 +490,13 @@ SMURF_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 UNTRACKED_DISPOSITION=DROP
 ################################################################################
-#                     P A C K E T  M A R K  L A Y O U T
+#			P A C K E T  M A R K  L A Y O U T
 ################################################################################
 TC_BITS=8
 PROVIDER_BITS=2
 PROVIDER_OFFSET=8
 MASK_BITS=8
 ZONE_BITS=0
 #LAST LINE -- DO NOT REMOVE
 </programlisting>
      </section>
    </section>
@@ -529,50 +524,47 @@ if [ $g_family = 4 ]; then
    #
    # IPv4 compilation
    #
-    FALLBACK=Yes           # Make FAST_IF the primary and PROD_IF the fallback interface
+    FALLBACK=Yes	   # Make FAST_IF the primary and PROD_IF the fallback interface
 			   # See /etc/shorewall/providers
-    STATISTICAL=           # Use statistical load balancing
+    STATISTICAL=No	   # Don't use statistical load balancing
-    LISTS=70.90.191.124    # IP address of lists.shorewall.net (MX)
+    LISTS=70.90.191.124	   # IP address of lists.shorewall.net (MX)
-    MAIL=70.90.191.122     # IP address of mail.shorewall.net  (IMAPS)
+    MAIL=70.90.191.122	   # IP address of mail.shorewall.net  (IMAPS)
-    SERVER=70.90.191.125   # IP address of www.shorewall.org
+    SERVER=70.90.191.125   # IP address of shorewall.org
-    IRSSIEXT=10.2.10.2     # External address of irssi.shorewall.net
+    PROXY=		   # Use TPROXY for local web access
-    IRSSIINT=172.20.2.44   # Internal IP address of irssi.shorewall.net
+    ALL=0.0.0.0/0	   # Entire address space
    PROXY=Yes              # Use TPROXY for local web access
    ALL=0.0.0.0/0          # Entire address space
    LOC_ADDR=172.20.1.253  # IP address of the local LAN interface
    FAST_GATEWAY=10.2.10.1 # Default gateway through the IF_FAST interface
-    FAST_MARK=0x20000      # Multi-ISP mark setting for IF_FAST
+    FAST_MARK=0x20000	   # Multi-ISP mark setting for IF_FAST
    IPSECMSS=1460
    #
    # Interface Options
    #
    LOC_OPTIONS=dhcp,ignore=1,wait=5,routefilter,routeback,tcpflags=0,nodbl,physical=eth2
-    FAST_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,nosmurfs,rpfilter,physical=eth0
+    FAST_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,upnp,nosmurfs,physical=eth0
-    PROD_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,nosmurfs,rpfilter,physical=eth1
+    PROD_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,upnp,nosmurfs,physical=eth1
-    DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,nodbl,physical=br0
+    DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,dhcp,nodbl,physical=br0
    IRC_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=172.20.2.0/24,dhcp,nodbl,physical=br1
 else
    #
    # IPv6 compilation
    #
-    FALLBACK=Yes                           # Make FAST_IF the primary and PROD_IF the fallback interface
+    FALLBACK=Yes			      # Make FAST_IF the primary and PROD_IF the fallback interface
-                                           # See /etc/shorewall/providers
+					      # See /etc/shorewall/providers
-    STATISTICAL=No                         # Don't use statistical load balancing
+    STATISTICAL=No			      # Don't use statistical load balancing
-    LISTS=[2001:470:b:227::42]             # IP address of lists.shorewall.net (MX and HTTPS)
+    LISTS=[2001:470:b:227::42]		      # IP address of lists.shorewall.net (MX and HTTPS)
-    MAIL=[2001:470:b:227::45]              # IP address of mail.shorewall.net  (IMAPS and HTTPS)
+    MAIL=[2001:470:b:227::45]		      # IP address of mail.shorewall.net  (IMAPS and HTTPS)
-    SERVER=[2001:470:b:227::43]            # IP address of www.shorewall.org   (HTTP, FTP and RSYNC)
+    SERVER=[2001:470:b:227::43]		      # IP address of shorewall.org   (HTTP, FTP and RSYNC)
-    IRSSI=[2601:601:a000:16f1::]/64        # IP address of asus.shorewall.org  (Bit Torrent)
+    PROXY=3				      # Use TPROXY for local web access
-    PROXY=Yes                              # Use TPROXY for local web access
+    ALL=[::]/0				      # Entire address space
-    ALL=[::]/0                             # Entire address space
+    LOC_ADDR=[2601:601:a000:16f0::1]	      # IP address of the local LAN interface
-    LOC_ADDR=[2601:601:a000:16f0::1]       # IP address of the local LAN interface
+    FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf    # Default gateway through the IF_FAST interface
-    FAST_GATEWAY=2601:601:a000:1600:22e5:2aff:feb7:f2cf
+    FAST_MARK=0x100			      # Multi-ISP mark setting for IF_FAST
    FAST_MARK=0x100                        # Multi-ISP mark setting for IF_FAST
    IPSECMSS=1440
    #
    # Interface Options
    #
-    PROD_OPTIONS=forward=1,optional,rpfilter,routeback,physical=sit1
+    PROD_OPTIONS=forward=1,optional,physical=sit1
-    FAST_OPTIONS=forward=1,optional,dhcp,rpfilter,physical=eth0
+    FAST_OPTIONS=forward=1,optional,dhcp,upnp,physical=eth0
    LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2
    DMZ_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br0
    IRC_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br1
@@ -587,9 +579,11 @@ fi</programlisting>
      <programlisting>###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
 #
 # By using the 'ip' type, both Shorewall and Shorewall6 can share this file
 #
 fw	{ TYPE=firewall }
 net	{ TYPE=ip }
 loc	{ TYPE=ip }
@@ -605,11 +599,7 @@ vpn	{ TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS }
      <para>/etc/shorewall/interfaces makes heavy use of variables set in
      /etc/shorewall/params:</para>
-      <programlisting>?FORMAT 2
+      <programlisting>#
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 #
 # The two address families use different production interfaces and different 
 #
 # LOC_IF is the local LAN for both families
@@ -624,7 +614,8 @@ loc  { INTERFACE=LOC_IF,  OPTIONS=$LOC_OPTIONS }
 net  { INTERFACE=FAST_IF, OPTIONS=$FAST_OPTIONS }
 net  { INTERFACE=PROD_IF, OPTIONS=$PROD_OPTIONS }
 dmz  { INTERFACE=DMZ_IF,  OPTIONS=$DMZ_OPTIONS }
-apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }</programlisting>
+apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }
 </programlisting>
    </section>
    <section>
@@ -632,10 +623,11 @@ apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }</programlisting>
      <para>/etc/shorewall/hosts is used to define the vpn zone:</para>
-      <programlisting>##ZONE		HOSTS				OPTIONS
+      <programlisting>#ZONE		HOSTS				OPTIONS
 vpn { HOSTS=PROD_IF:$ALL }
 vpn { HOSTS=FAST_IF:$ALL }
-vpn { HOSTS=LOC_IF:$ALL }</programlisting>
+vpn { HOSTS=LOC_IF:$ALL }
 </programlisting>
    </section>
    <section>
@@ -646,29 +638,20 @@ vpn { HOSTS=LOC_IF:$ALL }</programlisting>
      <programlisting>#SOURCE	       DEST		 POLICY									  LOGLEVEL	      RATE
 $FW	     { DEST=dmz,net,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 $FW	     { DEST=all,	 POLICY=ACCEPT }
-?if __IPV4
+loc	     { DEST=net,	 POLICY=ACCEPT }
 $FW	     { DEST=all,	 POLICY=ACCEPT:Broadcast(ACCEPT),Multicast(ACCEPT),			  LOGLEVEL=$LOG_LEVEL }
 ?else
 $FW	     { DEST=all,	 POLICY=ACCEPT:AllowICMPs,Broadcast(ACCEPT),Multicast(ACCEPT)		  LOGLEVEL=$LOG_LEVEL }
 ?endif
 loc,apps     { DEST=net,	 POLICY=ACCEPT }
 loc,vpn,apps { DEST=loc,vpn,apps POLICY=ACCEPT }
 loc	     { DEST=fw,		 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 ?if __IPV4
 net	     { DEST=net,	 POLICY=NONE }
 ?else
 net	     { DEST=net,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 ?endif
 net	     { DEST=fw,		 POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
 net	     { DEST=all,	 POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL,				  LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
-dmz	     { DEST=fw	 	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
+dmz	     { DEST=fw,		 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 dmz	     { DEST=dmz 	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
-all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }</programlisting>
+all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 </programlisting>
    </section>
    <section>
@@ -693,9 +676,7 @@ all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }</programlist
        </listitem>
      </orderedlist>
-      <programlisting>#NAME		NUMBER   MARK    DUPLICATE  INTERFACE	GATEWAY         OPTIONS               COPY
+      <programlisting>#
 #
 # This could be cleaned up a bit, but I'm leaving it as is for now
 #
 #   - The two address families use different fw mark geometry
@@ -706,9 +687,7 @@ all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }</programlist
 ?if $FALLBACK
    # FAST_IF is primary, PROD_IF is fallback
    #
-    ?if $VERBOSITY &gt; 0
+    ?info Compiling with FALLBACK
        ?info Compiling with FALLBACK
    ?endif
    IPv6Beta	    { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,primary,persistent,noautosrc }
    ?if __IPV4
 	ComcastB    { NUMBER=4, MARK=0x10000,	 INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,fallback,persistent }
@@ -717,29 +696,25 @@ all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }</programlist
    ?endif
 ?elsif $STATISTICAL
    # Statistically balance traffic between FAST_IF and PROD_IF
-    ?if $VERBOSITY &gt; 0
+    ?info Compiling with STATISTICAL
        ?info Compiling with STATISTICAL
    ?endif
    ?if __IPV4
-    	IPv6Beta    { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary,persistent }
+    	IPv6Beta    { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary }
 	ComcastB    { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,load=0.33333333,fallback,persistent }
    ?else
 	HE	    { NUMBER=2, MARK=0x200,   INTERFACE=PROD_IF,                        OPTIONS=track,load=0.33333333,persistent }
    ?endif
 ?else
-    ?if $VERBOSITY &gt; 0
+    ?INFO Compiling with BALANCE
-        ?info Compiling with BALANCE
+    IPv6Beta	 { NUMBER=1, MARK=0x100,   INTERFACE=eth0,    GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
    ?endif
    IPv6Beta	 { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
    ?if __IPV4
-	ComcastB { NUMBER=4, MARK=0x10000,    INTERFACE=PROD_IF, GATEWAY=10.1.10.1,     OPTIONS=nohostroute,loose,balance,persistent }
+	ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=IPV4_IF, GATEWAY=10.1.10.1,     OPTIONS=nohostroute,loose,balance,persistent }
    ?else
        ?warning No BALANCE IPv6 configuration
 	HE	 { NUMBER=2, MARK=0x200,   INTERFACE=PROD_IF,			     OPTIONS=fallback,persistent }
    ?endif    
 ?endif
-Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }</programlisting>
+Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
 </programlisting>
    </section>
    <section>
@@ -779,7 +754,7 @@ Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }</programlisting>
    # not effective in routing the 'ping' request packets out of FAST_IF.
    # The following route solves that problem.
    #
-    { PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=$FAST_GATEWAY, DEVICE=FAST_IF, OPTIONS=persistent }
+    { PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=fe80::22e5:2aff:feb7:f2cf, DEVICE=FAST_IF, OPTIONS=persistent }
 ?endif</programlisting>
    </section>
@@ -847,13 +822,12 @@ CT:helper:ftp:O { PROTO=tcp, DPORT=21 }
      <para>/etc/shorewall/rules has only a couple of rules that are
      conditional based on address family:</para>
-      <programlisting>##############################################################################################################################################################
+      <programlisting>#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
 #ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
 ?SECTION ALL
-Ping(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping(1024,65536):2/sec:10 }
+Ping(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 }
-Trcrt(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping(1024,65536):2/sec:10 }
+Trcrt(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 }
 ?SECTION ESTABLISHED
@@ -871,8 +845,8 @@ ACCEPT		{ SOURCE=dmz, DEST=dmz }
 ?SECTION INVALID
 RST(ACCEPT)	{ SOURCE=all, DEST=all }
 FIN(ACCEPT)	{ SOURCE=all, DEST=all }
 DROP		{ SOURCE=net, DEST=all }
 FIN		{ SOURCE=all, DEST=all }
 ?SECTION UNTRACKED
@@ -889,26 +863,17 @@ CONTINUE	  { SOURCE=$FW, DEST=all }
 # Stop certain outgoing traffic to the net
 #
 REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=tcp, DPORT=25 }		#Stop direct loc-&gt;net SMTP (Comcast uses submission).
-#REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 }	#MS Messaging
+REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 }	#MS Messaging
-REJECT		{ SOURCE=all!dmz,apps, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" }
+REJECT		{ SOURCE=all, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" }
-REJECT		{ SOURCE=all!dmz,apps, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" }
+REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" }
 REJECT		{ SOURCE=all, DEST=net, PROTO=tcp, DPORT=3333, comment="Disallow port 3333" }
 REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" }
 ?if __IPV6
 DROP		{ SOURCE=net:PROD_IF, DEST=net:PROD_IF }
 ?endif
 ?COMMENT
 ######################################################################################################
 # SACK
 #
 DROP:$LOG_LEVEL	 { SOURCE=net, DEST=all } ;;+ -p tcp -m tcpmss --mss 1:535
 ######################################################################################################
 # 6in4
 #
@@ -919,9 +884,8 @@ DROP:$LOG_LEVEL	 { SOURCE=net, DEST=all } ;;+ -p tcp -m tcpmss --mss 1:535
 ######################################################################################################
 # Ping
 #
-Ping(ACCEPT)	  { SOURCE=$FW,loc,dmz,vpn,apps, DEST=$FW,loc,dmz,vpn,apps }
+Ping(ACCEPT)	  { SOURCE=$FW,loc,dmz,vpn, DEST=$FW,loc,dmz,vpn }
-Ping(ACCEPT)	  { SOURCE=dmz, DEST=dmz }
+Ping(ACCEPT)	  { SOURCE=all,              DEST=net }
 Ping(ACCEPT)	  { SOURCE=all, DEST=net }
 ######################################################################################################
 # SSH
 #
@@ -936,11 +900,6 @@ SSH(DNAT-)	  { SOURCE=net,              DEST=172.20.2.44, PROTO=tcp, DPORT=ssh,
 #
 DNS(ACCEPT)	  { SOURCE=loc,dmz,vpn,apps, DEST=$FW }
 DNS(ACCEPT)	  { SOURCE=$FW, DEST=net }
 ?if $TEST
 DNS(REDIRECT)	  loc		53	 -	53	-	!&amp;LOC_IF
 DNS(REDIRECT)	  fw		53	 -	53	-	!::1
 ?endif
 DropDNSrep        { SOURCE=net, DEST=all }
 ######################################################################################################
 # Traceroute
 #
@@ -951,7 +910,6 @@ Trcrt(ACCEPT)	  { SOURCE=net, DEST=$FW,dmz }
 #
 SMTP(ACCEPT)	   { SOURCE=net,$FW, DEST=dmz:$LISTS }
 SMTP(ACCEPT)	   { SOURCE=dmz:$LISTS, DEST=net:PROD_IF }
 SMTP(ACCEPT)	   { SOURCE=dmz, DEST=dmz:$LISTS }
 SMTP(REJECT)	   { SOURCE=dmz:$LISTS, DEST=net }
 IMAPS(ACCEPT)  	   { SOURCE=all, DEST=dmz:$MAIL }
 Submission(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS }
@@ -961,6 +919,7 @@ IMAP(ACCEPT)	   { SOURCE=loc,vpn, DEST=net }
 # NTP
 #
 NTP(ACCEPT)	   { SOURCE=all, DEST=net }
 NTP(ACCEPT)	   { SOURCE=loc,vpn,dmz,apps DEST=$FW }
 ######################################################################################################
 # Squid
 ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 } 
@@ -970,8 +929,8 @@ ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 }
 Web(ACCEPT)	   { SOURCE=loc,vpn DEST=$FW }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=proxy }
 Web(DROP)	   { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist web crawlers" }
-HTTP(ACCEPT)	   { SOURCE=net,loc,vpn,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
+HTTP(ACCEPT)	   { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
-HTTPS(ACCEPT)	   { SOURCE=net,loc,vpn,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
+HTTPS(ACCEPT)	   { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$LISTS,$MAIL }
 Web(ACCEPT)	   { SOURCE=dmz,apps DEST=net,$FW }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=root }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=teastep }
@@ -979,13 +938,13 @@ Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=_apt }
 ######################################################################################################
 # FTP
 #
-FTP(ACCEPT)	   { SOURCE=loc,vpn,apps  DEST=net }
+FTP(ACCEPT)	   { SOURCE=loc,vpn,apps DEST=net }
 FTP(ACCEPT)	   { SOURCE=dmz,          DEST=net }
 FTP(ACCEPT)	   { SOURCE=$FW,          DEST=net, USER=root }
 FTP(ACCEPT)	   { SOURCE=all,          DEST=dmz:$SERVER }
 #
 # Some FTP clients seem prone to sending the PORT command split over two packets.
-# This prevents the FTP connection tracking code from processing the command and setting
+# This prevents the FTP connection tracking code from processing the command  and setting
 # up the proper expectation.
 #
 # The following rule allows active FTP to work in these cases
@@ -993,10 +952,6 @@ FTP(ACCEPT)	   { SOURCE=all,          DEST=dmz:$SERVER }
 #
 ACCEPT:$LOG_LEVEL  { SOURCE=dmz, DEST=net, PROTO=tcp, DPORT=1024:, SPORT=20 }
 ######################################################################################################
 # Git
 #
 Git(ACCEPT)        { source=all, DEST=dmz:$SERVER }
 ######################################################################################################
 # whois
 #
 Whois(ACCEPT)	   { SOURCE=all, DEST=net }
@@ -1008,45 +963,12 @@ SMBBI(ACCEPT)	    { SOURCE=vpn, DEST=$FW }
 ######################################################################################################
 # IRC
 #
-SetEvent(IRC)	                      { SOURCE=loc,apps, DEST=net, PROTO=tcp, DPORT=6667 }
+IRC(ACCEPT)	    { SOURCE=loc,apps, DEST=net }
 IfEvent(IRC,ACCEPT,10,1,dst,reset)    { SOURCE=net, DEST=loc,apps, PROTO=tcp, DPORT=113 }
 ######################################################################################################
 # AUTH
 Auth(REJECT)	{ SOURCE=net, DEST=all }
 ######################################################################################################
 # Rsync
 #
 Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
-######################################################################################################
+</programlisting>
 # IPSEC
 #
 ?if __IPV4
 DNAT		{ SOURCE=loc,net, DEST=apps:172.20.2.44, PROTO=udp, DPORT=500,4500, ORIGDEST=70.90.191.123 }
 ?else
 ACCEPT		{ SOURCE=loc,net, DEST=apps, PROTO=udp, DPORT=500,4500 }
 ACCEPT		{ SOURCE=loc,net, DEST=apps, PROTO=esp }
 ?endif
 ACCEPT		{ SOURCE=$FW,     DEST=net,  PROTO=udp, SPORT=4500 }
 ######################################################################################################
 # Bit Torrent
 ?if __IPV4
 DNAT		{ SOURCE=net,	  DEST=apps:$IRSSIINT,	PROTO=udp,tcp,	DPORT=59410, ORIGDEST=$IRSSIEXT }
 ?else
 ACCEPT		{ SOURCE=net,	  DEST=apps:$IRSSI,	PROTO=udp,tcp,	DPORT=59410 }
 ?endif
 REJECT		{ SOURCE=net,	  DEST=all,	  PROTO=udp,tcp,	DPORT=51413,59410 }
 ######################################################################################################
 # VNC
 ACCEPT		{ SOURCE=loc,	  DEST=$FW,	  PROTO=tcp,		DPORT=5900 }
 ######################################################################################################
 # FIN &amp; RST
 RST(ACCEPT)	{ SOURCE=all, DEST=all }
 FIN(ACCEPT)	{ SOURCE=all, DEST=all }
 ######################################################################################################
 # Multicast
 ?if __IPV4
 Multicast(ACCEPT) { SOURCE=all, DEST=$FW }
 ?endif</programlisting>
    </section>
    <section>
@@ -1057,10 +979,6 @@ Multicast(ACCEPT) { SOURCE=all, DEST=$FW }
      <programlisting>#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
 ?if $VERSION &gt;= 50109
 TCPMSS(pmtu,none) { PROTO=tcp }
 ?endif
 ?if __IPV4
    #
    # I've had a checksum issue with certain IPv4 UDP packets
@@ -1071,12 +989,13 @@ TCPMSS(pmtu,none) { PROTO=tcp }
 ?if $PROXY
    #
-    # Use TPROXY for IPv4 web access from the local LAN
+    # Use TPROXY for web access from the local LAN
    #
    DIVERT:R { PROTO=tcp, SPORT=80 }
    DIVERT:R { PROTO=tcp, DPORT=80 }
    TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF, PROTO=tcp, DPORT=80 }
-?endif</programlisting>
+?endif
 </programlisting>
    </section>
    <section>
@@ -1084,19 +1003,19 @@ TCPMSS(pmtu,none) { PROTO=tcp }
      <para>NAT entries are quite dependent on the address family:</para>
-      <programlisting>###################################################################################################################
+      <programlisting>#ACTION         SOURCE			DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
 #ACTION         SOURCE			DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
 ?if __IPV4
-    MASQUERADE			{ SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_IF }
+    MASQUERADE		{ SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_IF }
-    MASQUERADE			{ SOURCE=70.90.191.120/29, 	      DEST=FAST_IF }
+    MASQUERADE 		{ SOURCE=70.90.191.120/29, 	      DEST=FAST_IF }
-    SNAT(70.90.191.121) 	{ SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,  PROBABILITY=0.50, COMMENT="Masquerade Local Network" }
+    SNAT(70.90.191.121) { SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,  PROBABILITY=0.50, COMMENT="Masquerade Local Network" }
-    SNAT(70.90.191.123) 	{ SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,                    COMMENT="Masquerade Local Network" }
+    SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,                    COMMENT="Masquerade Local Network" }
-    SNAT(172.20.1.253)  	{ SOURCE=!172.20.1.0/24, 	      DEST=LOC_IF:172.20.1.100 }
+    SNAT(172.20.1.253)  { SOURCE=172.20.3.0/24,	 	      DEST=LOC_IF:172.20.1.100 }
 ?else
-    SNAT(&amp;PROD_IF)		{ SOURCE=2601:601:a000:16f0::/60,               DEST=PROD_IF }
+    SNAT(&amp;PROD_IF)	{ SOURCE=2601:601:8b00:bf0::/60,                DEST=PROD_IF }
-    SNAT(&amp;FAST_IF)		{ SOURCE=2001:470:b:227::/64,2001:470:a:227::2,	DEST=FAST_IF }
+    SNAT(&amp;FAST_IF)	{ SOURCE=2001:470:b:227::/64,2001:470:a:227::2,	DEST=FAST_IF }
-?endif</programlisting>
+?endif
 </programlisting>
    </section>
    <section>
@@ -1113,6 +1032,8 @@ ipsecnat {ZONE=loc,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }
    <section>
      <title>proxyarp</title>
      <para>This file is only used in the IPv4 configuration:</para>
      <programlisting>#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE	PERSISTENT
 70.90.191.122 { INTERFACE=br0, EXTERNAL=eth1, HAVEROUTE=yes, PERSISTENT=no }
@@ -1147,14 +1068,5 @@ return $status
 fi
 </programlisting>
    </section>
    <section>
      <title>stoppedrules</title>
      <para>/etc/shorewall/stoppedrules allow SSH connections into the
      firewall system when Shorewall[6] is in the stopped state.</para>
      <programlisting/>
    </section>
  </section>
 </article>
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -250,36 +250,14 @@ DROP            net:200.55.14.18        all
          </important>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>log</term>
        <listitem>
          <para>Added in Shorewall 5.2.5. When specified, successful
          'blacklist' and 'allow' commands will log a message to the system
          log.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>noupdate</term>
        <listitem>
          <para>Added in Shorewall 5.2.5. Normally, once an address has been
          blacklisted, each time that a packet is received from the packet,
          the ipset's entry for the address is updated to reset the timeout to
          the value specifyed in the <option>timeout</option> option above.
          Setting the <option>noupdate</option> option, inhibits this
          resetting of the entry's timeout. This option is ignored when the
          <option>timeout</option> option is not specified.</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>When ipset-based dynamic blacklisting is enabled, the contents of
    the blacklist will be preserved over
    <command>stop</command>/<command>reboot</command>/<command>start</command>
-    sequences.</para>
+    sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
    <replaceable>setname</replaceable> is included in the list of sets to be
    saved in SAVE_IPSETS.</para>
  </section>
  <section>
@@ -297,69 +275,4 @@ DROP            net:200.55.14.18        all
    <command>shorewall show action BLACKLIST</command> command for
    details.</para>
  </section>
  <section id="fail2ban">
    <title>BLACKLIST and Fail2ban</title>
    <para>The BLACKLIST command can be used as 'blocktype' in
    /etc/fail2ban/actions.d/shorewall.conf. Prior to Shorewall 5.2.5, this
    works best if there is no <emphasis role="bold">timeout</emphasis>
    specified in the DYNAMIC_BLACKLIST setting or if <emphasis
    role="bold">timeout=0</emphasis> is given.</para>
    <para>Beginning with Shorewall 5.2.5, Shorewall includes new features that
    allow fail2ban to work most seamlessly with Shorewall's ipset-based
    dynamic blacklisting:</para>
    <itemizedlist>
      <listitem>
        <para>When a <emphasis role="bold">timeout</emphasis> is specified in
        the DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset is
        created with default timeout 0. As entries are added by BLACKLIST
        policies or by the <emphasis role="bold">blacklist</emphasis> command,
        the created entry is given the specified timeout value.</para>
      </listitem>
      <listitem>
        <para>The <emphasis role="bold">noupdate</emphasis> option has been
        added. Specifying this option prevents 'timeout 0' ipset entries from
        being changed to finite timeout entries as a result of blacklisted ip
        addresses continuing to send packets to the firewall.</para>
      </listitem>
      <listitem>
        <para>The <emphasis role="bold">blacklist!</emphasis> command has been
        added. specifying that command as the fail2ban 'blocktype' causes
        entries created by fail2ban to persist until fail2ban unbans them
        using the Shorewall <emphasis role="bold">allow</emphasis>
        comand.</para>
      </listitem>
    </itemizedlist>
    <para>There are a couple of additional things to note:</para>
    <itemizedlist>
      <listitem>
        <para>The documentation in /etc/fail2ban/action.d/shorewall.conf
        states that you should set BLACKLIST=All. A better approach when using
        BLACKLIST as the 'blocktype' is to specify the <emphasis
        role="bold">disconnect</emphasis> option in the setting of
        DYNAMIC_BLACKLIST. With BLACKLIST=All, every packet entering the
        firewall from the net must be checked against the dynamic-blacklisting
        ipset. That is not required when you specify <emphasis
        role="bold">disconnect</emphasis>.</para>
      </listitem>
      <listitem>
        <para>The <emphasis role="bold">noupdate</emphasis> option allows
        fail2ban full control when a host is 'unbanned'. The cost of using
        this option is that after the specified <emphasis
        role="bold">timeout</emphasis>, the entry for an attacking host will
        be removed from the dynamic-blacklisting ipset, even if the host has
        continued the attack while blacklisted. This isn't a great concern, as
        the first attempt to access an unauthorized service will result in the
        host being re-blacklisted.</para>
      </listitem>
    </itemizedlist>
  </section>
 </article>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -1867,9 +1867,6 @@ SSH(ACCEPT)    net:$MYIP      $FW
      </listitem>
    </itemizedlist>
    <para>They may also be used as the parameter to SNAT() in <ulink
    url="manpages/shorewall-snat.html">shorewall-snat</ulink>(5).</para>
    <para>For optional interfaces, if the interface is not usable at the time
    that the firewall starts, one of two approaches are taken, depending on
    the context:</para>
--- a/docs/docs-targetname
+++ b/docs/docs-targetname
@@ -1 +1 @@
-5.2.5.1
+5.2.4.1
--- a/docs/images/Network2017.dia
+++ b/docs/images/Network2017.dia
--- a/docs/images/Network2017.png
+++ b/docs/images/Network2017.png
--- a/docs/images/Network2020.dia
+++ b/docs/images/Network2020.dia
--- a/docs/images/Network2020.png
+++ b/docs/images/Network2020.png
--- a/docs/images/docs-images-targetname
+++ b/docs/images/docs-images-targetname
@@ -1 +1 @@
-5.2.5-Beta1
+5.2.4-Beta1
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -192,19 +192,11 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
    ipv4 ipsets are saved. Both features require ipset version 5 or
    later.</para>
    <caution>
      <para>After setting SAVE_IPSETS, it is important to recompile the
      firewall script (e.g., 'shorewall compile', 'shorewall reload' or
      'shorewall restart') before rebooting</para>
    </caution>
    <para>Although Shorewall can save the definition of your ipsets and
    restore them when Shorewall starts, in most cases you must use the ipset
    utility to initially create and load your ipsets. The exception is that
    Shorewall will automatically create an empty iphash ipset to back each
-    dynamic zone. It will also create the ipset required by the
+    dynamic zone.</para>
    DYNAMIC_BLACKLIST=ipset:.. setting in <ulink
    url="manpages/shorewall.conf.html">shorewall[6].conf(5)</ulink>,</para>
  </section>
  <section>
@@ -228,32 +220,6 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
    the ipsets will be save to and restored from. Shorewall-init will create
    any necessary directories during the first 'save' operation.</para>
    <caution>
      <para>If you set SAVE_IPSETS in /etc/sysconfig/shorewall-init
      (/etc/default/shorewall-init on Debian and derivatives) when
      shorewall-init has not been started by systemd, then when the system is
      going down during reboot, the ipset contents will not be saved. You can
      work around that as follows:</para>
      <itemizedlist>
        <listitem>
          <para>Suppose that you have set
          SAVE_IPSETS=/var/lib/shorewall/init-save-ipsets.</para>
        </listitem>
        <listitem>
          <para>Before rebooting, execute this command:</para>
          <programlisting>ipset save &gt; /var/lib/shorewall/init-save-ipsets</programlisting>
        </listitem>
        <listitem>
          <para>Be sure to enable shoewall-init (e.g., <emphasis
          role="bold">systemctl enable shorewall-init</emphasis>).</para>
        </listitem>
      </itemizedlist>
    </caution>
    <para>If you configure Shorewall-init to save/restore ipsets, be sure to
    set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para>
--- a/docs/support.xml
+++ b/docs/support.xml
@@ -42,10 +42,10 @@
    <itemizedlist>
      <listitem>
        <para>The currently-supported Shorewall <ulink
-        url="ReleaseModel.html">major release</ulink>s are , 5.1 and 5.2.</para>
+        url="ReleaseModel.html">major release</ulink>s are 5.0 , 5.1 and 5.2.</para>
        <note>
-          <para>Shorewall versions earlier than 5.1.0 are no longer supported;
+          <para>Shorewall versions earlier than 5.0.0 are no longer supported;
          we will try to help but we will not spend time reading earlier code
          to try to help you solve a problem and we will not release a patch
          to correct any defect found.</para>