diff -Nur firehol-1.226/firehol.sh firehol-1.226.new/firehol.sh
--- firehol-1.226/firehol.sh	2006-12-29 23:48:19.000000000 +0100
+++ firehol-1.226.new/firehol.sh	2006-12-29 23:49:40.000000000 +0100
@@ -74,13 +74,16 @@
 	return 0
 }
 
-# Check for a command during runtime.
-# Currently the following commands are required only when needed:
-#
-# wget or curl (either is fine)
-# gzcat
-#
+# command on demand support.
 require_cmd() {
+	local block=1
+	if [ "a$1" = "a-n" ]
+	then
+		local block=0
+		shift
+	fi
+	
+	# if one is found, return success
 	for x in $1
 	do
 		eval var=`echo ${x} | tr 'a-z' 'A-Z'`_CMD
@@ -92,21 +95,56 @@
 		fi
 	done
 	
+	if [ $block -eq 1 ]
+	then
+		echo >&2
+		echo >&2 "ERROR:	THE REQUESTED FEATURE REQUIRES THESE PROGRAMS:"
+		echo >&2
+		echo >&2 "	$*"
+		echo >&2
+		echo >&2 "	You have requested the use of an optional FireHOL"
+		echo >&2 "	feature that requires certain external programs"
+		echo >&2 "	to be installed in the running system."
+		echo >&2
+		echo >&2 "	Please consult your Linux distribution manual to"
+		echo >&2 "	install the package(s) that provide these external"
+		echo >&2 "	programs and retry."
+		echo >&2
+		echo >&2 "	Note that you need an operational 'which' command"
+		echo >&2 "	for FireHOL to find all the external programs it"
+		echo >&2 "	needs. Check it yourself. Run:"
+		echo >&2
+		for x in $1
+		do
+			echo >&2 "	which $x"
+		done
+		
+		exit 1
+	fi
+	
 	return 1
 }
 
+# Currently the following commands are required only when needed.
+# (i.e. Command on Demand)
+#
+# wget or curl (either is fine)
+# gzcat
+# ip
+# netstat
+# egrep
+# date
+# hostname
+
+# Commands that are mandatory for FireHOL operation:
 which_cmd CAT_CMD cat
 which_cmd CUT_CMD cut
 which_cmd CHOWN_CMD chown
 which_cmd CHMOD_CMD chmod
-which_cmd DATE_CMD date
-which_cmd EGREP_CMD egrep
 which_cmd EXPR_CMD expr
 which_cmd GAWK_CMD gawk
 which_cmd GREP_CMD grep
 which_cmd HEAD_CMD head
-which_cmd HOSTNAME_CMD hostname
-which_cmd IP_CMD ip
 which_cmd IPTABLES_CMD iptables
 which_cmd IPTABLES_SAVE_CMD iptables-save
 which_cmd LESS_CMD less
@@ -114,7 +152,6 @@
 which_cmd MKDIR_CMD mkdir
 which_cmd MV_CMD mv
 which_cmd MODPROBE_CMD modprobe
-which_cmd NETSTAT_CMD netstat
 which_cmd RENICE_CMD renice
 which_cmd RM_CMD rm
 which_cmd SED_CMD sed
@@ -170,6 +207,9 @@
 FIREHOL_SAVED="${FIREHOL_DIR}/firehol-save.sh"
 FIREHOL_TMP="${FIREHOL_DIR}/firehol-tmp.sh"
 
+FIREHOL_LOCK_DIR="/var/lock/subsys"
+test ! -d "${FIREHOL_LOCK_DIR}" && FIREHOL_LOCK_DIR="/var/lock"
+
 FIREHOL_SPOOL_DIR="/var/spool/firehol"
 
 # The default configuration file
@@ -209,6 +249,7 @@
 
 # Run our exit even if we don't call exit.
 trap firehol_exit EXIT
+trap firehol_exit SIGHUP
 
 
 # ------------------------------------------------------------------------------
@@ -267,8 +308,8 @@
 if [ ! -d "${FIREHOL_SPOOL_DIR}" ]
 then
 	"${MKDIR_CMD}" "${FIREHOL_SPOOL_DIR}"			|| exit 1
-	"${CHOWN_CMD}" root:root "${FIREHOL_CONFIG_DIR}"	|| exit 1
-	"${CHMOD_CMD}" 700 "${FIREHOL_CONFIG_DIR}"		|| exit 1
+	"${CHOWN_CMD}" root:root "${FIREHOL_SPOOL_DIR}"		|| exit 1
+	"${CHMOD_CMD}" 700 "${FIREHOL_SPOOL_DIR}"		|| exit 1
 fi
 
 
@@ -280,7 +321,7 @@
 # Optimized (CIDR) by Marc 'HE' Brockschmidt <marc@marcbrockschmidt.de>
 # Further optimized and reduced by http://www.vergenet.net/linux/aggregate/
 # The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path.
-RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 73.0.0.0/8 74.0.0.0/7 76.0.0.0/6 89.0.0.0/8 90.0.0.0/7 92.0.0.0/6 96.0.0.0/3 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4"
+RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 42.0.0.0/8 92.0.0.0/6 100.0.0.0/6 104.0.0.0/5 112.0.0.0/5 120.0.0.0/8 127.0.0.0/8 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4 "
 
 # Private IPv4 address space
 # Suggested by Fco.Felix Belmonte <ffelix@gescosoft.com>
@@ -306,6 +347,11 @@
 # policy interface subscommand. 
 DEFAULT_INTERFACE_POLICY="DROP"
 
+# The default policy for the router commands of the firewall.
+# This can be controlled on a per interface basis using the
+# policy interface subscommand. 
+DEFAULT_ROUTER_POLICY="RETURN"
+
 # Which is the filter table chains policy during firewall activation?
 FIREHOL_INPUT_ACTIVATION_POLICY="ACCEPT"
 FIREHOL_OUTPUT_ACTIVATION_POLICY="ACCEPT"
@@ -329,6 +375,10 @@
 FIREHOL_LOG_MODE="LOG"
 FIREHOL_LOG_FREQUENCY="1/second"
 FIREHOL_LOG_BURST="5"
+FIREHOL_LOG_PREFIX=""
+
+# If enabled, FireHOL will silently drop orphan TCP packets with ACK,FIN set.
+FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=0
 
 # The client ports to be used for "default" client ports when the
 # client specified is a foreign host.
@@ -427,7 +477,7 @@
 work_name=
 work_inface=
 work_outface=
-work_policy="${DEFAULT_INTERFACE_POLICY}"
+work_policy=
 work_error=0
 work_function="Initializing"
 
@@ -618,6 +668,9 @@
 server_microsoft_ds_ports="tcp/445"
 client_microsoft_ds_ports="default"
 
+server_ms_ds_ports="tcp/445"
+client_ms_ds_ports="default"
+
 server_mms_ports="tcp/1755 udp/1755"
 client_mms_ports="default"
 require_mms_modules="ip_conntrack_mms"
@@ -666,6 +719,9 @@
 server_oracle_ports="tcp/1521"
 client_oracle_ports="default"
 
+server_OSPF_ports="89/any"
+client_OSPF_ports="any"
+
 server_pop3_ports="tcp/110"
 client_pop3_ports="default"
 
@@ -708,7 +764,7 @@
 client_rtp_ports="any"
 
 server_sip_ports="udp/5060"
-client_sip_ports="default"
+client_sip_ports="5060 default"
 
 server_socks_ports="tcp/1080 udp/1080"
 client_socks_ports="default"
@@ -769,7 +825,7 @@
 server_vmwareauth_ports="tcp/903"
 client_vmwareauth_ports="default"
 
-server_vmwareweb_ports="tcp/8222"
+server_vmwareweb_ports="tcp/8222 tcp/8333"
 client_vmwareweb_ports="default"
 
 server_vnc_ports="tcp/5900:5903"
@@ -1090,10 +1146,12 @@
 		local server_rquotad_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " rquotad$"  | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
 		local server_mountd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " mountd$"  | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
 		local server_lockd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nlockmgr$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
+		local server_statd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " status$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
 		local server_nfsd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nfs$"       | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
 		
 		test -z "${server_mountd_ports}" && error "Cannot find mountd ports for nfs server '${x}'" && return 1
 		test -z "${server_lockd_ports}"  && error "Cannot find lockd ports for nfs server '${x}'" && return 1
+		test -z "${server_statd_ports}"  && error "Cannot find statd ports for nfs server '${x}'" && return 1
 		test -z "${server_nfsd_ports}"   && error "Cannot find nfsd ports for nfs server '${x}'" && return 1
 		
 		local dst=
@@ -1113,6 +1171,9 @@
 		
 		set_work_function "Processing lockd rules for server '${x}'"
 		rules_custom "${mychain}" "${type}" nfs-lockd "${server_lockd_ports}" "500:65535" "${action}" $dst "$@"
+
+		set_work_function "Processing statd rules for server '${x}'"
+		rules_custom "${mychain}" "${type}" nfs-statd "${server_statd_ports}" "500:65535" "${action}" $dst "$@"
 		
 		set_work_function "Processing nfsd rules for server '${x}'"
 		rules_custom "${mychain}" "${type}" nfs-nfsd   "${server_nfsd_ports}"   "500:65535" "${action}" $dst "$@"
@@ -1798,7 +1859,7 @@
 firehol_wget() {
 	local url="${1}"
 	
-	require_cmd wget curl || error "Cannot find 'wget' or 'curl' in the path."
+	require_cmd wget curl
 	
 	if [ ! -z "${WGET_CMD}" ]
 	then
@@ -2407,9 +2468,9 @@
 policy() {
         work_realcmd_secondary ${FUNCNAME} "$@"
 	
-	require_work set interface || return 1
+	require_work set any || return 1
 	
-	set_work_function "Setting interface '${work_inface}' (${work_name}) policy to ${1}"
+	set_work_function "Setting policy of ${work_name} to ${1}"
 	work_policy="$*"
 	
 	return 0
@@ -2482,6 +2543,11 @@
 				return 0
 				;;
 			
+			bad-packets|BAD-PACKETS)
+				protection ${reverse} "invalid fragments new-tcp-w/o-syn malformed-xmas malformed-null malformed-bad" "${rate}" "${burst}"
+				return $?
+				;;
+			
 			strong|STRONG|full|FULL|all|ALL)
 				protection ${reverse} "invalid fragments new-tcp-w/o-syn icmp-floods syn-floods malformed-xmas malformed-null malformed-bad" "${rate}" "${burst}"
 				return $?
@@ -2529,6 +2595,16 @@
 				rule in chain "${mychain}" loglimit "SYN FLOOD" action drop					|| return 1
 				;;
 				
+			all-floods|ALL-FLOODS)
+				local mychain="${pre}_${work_name}_allflood"
+				create_chain filter "${mychain}" "${in}_${work_name}" in state NEW		|| return 1
+				
+				set_work_function "Generating rules to be protected from ALL floods on '${prface}' for ${work_cmd} '${work_name}'"
+				
+				rule in chain "${mychain}" limit "${rate}" "${burst}" action return				|| return 1
+				rule in chain "${mychain}" loglimit "ALL FLOOD" action drop					|| return 1
+				;;
+				
 			malformed-xmas|MALFORMED-XMAS)
 				local mychain="${pre}_${work_name}_malxmas"
 				create_chain filter "${mychain}" "${in}_${work_name}" in proto tcp custom "--tcp-flags ALL ALL"	|| return 1
@@ -2589,7 +2665,7 @@
 # kernel modules.
 
 # optionaly require command gzcat
-require_cmd gzcat
+require_cmd -n gzcat
 
 KERNEL_CONFIG=
 if [ -f "/proc/config" ]
@@ -2632,6 +2708,7 @@
 	echo >&2 " all kernel modules for the services used, without"
 	echo >&2 " being able to detect failures."
 	echo >&2 " "
+	sleep 2
 fi
 
 # activation-phase command to check for the existance of
@@ -2824,11 +2901,12 @@
 	work_name=
 	work_inface=
 	work_outface=
-	work_policy="${DEFAULT_INTERFACE_POLICY}"
+	work_policy=
 	
 	return 0
 }
 
+
 # ------------------------------------------------------------------------------
 # close_interface
 # WHY:
@@ -2841,6 +2919,12 @@
 	
 	set_work_function "Finilizing interface '${work_name}'"
 	
+	# Accept all related traffic to the established connections
+	rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
+	rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
+	
+	# make sure we have a policy
+	test -z "${work_policy}" && work_policy="${DEFAULT_INTERFACE_POLICY}"
 	case "${work_policy}" in
 		return|RETURN)
 			return 0
@@ -2849,15 +2933,18 @@
 		accept|ACCEPT)
 			;;
 		
-		*)
+		*)	
 			local -a inlog=(loglimit "'IN-${work_name}'")
 			local -a outlog=(loglimit "'OUT-${work_name}'")
 			;;
 	esac
 	
-	# Accept all related traffic to the established connections
-	rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
-	rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
+	if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
+	then
+		# Silently drop orphan TCP/ACK FIN packets
+		rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
+		rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
+	fi
 	
 	rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
 	rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
@@ -2882,6 +2969,32 @@
 	rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
 	rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
 	
+	# make sure we have a policy
+	test -z "${work_policy}" && work_policy="${DEFAULT_ROUTER_POLICY}"
+	case "${work_policy}" in
+		return|RETURN)
+			return 0
+			;;
+			
+		accept|ACCEPT)
+			;;
+		
+		*)	
+			local -a inlog=(loglimit "'PASS-${work_name}'")
+			local -a outlog=(loglimit "'PASS-${work_name}'")
+			;;
+	esac
+	
+	if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
+	then
+		# Silently drop orphan TCP/ACK FIN packets
+		rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
+		rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
+	fi
+	
+	rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
+	rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
+	
 	return 0
 }
 
@@ -2900,6 +3013,14 @@
 	rule chain OUTPUT state RELATED action ACCEPT || return 1
 	rule chain FORWARD state RELATED action ACCEPT || return 1
 	
+	if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
+	then
+		# Silently drop orphan TCP/ACK FIN packets
+		rule chain INPUT state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
+		rule chain OUTPUT state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
+		rule chain FORWARD state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
+	fi
+	
 	rule chain INPUT loglimit "IN-unknown" action ${UNMATCHED_INPUT_POLICY} || return 1
 	rule chain OUTPUT loglimit "OUT-unknown" action ${UNMATCHED_OUTPUT_POLICY} || return 1
 	rule chain FORWARD loglimit "PASS-unknown" action ${UNMATCHED_ROUTER_POLICY} || return 1
@@ -3055,7 +3176,7 @@
 						# to pass.
 						if [ "${do_accept_limit}" = "1" ]
 						then
-							local accept_limit_chain="`echo "ACCEPT ${freq} ${burst} ${overflow}" | tr " /." "___"`"
+							local accept_limit_chain="`echo "ACCEPT LIMIT ${freq} ${burst} ${overflow}" | tr " /." "___"`"
 							
 							# does the chain we need already exist?
 							if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_limit_chain}" ]
@@ -3075,9 +3196,9 @@
 								local -a logopts_arg=()
 								if [ "${FIREHOL_LOG_MODE}" = "ULOG" ]
 								then
-									local -a logopts_arg=("--ulog-prefix='OVERFLOW:'")
+									local -a logopts_arg=("--ulog-prefix='${FIREHOL_LOG_PREFIX}LIMIT_OVERFLOW:'")
 								else
-									local -a logopts_arg=("--log-level" "${FIREHOL_LOG_LEVEL}" "--log-prefix='OVERFLOW:'")
+									local -a logopts_arg=("--log-level" "${FIREHOL_LOG_LEVEL}" "--log-prefix='${FIREHOL_LOG_PREFIX}LIMIT_OVERFLOW:'")
 								fi
 								iptables ${table} -A "${accept_limit_chain}" -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}"
 								
@@ -3096,6 +3217,62 @@
 						fi
 						;;
 						
+					"recent")
+						# limit NEW connections to the specified rate
+						local name="${action_param[1]}"
+						local seconds="${action_param[2]}"
+						local hits="${action_param[3]}"
+						
+						# unset the action_param, so that if this rule does not include NEW connections,
+						# we will not append anything to the generated iptables statements.
+						local -a action_param=()
+						
+						# find is this rule matches NEW connections
+						local has_new=`echo "${state}" | grep -i NEW`
+						local do_accept_recent=0
+						if [ -z "${statenot}" ]
+						then
+							test ! -z "${has_new}" && local do_accept_recent=1
+						else
+							test -z "${has_new}" && local do_accept_recent=1
+						fi
+						
+						# we have a match for NEW connections.
+						# redirect the traffic to a new chain, which will control
+						# the NEW connections while allowing all the other traffic
+						# to pass.
+						if [ "${do_accept_recent}" = "1" ]
+						then
+							local accept_recent_chain="`echo "ACCEPT RECENT $name $seconds $hits" | tr " /." "___"`"
+							
+							# does the chain we need already exist?
+							if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}" ]
+							then
+								# the chain does not exist. create it.
+								iptables ${table} -N "${accept_recent_chain}"
+								touch "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}"
+								
+								# first, if the traffic is not a NEW connection, allow it.
+								# doing this first will speed up normal traffic.
+								iptables ${table} -A "${accept_recent_chain}" -m state ! --state NEW -j ACCEPT
+								
+								# accept NEW connections within the given limits.
+								iptables ${table} -A "${accept_recent_chain}" -m recent --set --name "${name}"
+								
+								local t1=
+								test ! -z $seconds && local t1="--seconds ${seconds}"
+								local t2=
+								test ! -z $hits && local t2="--hitcount ${hits}"
+								
+								iptables ${table} -A "${accept_recent_chain}" -m recent --update ${t1} ${t2} --name "${name}" -j RETURN
+								iptables ${table} -A "${accept_recent_chain}" -j ACCEPT
+							fi
+							
+							# send the rule to be generated to this chain
+							local action=${accept_recent_chain}
+						fi
+						;;
+						
 					'knock')
 						# the name of the knock
 						local name="knock_${action_param[1]}"
@@ -3175,6 +3352,12 @@
 	local dst=any
 	local dstnot=
 	
+	local srctype=
+	local srctypenot=
+	
+	local dsttype=
+	local dsttypenot=
+	
 	local sport=any
 	local sportnot=
 	
@@ -3397,7 +3580,7 @@
 				if [ "${1}" = "not" -o "${1}" = "NOT" ]
 				then
 					shift
-					macnot="!"
+					test ${nomac} -eq 0 && macnot="!"
 				fi
 				test ${softwarnings} -eq 1 -a ! "${mac}" = "any" && softwarning "Overwritting param: mac '${mac}' becomes '${1}'"
 				test ${nomac} -eq 0 && mac="${1}"
@@ -3454,6 +3637,56 @@
 				shift
 				;;
 				
+			srctype|SRCTYPE|sourcetype|SOURCETYPE)
+				shift
+				if [ ${reverse} -eq 0 ]
+				then
+					srctypenot=
+					if [ "${1}" = "not" -o "${1}" = "NOT" ]
+					then
+						shift
+						srctypenot="!"
+					fi
+					test ${softwarnings} -eq 1 -a ! "${srctype}" = "" && softwarning "Overwritting param: srctype '${srctype}' becomes '${1}'"
+					srctype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
+				else
+					dsttypenot=
+					if [ "${1}" = "not" -o "${1}" = "NOT" ]
+					then
+						shift
+						dsttypenot="!"
+					fi
+					test ${softwarnings} -eq 1 -a ! "${dsttype}" = "" && softwarning "Overwritting param: dsttype '${dsttype}' becomes '${1}'"
+					dsttype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
+				fi
+				shift
+				;;
+				
+			dsttype|DSTTYPE|destinationtype|DESTINATIONTYPE)
+				shift
+				if [ ${reverse} -eq 0 ]
+				then
+					dsttypenot=
+					if [ "${1}" = "not" -o "${1}" = "NOT" ]
+					then
+						shift
+						dsttypenot="!"
+					fi
+					test ${softwarnings} -eq 1 -a ! "${dsttype}" = "" && softwarning "Overwritting param: dsttype '${dsttype}' becomes '${1}'"
+					dsttype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
+				else
+					srctypenot=
+					if [ "${1}" = "not" -o "${1}" = "NOT" ]
+					then
+						shift
+						srctypenot="!"
+					fi
+					test ${softwarnings} -eq 1 -a ! "${srctype}" = "" && softwarning "Overwritting param: srctype '${srctype}' becomes '${1}'"
+					srctype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
+				fi
+				shift
+				;;
+				
 			sport|SPORT|sourceport|SOURCEPORT)
 				shift
 				if [ ${reverse} -eq 0 ]
@@ -3591,6 +3824,11 @@
 									fi
 									;;
 								
+								recent|RECENT)
+									local -a action_param=("recent" "${2}" "${3}" "${4}")
+									shift 4
+									;;
+								
 								knock|KNOCK)
 									local -a action_param=("knock" "${2}")
 									shift 2
@@ -3750,6 +3988,10 @@
 						fi
 						;;
 						
+					tarpit|TARPIT)
+						action="TARPIT"
+						;;
+						
 					*)
 						chain_exists "${action}"
 						local action_is_chain=$?
@@ -3991,7 +4233,7 @@
 	#         this temporary chain.
 	
 	
-	# ignore 'statenot' since it is negated in the positive rules
+	# ignore 'statenot', 'srctypenot', 'dsttypenot' since it is negated in the positive rules
 	if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}${marknot}${tosnot}${dscpnot}" ]
 	then
 		if [ ${action_is_chain} -eq 1 ]
@@ -4540,6 +4782,25 @@
 				;;
 		esac
 	
+	# addrtype (srctype, dsttype)
+	local -a addrtype_arg=()
+	local -a stp_arg=()
+	local -a dtp_arg=()
+	if [ ! -z "${srctype}${dsttype}" ]
+	then
+		local -a addrtype_arg=("-m" "addrtype")
+		
+		if [ ! -z "${srctype}" ]
+		then
+			local -a stp_arg=("${srctypenot}" "--src-type" "${srctype}")
+		fi
+		
+		if [ ! -z "${dsttype}" ]
+		then
+			local -a dtp_arg=("${dsttypenot}" "--dst-type" "${dsttype}")
+		fi
+	fi
+	
 	# state
 	local -a state_arg=()
 	if [ ! -z "${state}" ]
@@ -4562,15 +4823,15 @@
 	fi
 	
 	# build the command
-	declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}")
+	declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${addrtype_arg[@]}" "${stp_arg[@]}" "${dtp_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}")
 	
 	# log mode selection
 	local -a logopts_arg=()
 	if [ "${FIREHOL_LOG_MODE}" = "ULOG" ]
 	then
-		local -a logopts_arg=("--ulog-prefix='${logtxt}:'")
+		local -a logopts_arg=("--ulog-prefix='${FIREHOL_LOG_PREFIX}${logtxt}:'")
 	else
-		local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${logtxt}:'")
+		local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${FIREHOL_LOG_PREFIX}${logtxt}:'")
 	fi
 	
 	# log / loglimit
@@ -5005,8 +5266,8 @@
 	stop)
 		test ! -z "${1}" && softwarning "Arguments after parameter '${arg}' are ignored."
 		
-		test -f /var/lock/subsys/firehol && ${RM_CMD} -f /var/lock/subsys/firehol
-		test -f /var/lock/subsys/iptables && ${RM_CMD} -f /var/lock/subsys/iptables
+		test -f "${FIREHOL_LOCK_DIR}/firehol" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/firehol"
+		test -f "${FIREHOL_LOCK_DIR}/iptables" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/iptables"
 		
 		echo -n $"FireHOL: Clearing Firewall:"
 		load_kernel_module ip_tables
@@ -5038,7 +5299,7 @@
 	condrestart)
 		test ! -z "${1}" && softwarning "Arguments after parameter '${arg}' are ignored."
 		FIREHOL_TRY=0
-		if [ -f /var/lock/subsys/firehol ]
+		if [ -f "${FIREHOL_LOCK_DIR}/firehol" ]
 		then
 			exit 0
 		fi
@@ -5459,6 +5720,13 @@
 
 if [ ${FIREHOL_WIZARD} -eq 1 ]
 then
+	# require commands for wizard mode
+	require_cmd ip
+	require_cmd netstat
+	require_cmd egrep
+	require_cmd date
+	require_cmd hostname
+	
 	wizard_ask() {
 		local prompt="${1}"; shift
 		local def="${1}"; shift
@@ -5603,7 +5871,12 @@
 		local i4=${4}
 		local i5=${5:-32}
 		
-		echo ${i1}.${i2}.${i3}.${i4}/${i5}
+		if [ "${i5}" = "32" ]
+		then
+			echo ${i1}.${i2}.${i3}.${i4}
+		else
+			echo ${i1}.${i2}.${i3}.${i4}/${i5}
+		fi
 	}
 	
 	ips2net() {
@@ -6354,11 +6627,11 @@
 # Remove the saved firewall, so that the trap will not restore it.
 ${RM_CMD} -f "${FIREHOL_SAVED}"
 
-# RedHat startup service locking.
-if [ -d /var/lock/subsys ]
+# Startup service locking.
+if [ -d "${FIREHOL_LOCK_DIR}" ]
 then
-	${TOUCH_CMD} /var/lock/subsys/iptables
-	${TOUCH_CMD} /var/lock/subsys/firehol
+	${TOUCH_CMD} "${FIREHOL_LOCK_DIR}/iptables"
+	${TOUCH_CMD} "${FIREHOL_LOCK_DIR}/firehol"
 fi