mirror of https://github.com/fwbuilder/fwbuilder synced 2025-10-15 23:18:51 +02:00

fixes #2124 some error messages get multiplied when compiler splits rules

Vadim Kurland 2011-02-20 21:32:58 -08:00
parent 2b342aa67d
commit 56f81407f1
322 changed files with 1241 additions and 937 deletions


@ -1,5 +1,10 @@
2011-02-20 vadim <vadim@netcitadel.com>
* BaseCompiler.cpp (getErrorsForRule): fixes #2124 "some error
messages get multiplied when compiler splits rules". Under certain
circumstances error messages could appear multiple times in the
generated script.
* Compiler.cpp (_expand_interface): fixes #1920 "Setting host
interface to unnumbered after it has been assigned IP address
doesn't have desired effect". Compiler still used ip addresses


@ -82,12 +82,10 @@ bool RoutingCompiler_iosacl::PrintRule::processNext()
compiler->output << "! " << endl;
compiler->output << "! Rule " << rl << endl;
compiler->output << "! " << endl;
compiler->output << "! \"Routing rule " << rl << "\"" << endl;
compiler->output << "! " << endl;
}
string err = rule->getCompilerMessage();
if (!err.empty()) compiler->output << "# " << err << endl;
// string err = rule->getCompilerMessage();
// if (!err.empty()) compiler->output << "# " << err << endl;
if( rule->getRuleType() != RoutingRule::MultiPath )
{
@ -100,6 +98,10 @@ bool RoutingCompiler_iosacl::PrintRule::processNext()
}
compiler->output << "! " << comm.substr(c1) << endl;
compiler->output << "! " << endl;
string err = compiler->getErrorsForRule(rule, "! ");
if (!err.empty()) compiler->output << err << endl;
current_rule_label = rl;
}
@ -108,6 +110,9 @@ bool RoutingCompiler_iosacl::PrintRule::processNext()
} else
{
string err = compiler->getErrorsForRule(rule, "! ");
if (!err.empty()) compiler->output << err << endl;
compiler->abort(rule, "MultiPath routing not supported by platform");
}
return true;
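Review bot: In the MultiPath `else` branch of the last hunk, `getErrorsForRule(rule, "! ")` is read before `compiler->abort(rule, "MultiPath routing not supported by platform")`, so the abort text is presumably recorded too late to appear in that rule's comment block. abort() is not shown here; if it goes through BaseCompiler::message() and returns in test mode, the generated config carries the earlier messages but not the one that explains why no route was emitted. Calling `compiler->abort(...)` first and then the two `getErrorsForRule` lines would keep the comment complete. The RoutingCompiler_pix::PrintRule::processNext section has the same ordering, and processNext itself starts and ends outside these hunks.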


@ -78,8 +78,8 @@ bool RoutingCompiler_pix::PrintRule::processNext()
compiler->output << "! " << endl;
}
string err = rule->getCompilerMessage();
if (!err.empty()) compiler->output << "# " << err << endl;
// string err = rule->getCompilerMessage();
// if (!err.empty()) compiler->output << "# " << err << endl;
if( rule->getRuleType() != RoutingRule::MultiPath )
{
@ -92,7 +92,11 @@ bool RoutingCompiler_pix::PrintRule::processNext()
}
compiler->output << "! " << comm.substr(c1) << endl;
compiler->output << "! " << endl;
current_rule_label=rl;
string err = compiler->getErrorsForRule(rule, "! ");
if (!err.empty()) compiler->output << err << endl;
current_rule_label = rl;
}
string command_line = RoutingRuleToString(rule);
@ -100,6 +104,9 @@ bool RoutingCompiler_pix::PrintRule::processNext()
} else
{
string err = compiler->getErrorsForRule(rule, "! ");
if (!err.empty()) compiler->output << err << endl;
compiler->abort(rule, "MultiPath routing not supported by platform");
}
return true;
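Review bot: The old `rule->getCompilerMessage()` lines are left behind as comments in the first hunk (`// string err = rule->getCompilerMessage();` and the `if` under it) instead of being deleted. Version control already keeps the previous form, and the leftover reads as if the per-rule message were still a supported output path. The same commented-out pair remains in the RoutingCompiler_iosacl, NATCompiler_ipt, PolicyCompiler_ipt, RoutingCompiler_ipt, RoutingCompiler_openbsd and Compiler::printComment sections; I would drop it in all of them.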


@ -181,12 +181,15 @@ string NATCompiler_ipt::PrintRule::_printRuleLabel(NATRule *rule)
res << "# " << line.toStdString() << endl;
}
//res << "# " << endl;
string err = compiler->getErrorsForRule(rule, "# ");
if (!err.empty()) res << err << endl;
}
current_rule_label=rl;
}
string err = rule->getCompilerMessage();
if (!err.empty()) res << "# " << err << endl;
// string err = rule->getCompilerMessage();
// if (!err.empty()) res << "# " << err << endl;
return res.str();
}
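Review bot: The new `getErrorsForRule(rule, "# ")` call sits inside the inner block that closes just before `current_rule_label=rl;`, whereas the code it replaces ran unconditionally at the end of _printRuleLabel. Whatever condition guards that inner block (it opens outside the hunk) now also decides whether compiler errors reach the generated script, so a rule compiled with that condition false would be emitted with no error comment. If the guard only concerns the rule's own comment text, move the two lines below the closing brace, next to `current_rule_label=rl;`. PolicyCompiler_ipt::PrintRule::_printRuleLabel shows similar nesting.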


@ -199,13 +199,16 @@ string PolicyCompiler_ipt::PrintRule::_printRuleLabel(PolicyRule *rule)
res << "# " << line.toStdString() << endl;
}
//res << "# " << endl;
string err = compiler->getErrorsForRule(rule, "# ");
if (!err.empty()) res << err << endl;
}
}
current_rule_label = rl;
string err = rule->getCompilerMessage();
if (!err.empty()) res << "# " << err << endl;
// string err = rule->getCompilerMessage();
// if (!err.empty()) res << "# " << err << endl;
return res.str();
}


@ -190,11 +190,15 @@ bool RoutingCompiler_ipt::PrintRule::processNext()
}
compiler->output << "# " << comm.substr(c1) << endl;
compiler->output << "# " << endl;
string err = compiler->getErrorsForRule(rule, "# ");
if (!err.empty()) compiler->output << err << endl;
current_rule_label = rl;
}
string err = rule->getCompilerMessage();
if (!err.empty()) compiler->output << "# " << err << endl;
// string err = rule->getCompilerMessage();
// if (!err.empty()) compiler->output << "# " << err << endl;
string command_line = RoutingRuleToString(rule);
compiler->output << command_line;


@ -70,8 +70,25 @@ string BaseCompiler::getErrors(const string &comment_sep)
void BaseCompiler::clearErrors()
{
errors_buffer.str("");
rule_errors.clear();
}
string BaseCompiler::getErrorsForRule(Rule *rule, const std::string &comment_sep)
{
string rule_label = rule->getLabel();
rule_errors[rule_label].sort();
ostringstream ostr;
list<string>::iterator it;
string prev; // used to remove duplicate messages
for (it=rule_errors[rule_label].begin(); it!=rule_errors[rule_label].end(); ++it)
{
if (*it != prev) ostr << comment_sep << *it << endl;
prev = *it;
}
return ostr.str();
}
/*
* Error and warning format:
*
@ -126,7 +143,11 @@ void BaseCompiler::message(const std::string &level,
string str = setLevel(level, stdErrorMessage(fw, ruleset, rule, errstr));
printError(str);
Rule *cast_rule = Rule::cast(rule);
if (cast_rule) cast_rule->setCompilerMessage(str);
if (cast_rule)
{
cast_rule->setCompilerMessage(str);
rule_errors[cast_rule->getLabel()].push_back(str);
}
}
void BaseCompiler::printError(const string &errstr)
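Review bot: getErrorsForRule writes `comment_sep` once per stored message (`ostr << comment_sep << *it << endl;`), so a message containing a line break would leave its continuation outside the comment in the generated firewall script. The stored string is built in message() from `errstr`, and the expected outputs in this commit show object names quoted inside such messages; whether a newline can get in is not visible here, so treat this as hardening. Prefixing each physical line closes it: `istringstream lines(*it); string line;` then `while (getline(lines, line)) ostr << comment_sep << line << endl;`. Separately, `sort()` orders the text lexicographically, which is why 'r1-ipv6 13' is listed before 'r1-ipv6 3' in the regenerated iosacl files. message() starts outside its hunk.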


@ -47,7 +47,12 @@ namespace fwcompiler {
{
std::string level_macro;
// all errors generated by the compiler
std::stringstream errors_buffer;
// a dictionary mapping rule label to the list of errors associated
// with it.
std::map<std::string, std::list<std::string> > rule_errors;
// in test mode we trat fatal errors as errors and continue after
// printing error message
bool test_mode;
@ -139,6 +144,9 @@ public:
bool haveErrorsAndWarnings();
void clearErrors();
std::string getErrorsForRule(libfwbuilder::Rule *rule,
const std::string &comment_sep);
/**
* fills a list of strings with regular expressions that match
* error messages
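Review bot: The new `getErrorsForRule` declaration has no doc comment, while the declaration right after it carries a `/** ... */` block. I would add `/** returns the messages recorded for the rule's label, sorted and de-duplicated, one per line, each prefixed with comment_sep */` above it. The `rule_errors` comment could also say that the key is `Rule::getLabel()`, since messages of rules that share a label are merged under one key.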


@ -1569,10 +1569,14 @@ string Compiler::printComment(Rule *rule, string &prev_rule_label,
if (!remainder.empty())
res << prefix << " " << remainder << endl;
}
string err = getErrorsForRule(rule, prefix + " ");
if (!err.empty()) res << err << endl;
prev_rule_label = rl;
}
string err = rule->getCompilerMessage();
if (!err.empty()) res << prefix << " " << err << endl;
// string err = rule->getCompilerMessage();
// if (!err.empty()) res << prefix << " " << err << endl;
return res.str();
}
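Review bot: `if (!err.empty()) res << err << endl;` in printComment appends a newline to text that getErrorsForRule already terminates with `endl` after every message, so the error block likely ends with an empty line in the generated script. That is probably harmless on the target platforms, but it is an unprefixed line inside a comment block and adds noise to regenerated files; `res << err;` is enough. The PrintRule callers in the other sections use the same `<< err << endl` form. printComment starts outside the hunk.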


@ -189,11 +189,15 @@ bool RoutingCompiler_openbsd::PrintRule::processNext()
}
}
if (comment_lines) compiler->output << "#" << endl;
string err = compiler->getErrorsForRule(rule, "# ");
if (!err.empty()) compiler->output << err << endl;
current_rule_label = rl;
}
string err = rule->getCompilerMessage();
if (!err.empty()) compiler->output << "# " << err << endl;
// string err = rule->getCompilerMessage();
// if (!err.empty()) compiler->output << "# " << err << endl;
string command_line = RoutingRuleToString(rule);
compiler->output << command_line;


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:19 2011 PST by vadim
! Generated Sun Feb 20 21:26:38 2011 PST by vadim
!
! Compiled for iosacl 12.1
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:19 2011 PST by vadim
! Generated Sun Feb 20 21:26:38 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -38,7 +38,6 @@ ip access-list extended e1_0_in
!
! Rule -1 backup ssh access rule (automatic)
remark -1 backup ssh access rule (automatic)
permit tcp host 10.3.14.41 host 0.0.0.0 eq 22
permit tcp host 10.3.14.41 host 10.3.14.201 eq 22
permit tcp host 10.3.14.41 host 192.168.171.2 eq 22
!
@ -77,7 +76,6 @@ ip access-list extended e1_0_out
!
! Rule -2 backup ssh access rule (out) (automatic)
remark -2 backup ssh access rule (out) (automatic)
permit tcp host 0.0.0.0 eq 22 host 10.3.14.41
permit tcp host 10.3.14.201 eq 22 host 10.3.14.41
permit tcp host 192.168.171.2 eq 22 host 10.3.14.41
!
@ -98,7 +96,6 @@ ip access-list extended e1_1_in
!
! Rule -1 backup ssh access rule (automatic)
remark -1 backup ssh access rule (automatic)
permit tcp host 10.3.14.41 host 0.0.0.0 eq 22
permit tcp host 10.3.14.41 host 10.3.14.201 eq 22
permit tcp host 10.3.14.41 host 192.168.171.2 eq 22
!
@ -133,7 +130,6 @@ ip access-list extended e1_1_out
!
! Rule -2 backup ssh access rule (out) (automatic)
remark -2 backup ssh access rule (out) (automatic)
permit tcp host 0.0.0.0 eq 22 host 10.3.14.41
permit tcp host 10.3.14.201 eq 22 host 10.3.14.41
permit tcp host 192.168.171.2 eq 22 host 10.3.14.41
exit
@ -142,7 +138,6 @@ ip access-list extended fe0_0_in
!
! Rule -1 backup ssh access rule (automatic)
remark -1 backup ssh access rule (automatic)
permit tcp host 10.3.14.41 host 0.0.0.0 eq 22
permit tcp host 10.3.14.41 host 10.3.14.201 eq 22
permit tcp host 10.3.14.41 host 192.168.171.2 eq 22
!
@ -173,7 +168,6 @@ ip access-list extended fe0_0_out
!
! Rule -2 backup ssh access rule (out) (automatic)
remark -2 backup ssh access rule (out) (automatic)
permit tcp host 0.0.0.0 eq 22 host 10.3.14.41
permit tcp host 10.3.14.201 eq 22 host 10.3.14.41
permit tcp host 192.168.171.2 eq 22 host 10.3.14.41
!
@ -225,32 +219,24 @@ exit
!
! Rule 0 (main)
!
! "Routing rule 0 (main)"
!
!
!
ip route 10.10.10.0 255.255.255.0 10.3.14.254 1
!
! Rule 1 (main)
!
! "Routing rule 1 (main)"
!
!
!
ip route 10.10.11.0 255.255.255.0 FastEthernet0/0 1
!
! Rule 2 (main)
!
! "Routing rule 2 (main)"
!
!
!
ip route 10.10.12.0 255.255.255.0 FastEthernet0/0 1
!
! Rule 3 (main)
!
! "Routing rule 3 (main)"
!
!
!
ip route 0.0.0.0 0.0.0.0 Ethernet1/0 1


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:19 2011 PST by vadim
! Generated Sun Feb 20 21:26:39 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -153,12 +153,25 @@ ipv6 access-list ipv6_fe0_0_in
permit tcp fe80::/64 any eq 22
!
! Rule r1-ipv6 1 (global)
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 13 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 3 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 4 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 5 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 6 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22
!
! Rule r1-ipv6 2 (global)
! ccie4u-r1:r1-ipv6:2: error: Rule 'r1-ipv6 2 (global)' shadows rule 'r1-ipv6 5 (global)' below it
! ccie4u-r1:r1-ipv6:2: error: Rule 'r1-ipv6 2 (global)' shadows rule 'r1-ipv6 6 (global)' below it
permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log
!
! Rule r1-ipv6 3 (global)
! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 13 (global)' below it
! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 4 (global)' below it
! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 5 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22 log
permit tcp 3ffe:1200:2000::/36 any eq 22 log
permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log
@ -183,6 +196,11 @@ ipv6 access-list ipv6_fe0_0_in
permit ipv6 fe80::/64 any log
!
! Rule r1-ipv6 9 (global)
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 10 (global)' below it
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 12 (global)' below it
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it
permit ipv6 host 2001:5c0:0:2::24 any log
permit ipv6 3ffe:1200:2000::/36 any log
permit ipv6 host 3ffe:1200:2001:1:8000::1 any log
@ -216,9 +234,19 @@ ipv6 access-list ipv6_fe0_0_out
permit tcp fe80::/64 any eq 22
!
! Rule r1-ipv6 1 (global)
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 13 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 3 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 4 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 5 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 6 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22
!
! Rule r1-ipv6 3 (global)
! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 13 (global)' below it
! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 4 (global)' below it
! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 5 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22 log
permit tcp 3ffe:1200:2000::/36 any eq 22 log
permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log
@ -231,6 +259,11 @@ ipv6 access-list ipv6_fe0_0_out
permit ipv6 fe80::/64 any log
!
! Rule r1-ipv6 9 (global)
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 10 (global)' below it
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 12 (global)' below it
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it
permit ipv6 host 2001:5c0:0:2::24 any log
permit ipv6 3ffe:1200:2000::/36 any log
permit ipv6 host 3ffe:1200:2001:1:8000::1 any log
@ -261,12 +294,25 @@ exit
ipv6 access-list ipv6_fe0_1_in
!
! Rule r1-ipv6 1 (global)
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 13 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 3 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 4 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 5 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 6 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22
!
! Rule r1-ipv6 2 (global)
! ccie4u-r1:r1-ipv6:2: error: Rule 'r1-ipv6 2 (global)' shadows rule 'r1-ipv6 5 (global)' below it
! ccie4u-r1:r1-ipv6:2: error: Rule 'r1-ipv6 2 (global)' shadows rule 'r1-ipv6 6 (global)' below it
permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log
!
! Rule r1-ipv6 3 (global)
! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 13 (global)' below it
! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 4 (global)' below it
! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 5 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22 log
permit tcp 3ffe:1200:2000::/36 any eq 22 log
permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log
@ -288,6 +334,11 @@ ipv6 access-list ipv6_fe0_1_in
permit ipv6 any host fe80::21d:9ff:fe8b:8e94 log
!
! Rule r1-ipv6 9 (global)
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 10 (global)' below it
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 12 (global)' below it
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it
permit ipv6 host 2001:5c0:0:2::24 any log
permit ipv6 3ffe:1200:2000::/36 any log
permit ipv6 host 3ffe:1200:2001:1:8000::1 any log
@ -321,9 +372,19 @@ ipv6 access-list ipv6_fe0_1_out
permit tcp fe80::/64 any eq 22
!
! Rule r1-ipv6 1 (global)
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 13 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 3 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 4 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 5 (global)' below it
! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 6 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22
!
! Rule r1-ipv6 3 (global)
! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 13 (global)' below it
! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 4 (global)' below it
! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 5 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22 log
permit tcp 3ffe:1200:2000::/36 any eq 22 log
permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log
@ -336,6 +397,11 @@ ipv6 access-list ipv6_fe0_1_out
permit ipv6 fe80::/64 any log
!
! Rule r1-ipv6 9 (global)
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 10 (global)' below it
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 12 (global)' below it
! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it
permit ipv6 host 2001:5c0:0:2::24 any log
permit ipv6 3ffe:1200:2000::/36 any log
permit ipv6 host 3ffe:1200:2001:1:8000::1 any log


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:19 2011 PST by vadim
! Generated Sun Feb 20 21:26:39 2011 PST by vadim
!
! Compiled for iosacl 12.4
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:20 2011 PST by vadim
! Generated Sun Feb 20 21:26:39 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -92,12 +92,25 @@ ipv6 access-list ipv6_e0_0_in
permit tcp fe80::/64 any eq 22
!
! Rule fw-ipv6-1-ipv6 1 (global)
! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 3 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 4 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 6 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22
!
! Rule fw-ipv6-1-ipv6 2 (global)
! firewall-ipv6-1:fw-ipv6-1-ipv6:2: error: Rule 'fw-ipv6-1-ipv6 2 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:2: error: Rule 'fw-ipv6-1-ipv6 2 (global)' shadows rule 'fw-ipv6-1-ipv6 6 (global)' below it
permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log
!
! Rule fw-ipv6-1-ipv6 3 (global)
! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 4 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22 log
permit tcp 3ffe:1200:2000::/36 any eq 22 log
permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log
@ -122,6 +135,11 @@ ipv6 access-list ipv6_e0_0_in
permit ipv6 fe80::/64 any log
!
! Rule fw-ipv6-1-ipv6 9 (global)
! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 10 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 11 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 12 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it
permit ipv6 host 2001:5c0:0:2::24 any log
permit ipv6 3ffe:1200:2000::/36 any log
permit ipv6 host 3ffe:1200:2001:1:8000::1 any log
@ -155,9 +173,19 @@ ipv6 access-list ipv6_e0_0_out
permit tcp fe80::/64 any eq 22
!
! Rule fw-ipv6-1-ipv6 1 (global)
! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 3 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 4 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 6 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22
!
! Rule fw-ipv6-1-ipv6 3 (global)
! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 4 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22 log
permit tcp 3ffe:1200:2000::/36 any eq 22 log
permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log
@ -170,6 +198,11 @@ ipv6 access-list ipv6_e0_0_out
permit ipv6 fe80::/64 any log
!
! Rule fw-ipv6-1-ipv6 9 (global)
! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 10 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 11 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 12 (global)' below it
! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it
permit ipv6 host 2001:5c0:0:2::24 any log
permit ipv6 3ffe:1200:2000::/36 any log
permit ipv6 host 3ffe:1200:2001:1:8000::1 any log


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:20 2011 PST by vadim
! Generated Sun Feb 20 21:26:39 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -99,12 +99,25 @@ ipv6 access-list ipv6_e0_0_in
permit tcp fe80::/64 any eq 22
!
! Rule fw-ipv6-2-ipv6 1 (global)
! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 3 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 4 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 6 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22
!
! Rule fw-ipv6-2-ipv6 2 (global)
! firewall-ipv6-2:fw-ipv6-2-ipv6:2: error: Rule 'fw-ipv6-2-ipv6 2 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:2: error: Rule 'fw-ipv6-2-ipv6 2 (global)' shadows rule 'fw-ipv6-2-ipv6 6 (global)' below it
permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log
!
! Rule fw-ipv6-2-ipv6 3 (global)
! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 4 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22 log
permit tcp 3ffe:1200:2000::/36 any eq 22 log
permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log
@ -129,6 +142,11 @@ ipv6 access-list ipv6_e0_0_in
permit ipv6 fe80::/64 any log
!
! Rule fw-ipv6-2-ipv6 9 (global)
! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 10 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 11 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 12 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it
permit ipv6 host 2001:5c0:0:2::24 any log
permit ipv6 3ffe:1200:2000::/36 any log
permit ipv6 host 3ffe:1200:2001:1:8000::1 any log
@ -162,9 +180,19 @@ ipv6 access-list ipv6_e0_0_out
permit tcp fe80::/64 any eq 22
!
! Rule fw-ipv6-2-ipv6 1 (global)
! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 3 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 4 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 6 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22
!
! Rule fw-ipv6-2-ipv6 3 (global)
! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 4 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it
permit tcp host 2001:5c0:0:2::24 any eq 22 log
permit tcp 3ffe:1200:2000::/36 any eq 22 log
permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log
@ -177,6 +205,11 @@ ipv6 access-list ipv6_e0_0_out
permit ipv6 fe80::/64 any log
!
! Rule fw-ipv6-2-ipv6 9 (global)
! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 10 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 11 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 12 (global)' below it
! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it
permit ipv6 host 2001:5c0:0:2::24 any log
permit ipv6 3ffe:1200:2000::/36 any log
permit ipv6 host 3ffe:1200:2001:1:8000::1 any log


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:20 2011 PST by vadim
! Generated Sun Feb 20 21:26:40 2011 PST by vadim
!
! Compiled for iosacl 12.1
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:20 2011 PST by vadim
! Generated Sun Feb 20 21:26:40 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -326,8 +326,6 @@ exit
!
! Rule 0 (main)
!
! "Routing rule 0 (main)"
!
! ip route 0.0.0.0 0.0.0.0 <interface>
!
ip route 0.0.0.0 0.0.0.0 ethernet0 1


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:20 2011 PST by vadim
! Generated Sun Feb 20 21:26:40 2011 PST by vadim
!
! Compiled for iosacl 12.1
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:21 2011 PST by vadim
! Generated Sun Feb 20 21:26:40 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -369,15 +369,12 @@ exit
!
! Rule 0 (main)
!
! "Routing rule 0 (main)"
!
# testios2:Routing:0: error: Object "test-addr-1" used as gateway in the routing rule 0 (main) is not reachable because it is not in any local network of the firewall
! testios2:Routing:0: error: Object "test-addr-1" used as gateway in the routing rule 0 (main) is not reachable because it is not in any local network of the firewall
!
! Rule 1 (main)
!
! "Routing rule 1 (main)"
!
# testios2:Routing:1: error: Can not use both gateway address and interface in IOS routing rule
! testios2:Routing:1: error: Can not use both gateway address and interface in IOS routing rule
!
! Epilog script:


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:21 2011 PST by vadim
! Generated Sun Feb 20 21:26:41 2011 PST by vadim
!
! Compiled for iosacl 12.3
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:21 2011 PST by vadim
! Generated Sun Feb 20 21:26:41 2011 PST by vadim
!
! Compiled for iosacl 12.4
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:21 2011 PST by vadim
! Generated Sun Feb 20 21:26:41 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -413,10 +413,9 @@ ip access-list extended e0_out
!
! Rule 3 (ethernet0)
! testios3:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode
deny ip 10.10.10.0 0.0.0.255 192.0.2.0 0.0.0.255 log
! testios3:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode
deny ip 10.10.11.0 0.0.0.255 192.0.2.0 0.0.0.255 log
! testios3:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode
deny ip 10.10.12.0 0.0.0.255 192.0.2.0 0.0.0.255 log
!
! Rule 4 (global)


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:21 2011 PST by vadim
! Generated Sun Feb 20 21:26:41 2011 PST by vadim
!
! Compiled for iosacl 12.4
!
@ -208,6 +208,7 @@ ip access-list extended e0_out
!
! Rule 3 (ethernet0)
! testios4:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode
deny ip object-group id47180X84238.src.net.0 192.0.2.0 0.0.0.255 log
!
! Rule 4 (global)


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:22 2011 PST by vadim
! Generated Sun Feb 20 21:26:42 2011 PST by vadim
!
! Compiled for iosacl 12.4
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3457
! Firewall Builder fwb_iosacl v4.2.0.3483
!
! Generated Thu Feb 3 10:04:22 2011 PST by vadim
! Generated Sun Feb 20 21:26:42 2011 PST by vadim
!
! Compiled for iosacl 12.4
!


@ -39,8 +39,8 @@ pass in quick on eth1 from 33.33.33.0/24 to any
#
# Rule 4 (eth0)
# firewall:Policy:4: warning: Changing rule direction due to self reference
pass in quick on eth0 proto udp from 192.168.1.0/24 to 192.168.1.1 port = 53 keep state
# firewall:Policy:4: warning: Changing rule direction due to self reference
pass in quick on eth0 proto udp from 192.168.1.0/24 to 222.222.222.222 port = 53 keep state
#
# Rule 5 (eth0)
@ -66,8 +66,8 @@ block out log level local0.warning quick from any to any
#
# Rule 8 (global)
# firewall:Policy:8: warning: Changing rule direction due to self reference
block return-icmp-as-dest (3) in quick proto 50 from any to 192.168.1.1
# firewall:Policy:8: warning: Changing rule direction due to self reference
block return-icmp-as-dest (3) in quick proto 50 from any to 222.222.222.222
#
# Rule 11 (global)
@ -269,6 +269,8 @@ pass out log level local0.warning quick from 222.222.222.222 to 192.168.1.1
pass out log level local0.warning quick from 222.222.222.222 to 222.222.222.222
#
# Rule 19 (global)
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick proto icmp from 192.168.1.1 to 192.168.1.1 keep state
pass in quick proto icmp from 192.168.1.1 to 222.222.222.222 keep state
pass in quick proto icmp from 222.222.222.222 to 192.168.1.1 keep state
@ -301,69 +303,37 @@ pass out quick from 192.168.1.1 to 192.168.1.1
pass out quick from 192.168.1.1 to 222.222.222.222
pass out quick from 222.222.222.222 to 192.168.1.1
pass out quick from 222.222.222.222 to 222.222.222.222
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick proto icmp from 192.168.1.1 to 33.33.33.33 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick proto icmp from 192.168.1.1 to 33.33.33.34 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick proto icmp from 222.222.222.222 to 33.33.33.33 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick proto icmp from 222.222.222.222 to 33.33.33.34 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick proto tcp from 192.168.1.1 to 33.33.33.33 flags S keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick proto tcp from 192.168.1.1 to 33.33.33.34 flags S keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick proto tcp from 222.222.222.222 to 33.33.33.33 flags S keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick proto tcp from 222.222.222.222 to 33.33.33.34 flags S keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick proto udp from 192.168.1.1 to 33.33.33.33 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick proto udp from 192.168.1.1 to 33.33.33.34 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick proto udp from 222.222.222.222 to 33.33.33.33 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick proto udp from 222.222.222.222 to 33.33.33.34 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick from 192.168.1.1 to 33.33.33.33
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick from 192.168.1.1 to 33.33.33.34
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick from 222.222.222.222 to 33.33.33.33
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass out quick from 222.222.222.222 to 33.33.33.34
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick proto icmp from 33.33.33.33 to 192.168.1.1 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick proto icmp from 33.33.33.33 to 222.222.222.222 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick proto icmp from 33.33.33.34 to 192.168.1.1 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick proto icmp from 33.33.33.34 to 222.222.222.222 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick proto tcp from 33.33.33.33 to 192.168.1.1 flags S keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick proto tcp from 33.33.33.33 to 222.222.222.222 flags S keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick proto tcp from 33.33.33.34 to 192.168.1.1 flags S keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick proto tcp from 33.33.33.34 to 222.222.222.222 flags S keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick proto udp from 33.33.33.33 to 192.168.1.1 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick proto udp from 33.33.33.33 to 222.222.222.222 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick proto udp from 33.33.33.34 to 192.168.1.1 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick proto udp from 33.33.33.34 to 222.222.222.222 keep state
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick from 33.33.33.33 to 192.168.1.1
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick from 33.33.33.33 to 222.222.222.222
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick from 33.33.33.34 to 192.168.1.1
# firewall:Policy:19: warning: Changing rule direction due to self reference
pass in quick from 33.33.33.34 to 222.222.222.222
skip 3 in from 33.33.33.33 to any
skip 2 in from 33.33.33.34 to any
@ -425,20 +395,14 @@ pass out quick from any to 192.168.1.1
# Rule 20 (global)
# Automatically generated 'masquerading' rule
# firewall:Policy:20: warning: Changing rule direction due to self reference
pass out quick proto icmp from 192.168.1.1 to any keep state
# firewall:Policy:20: warning: Changing rule direction due to self reference
pass out quick proto icmp from 222.222.222.222 to any keep state
# firewall:Policy:20: warning: Changing rule direction due to self reference
pass out quick proto tcp from 192.168.1.1 to any flags S keep state
# firewall:Policy:20: warning: Changing rule direction due to self reference
pass out quick proto tcp from 222.222.222.222 to any flags S keep state
# firewall:Policy:20: warning: Changing rule direction due to self reference
pass out quick proto udp from 192.168.1.1 to any keep state
# firewall:Policy:20: warning: Changing rule direction due to self reference
pass out quick proto udp from 222.222.222.222 to any keep state
# firewall:Policy:20: warning: Changing rule direction due to self reference
pass out quick from 192.168.1.1 to any
# firewall:Policy:20: warning: Changing rule direction due to self reference
pass out quick from 222.222.222.222 to any
pass in quick proto icmp from 192.168.1.0/24 to any keep state
pass in quick proto tcp from 192.168.1.0/24 to any flags S keep state


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipf v4.2.0.3483
#
# Generated Sun Feb 20 16:55:11 2011 PST by vadim
# Generated Sun Feb 20 21:28:57 2011 PST by vadim
#
# files: * firewall.fw ipf.fw
# files: firewall-ipf.conf ipf.conf
@ -169,7 +169,7 @@ configure_interfaces() {
update_addresses_of_interface "lo 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Sun Feb 20 16:55:11 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:28:57 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -99,38 +99,26 @@ block out log quick proto icmp from any to any icmp-type 3
#
# Rule 9 (global)
# firewall1:Policy:9: warning: Changing rule direction due to self reference
skip 11 in proto icmp from 192.168.1.10 to 22.22.22.22 icmp-type 3
# firewall1:Policy:9: warning: Changing rule direction due to self reference
skip 10 in proto icmp from 192.168.1.10 to 22.22.23.23 icmp-type 3
# firewall1:Policy:9: warning: Changing rule direction due to self reference
skip 9 in proto icmp from 192.168.1.10 to 192.168.1.1 icmp-type 3
# firewall1:Policy:9: warning: Changing rule direction due to self reference
skip 8 in proto icmp from 192.168.1.10 to 192.168.2.1 icmp-type 3
# firewall1:Policy:9: warning: Changing rule direction due to self reference
skip 7 in proto icmp from 192.168.1.20 to 22.22.22.22 icmp-type 3
# firewall1:Policy:9: warning: Changing rule direction due to self reference
skip 6 in proto icmp from 192.168.1.20 to 22.22.23.23 icmp-type 3
# firewall1:Policy:9: warning: Changing rule direction due to self reference
skip 5 in proto icmp from 192.168.1.20 to 192.168.1.1 icmp-type 3
# firewall1:Policy:9: warning: Changing rule direction due to self reference
skip 4 in proto icmp from 192.168.1.20 to 192.168.2.1 icmp-type 3
# firewall1:Policy:9: warning: Changing rule direction due to self reference
block in log quick proto icmp from any to 22.22.22.22 icmp-type 3
# firewall1:Policy:9: warning: Changing rule direction due to self reference
block in log quick proto icmp from any to 22.22.23.23 icmp-type 3
# firewall1:Policy:9: warning: Changing rule direction due to self reference
block in log quick proto icmp from any to 192.168.1.1 icmp-type 3
# firewall1:Policy:9: warning: Changing rule direction due to self reference
block in log quick proto icmp from any to 192.168.2.1 icmp-type 3
#
# Rule 10 (global)
# firewall1:Policy:10: warning: Changing rule direction due to self reference
skip 5 out from 22.22.22.22 to 192.168.1.0/24
# firewall1:Policy:10: warning: Changing rule direction due to self reference
skip 4 out from 22.22.23.23 to 192.168.1.0/24
# firewall1:Policy:10: warning: Changing rule direction due to self reference
skip 3 out from 192.168.1.1 to 192.168.1.0/24
# firewall1:Policy:10: warning: Changing rule direction due to self reference
skip 2 out from 192.168.2.1 to 192.168.1.0/24
skip 1 in from 192.168.2.0/24 to 192.168.1.0/24
skip 1 out from 192.168.2.0/24 to 192.168.1.0/24
@ -153,12 +141,10 @@ block out log quick from 192.168.2.0/24 to any
#
# Rule 12 (global)
# firewall1:Policy:12: warning: Changing rule direction due to self reference
skip 4 in from any to 22.22.22.22
# firewall1:Policy:12: warning: Changing rule direction due to self reference
skip 3 in from any to 22.22.23.23
# firewall1:Policy:12: warning: Changing rule direction due to self reference
skip 2 in from any to 192.168.1.1
# firewall1:Policy:12: warning: Changing rule direction due to self reference
skip 1 in from any to 192.168.2.1
block in quick from any to any
block out quick from any to any


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipf v4.2.0.3483
#
# Generated Sun Feb 20 16:55:11 2011 PST by vadim
# Generated Sun Feb 20 21:28:57 2011 PST by vadim
#
# files: * firewall1.fw /etc/ipf.fw
# files: firewall1-ipf.conf /etc/fw/ipf.conf
@ -83,7 +83,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:11 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:28:57 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -57,30 +57,19 @@ pass out quick proto tcp from any to any port = 119 flags S keep state
#
# Rule 2 (global)
# firewall10:Policy:2: warning: Changing rule direction due to self reference
skip 1 in from 192.168.1.0/24 to any
# firewall10:Policy:2: warning: Changing rule direction due to self reference
skip 11 in from any to any
# firewall10:Policy:2: warning: Changing rule direction due to self reference
skip 3 in from any to 22.22.22.22
# firewall10:Policy:2: warning: Changing rule direction due to self reference
skip 2 in from any to 192.168.1.1
# firewall10:Policy:2: warning: Changing rule direction due to self reference
skip 1 in from any to 192.168.2.0
# firewall10:Policy:2: warning: Changing rule direction due to self reference
skip 7 in from any to any
# firewall10:Policy:2: warning: Changing rule direction due to self reference
pass in quick proto icmp from any to any icmp-type 11 code 0 keep state
# firewall10:Policy:2: warning: Changing rule direction due to self reference
pass in quick proto icmp from any to any icmp-type 11 code 1 keep state
# firewall10:Policy:2: warning: Changing rule direction due to self reference
pass in quick proto icmp from any to any icmp-type 0 code 0 keep state
# firewall10:Policy:2: warning: Changing rule direction due to self reference
pass in quick proto icmp from any to any icmp-type 3 keep state
# firewall10:Policy:2: warning: Changing rule direction due to self reference
pass in quick proto tcp from 192.168.1.0/24 to 22.22.22.22 port = 22 flags S keep state
# firewall10:Policy:2: warning: Changing rule direction due to self reference
pass in quick proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 22 flags S keep state
# firewall10:Policy:2: warning: Changing rule direction due to self reference
pass in quick proto tcp from 192.168.1.0/24 to 192.168.2.0 port = 22 flags S keep state
#
# Rule 3 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipf v4.2.0.3483
#
# Generated Sun Feb 20 16:55:11 2011 PST by vadim
# Generated Sun Feb 20 21:28:57 2011 PST by vadim
#
# files: * firewall10.fw /etc/firewall10.fw
# files: firewall10-ipf.conf /etc/firewall10-ipf.conf
@ -75,7 +75,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:11 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:28:57 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -9,12 +9,10 @@ pass in quick on ng0 from any to <thishost>
#
# Rule 1 (global)
# firewall11:Policy:1: warning: Changing rule direction due to self reference
pass in quick proto icmp from any to 10.0.0.1 keep state
# firewall11:Policy:1: warning: Changing rule direction due to self reference
pass in quick proto tcp from any to 10.0.0.1 keep state
# firewall11:Policy:1: warning: Changing rule direction due to self reference
pass in quick proto udp from any to 10.0.0.1 keep state
# firewall11:Policy:1: warning: Changing rule direction due to self reference
pass in quick from any to 10.0.0.1
#
# Rule 2 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipf v4.2.0.3483
#
# Generated Sun Feb 20 16:55:11 2011 PST by vadim
# Generated Sun Feb 20 21:28:57 2011 PST by vadim
#
# files: * firewall11.fw /etc/firewall11.fw
# files: firewall11-ipf.conf /etc/firewall11-ipf.conf
@ -162,7 +162,7 @@ configure_interfaces() {
update_addresses_of_interface "lo0 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Sun Feb 20 16:55:11 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:28:57 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -88,10 +88,9 @@ pass out log quick proto tcp from any to 22.22.22.22 port = 21 keep state
#
# Rule 9 (global)
# firewall2:Policy:9: warning: Changing rule direction due to self reference
pass in log quick proto tcp from any to 22.22.23.23 port = 21 keep state
# firewall2:Policy:9: warning: Changing rule direction due to self reference
pass in log quick proto tcp from any to 192.168.1.1 port = 21 keep state
# firewall2:Policy:9: warning: Changing rule direction due to self reference
pass in log quick proto tcp from any to 192.168.2.1 port = 21 keep state
#
# Rule 10 (global)


@ -116,332 +116,170 @@ map eth2 from 192.168.1.0/24 to any -> 22.22.22.0/24
#
# Rule 17 (NAT)
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10000 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10000 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10000 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10000 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10001 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10001 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10001 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10001 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10002 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10002 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10002 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10002 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10003 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10003 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10003 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10003 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10004 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10004 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10004 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10004 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10005 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10005 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10005 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10005 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10006 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10006 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10006 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10006 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10007 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10007 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10007 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10007 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10008 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10008 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10008 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10008 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10009 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10009 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10009 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10009 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10010 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10010 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10010 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10010 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10011 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10011 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10011 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10011 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10012 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10012 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10012 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10012 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10013 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10013 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10013 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10013 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10014 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10014 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10014 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10014 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10015 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10015 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10015 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10015 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10016 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10016 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10016 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10016 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10017 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10017 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10017 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10017 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10018 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10018 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10018 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10018 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10019 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10019 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10019 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10019 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10020 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10020 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10020 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10020 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10021 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10021 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10021 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10021 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10022 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10022 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10022 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10022 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10023 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10023 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10023 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10023 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10024 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10024 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10024 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10024 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10025 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10025 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10025 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10025 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10026 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10026 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10026 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10026 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10027 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10027 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10027 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10027 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10028 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10028 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10028 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10028 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10029 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10029 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10029 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10029 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10030 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10030 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10030 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10030 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10031 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10031 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10031 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10031 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10032 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10032 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10032 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10032 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10033 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10033 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10033 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10033 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10034 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10034 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10034 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10034 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10035 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10035 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10035 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10035 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10036 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10036 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10036 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10036 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10037 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10037 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10037 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10037 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10038 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10038 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10038 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10038 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10039 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10039 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10039 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10039 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth1 from any to 22.22.22.22/32 port = 10040 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth3 from any to 22.22.23.23/32 port = 10040 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth0 from any to 192.168.1.1/32 port = 10040 -> 192.168.1.10 port 10000 tcp
# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules
rdr eth2 from any to 192.168.2.1/32 port = 10040 -> 192.168.1.10 port 10000 tcp
#
# Rule 18 (NAT)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipf v4.2.0.3483
#
# Generated Sun Feb 20 16:55:12 2011 PST by vadim
# Generated Sun Feb 20 21:28:58 2011 PST by vadim
#
# files: * firewall2.fw /etc/fw/firewall2.fw
# files: firewall2-ipf.conf /etc/fw/firewall2-ipf.conf
@ -79,7 +79,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:12 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:28:58 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipf v4.2.0.3483
#
# Generated Sun Feb 20 16:55:12 2011 PST by vadim
# Generated Sun Feb 20 21:28:58 2011 PST by vadim
#
# files: * firewall34.fw /etc/fw/firewall34.fw
# files: firewall34-ipf.conf /etc/fw/firewall34-ipf.conf
@ -162,7 +162,7 @@ configure_interfaces() {
update_addresses_of_interface "lo 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Sun Feb 20 16:55:12 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:28:58 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipf v4.2.0.3483
#
# Generated Sun Feb 20 16:55:12 2011 PST by vadim
# Generated Sun Feb 20 21:28:59 2011 PST by vadim
#
# files: * firewall35.fw /etc/firewall35.fw
# files: firewall35-ipf.conf /etc/firewall35-ipf.conf
@ -77,7 +77,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:12 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:28:59 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -43,22 +43,15 @@ block out log quick proto icmp from any to any icmp-type 3
#
# Rule 6 (global)
# firewall4:Policy:6: warning: Changing rule direction due to self reference
skip 8 in proto icmp from 192.168.1.10 to 192.168.1.1 icmp-type 3
# firewall4:Policy:6: warning: Changing rule direction due to self reference
skip 7 in proto icmp from 192.168.1.10 to 192.168.2.1 icmp-type 3
# firewall4:Policy:6: warning: Changing rule direction due to self reference
skip 6 in proto icmp from 192.168.1.10 to 222.222.222.222 icmp-type 3
# firewall4:Policy:6: warning: Changing rule direction due to self reference
skip 5 in proto icmp from 192.168.1.20 to 192.168.1.1 icmp-type 3
# firewall4:Policy:6: warning: Changing rule direction due to self reference
skip 4 in proto icmp from 192.168.1.20 to 192.168.2.1 icmp-type 3
# firewall4:Policy:6: warning: Changing rule direction due to self reference
skip 3 in proto icmp from 192.168.1.20 to 222.222.222.222 icmp-type 3
# firewall4:Policy:6: warning: Changing rule direction due to self reference
block in log quick proto icmp from any to 192.168.1.1 icmp-type 3
# firewall4:Policy:6: warning: Changing rule direction due to self reference
block in log quick proto icmp from any to 192.168.2.1 icmp-type 3
# firewall4:Policy:6: warning: Changing rule direction due to self reference
block in log quick proto icmp from any to 222.222.222.222 icmp-type 3
#
# Rule 8 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipf v4.2.0.3483
#
# Generated Sun Feb 20 16:55:13 2011 PST by vadim
# Generated Sun Feb 20 21:28:59 2011 PST by vadim
#
# files: * firewall4.fw /etc/fw/firewall4.fw
# files: firewall4-ipf.conf /etc/fw/firewall4-ipf.conf
@ -80,7 +80,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:13 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:28:59 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -3,10 +3,9 @@
#
# Rule 0 (global)
# firewall5:Policy:0: warning: Changing rule direction due to self reference
pass in quick proto tcp from any to 33.33.33.33 port = 22 flags S keep state
# firewall5:Policy:0: warning: Changing rule direction due to self reference
pass in quick proto tcp from any to 33.33.33.34 port = 22 flags S keep state
# firewall5:Policy:0: warning: Changing rule direction due to self reference
pass in quick proto tcp from any to 192.168.1.1 port = 22 flags S keep state
#
# Rule 1 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipf v4.2.0.3483
#
# Generated Sun Feb 20 16:55:13 2011 PST by vadim
# Generated Sun Feb 20 21:28:59 2011 PST by vadim
#
# files: * firewall5.fw /etc/firewall5.fw
# files: firewall5-ipf.conf /etc/firewall5-ipf.conf
@ -92,7 +92,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:13 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:28:59 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipf v4.2.0.3483
#
# Generated Sun Feb 20 16:55:13 2011 PST by vadim
# Generated Sun Feb 20 21:28:59 2011 PST by vadim
#
# files: * firewall7.fw /etc/fw/firewall7.fw
# files: firewall7-ipf.conf /etc/fw/firewall7-ipf.conf
@ -76,7 +76,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:13 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:28:59 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -3,10 +3,9 @@
#
# Rule 0 (global)
# firewall8:Policy:0: warning: Changing rule direction due to self reference
pass in quick proto tcp from any to 33.33.33.33 port = 22 flags S keep state
# firewall8:Policy:0: warning: Changing rule direction due to self reference
pass in quick proto tcp from any to 33.33.33.34 port = 22 flags S keep state
# firewall8:Policy:0: warning: Changing rule direction due to self reference
pass in quick proto tcp from any to 192.168.1.1 port = 22 flags S keep state
#
# Rule 1 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipf v4.2.0.3483
#
# Generated Sun Feb 20 16:55:13 2011 PST by vadim
# Generated Sun Feb 20 21:28:59 2011 PST by vadim
#
# files: * firewall8.fw /etc/firewall8.fw
# files: firewall8-ipf.conf /etc/firewall8-ipf.conf
@ -76,7 +76,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:13 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:28:59 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -31,8 +31,8 @@ count out log from any to any
#
# Rule 5 (global)
# firewall9:Policy:5: warning: Changing rule direction due to self reference
pass in quick proto tcp from any to 22.22.22.22 port = 22 flags S keep state
# firewall9:Policy:5: warning: Changing rule direction due to self reference
pass in quick proto tcp from any to 192.168.1.1 port = 22 flags S keep state
#
# Rule 6 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipf v4.2.0.3483
#
# Generated Sun Feb 20 16:55:13 2011 PST by vadim
# Generated Sun Feb 20 21:29:00 2011 PST by vadim
#
# files: * firewall9.fw /etc/firewall9.fw
# files: firewall9-ipf.conf /etc/firewall9-ipf.conf
@ -76,7 +76,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:13 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:29:00 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -72,31 +72,26 @@ pass out log quick on lo from 127.0.0.1 to 127.0.0.1
# Rule 4 (global)
# block fragments
# host:Policy:4: warning: Changing rule direction due to self reference
block in log quick from any to 22.22.22.22 with short
#
# Rule 5 (global)
# host:Policy:5: warning: Changing rule direction due to self reference
pass in quick proto icmp from any to 22.22.22.22 icmp-type 3 keep state
# host:Policy:5: warning: Changing rule direction due to self reference
pass in quick proto tcp from any to 22.22.22.22 port = 25 keep state
# host:Policy:5: warning: Changing rule direction due to self reference
pass in quick proto tcp from any to 22.22.22.22 port = 80 keep state
# host:Policy:5: warning: Changing rule direction due to self reference
pass in quick proto tcp from any to 22.22.22.22 port = 22 keep state
# host:Policy:5: warning: Changing rule direction due to self reference
pass in quick proto tcp from any to 22.22.22.22 port = 21 keep state
# host:Policy:5: warning: Changing rule direction due to self reference
pass in quick proto tcp from any to 22.22.22.22 port = 23 keep state
#
# Rule 6 (global)
# allow all outgoing connections
# host:Policy:6: warning: Changing rule direction due to self reference
pass out quick proto icmp from 22.22.22.22 to any keep state
# host:Policy:6: warning: Changing rule direction due to self reference
pass out quick proto tcp from 22.22.22.22 to any keep state
# host:Policy:6: warning: Changing rule direction due to self reference
pass out quick proto udp from 22.22.22.22 to any keep state
# host:Policy:6: warning: Changing rule direction due to self reference
pass out quick from 22.22.22.22 to any
#
# Rule 7 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipf v4.2.0.3483
#
# Generated Sun Feb 20 16:55:14 2011 PST by vadim
# Generated Sun Feb 20 21:29:00 2011 PST by vadim
#
# files: * host.fw /etc/fw/host.fw
# files: host-ipf.conf /etc/fw/host-ipf.conf
@ -78,7 +78,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:14 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:29:00 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipfw v4.2.0.3483
#
# Generated Sun Feb 20 16:55:54 2011 PST by vadim
# Generated Sun Feb 20 21:29:36 2011 PST by vadim
#
# files: * firewall.fw ipfw.fw
#
@ -81,7 +81,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:54 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:29:36 2011 by vadim"
set_kernel_vars
configure_interfaces
@ -118,6 +118,7 @@ prolog_commands
# Rule 3 (eth0)
# комментарий по-русски
# firewall:Policy:3: warning: Changing rule direction due to self reference
"$IPFW" add 60 set 1 permit udp from 192.168.1.0/24 to me 53 in recv eth0 keep-state || exit 1
#
# Rule 4 (eth0)
@ -141,6 +142,7 @@ prolog_commands
#
# Rule 9 (global)
# firewall:Policy:9: warning: Changing rule direction due to self reference
"$IPFW" add 160 set 1 unreach port 50 from any to me in || exit 1
#
# Rule 12 (global)
@ -180,6 +182,7 @@ prolog_commands
# Rule 20 (global)
# Automatically generated 'masquerading' rule
# firewall:Policy:20: warning: Changing rule direction due to self reference
"$IPFW" add 350 set 1 permit all from me to any out keep-state || exit 1
"$IPFW" add 360 set 1 permit all from 192.168.1.0/24 to any keep-state || exit 1
#


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipfw v4.2.0.3483
#
# Generated Sun Feb 20 16:55:54 2011 PST by vadim
# Generated Sun Feb 20 21:29:36 2011 PST by vadim
#
# files: * firewall1.fw /etc/firewall1.fw
#
@ -83,7 +83,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:54 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:29:36 2011 by vadim"
set_kernel_vars
configure_interfaces
@ -156,14 +156,14 @@ prolog_commands
#
# Rule 9 (global)
# firewall1:Policy:9: warning: Changing rule direction due to self reference
"$IPFW" add 350 set 1 skipto 380 icmp from 192.168.1.10 to me icmptypes 3 in || exit 1
# firewall1:Policy:9: warning: Changing rule direction due to self reference
"$IPFW" add 360 set 1 skipto 380 icmp from 192.168.1.20 to me icmptypes 3 in || exit 1
# firewall1:Policy:9: warning: Changing rule direction due to self reference
"$IPFW" add 370 set 1 drop log icmp from any to me icmptypes 3 in || exit 1
#
# Rule 10 (global)
# firewall1:Policy:10: warning: Changing rule direction due to self reference
"$IPFW" add 380 set 1 skipto 410 all from me to 192.168.1.0/24 out || exit 1
"$IPFW" add 390 set 1 skipto 410 all from 192.168.2.0/24 to 192.168.1.0/24 || exit 1
"$IPFW" add 400 set 1 drop log all from any to 192.168.1.0/24 || exit 1
@ -183,6 +183,7 @@ prolog_commands
#
# Rule 13 (global)
# firewall1:Policy:13: warning: Changing rule direction due to self reference
"$IPFW" add 500 set 1 skipto 520 all from any to me in || exit 1
"$IPFW" add 510 set 1 drop all from any to any || exit 1
#


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipfw v4.2.0.3483
#
# Generated Sun Feb 20 16:55:55 2011 PST by vadim
# Generated Sun Feb 20 21:29:37 2011 PST by vadim
#
# files: * firewall2.fw /etc/firewall2.fw
#
@ -77,7 +77,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:55 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:29:37 2011 by vadim"
set_kernel_vars
configure_interfaces
@ -145,6 +145,7 @@ prolog_commands
#
# Rule 12 (global)
# firewall2:Policy:12: warning: Changing rule direction due to self reference
"$IPFW" add 180 set 1 permit log tcp from any to me 21 in setup keep-state || exit 1
#
# Rule 13 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipfw v4.2.0.3483
#
# Generated Sun Feb 20 16:55:55 2011 PST by vadim
# Generated Sun Feb 20 21:29:37 2011 PST by vadim
#
# files: * firewall33.fw /etc/fw/firewall33.fw
#
@ -163,7 +163,7 @@ configure_interfaces() {
update_addresses_of_interface "lo 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Sun Feb 20 16:55:55 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:29:37 2011 by vadim"
set_kernel_vars
configure_interfaces
@ -193,6 +193,7 @@ prolog_commands
#
# Rule 2 (global)
# firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode
"$IPFW" add 80 set 1 permit all from 192.0.2.1 to any keep-state || exit 1
#
# Rule 3 (global)
@ -213,6 +214,7 @@ prolog_commands
#
# Rule 6 (global)
# firewall33:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode
"$IPFW" add 190 set 1 skipto 210 all from any to 192.0.2.1 || exit 1
"$IPFW" add 200 set 1 permit all from any to any keep-state || exit 1
#


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipfw v4.2.0.3483
#
# Generated Sun Feb 20 16:55:55 2011 PST by vadim
# Generated Sun Feb 20 21:29:37 2011 PST by vadim
#
# files: * firewall34.fw /etc/firewall34.fw
#
@ -77,7 +77,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:55 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:29:37 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipfw v4.2.0.3483
#
# Generated Sun Feb 20 16:55:55 2011 PST by vadim
# Generated Sun Feb 20 21:29:37 2011 PST by vadim
#
# files: * firewall4.fw /etc/firewall4.fw
#
@ -80,7 +80,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:55 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:29:37 2011 by vadim"
set_kernel_vars
configure_interfaces
@ -127,10 +127,9 @@ prolog_commands
#
# Rule 6 (global)
# firewall4:Policy:6: warning: Changing rule direction due to self reference
"$IPFW" add 130 set 1 skipto 160 icmp from 192.168.1.10 to me icmptypes 3 in || exit 1
# firewall4:Policy:6: warning: Changing rule direction due to self reference
"$IPFW" add 140 set 1 skipto 160 icmp from 192.168.1.20 to me icmptypes 3 in || exit 1
# firewall4:Policy:6: warning: Changing rule direction due to self reference
"$IPFW" add 150 set 1 drop log icmp from any to me icmptypes 3 in || exit 1
#
# Rule 8 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipfw v4.2.0.3483
#
# Generated Sun Feb 20 16:55:55 2011 PST by vadim
# Generated Sun Feb 20 21:29:37 2011 PST by vadim
#
# files: * firewall7.fw /etc/firewall7.fw
#
@ -77,7 +77,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:55 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:29:37 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipfw v4.2.0.3483
#
# Generated Sun Feb 20 16:55:56 2011 PST by vadim
# Generated Sun Feb 20 21:29:37 2011 PST by vadim
#
# files: * firewall8.fw /etc/firewall8.fw
#
@ -76,7 +76,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:56 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:29:37 2011 by vadim"
set_kernel_vars
configure_interfaces
@ -95,6 +95,7 @@ prolog_commands
#
# Rule 0 (global)
# firewall8:Policy:0: warning: Changing rule direction due to self reference
"$IPFW" add 10 set 1 permit tcp from any to me 22 in setup keep-state || exit 1
#
# Rule 1 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipfw v4.2.0.3483
#
# Generated Sun Feb 20 16:55:56 2011 PST by vadim
# Generated Sun Feb 20 21:29:38 2011 PST by vadim
#
# files: * firewall9.fw /etc/firewall9.fw
#
@ -76,7 +76,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:56 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:29:38 2011 by vadim"
set_kernel_vars
configure_interfaces
@ -114,6 +114,7 @@ prolog_commands
#
# Rule 5 (global)
# firewall9:Policy:5: warning: Changing rule direction due to self reference
"$IPFW" add 100 set 1 permit tcp from any to me 22 in setup keep-state || exit 1
#
# Rule 6 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipfw v4.2.0.3483
#
# Generated Sun Feb 20 16:55:56 2011 PST by vadim
# Generated Sun Feb 20 21:29:38 2011 PST by vadim
#
# files: * host.fw /etc/host.fw
#
@ -79,7 +79,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:56 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:29:38 2011 by vadim"
set_kernel_vars
configure_interfaces
@ -113,17 +113,19 @@ prolog_commands
# Rule 4 (global)
# block fragments
# host:Policy:4: warning: Changing rule direction due to self reference
"$IPFW" add 50 set 1 drop log all from any to me frag in || exit 1
#
# Rule 5 (global)
# host:Policy:5: warning: Changing rule direction due to self reference
"$IPFW" add 60 set 1 permit icmp from any to me icmptypes 3 in keep-state || exit 1
# host:Policy:5: warning: Changing rule direction due to self reference
"$IPFW" add 70 set 1 permit tcp from any to me 25,80,22,21,23 in setup keep-state || exit 1
#
# Rule 6 (global)
# allow all outgoing connections
# host:Policy:6: warning: Changing rule direction due to self reference
"$IPFW" add 80 set 1 permit all from me to any out keep-state || exit 1
#
# Rule 7 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipfw v4.2.0.3483
#
# Generated Sun Feb 20 16:55:56 2011 PST by vadim
# Generated Sun Feb 20 21:29:38 2011 PST by vadim
#
# files: * mac.fw /etc/mac.fw
#
@ -77,7 +77,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 16:55:56 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:29:38 2011 by vadim"
set_kernel_vars
configure_interfaces
@ -99,6 +99,7 @@ prolog_commands
#
# Rule 1 (global)
# mac:Policy:1: warning: Changing rule direction due to self reference
"$IPFW" add 20 set 1 permit tcp from any to me established in keep-state || exit 1
#
# Rule 2 (global)
@ -107,18 +108,16 @@ prolog_commands
#
# Rule 3 (global)
# mac:Policy:3: warning: Changing rule direction due to self reference
"$IPFW" add 50 set 1 permit icmp from any to me icmptypes 11,11,0,3 in keep-state || exit 1
# mac:Policy:3: warning: Changing rule direction due to self reference
"$IPFW" add 60 set 1 permit tcp from any to me 22,25 in setup keep-state || exit 1
# mac:Policy:3: warning: Changing rule direction due to self reference
"$IPFW" add 70 set 1 permit udp from any to me in keep-state || exit 1
#
# Rule 4 (global)
# mac:Policy:4: warning: Changing rule direction due to self reference
"$IPFW" add 80 set 1 permit icmp from me to any icmptypes 11,11,0,3 out keep-state || exit 1
# mac:Policy:4: warning: Changing rule direction due to self reference
"$IPFW" add 90 set 1 permit tcp from me to any out setup keep-state || exit 1
# mac:Policy:4: warning: Changing rule direction due to self reference
"$IPFW" add 100 set 1 permit udp from me to any 53,68,67 out keep-state || exit 1
#
# Rule 5 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:49 2011 PST by vadim
# Generated Sun Feb 20 21:02:48 2011 PST by vadim
#
# files: * cluster1_secuwall-1.fw /etc/cluster1_secuwall-1.fw
#
@ -588,7 +588,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:49 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:48 2011 by vadim"
log "Database was cluster-tests.fwb"
check_tools
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:07:08 2011 PST by vadim
# Generated Sun Feb 20 21:01:06 2011 PST by vadim
#
# files: * firewall-base-rulesets.fw /etc/fw/firewall-base-rulesets.fw
#
@ -445,7 +445,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:07:08 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:01:06 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:07:32 2011 PST by vadim
# Generated Sun Feb 20 21:01:29 2011 PST by vadim
#
# files: * firewall-ipv6-1.fw /etc/firewall-ipv6-1.fw
#
@ -355,6 +355,8 @@ script_body() {
#
echo "Rule 4 (global)"
#
# firewall-ipv6-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it
$IPTABLES -N Cid4834D3108571.0
$IPTABLES -A INPUT -p tcp -m tcp -d 1.1.1.1 --dport 22 -m state --state NEW -j Cid4834D3108571.0
$IPTABLES -N RULE_4
@ -407,6 +409,9 @@ script_body() {
#
echo "Rule 13 (global)"
#
# firewall-ipv6-1:Policy:13: error: Rule '13 (global)' shadows rule '15 (global)' below it
# firewall-ipv6-1:Policy:13: error: Rule '13 (global)' shadows rule '17 (global)' below it
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT
@ -459,10 +464,10 @@ script_body() {
echo "Rule 21 (global)"
#
# firewall-ipv6-1:Policy:21: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -N RULE_21
$IPTABLES -A OUTPUT -d 192.0.2.1 -j RULE_21
$IPTABLES -A OUTPUT -d 207.251.84.150 -j RULE_21
# firewall-ipv6-1:Policy:21: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -A FORWARD -d 192.0.2.1 -j RULE_21
$IPTABLES -A FORWARD -d 207.251.84.150 -j RULE_21
$IPTABLES -A RULE_21 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 21 -- DENY " --ulog-qthreshold 1
@ -506,6 +511,8 @@ script_body() {
echo "Rule Policy_ipv6 0 (global)"
#
# for bug 2047082
# firewall-ipv6-1:Policy_ipv6:0: error: Rule 'Policy_ipv6 0 (global)' shadows rule 'Policy_ipv6 14 (global)' below it
$IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT
#
# Rule Policy_ipv6 1 (global)
@ -522,9 +529,9 @@ script_body() {
echo "Rule Policy_ipv6 2 (global)"
#
# firewall-ipv6-1:Policy_ipv6:2: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IP6TABLES -N Policy_ipv6_2
$IP6TABLES -A OUTPUT -d 2001:db8::1 -j Policy_ipv6_2
# firewall-ipv6-1:Policy_ipv6:2: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IP6TABLES -A FORWARD -d 2001:db8::1 -j Policy_ipv6_2
$IP6TABLES -A Policy_ipv6_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY "
$IP6TABLES -A Policy_ipv6_2 -j DROP
@ -561,9 +568,14 @@ script_body() {
#
echo "Rule Policy_ipv6 6 (global)"
#
# firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 10 (global)' below it
# firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 11 (global)' below it
# firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 12 (global)' below it
# firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 7 (global)' below it
# firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 9 (global)' below it
# firewall-ipv6-1:Policy_ipv6:6: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A OUTPUT -p ipv6-icmp -d fe80::21d:9ff:fe8b:8e94 -j ACCEPT
# firewall-ipv6-1:Policy_ipv6:6: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
#
# Rule Policy_ipv6 7 (global)
@ -571,34 +583,37 @@ script_body() {
echo "Rule Policy_ipv6 7 (global)"
#
# firewall-ipv6-1:Policy_ipv6:7: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
#
# Rule Policy_ipv6 8 (global)
#
echo "Rule Policy_ipv6 8 (global)"
#
# firewall-ipv6-1:Policy_ipv6:8: error: Rule 'Policy_ipv6 8 (global)' shadows rule 'Policy_ipv6 13 (global)' below it
# firewall-ipv6-1:Policy_ipv6:8: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT
# firewall-ipv6-1:Policy_ipv6:8: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
# firewall-ipv6-1:Policy_ipv6:8: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT
#
# Rule Policy_ipv6 9 (global)
#
echo "Rule Policy_ipv6 9 (global)"
#
$IP6TABLES -A INPUT -p tcp -m tcp --dport 993 -m state --state NEW -j ACCEPT
# firewall-ipv6-1:Policy_ipv6:9: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A INPUT -p tcp -m tcp --dport 993 -m state --state NEW -j ACCEPT
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
#
# Rule Policy_ipv6 10 (global)
#
echo "Rule Policy_ipv6 10 (global)"
#
# firewall-ipv6-1:Policy_ipv6:10: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A INPUT -p tcp -m tcp -m multiport --dports 139,135,42,445,88,389,636,3268,3269,53 -m state --state NEW -j ACCEPT
$IP6TABLES -A INPUT -p udp -m udp -m multiport --dports 138,137,53,88 -m state --state NEW -j ACCEPT
# firewall-ipv6-1:Policy_ipv6:10: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
#
# Rule Policy_ipv6 11 (global)
@ -687,7 +702,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:07:32 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:01:29 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:07:34 2011 PST by vadim
# Generated Sun Feb 20 21:01:31 2011 PST by vadim
#
# files: * firewall-ipv6-2.fw /etc/firewall-ipv6-2.fw
#
@ -383,6 +383,8 @@ script_body() {
#
echo "Rule 4 (global)"
#
# firewall-ipv6-2:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it
$IPTABLES -N Cid56136X87590.0
$IPTABLES -A INPUT -p tcp -m tcp -d 1.1.1.1 --dport 22 -m state --state NEW -j Cid56136X87590.0
$IPTABLES -N RULE_4
@ -407,6 +409,9 @@ script_body() {
#
echo "Rule 7 (global)"
#
# firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '27 (global)' below it
# firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '28 (global)' below it
$IPTABLES -N In_RULE_7
$IPTABLES -A INPUT -m state --state NEW -j In_RULE_7
$IPTABLES -A In_RULE_7 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 7 -- ACCEPT " --ulog-qthreshold 1
@ -416,6 +421,8 @@ script_body() {
#
echo "Rule 8 (global)"
#
# firewall-ipv6-2:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it
$IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -d 192.168.1.1 -m state --state NEW -j ACCEPT
#
@ -449,6 +456,9 @@ script_body() {
#
echo "Rule 15 (global)"
#
# firewall-ipv6-2:Policy:15: error: Rule '15 (global)' shadows rule '17 (global)' below it
# firewall-ipv6-2:Policy:15: error: Rule '15 (global)' shadows rule '19 (global)' below it
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT
@ -474,6 +484,9 @@ script_body() {
echo "Rule 20 (global)"
#
# INPUT, OUTPUT, FORWARD
# firewall-ipv6-2:Policy:20: error: Rule '20 (global)' shadows rule '22 (global)' below it
# firewall-ipv6-2:Policy:20: error: Rule '20 (global)' shadows rule '30 (global)' below it
$IPTABLES -A INPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 1.1.1.0/24 -m state --state NEW -j ACCEPT
@ -508,10 +521,10 @@ script_body() {
echo "Rule 24 (global)"
#
# firewall-ipv6-2:Policy:24: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -N RULE_24
$IPTABLES -A OUTPUT -d 192.0.2.1 -j RULE_24
$IPTABLES -A OUTPUT -d 207.251.84.150 -j RULE_24
# firewall-ipv6-2:Policy:24: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -A FORWARD -d 192.0.2.1 -j RULE_24
$IPTABLES -A FORWARD -d 207.251.84.150 -j RULE_24
$IPTABLES -A RULE_24 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 24 -- DENY " --ulog-qthreshold 1
@ -609,12 +622,22 @@ script_body() {
#
echo "Rule 1 (global)"
#
# firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it
# firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it
# firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '5 (global)' below it
# firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '6 (global)' below it
$IP6TABLES -A INPUT -p tcp -m tcp -s 2001:5c0:0:2::24 -d fe80::21d:9ff:fe8b:8e94 --dport 22 -m state --state NEW -j ACCEPT
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
# firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it
# firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it
# firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it
# firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it
$IP6TABLES -N RULE_2
$IP6TABLES -A INPUT -p tcp -m tcp -s 3ffe:1200:2001:1:8000::1 --dport 22 -m state --state NEW -j RULE_2
$IP6TABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
@ -624,6 +647,8 @@ script_body() {
#
echo "Rule 3 (global)"
#
# firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it
$IP6TABLES -N Cid56124X87590.0
$IP6TABLES -A INPUT -p tcp -m tcp -d fe80::21d:9ff:fe8b:8e94 --dport 22 -m state --state NEW -j Cid56124X87590.0
$IP6TABLES -N RULE_3
@ -674,6 +699,9 @@ script_body() {
#
echo "Rule 7 (global)"
#
# firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '27 (global)' below it
# firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '28 (global)' below it
$IP6TABLES -N In_RULE_7
$IP6TABLES -A INPUT -m state --state NEW -j In_RULE_7
$IP6TABLES -A In_RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- ACCEPT "
@ -683,6 +711,8 @@ script_body() {
#
echo "Rule 8 (global)"
#
# firewall-ipv6-2:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it
$IP6TABLES -A OUTPUT -d e80::21d:9ff:fe8b:8e94 -m state --state NEW -j ACCEPT
$IP6TABLES -A FORWARD -d e80::21d:9ff:fe8b:8e94 -m state --state NEW -j ACCEPT
#
@ -697,6 +727,8 @@ script_body() {
#
echo "Rule 10 (global)"
#
# firewall-ipv6-2:Policy:10: error: Rule '10 (global)' shadows rule '25 (global)' below it
$IP6TABLES -N RULE_10
$IP6TABLES -A INPUT -s fe80::/64 -m state --state NEW -j RULE_10
$IP6TABLES -A OUTPUT -s fe80::/64 -m state --state NEW -j RULE_10
@ -708,6 +740,8 @@ script_body() {
#
echo "Rule 11 (global)"
#
# firewall-ipv6-2:Policy:11: error: Rule '11 (global)' shadows rule '12 (global)' below it
$IP6TABLES -N RULE_11
$IP6TABLES -A INPUT -s 2001:5c0:0:2::24 -m state --state NEW -j RULE_11
$IP6TABLES -A INPUT -s 3ffe:1200:2000::/36 -m state --state NEW -j RULE_11
@ -734,11 +768,13 @@ script_body() {
#
echo "Rule 16 (global)"
#
# firewall-ipv6-2:Policy:16: error: Rule '16 (global)' shadows rule '18 (global)' below it
# firewall-ipv6-2:Policy:16: error: Rule '16 (global)' shadows rule '19 (global)' below it
# firewall-ipv6-2:Policy:16: error: Rule '16 (global)' shadows rule '29 (global)' below it
# firewall-ipv6-2:Policy:16: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT
# firewall-ipv6-2:Policy:16: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
# firewall-ipv6-2:Policy:16: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT
#
# Rule 18 (global)
@ -746,10 +782,9 @@ script_body() {
echo "Rule 18 (global)"
#
# firewall-ipv6-2:Policy:18: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
# firewall-ipv6-2:Policy:18: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
# firewall-ipv6-2:Policy:18: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
#
# Rule 19 (global)
@ -757,10 +792,9 @@ script_body() {
echo "Rule 19 (global)"
#
# firewall-ipv6-2:Policy:19: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
# firewall-ipv6-2:Policy:19: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
# firewall-ipv6-2:Policy:19: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
#
# Rule 22 (global)
@ -768,6 +802,8 @@ script_body() {
echo "Rule 22 (global)"
#
# for bug 2047082
# firewall-ipv6-2:Policy:22: error: Rule '22 (global)' shadows rule '30 (global)' below it
$IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT
#
# Rule 23 (global)
@ -784,9 +820,9 @@ script_body() {
echo "Rule 24 (global)"
#
# firewall-ipv6-2:Policy:24: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IP6TABLES -N RULE_24
$IP6TABLES -A OUTPUT -d 2001:db8::1 -j RULE_24
# firewall-ipv6-2:Policy:24: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IP6TABLES -A FORWARD -d 2001:db8::1 -j RULE_24
$IP6TABLES -A RULE_24 -j LOG --log-level info --log-prefix "RULE 24 -- DENY "
$IP6TABLES -A RULE_24 -j DROP
@ -814,8 +850,8 @@ script_body() {
echo "Rule 27 (global)"
#
# firewall-ipv6-2:Policy:27: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A OUTPUT -p ipv6-icmp -d fe80::21d:9ff:fe8b:8e94 -j ACCEPT
# firewall-ipv6-2:Policy:27: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
#
# Rule 28 (global)
@ -823,6 +859,7 @@ script_body() {
echo "Rule 28 (global)"
#
# firewall-ipv6-2:Policy:28: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
#
# Rule 29 (global)
@ -830,10 +867,9 @@ script_body() {
echo "Rule 29 (global)"
#
# firewall-ipv6-2:Policy:29: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT
# firewall-ipv6-2:Policy:29: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
# firewall-ipv6-2:Policy:29: warning: Making rule stateless because it matches ICMPv6
$IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT
#
# Rule 30 (global)
@ -930,7 +966,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:07:34 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:01:31 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:07:57 2011 PST by vadim
# Generated Sun Feb 20 21:01:54 2011 PST by vadim
#
# files: * firewall-ipv6-3.fw /etc/firewall-ipv6-3.fw
#
@ -352,6 +352,8 @@ script_body() {
#
echo "Rule fw-ipv6-3 2 (global)"
#
# firewall-ipv6-3:fw-ipv6-3:2: error: Rule 'fw-ipv6-3 2 (global)' shadows rule 'fw-ipv6-3 3 (global)' below it
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT
@ -369,6 +371,8 @@ script_body() {
echo "Rule fw-ipv6-3 4 (global)"
#
# INPUT, OUTPUT, FORWARD
# firewall-ipv6-3:fw-ipv6-3:4: error: Rule 'fw-ipv6-3 4 (global)' shadows rule 'fw-ipv6-3 6 (global)' below it
$IPTABLES -A INPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 1.1.1.0/24 -m state --state NEW -j ACCEPT
@ -403,10 +407,10 @@ script_body() {
echo "Rule fw-ipv6-3 8 (global)"
#
# firewall-ipv6-3:fw-ipv6-3:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -N fw-ipv6-3_8
$IPTABLES -A OUTPUT -d 192.0.2.1 -j fw-ipv6-3_8
$IPTABLES -A OUTPUT -d 207.251.84.150 -j fw-ipv6-3_8
# firewall-ipv6-3:fw-ipv6-3:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -A FORWARD -d 192.0.2.1 -j fw-ipv6-3_8
$IPTABLES -A FORWARD -d 207.251.84.150 -j fw-ipv6-3_8
$IPTABLES -A fw-ipv6-3_8 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 8 -- DENY " --ulog-qthreshold 1
@ -515,9 +519,9 @@ script_body() {
echo "Rule fw-ipv6-3 8 (global)"
#
# firewall-ipv6-3:fw-ipv6-3:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IP6TABLES -N fw-ipv6-3_8
$IP6TABLES -A OUTPUT -d 2001:db8::1 -j fw-ipv6-3_8
# firewall-ipv6-3:fw-ipv6-3:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IP6TABLES -A FORWARD -d 2001:db8::1 -j fw-ipv6-3_8
$IP6TABLES -A fw-ipv6-3_8 -j LOG --log-level info --log-prefix "RULE 8 -- DENY "
$IP6TABLES -A fw-ipv6-3_8 -j DROP
@ -592,7 +596,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:07:57 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:01:54 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:23 2011 PST by vadim
# Generated Sun Feb 20 21:02:20 2011 PST by vadim
#
# files: * firewall-ipv6-4-1.fw /etc/firewall-ipv6-4-1.fw
#
@ -342,6 +342,8 @@ script_body() {
echo "-A OUTPUT -p icmp -m icmp -s 1.1.1.1 --icmp-type 8/0 -m state --state NEW -j ACCEPT "
#
# Rule 2 (global)
# firewall-ipv6-4-1:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it
echo "-A FORWARD -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT "
#
# Rule 3 (global)
@ -349,6 +351,8 @@ script_body() {
#
# Rule 4 (global)
# INPUT, OUTPUT, FORWARD
# firewall-ipv6-4-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it
echo "-A FORWARD -s 1.1.1.0/24 -m state --state NEW -j ACCEPT "
#
# Rule 5 (global)
@ -366,10 +370,17 @@ script_body() {
#
# Rule 8 (global)
# firewall-ipv6-4-1:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo ":RULE_8 - [0:0]"
echo "-A FORWARD -d 192.0.2.1 -j RULE_8 "
# firewall-ipv6-4-1:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo "-A FORWARD -d 207.251.84.150 -j RULE_8 "
# firewall-ipv6-4-1:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo "-A RULE_8 -j ULOG --ulog-nlgroup 1 --ulog-prefix \"RULE 8 -- DENY \" --ulog-qthreshold 1 "
# firewall-ipv6-4-1:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo "-A RULE_8 -j DROP "
#
# Rule 9 (global)
@ -449,9 +460,14 @@ script_body() {
#
# Rule 8 (global)
# firewall-ipv6-4-1:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo ":RULE_8 - [0:0]"
echo "-A FORWARD -d 2001:db8::1 -j RULE_8 "
# firewall-ipv6-4-1:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo "-A RULE_8 -j LOG --log-level info --log-prefix \"RULE 8 -- DENY \""
# firewall-ipv6-4-1:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo "-A RULE_8 -j DROP "
#
# Rule 11 (global)
@ -539,7 +555,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:23 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:20 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:00 2011 PST by vadim
# Generated Sun Feb 20 21:01:57 2011 PST by vadim
#
# files: * firewall-ipv6-4.fw /etc/firewall-ipv6-4.fw
#
@ -341,8 +341,14 @@ script_body() {
echo "-A OUTPUT -p icmp -m icmp -s 1.1.1.1 --icmp-type 8/0 -m state --state NEW -j ACCEPT "
#
# Rule 2 (global)
# firewall-ipv6-4:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it
echo "-A OUTPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT "
# firewall-ipv6-4:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it
echo "-A INPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT "
# firewall-ipv6-4:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it
echo "-A FORWARD -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT "
#
# Rule 3 (global)
@ -352,8 +358,14 @@ script_body() {
#
# Rule 4 (global)
# INPUT, OUTPUT, FORWARD
# firewall-ipv6-4:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it
echo "-A INPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT "
# firewall-ipv6-4:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it
echo "-A OUTPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT "
# firewall-ipv6-4:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it
echo "-A FORWARD -s 1.1.1.0/24 -m state --state NEW -j ACCEPT "
#
# Rule 5 (global)
@ -375,13 +387,23 @@ script_body() {
#
# Rule 8 (global)
# firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo ":RULE_8 - [0:0]"
echo "-A OUTPUT -d 192.0.2.1 -j RULE_8 "
# firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo "-A OUTPUT -d 207.251.84.150 -j RULE_8 "
# firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo "-A FORWARD -d 192.0.2.1 -j RULE_8 "
# firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo "-A FORWARD -d 207.251.84.150 -j RULE_8 "
# firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo "-A RULE_8 -j ULOG --ulog-nlgroup 1 --ulog-prefix \"RULE 8 -- DENY \" --ulog-qthreshold 1 "
# firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo "-A RULE_8 -j DROP "
#
# Rule 9 (global)
@ -483,11 +505,17 @@ script_body() {
#
# Rule 8 (global)
# firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo ":RULE_8 - [0:0]"
echo "-A OUTPUT -d 2001:db8::1 -j RULE_8 "
# firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo "-A FORWARD -d 2001:db8::1 -j RULE_8 "
# firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo "-A RULE_8 -j LOG --log-level info --log-prefix \"RULE 8 -- DENY \""
# firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
echo "-A RULE_8 -j DROP "
#
# Rule 11 (global)
@ -577,7 +605,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:00 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:01:57 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:03 2011 PST by vadim
# Generated Sun Feb 20 21:02:01 2011 PST by vadim
#
# files: * firewall-ipv6-5.fw /etc/firewall-ipv6-5.fw
#
@ -412,7 +412,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:03 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:01 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:07 2011 PST by vadim
# Generated Sun Feb 20 21:02:05 2011 PST by vadim
#
# files: * firewall-ipv6-6.fw /etc/firewall-ipv6-6.fw
#
@ -399,7 +399,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:07 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:05 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:11 2011 PST by vadim
# Generated Sun Feb 20 21:02:08 2011 PST by vadim
#
# files: * firewall-ipv6-7.fw /etc/firewall-ipv6-7.fw
#
@ -443,7 +443,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:11 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:08 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:15 2011 PST by vadim
# Generated Sun Feb 20 21:02:13 2011 PST by vadim
#
# files: * firewall-ipv6-8.fw /etc/firewall-ipv6-8.fw
#
@ -484,7 +484,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:15 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:13 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:19 2011 PST by vadim
# Generated Sun Feb 20 21:02:16 2011 PST by vadim
#
# files: * firewall-ipv6-ipt-reset-prolog-after-flush.fw /etc/firewall-ipv6-ipt-reset-prolog-after-flush.fw
#
@ -450,7 +450,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:19 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:16 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:23 2011 PST by vadim
# Generated Sun Feb 20 21:02:20 2011 PST by vadim
#
# files: * firewall-ipv6-ipt-reset-prolog-after-interfaces.fw /etc/firewall-ipv6-ipt-reset-prolog-after-interfaces.fw
#
@ -450,7 +450,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:23 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:20 2011 by vadim"
check_tools
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:27 2011 PST by vadim
# Generated Sun Feb 20 21:02:25 2011 PST by vadim
#
# files: * firewall-ipv6-ipt-reset-prolog-top.fw /etc/firewall-ipv6-ipt-reset-prolog-top.fw
#
@ -450,7 +450,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:27 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:25 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:27 2011 PST by vadim
# Generated Sun Feb 20 21:02:25 2011 PST by vadim
#
# files: * firewall-ipv6-prolog-after-flush.fw /etc/firewall-ipv6-prolog-after-flush.fw
#
@ -420,7 +420,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:27 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:25 2011 by vadim"
check_tools
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:31 2011 PST by vadim
# Generated Sun Feb 20 21:02:29 2011 PST by vadim
#
# files: * firewall-ipv6-prolog-after-interfaces.fw /etc/firewall-ipv6-prolog-after-interfaces.fw
#
@ -420,7 +420,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:31 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:29 2011 by vadim"
check_tools
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:32 2011 PST by vadim
# Generated Sun Feb 20 21:02:30 2011 PST by vadim
#
# files: * firewall-ipv6-prolog-top.fw /etc/firewall-ipv6-prolog-top.fw
#
@ -420,7 +420,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:32 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:30 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:35 2011 PST by vadim
# Generated Sun Feb 20 21:02:33 2011 PST by vadim
#
# files: * firewall-server-1-s.fw /etc/fw/firewall-server-1-s.fw
#
@ -393,7 +393,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:35 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:33 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:17 2011 PST by vadim
# Generated Sun Feb 20 20:58:11 2011 PST by vadim
#
# files: * firewall.fw /etc/fw/firewall.fw
#
@ -364,18 +364,13 @@ script_body() {
echo "Rule 2 (NAT)"
#
# firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10/31 -j SNAT --to-source 222.222.222.10-222.222.222.100
# firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.12/30 -j SNAT --to-source 222.222.222.10-222.222.222.100
# firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.16/28 -j SNAT --to-source 222.222.222.10-222.222.222.100
# firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.32/27 -j SNAT --to-source 222.222.222.10-222.222.222.100
# firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.64/27 -j SNAT --to-source 222.222.222.10-222.222.222.100
# firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.96/30 -j SNAT --to-source 222.222.222.10-222.222.222.100
# firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.100 -j SNAT --to-source 222.222.222.10-222.222.222.100
#
# Rule 4 (NAT)
@ -431,6 +426,7 @@ script_body() {
echo "Rule 11 (NAT)"
#
# firewall:NAT:11: warning: SNAT rule can not match MAC address. Object CA(host-with-mac-1:1) removed from the rule
$IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 25 -j SNAT --to-source 222.222.222.222
#
# Rule 12 (NAT)
@ -920,11 +916,12 @@ script_body() {
#
echo "Rule 36 (global)"
#
# firewall:Policy:36: warning: Empty MAC address in rule
$IPTABLES -N Cid3DB0B422.0
$IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3DB0B422.0
$IPTABLES -A Cid3DB0B422.0 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT
$IPTABLES -A Cid3DB0B422.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT
# firewall:Policy:36: warning: Empty MAC address in rule
$IPTABLES -A Cid3DB0B422.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
$IPTABLES -A Cid3DB0B422.0 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT
#
@ -932,11 +929,12 @@ script_body() {
#
echo "Rule 37 (global)"
#
# firewall:Policy:37: warning: Empty MAC address in rule
$IPTABLES -N Cid3DB0B628.0
$IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3DB0B628.0
$IPTABLES -A Cid3DB0B628.0 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT
$IPTABLES -A Cid3DB0B628.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT
# firewall:Policy:37: warning: Empty MAC address in rule
$IPTABLES -A Cid3DB0B628.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
$IPTABLES -A Cid3DB0B628.0 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT
$IPTABLES -A Cid3DB0B628.0 -s 192.168.1.20 -j ACCEPT
@ -945,11 +943,12 @@ script_body() {
#
echo "Rule 38 (global)"
#
# firewall:Policy:38: warning: Empty MAC address in rule
$IPTABLES -N Cid3DE474B7.0
$IPTABLES -A FORWARD -p tcp -m tcp --sport 53 -d 192.168.1.10 -m state --state NEW -j Cid3DE474B7.0
$IPTABLES -A Cid3DE474B7.0 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT
$IPTABLES -A Cid3DE474B7.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT
# firewall:Policy:38: warning: Empty MAC address in rule
$IPTABLES -A Cid3DE474B7.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
$IPTABLES -A Cid3DE474B7.0 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT
#
@ -957,6 +956,8 @@ script_body() {
#
echo "Rule 39 (global)"
#
# firewall:Policy:39: warning: Empty MAC address in rule
$IPTABLES -N Cpol-firewall2-2.0
$IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.1.10 --dport 10000:11000 -m state --state NEW -j Cpol-firewall2-2.0
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport -d 192.168.1.10 --dports 6667,3128,113,53,21,80,119,25,22,23,540,70,13,2105,443 -m state --state NEW -j Cpol-firewall2-2.0
@ -964,7 +965,6 @@ script_body() {
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport -d 192.168.1.10 --dports 514,4321,465,1080,111,7100 -m state --state NEW -j Cpol-firewall2-2.0
$IPTABLES -A Cpol-firewall2-2.0 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT
$IPTABLES -A Cpol-firewall2-2.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT
# firewall:Policy:39: warning: Empty MAC address in rule
$IPTABLES -A Cpol-firewall2-2.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
$IPTABLES -A Cpol-firewall2-2.0 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT
#
@ -972,18 +972,18 @@ script_body() {
#
echo "Rule 40 (global)"
#
# firewall:Policy:40: warning: Empty MAC address in rule
$IPTABLES -N Cid445FAA6D31658.0
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid445FAA6D31658.0
$IPTABLES -A Cid445FAA6D31658.0 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT
$IPTABLES -A Cid445FAA6D31658.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT
# firewall:Policy:40: warning: Empty MAC address in rule
$IPTABLES -A Cid445FAA6D31658.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
$IPTABLES -A Cid445FAA6D31658.0 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT
$IPTABLES -N Cid445FAA6D31658.1
$IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j Cid445FAA6D31658.1
$IPTABLES -A Cid445FAA6D31658.1 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT
$IPTABLES -A Cid445FAA6D31658.1 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT
# firewall:Policy:40: warning: Empty MAC address in rule
$IPTABLES -A Cid445FAA6D31658.1 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
$IPTABLES -A Cid445FAA6D31658.1 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT
#
@ -992,6 +992,7 @@ script_body() {
echo "Rule 41 (global)"
#
# firewall:Policy:41: warning: Can not match MAC address of the firewall (chain OUTPUT)
$IPTABLES -A OUTPUT -s 192.168.1.1 -d 192.168.1.10 -m state --state NEW -j ACCEPT
#
# Rule 42 (global)
@ -1341,7 +1342,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:17 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:11 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:19 2011 PST by vadim
# Generated Sun Feb 20 20:58:14 2011 PST by vadim
#
# files: * firewall1.fw /etc/fw/firewall1.fw
#
@ -1252,7 +1252,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:19 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:14 2011 by vadim"
check_tools
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:20 2011 PST by vadim
# Generated Sun Feb 20 20:58:15 2011 PST by vadim
#
# files: * firewall10.fw /etc/fw/firewall10.fw
#
@ -473,7 +473,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:20 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:15 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:22 2011 PST by vadim
# Generated Sun Feb 20 20:58:17 2011 PST by vadim
#
# files: * firewall11.fw /etc/fw/firewall11.fw
#
@ -589,7 +589,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:22 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:17 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:23 2011 PST by vadim
# Generated Sun Feb 20 20:58:18 2011 PST by vadim
#
# files: * firewall12.fw /etc/fw/firewall12.fw
#
@ -511,7 +511,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:23 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:18 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:25 2011 PST by vadim
# Generated Sun Feb 20 20:58:20 2011 PST by vadim
#
# files: * firewall13.fw /etc/fw/firewall13.fw
#
@ -385,7 +385,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:25 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:20 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:27 2011 PST by vadim
# Generated Sun Feb 20 20:58:21 2011 PST by vadim
#
# files: * firewall14.fw /etc/fw/firewall14.fw
#
@ -404,7 +404,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:27 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:21 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:28 2011 PST by vadim
# Generated Sun Feb 20 20:58:23 2011 PST by vadim
#
# files: * firewall15.fw /etc/fw/firewall15.fw
#
@ -388,7 +388,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:28 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:23 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:30 2011 PST by vadim
# Generated Sun Feb 20 20:58:24 2011 PST by vadim
#
# files: * firewall16.fw /etc/fw/firewall16.fw
#
@ -492,7 +492,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:30 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:24 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:31 2011 PST by vadim
# Generated Sun Feb 20 20:58:26 2011 PST by vadim
#
# files: * firewall17.fw /etc/fw/firewall17.fw
#
@ -471,7 +471,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:31 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:26 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:33 2011 PST by vadim
# Generated Sun Feb 20 20:58:27 2011 PST by vadim
#
# files: * firewall18.fw /etc/fw/firewall18.fw
#
@ -504,7 +504,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:33 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:27 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:35 2011 PST by vadim
# Generated Sun Feb 20 20:58:29 2011 PST by vadim
#
# files: * firewall19.fw /etc/fw/firewall19.fw
#
@ -429,10 +429,9 @@ script_body() {
echo "Rule 10 (global)"
#
# firewall19:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A INPUT -s 192.168.1.0/24 -p tcp ! --syn -dport 5190 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
# firewall19:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -p tcp ! --syn -dport 5190 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
# firewall19:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A FORWARD -s 192.168.1.0/24 -p tcp ! --syn -dport 5190 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
#
# Rule 11 (global)
@ -509,7 +508,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:35 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:29 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:45 2011 PST by vadim
# Generated Sun Feb 20 20:58:39 2011 PST by vadim
#
# files: * firewall2-1.fw /etc/fw/firewall2-1.fw
#
@ -573,6 +573,7 @@ script_body() {
echo "Rule 20 (NAT)"
#
# firewall2-1:NAT:20: warning: Adding of virtual address for address range is not implemented (object ext_range)
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.100-22.22.22.110
#
# Rule 21 (NAT)
@ -816,6 +817,8 @@ script_body() {
echo "Rule 0 (eth1)"
#
# Anti-spoofing rule
# firewall2-1:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it
$IPTABLES -N In_RULE_0
$IPTABLES -A INPUT -i eth1 -s 22.22.22.22 -j In_RULE_0
$IPTABLES -A INPUT -i eth1 -s 22.22.23.23 -j In_RULE_0
@ -889,6 +892,9 @@ script_body() {
# testing choice of chains in case when several
# interfaces are used and rule matches 'any' or
# broadcast
# firewall2-1:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it
# firewall2-1:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it
$IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -d 255.255.255.255 --destination-port 68,67 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -d 255.255.255.255 --destination-port 68,67 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p udp -m udp -m multiport -d 255.255.255.255 --destination-port 68,67 -m state --state NEW -j ACCEPT
@ -951,16 +957,18 @@ script_body() {
#
echo "Rule 10 (global)"
#
# firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it
# firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '12 (global)' below it
# firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '13 (global)' below it
# firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '14 (global)' below it
# firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '20 (global)' below it
# firewall2-1:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -N RULE_10
$IPTABLES -A OUTPUT -p udp -m udp --dport 161 -j RULE_10
# firewall2-1:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A INPUT -p udp -m udp --dport 161 -j RULE_10
# firewall2-1:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A FORWARD -p udp -m udp --dport 161 -j RULE_10
# firewall2-1:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A RULE_10 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 10 - REJECT **" --ulog-qthreshold 1
# firewall2-1:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A RULE_10 -j REJECT --reject-with icmp-net-unreachable
#
# Rule 11 (global)
@ -1300,6 +1308,8 @@ script_body() {
#
echo "Rule 25 (global)"
#
# firewall2-1:Policy:25: error: Rule '25 (global)' shadows rule '26 (global)' below it
$IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
@ -1420,7 +1430,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:45 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:39 2011 by vadim"
check_tools
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:49 2011 PST by vadim
# Generated Sun Feb 20 20:58:44 2011 PST by vadim
#
# files: * firewall2-2.fw /etc/fw/firewall2-2.fw
#
@ -572,6 +572,7 @@ script_body() {
echo "Rule 20 (NAT)"
#
# firewall2-2:NAT:20: warning: Adding of virtual address for address range is not implemented (object ext_range)
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.100-22.22.22.110
#
# Rule 21 (NAT)
@ -815,6 +816,8 @@ script_body() {
echo "Rule 0 (eth1)"
#
# Anti-spoofing rule
# firewall2-2:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it
$IPTABLES -N In_RULE_0
$IPTABLES -A INPUT -i eth1 -s 22.22.22.22 -j In_RULE_0
$IPTABLES -A INPUT -i eth1 -s 22.22.23.23 -j In_RULE_0
@ -888,6 +891,9 @@ script_body() {
# testing choice of chains in case when several
# interfaces are used and rule matches 'any' or
# broadcast
# firewall2-2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it
# firewall2-2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it
$IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT
@ -950,16 +956,18 @@ script_body() {
#
echo "Rule 10 (global)"
#
# firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it
# firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '12 (global)' below it
# firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '13 (global)' below it
# firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '14 (global)' below it
# firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '20 (global)' below it
# firewall2-2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -N RULE_10
$IPTABLES -A OUTPUT -p udp -m udp --dport 161 -j RULE_10
# firewall2-2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A INPUT -p udp -m udp --dport 161 -j RULE_10
# firewall2-2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A FORWARD -p udp -m udp --dport 161 -j RULE_10
# firewall2-2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A RULE_10 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 10 - REJECT **" --ulog-qthreshold 1
# firewall2-2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A RULE_10 -j REJECT --reject-with icmp-net-unreachable
#
# Rule 11 (global)
@ -1129,6 +1137,8 @@ script_body() {
#
echo "Rule 25 (global)"
#
# firewall2-2:Policy:25: error: Rule '25 (global)' shadows rule '26 (global)' below it
$IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
@ -1249,7 +1259,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:49 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:44 2011 by vadim"
check_tools
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:53 2011 PST by vadim
# Generated Sun Feb 20 20:58:47 2011 PST by vadim
#
# files: * firewall2-3.fw /etc/fw/firewall2-3.fw
#
@ -557,6 +557,7 @@ script_body() {
echo "Rule 20 (NAT)"
#
# firewall2-3:NAT:20: warning: Adding of virtual address for address range is not implemented (object ext_range)
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.100-22.22.22.110
#
# Rule 21 (NAT)
@ -936,15 +937,12 @@ script_body() {
echo "Rule 10 (global)"
#
# firewall2-3:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -N RULE_10
$IPTABLES -A OUTPUT -p udp -m udp --dport 161 -j RULE_10
# firewall2-3:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A INPUT -p udp -m udp --dport 161 -j RULE_10
# firewall2-3:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A FORWARD -p udp -m udp --dport 161 -j RULE_10
# firewall2-3:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A RULE_10 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 10 - REJECT **" --ulog-qthreshold 1
# firewall2-3:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A RULE_10 -j REJECT --reject-with icmp-net-unreachable
#
# Rule 11 (global)
@ -1120,7 +1118,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:53 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:47 2011 by vadim"
check_tools
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:57 2011 PST by vadim
# Generated Sun Feb 20 20:58:52 2011 PST by vadim
#
# files: * firewall2-4.fw /etc/fw/firewall2-4.fw
#
@ -331,8 +331,8 @@ script_body() {
echo "Rule 5 (NAT)"
#
# firewall2-4:NAT:5: error: Non-contiguous address range in Translated Destination in load balancing NAT rule
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.10-192.168.1.20
# firewall2-4:NAT:5: error: Non-contiguous address range in Translated Destination in load balancing NAT rule
$IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.10-192.168.1.20
#
# Rule 6 (NAT)
@ -424,7 +424,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:57 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:52 2011 by vadim"
check_tools
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:00 2011 PST by vadim
# Generated Sun Feb 20 20:58:55 2011 PST by vadim
#
# files: * firewall2-5.fw /etc/fw/firewall2-5.fw
#
@ -351,6 +351,7 @@ script_body() {
#
# should be -o eth1
# firewall2-5:NAT:4: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0)
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.10-222.222.222.100
#
# Rule 5 (NAT)
@ -366,6 +367,7 @@ script_body() {
#
# partially matches eth3
# firewall2-5:NAT:7: warning: Adding of virtual address for address range is not implemented (object range 33 30-33)
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 33.33.33.30-33.33.33.33
#
# Rule 8 (NAT)
@ -453,7 +455,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:00 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:55 2011 by vadim"
check_tools
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:04 2011 PST by vadim
# Generated Sun Feb 20 20:58:59 2011 PST by vadim
#
# files: * firewall2-6.fw /etc/fw/firewall2-6.fw
#
@ -566,7 +566,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:04 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:59 2011 by vadim"
check_tools
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:07 2011 PST by vadim
# Generated Sun Feb 20 20:59:02 2011 PST by vadim
#
# files: * firewall2-7.fw /etc/fw/firewall2-7.fw
#
@ -424,7 +424,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:07 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:02 2011 by vadim"
check_tools
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:37 2011 PST by vadim
# Generated Sun Feb 20 20:58:32 2011 PST by vadim
#
# files: * firewall2.fw /etc/fw/firewall2.fw
#
@ -595,6 +595,7 @@ script_body() {
echo "Rule 22 (NAT)"
#
# firewall2:NAT:22: warning: Adding of virtual address for address range is not implemented (object ext_range)
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.100-22.22.22.110
#
# Rule 23 (NAT)
@ -863,6 +864,9 @@ script_body() {
echo "Rule 0 (eth1)"
#
# Anti-spoofing rule
# firewall2:Policy:0: error: Rule '0 (eth1)' shadows rule '2 (fw2i1,3)' below it
# firewall2:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it
$IPTABLES -N In_RULE_0
$IPTABLES -A INPUT -i eth1 -s 22.22.22.22 -j In_RULE_0
$IPTABLES -A INPUT -i eth1 -s 22.22.23.23 -j In_RULE_0
@ -909,6 +913,8 @@ script_body() {
#
# testing group in "interface"
# this rule should be identical to rule 3
# firewall2:Policy:2: error: Rule '2 (fw2i1,3)' shadows rule '3 (eth1,eth3)' below it
$IPTABLES -N In_RULE_2
$IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2
$IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2
@ -936,6 +942,9 @@ script_body() {
# testing choice of chains in case when several
# interfaces are used and rule matches 'any' or
# broadcast
# firewall2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it
# firewall2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it
$IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT
@ -998,16 +1007,18 @@ script_body() {
#
echo "Rule 10 (global)"
#
# firewall2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it
# firewall2:Policy:10: error: Rule '10 (global)' shadows rule '12 (global)' below it
# firewall2:Policy:10: error: Rule '10 (global)' shadows rule '13 (global)' below it
# firewall2:Policy:10: error: Rule '10 (global)' shadows rule '14 (global)' below it
# firewall2:Policy:10: error: Rule '10 (global)' shadows rule '20 (global)' below it
# firewall2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -N RULE_10
$IPTABLES -A OUTPUT -p udp -m udp --dport 161 -j RULE_10
# firewall2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A INPUT -p udp -m udp --dport 161 -j RULE_10
# firewall2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A FORWARD -p udp -m udp --dport 161 -j RULE_10
# firewall2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A RULE_10 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 10 - REJECT **" --ulog-qthreshold 1
# firewall2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A RULE_10 -j REJECT --reject-with icmp-net-unreachable
#
# Rule 11 (global)
@ -1347,6 +1358,8 @@ script_body() {
#
echo "Rule 25 (global)"
#
# firewall2:Policy:25: error: Rule '25 (global)' shadows rule '26 (global)' below it
$IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
@ -1407,11 +1420,10 @@ script_body() {
#
# 'catch all' rule
# firewall2:Policy:29: error: Object 'net-err' has address or netmask 0.0.0.0, which is equivalent to 'any'. This is likely an error.
$IPTABLES -N RULE_29
$IPTABLES -A INPUT -s 1.2.3.0/0 -j RULE_29
# firewall2:Policy:29: error: Object 'net-err' has address or netmask 0.0.0.0, which is equivalent to 'any'. This is likely an error.
$IPTABLES -A OUTPUT -s 1.2.3.0/0 -j RULE_29
# firewall2:Policy:29: error: Object 'net-err' has address or netmask 0.0.0.0, which is equivalent to 'any'. This is likely an error.
$IPTABLES -A FORWARD -s 1.2.3.0/0 -j RULE_29
$IPTABLES -A RULE_29 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 29 - DENY **" --ulog-qthreshold 1
$IPTABLES -A RULE_29 -j DROP
@ -1470,7 +1482,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:37 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:32 2011 by vadim"
check_tools
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:40 2011 PST by vadim
# Generated Sun Feb 20 20:58:35 2011 PST by vadim
#
# files: * firewall20-ipv6.fw /etc/fw/firewall20-ipv6.fw
#
@ -456,7 +456,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:40 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:35 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:38 2011 PST by vadim
# Generated Sun Feb 20 20:58:32 2011 PST by vadim
#
# files: * firewall20.fw /etc/fw/firewall20.fw
#
@ -674,7 +674,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:38 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:32 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:44 2011 PST by vadim
# Generated Sun Feb 20 20:58:39 2011 PST by vadim
#
# files: * firewall21-1.fw /etc/fw/firewall21-1.fw
#
@ -470,7 +470,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:44 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:39 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:41 2011 PST by vadim
# Generated Sun Feb 20 20:58:36 2011 PST by vadim
#
# files: * firewall21.fw /etc/fw/firewall21.fw
#
@ -469,7 +469,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:41 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:36 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:47 2011 PST by vadim
# Generated Sun Feb 20 20:58:42 2011 PST by vadim
#
# files: * firewall22.fw /etc/fw/firewall22.fw
#
@ -390,7 +390,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:47 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:42 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:54 2011 PST by vadim
# Generated Sun Feb 20 20:58:48 2011 PST by vadim
#
# files: * firewall23-1.fw /etc/fw/firewall23-1.fw
#
@ -564,7 +564,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:54 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:48 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:51 2011 PST by vadim
# Generated Sun Feb 20 20:58:45 2011 PST by vadim
#
# files: * firewall23.fw /etc/fw/firewall23.fw
#
@ -476,7 +476,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:51 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:45 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:04:56 2011 PST by vadim
# Generated Sun Feb 20 20:58:50 2011 PST by vadim
#
# files: * firewall24.fw /etc/fw/firewall24.fw
#
@ -493,7 +493,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:04:56 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:50 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:00 2011 PST by vadim
# Generated Sun Feb 20 20:58:55 2011 PST by vadim
#
# files: * firewall25.fw /etc/fw/firewall25.fw
#
@ -551,8 +551,12 @@ script_body() {
# Rule policy_2_mangle 1 (global)
# SF bug report 3034628
# "iptables does not allow target REJECT in mangle table"
# firewall25:policy_2_mangle:1: error: Action Reject is not allowed in mangle table
echo ":policy_2_mangle_1 - [0:0]"
echo "-A policy_2_mangle -p tcp -m tcp --dport 70 -j policy_2_mangle_1 "
# firewall25:policy_2_mangle:1: error: Action Reject is not allowed in mangle table
echo "-A policy_2_mangle_1 -j LOG "
#
# Rule policy_2_mangle 2 (global)
@ -687,7 +691,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:00 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:55 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files
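Review bot: In Rule policy_2_mangle 1 the message `firewall25:policy_2_mangle:1: error: Action Reject is not allowed in mangle table` appears to land in the new output twice, once ahead of the `:policy_2_mangle_1` chain declaration and again ahead of the `-A policy_2_mangle_1 -j LOG` line. The +/- markers are lost on this page, so this is read from the hunk header (-551,8 +551,12), which leaves room for both copies on the new side. That is the duplication on split rules this commit sets out to remove, so it is worth checking whether the printer that emits these `echo` lines still writes the per-rule errors once per generated rule instead of once for the original rule. A single copy directly under the rule's comment block would match the other fixtures in this commit.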


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:03 2011 PST by vadim
# Generated Sun Feb 20 20:58:58 2011 PST by vadim
#
# files: * firewall26.fw /etc/fw/firewall26.fw
#
@ -562,7 +562,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:03 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:58:58 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:06 2011 PST by vadim
# Generated Sun Feb 20 20:59:02 2011 PST by vadim
#
# files: * firewall27.fw /etc/fw/firewall27.fw
#
@ -546,7 +546,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:06 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:02 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:09 2011 PST by vadim
# Generated Sun Feb 20 20:59:05 2011 PST by vadim
#
# files: * firewall28.fw /etc/fw/firewall28.fw
#
@ -319,6 +319,8 @@ script_body() {
#
# this rule should shadow rule #1 because
# it uses IPService object with protocol 0
# firewall28:Policy:0: error: Rule '0 (global)' shadows rule '1 (global)' below it
$IPTABLES -A OUTPUT -p all -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p all -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p all -m state --state NEW -j ACCEPT
@ -407,7 +409,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:09 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:05 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:10 2011 PST by vadim
# Generated Sun Feb 20 20:59:05 2011 PST by vadim
#
# files: * firewall29.fw /etc/fw/firewall29.fw
#
@ -440,7 +440,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:10 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:05 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:13 2011 PST by vadim
# Generated Sun Feb 20 20:59:08 2011 PST by vadim
#
# files: * firewall3.fw /etc/fw/firewall3.fw
#
@ -578,7 +578,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:13 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:08 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:13 2011 PST by vadim
# Generated Sun Feb 20 20:59:09 2011 PST by vadim
#
# files: * firewall30.fw /etc/fw/firewall30.fw
#
@ -375,7 +375,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:13 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:09 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:16 2011 PST by vadim
# Generated Sun Feb 20 20:59:11 2011 PST by vadim
#
# files: * firewall31.fw /etc/fw/firewall31.fw
#
@ -445,7 +445,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:16 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:11 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:17 2011 PST by vadim
# Generated Sun Feb 20 20:59:12 2011 PST by vadim
#
# files: * firewall32.fw /etc/fw/firewall32.fw
#
@ -416,7 +416,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:17 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:12 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:31 2011 PST by vadim
# Generated Sun Feb 20 20:59:27 2011 PST by vadim
#
# files: * firewall33-1.fw /etc/fw/firewall33-1.fw
#
@ -337,6 +337,7 @@ script_body() {
echo "Rule 2 (global)"
#
# firewall33-1:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -A Policy -s 192.0.2.1 -m state --state NEW -j ACCEPT
#
# Rule 3 (global)
@ -372,9 +373,10 @@ script_body() {
#
echo "Rule 6 (global)"
#
# firewall33-1:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -N Cid43867C3018346.0
$IPTABLES -A Policy -m state --state NEW -j Cid43867C3018346.0
# firewall33-1:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -A Cid43867C3018346.0 -d 192.0.2.1 -j RETURN
$IPTABLES -A Cid43867C3018346.0 -j ACCEPT
#
@ -445,6 +447,7 @@ script_body() {
echo "Rule 12 (global)"
#
# firewall33-1:Policy:12: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -A Policy -d 192.0.2.1 -m state --state NEW -j ACCEPT
$IPTABLES -A Policy -d 207.251.84.150 -m state --state NEW -j ACCEPT
#
@ -522,7 +525,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:31 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:27 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:31 2011 PST by vadim
# Generated Sun Feb 20 20:59:26 2011 PST by vadim
#
# files: * firewall33.fw /etc/fw/firewall33.fw
#
@ -373,8 +373,8 @@ script_body() {
echo "Rule 2 (global)"
#
# firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -A INPUT -s 192.0.2.1 -m state --state NEW -j ACCEPT
# firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -A FORWARD -s 192.0.2.1 -m state --state NEW -j ACCEPT
#
# Rule 3 (global)
@ -415,11 +415,12 @@ script_body() {
#
echo "Rule 6 (global)"
#
# firewall33:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -N Cid43867C3018346.0
$IPTABLES -A OUTPUT -m state --state NEW -j Cid43867C3018346.0
$IPTABLES -A INPUT -m state --state NEW -j Cid43867C3018346.0
$IPTABLES -A FORWARD -m state --state NEW -j Cid43867C3018346.0
# firewall33:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -A Cid43867C3018346.0 -d 192.0.2.1 -j RETURN
$IPTABLES -A Cid43867C3018346.0 -j ACCEPT
#
@ -500,9 +501,9 @@ script_body() {
echo "Rule 12 (global)"
#
# firewall33:Policy:12: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -A OUTPUT -d 192.0.2.1 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -d 207.251.84.150 -m state --state NEW -j ACCEPT
# firewall33:Policy:12: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -A FORWARD -d 192.0.2.1 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -d 207.251.84.150 -m state --state NEW -j ACCEPT
#
@ -571,7 +572,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:31 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:26 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:35 2011 PST by vadim
# Generated Sun Feb 20 20:59:30 2011 PST by vadim
#
# files: * firewall34.fw /etc/fw/firewall34.fw
#
@ -648,7 +648,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:35 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:30 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:35 2011 PST by vadim
# Generated Sun Feb 20 20:59:30 2011 PST by vadim
#
# files: * firewall35.fw /etc/fw/firewall35.fw
#
@ -540,7 +540,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:35 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:30 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:39 2011 PST by vadim
# Generated Sun Feb 20 20:59:34 2011 PST by vadim
#
# files: * firewall36-1.fw /etc/firewall36-1.fw
#
@ -433,7 +433,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:39 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:34 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:41 2011 PST by vadim
# Generated Sun Feb 20 20:59:36 2011 PST by vadim
#
# files: * firewall36-2.fw /etc/firewall36-2.fw
#
@ -433,7 +433,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:41 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:36 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:38 2011 PST by vadim
# Generated Sun Feb 20 20:59:33 2011 PST by vadim
#
# files: * firewall36.fw /etc/firewall36.fw
#
@ -535,7 +535,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:38 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:33 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:45 2011 PST by vadim
# Generated Sun Feb 20 20:59:40 2011 PST by vadim
#
# files: * firewall37-1.fw /etc/fw/firewall37-1.fw
#
@ -769,7 +769,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:45 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:40 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:54 2011 PST by vadim
# Generated Sun Feb 20 20:59:49 2011 PST by vadim
#
# files: * firewall37.fw /etc/fw/firewall37.fw
#
@ -851,8 +851,8 @@ script_body() {
echo "Rule mangle_rules 4 (global)"
#
# firewall37:mangle_rules:4: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -t mangle -A INPUT -s 192.0.2.1 -m mark --mark 1 -m state --state NEW -j ACCEPT
# firewall37:mangle_rules:4: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -t mangle -A PREROUTING -s 192.0.2.1 -m mark --mark 1 -m state --state NEW -j ACCEPT
#
# Rule mangle_rules 5 (global)
@ -914,9 +914,10 @@ script_body() {
#
echo "Rule mangle_rules 13 (global)"
#
# firewall37:mangle_rules:13: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -N Cid480281X13558.0 -t mangle
$IPTABLES -t mangle -A PREROUTING -i + -m mark --mark 1 -m state --state NEW -j Cid480281X13558.0
# firewall37:mangle_rules:13: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -t mangle -A Cid480281X13558.0 -s 192.0.2.1 -j RETURN
$IPTABLES -t mangle -A Cid480281X13558.0 -j ACCEPT
#
@ -1049,7 +1050,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:54 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:49 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:47 2011 PST by vadim
# Generated Sun Feb 20 20:59:43 2011 PST by vadim
#
# files: * firewall38.fw /etc/fw/firewall38.fw
#
@ -498,7 +498,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:47 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:43 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:55 2011 PST by vadim
# Generated Sun Feb 20 20:59:50 2011 PST by vadim
#
# files: * firewall39.fw /etc/fw/firewall39.fw
#
@ -631,7 +631,6 @@ script_body() {
#
echo "Rule rule6_branch 0 (global)"
#
# firewall39:rule6_branch:0: warning: Rule branches to rule set Policy which branches back to it, creating a loop
$IPTABLES -N rule6_branch
$IPTABLES -N Policy
$IPTABLES -A rule6_branch -j Policy
@ -809,11 +808,8 @@ script_body() {
echo "Rule 14 (global)"
#
# testing loop in branching rules
# firewall39:Policy:14: warning: Rule branches to rule set rule6_branch which branches back to it, creating a loop
$IPTABLES -A INPUT -s 192.168.1.0/24 -j rule6_branch
# firewall39:Policy:14: warning: Rule branches to rule set rule6_branch which branches back to it, creating a loop
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -j rule6_branch
# firewall39:Policy:14: warning: Rule branches to rule set rule6_branch which branches back to it, creating a loop
$IPTABLES -A FORWARD -s 192.168.1.0/24 -j rule6_branch
#
# Rule 15 (global)
@ -899,7 +895,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:55 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:50 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files
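Review bot: The loop warning seems to vanish from this expected output altogether instead of being reduced to one copy per rule. The +/- markers are lost on this page, but the hunk headers (-631,7 +631,6 and -809,11 +808,8) account for exactly the one warning under `Rule rule6_branch 0` and the three under `Rule 14`, with no replacement line on the new side. An operator reading the deployed script would then have no indication that `rule6_branch` and `Policy` jump to each other. If the warning is still raised at compile time, the generated script should keep one copy per rule, e.g. `# firewall39:Policy:14: warning: Rule branches to rule set rule6_branch which branches back to it, creating a loop` ahead of the first `-j rule6_branch` command; if it is now attached to a rule object that the printer never sees, that looks like a regression to confirm before accepting this fixture.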


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:57 2011 PST by vadim
# Generated Sun Feb 20 20:59:52 2011 PST by vadim
#
# files: * firewall4.fw /etc/fw/firewall4.fw
#
@ -710,7 +710,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:57 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:52 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:01 2011 PST by vadim
# Generated Sun Feb 20 20:59:56 2011 PST by vadim
#
# files: * firewall40-1.fw /etc/firewall40-1.fw
#
@ -450,7 +450,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:01 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:56 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:01 2011 PST by vadim
# Generated Sun Feb 20 20:59:57 2011 PST by vadim
#
# files: * firewall40-2.fw /etc/firewall40-2.fw
#
@ -437,7 +437,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:01 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:57 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:05:58 2011 PST by vadim
# Generated Sun Feb 20 20:59:53 2011 PST by vadim
#
# files: * firewall40.fw /etc/firewall40.fw
#
@ -439,7 +439,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:05:58 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 20:59:53 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:04 2011 PST by vadim
# Generated Sun Feb 20 21:00:00 2011 PST by vadim
#
# files: * firewall41-1.fw /etc/firewall41-1.fw
#
@ -575,7 +575,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:04 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:00 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:09 2011 PST by vadim
# Generated Sun Feb 20 21:00:04 2011 PST by vadim
#
# files: * firewall41.fw /etc/firewall41.fw
#
@ -387,6 +387,8 @@ script_body() {
#
# there should be warning saying the table could not be found
# firewall41:Policy:5: error: File not found for Address Table: missing table (this_table_does_not_exist.tbl) Using dummy address in test mode
# firewall41:Policy:5: error: Rule '5 (global)' shadows rule '6 (global)' below it
$IPTABLES -N RULE_5
$IPTABLES -A OUTPUT -d 192.0.2.0/24 -j RULE_5
$IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY "
@ -397,6 +399,7 @@ script_body() {
echo "Rule 6 (global)"
#
# firewall41:Policy:6: error: DNSName object "does not resolve" (compile time) can not resolve dns name "does_not_resolve.local" (AF_INET): Host or network 'does_not_resolve.local' not found; last error: Unknown error Using dummy address in test mode
$IPTABLES -N RULE_6
$IPTABLES -A OUTPUT -d 192.0.2.1 -j RULE_6
$IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY "
@ -456,7 +459,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:09 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:04 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:10 2011 PST by vadim
# Generated Sun Feb 20 21:00:06 2011 PST by vadim
#
# files: * firewall42.fw /etc/fw/firewall42.fw
#
@ -382,7 +382,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:10 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:06 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:12 2011 PST by vadim
# Generated Sun Feb 20 21:00:07 2011 PST by vadim
#
# files: * firewall5.fw /etc/fw/firewall5.fw
#
@ -622,7 +622,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:12 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:07 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:14 2011 PST by vadim
# Generated Sun Feb 20 21:00:10 2011 PST by vadim
#
# files: * firewall50.fw /etc/fw/firewall50.fw
#
@ -407,7 +407,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:14 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:10 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:18 2011 PST by vadim
# Generated Sun Feb 20 21:00:14 2011 PST by vadim
#
# files: * firewall51.fw /etc/fw/firewall51.fw
#
@ -491,7 +491,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:18 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:14 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:17 2011 PST by vadim
# Generated Sun Feb 20 21:00:13 2011 PST by vadim
#
# files: * firewall6.fw /etc/fw/firewall6.fw
#
@ -513,7 +513,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:17 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:13 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:20 2011 PST by vadim
# Generated Sun Feb 20 21:00:17 2011 PST by vadim
#
# files: * firewall60.fw /etc/firewall60.fw
#
@ -419,7 +419,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:20 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:17 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:22 2011 PST by vadim
# Generated Sun Feb 20 21:00:18 2011 PST by vadim
#
# files: * firewall61-1.2.5.fw /etc/firewall61-1.2.5.fw
#
@ -499,7 +499,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:22 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:18 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:25 2011 PST by vadim
# Generated Sun Feb 20 21:00:21 2011 PST by vadim
#
# files: * firewall61-1.2.6.fw /etc/firewall61-1.2.6.fw
#
@ -505,7 +505,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:25 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:21 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:26 2011 PST by vadim
# Generated Sun Feb 20 21:00:22 2011 PST by vadim
#
# files: * firewall61-1.3.x.fw /etc/firewall61-1.3.x.fw
#
@ -492,7 +492,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:26 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:22 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:29 2011 PST by vadim
# Generated Sun Feb 20 21:00:26 2011 PST by vadim
#
# files: * firewall61-1.4.fw /etc/firewall61-1.4.fw
#
@ -493,7 +493,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:29 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:26 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:29 2011 PST by vadim
# Generated Sun Feb 20 21:00:25 2011 PST by vadim
#
# files: * firewall62.fw /etc/firewall62.fw
#
@ -340,6 +340,8 @@ script_body() {
#
echo "Rule 0 (global)"
#
# firewall62:Policy:0: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT
#
# Rule 1 (global)
@ -353,6 +355,8 @@ script_body() {
#
echo "Rule 2 (global)"
#
# firewall62:Policy:2: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -N Cid484A599620246.0
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid484A599620246.0
$IPTABLES -A Cid484A599620246.0 -s 192.168.1.1 -j ACCEPT
@ -371,18 +375,24 @@ script_body() {
#
echo "Rule 4 (global)"
#
# firewall62:Policy:4: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -A OUTPUT -s 192.168.1.1 -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT
#
# Rule 5 (global)
#
echo "Rule 5 (global)"
#
# firewall62:Policy:5: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT
#
# Rule 6 (global)
#
echo "Rule 6 (global)"
#
# firewall62:Policy:6: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -N Cid4848F1BB20246.0
$IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j Cid4848F1BB20246.0
$IPTABLES -A Cid4848F1BB20246.0 -d 192.168.1.1 -j ACCEPT
@ -392,12 +402,16 @@ script_body() {
#
echo "Rule 8 (global)"
#
# firewall62:Policy:8: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -A OUTPUT -s ! 192.168.1.0/24 -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT
#
# Rule 9 (global)
#
echo "Rule 9 (global)"
#
# firewall62:Policy:9: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT
#
# Rule 10 (global)
@ -405,6 +419,8 @@ script_body() {
echo "Rule 10 (global)"
#
# bug 2186568
# firewall62:Policy:10: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -A OUTPUT -m owner --uid-owner 500 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT
#
@ -413,6 +429,8 @@ script_body() {
echo "Rule 11 (global)"
#
# bug 2186568
# firewall62:Policy:11: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -N Cid55369X1137.0
$IPTABLES -A OUTPUT -m owner --uid-owner 500 -m state --state NEW -j Cid55369X1137.0
$IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j Cid55369X1137.0
@ -424,6 +442,8 @@ script_body() {
echo "Rule 12 (global)"
#
# bug 2186568
# firewall62:Policy:12: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -A OUTPUT -m owner ! --uid-owner 2000 -m state --state NEW -j ACCEPT
#
# Rule 13 (global)
@ -431,6 +451,8 @@ script_body() {
echo "Rule 13 (global)"
#
# bug 2186568
# firewall62:Policy:13: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -N Cid72626X1137.0
$IPTABLES -A OUTPUT -m owner ! --uid-owner 2000 -m state --state NEW -j Cid72626X1137.0
$IPTABLES -A Cid72626X1137.0 -d 192.168.1.1 -j ACCEPT
@ -467,6 +489,8 @@ script_body() {
echo "Rule 16 (global)"
#
# bug 2186568
# firewall62:Policy:16: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -m owner --uid-owner 500 -m state --state NEW -j ACCEPT
#
@ -475,6 +499,8 @@ script_body() {
echo "Rule 17 (global)"
#
# bug 2186568
# firewall62:Policy:17: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -N Cid89930X1137.0
$IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j Cid89930X1137.0
$IPTABLES -A OUTPUT -m owner --uid-owner 500 -m state --state NEW -j Cid89930X1137.0
@ -543,7 +569,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:29 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:25 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:32 2011 PST by vadim
# Generated Sun Feb 20 21:00:29 2011 PST by vadim
#
# files: * firewall63.fw /etc/firewall63.fw
#
@ -389,7 +389,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:32 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:29 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:33 2011 PST by vadim
# Generated Sun Feb 20 21:00:29 2011 PST by vadim
#
# files: * firewall7.fw /etc/fw/firewall7.fw
#
@ -473,7 +473,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:33 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:29 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:37 2011 PST by vadim
# Generated Sun Feb 20 21:00:33 2011 PST by vadim
#
# files: * firewall70.fw iptables.sh
#
@ -332,12 +332,12 @@ script_body() {
echo "Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)"
#
# firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)
# firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)
$IPTABLES -N very_long_ruleset_name_should_be_gt_30_chars
$IPTABLES -N very_long_ruleset_name_should_be_gt_30_chars_0
$IPTABLES -A very_long_ruleset_name_should_be_gt_30_chars -j very_long_ruleset_name_should_be_gt_30_chars_0
# firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)
$IPTABLES -A very_long_ruleset_name_should_be_gt_30_chars_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
# firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)
$IPTABLES -A very_long_ruleset_name_should_be_gt_30_chars_0 -j DROP
# ================ Table 'filter', rule set not_quite_long_ruleset_name
#
@ -345,6 +345,8 @@ script_body() {
#
echo "Rule not_quite_long_ruleset_name 0 (global)"
#
# firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global)
$IPTABLES -N not_quite_long_ruleset_name
$IPTABLES -N Cid208737X59595.0
$IPTABLES -A not_quite_long_ruleset_name -s 22.22.22.0/24 -j Cid208737X59595.0
@ -353,9 +355,7 @@ script_body() {
$IPTABLES -A Cid208737X59595.0 -d 192.168.1.1 -j RETURN
$IPTABLES -N not_quite_long_ruleset_name_0_3
$IPTABLES -A Cid208737X59595.0 -j not_quite_long_ruleset_name_0_3
# firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global)
$IPTABLES -A not_quite_long_ruleset_name_0_3 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
# firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global)
$IPTABLES -A not_quite_long_ruleset_name_0_3 -j DROP
}
@ -412,7 +412,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:37 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:33 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:37 2011 PST by vadim
# Generated Sun Feb 20 21:00:34 2011 PST by vadim
#
# files: * firewall71.fw /etc/fw/firewall71.fw
#
@ -428,7 +428,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:37 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:34 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:40 2011 PST by vadim
# Generated Sun Feb 20 21:00:37 2011 PST by vadim
#
# files: * firewall72-1.3.x.fw /etc/fw/firewall72-1.3.x.fw
#
@ -457,6 +457,9 @@ script_body() {
echo "Rule 10 (eth1)"
#
# Should use ! -i eth1 eventually
# firewall72-1.3.x:Policy:10: error: Rule '10 (eth1)' shadows rule '13 (eth1)' below it
# firewall72-1.3.x:Policy:10: error: Rule '10 (eth1)' shadows rule '14 (eth1)' below it
$IPTABLES -A FORWARD -i ! eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP
#
# Rule 11 (eth1)
@ -499,6 +502,8 @@ script_body() {
#
echo "Rule 15 (global)"
#
# firewall72-1.3.x:Policy:15: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -A OUTPUT -d 172.16.1.1 -m owner ! --uid-owner 500 -j DROP
}
@ -555,7 +560,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:40 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:37 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:41 2011 PST by vadim
# Generated Sun Feb 20 21:00:37 2011 PST by vadim
#
# files: * firewall72-1.4.3.fw /etc/fw/firewall72-1.4.3.fw
#
@ -457,6 +457,9 @@ script_body() {
echo "Rule 10 (eth1)"
#
# Should use ! -i eth1 eventually
# firewall72-1.4.3:Policy:10: error: Rule '10 (eth1)' shadows rule '13 (eth1)' below it
# firewall72-1.4.3:Policy:10: error: Rule '10 (eth1)' shadows rule '14 (eth1)' below it
$IPTABLES -A FORWARD ! -i eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP
#
# Rule 11 (eth1)
@ -499,6 +502,8 @@ script_body() {
#
echo "Rule 15 (global)"
#
# firewall72-1.4.3:Policy:15: warning: Iptables does not support module 'owner' in a chain other than OUTPUT
$IPTABLES -A OUTPUT -d 172.16.1.1 -m owner ! --uid-owner 500 -j DROP
}
@ -555,7 +560,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:41 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:37 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:43 2011 PST by vadim
# Generated Sun Feb 20 21:00:40 2011 PST by vadim
#
# files: * firewall73.fw /etc/fw/firewall73.fw
#
@ -523,7 +523,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:43 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:40 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:44 2011 PST by vadim
# Generated Sun Feb 20 21:00:41 2011 PST by vadim
#
# files: * firewall74.fw /etc/fw/firewall74.fw
#
@ -375,7 +375,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:44 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:41 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:47 2011 PST by vadim
# Generated Sun Feb 20 21:00:44 2011 PST by vadim
#
# files: * firewall8.fw /etc/fw/firewall8.fw
#
@ -358,7 +358,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:47 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:44 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:48 2011 PST by vadim
# Generated Sun Feb 20 21:00:44 2011 PST by vadim
#
# files: * firewall80.fw /etc/fw/firewall80.fw
#
@ -317,8 +317,8 @@ script_body() {
#
# Branch rule with actual translation. Translation is ignored and warning should be issued
# firewall80:NAT:0: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch'
$IPTABLES -t nat -A POSTROUTING -d 192.0.2.1 -j NAT_1_POSTROUTING
# firewall80:NAT:0: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch'
$IPTABLES -t nat -A PREROUTING -d 192.0.2.1 -j NAT_1_PREROUTING
#
# Rule 1 (NAT)
@ -399,7 +399,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:48 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:44 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:51 2011 PST by vadim
# Generated Sun Feb 20 21:00:48 2011 PST by vadim
#
# files: * firewall81.fw /etc/fw/firewall81.fw
#
@ -302,9 +302,10 @@ script_body() {
# Branch rule with actual translation.
# Translation is ignored and warning should be issued
# firewall81:NAT_2:0: warning: NAT branching rule does not have information about targets used in the branch ruleset to choose proper chain in the nat table. Will split the rule and place it in both PREROUTNING and POSTROUTING
# firewall81:NAT_2:0: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch'
$IPTABLES -t nat -N NAT_1
$IPTABLES -t nat -A POSTROUTING -d 192.0.2.1 -j NAT_1
# firewall81:NAT_2:0: warning: NAT branching rule does not have information about targets used in the branch ruleset to choose proper chain in the nat table. Will split the rule and place it in both PREROUTNING and POSTROUTING
$IPTABLES -t nat -A PREROUTING -d 192.0.2.1 -j NAT_1
#
# Rule NAT_2 1 (NAT)
@ -313,8 +314,8 @@ script_body() {
#
# DNAT Rule
# firewall81:NAT_2:1: warning: NAT branching rule does not have information about targets used in the branch ruleset to choose proper chain in the nat table. Will split the rule and place it in both PREROUTNING and POSTROUTING
$IPTABLES -t nat -A POSTROUTING -j NAT_1
# firewall81:NAT_2:1: warning: NAT branching rule does not have information about targets used in the branch ruleset to choose proper chain in the nat table. Will split the rule and place it in both PREROUTNING and POSTROUTING
$IPTABLES -t nat -A PREROUTING -j NAT_1
# ================ Table 'nat', rule set NAT_1
@ -419,7 +420,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:51 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:48 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files
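Review bot: The warning text pinned in both `script_body()` hunks of this file spells the chain name as `PREROUTNING` (`... place it in both PREROUTNING and POSTROUTING`). Someone searching a generated script or a compiler log for `PREROUTING` will not find this warning. The string itself is defined in the compiler source outside this page, so correcting it there also means regenerating this expected-output file.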

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:52 2011 PST by vadim
# Generated Sun Feb 20 21:00:49 2011 PST by vadim
#
# files: * firewall82.fw /etc/firewall82.fw
#
@ -353,11 +353,8 @@ script_body() {
#
echo "Rule 0 (global)"
#
# firewall82:Policy:0: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop
$IPTABLES -A OUTPUT -j Policy_A
# firewall82:Policy:0: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop
$IPTABLES -A INPUT -j Policy_A
# firewall82:Policy:0: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop
$IPTABLES -A FORWARD -j Policy_A
}
@ -414,7 +411,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:52 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:49 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:55 2011 PST by vadim
# Generated Sun Feb 20 21:00:52 2011 PST by vadim
#
# files: * firewall82_A.fw /etc/fw/firewall82_A.fw
#
@ -334,22 +334,16 @@ script_body() {
echo "Rule Policy_A 1 (global)"
#
# recursive branching
# firewall82_A:Policy_A:1: warning: Rule branches to rule set Policy which branches back to it, creating a loop
$IPTABLES -A OUTPUT -j Policy
# firewall82_A:Policy_A:1: warning: Rule branches to rule set Policy which branches back to it, creating a loop
$IPTABLES -A INPUT -j Policy
# firewall82_A:Policy_A:1: warning: Rule branches to rule set Policy which branches back to it, creating a loop
$IPTABLES -A FORWARD -j Policy
#
# Rule Policy_A 2 (global)
#
echo "Rule Policy_A 2 (global)"
#
# firewall82_A:Policy_A:2: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop
$IPTABLES -A OUTPUT -j Policy_A
# firewall82_A:Policy_A:2: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop
$IPTABLES -A INPUT -j Policy_A
# firewall82_A:Policy_A:2: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop
$IPTABLES -A FORWARD -j Policy_A
}
@ -406,7 +400,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:55 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:52 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:55 2011 PST by vadim
# Generated Sun Feb 20 21:00:52 2011 PST by vadim
#
# files: * firewall82_B.fw /etc/fw/firewall82_B.fw
#
@ -363,7 +363,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:55 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:52 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:58 2011 PST by vadim
# Generated Sun Feb 20 21:00:56 2011 PST by vadim
#
# files: * firewall9.fw /etc/fw/firewall9.fw
#
@ -317,18 +317,14 @@ script_body() {
echo "Rule 1 (global)"
#
# firewall9:Policy:1: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -N Cid3D4DF36C.0
$IPTABLES -A OUTPUT -p udp -m udp --dport 53 -j Cid3D4DF36C.0
# firewall9:Policy:1: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -N RULE_1
$IPTABLES -A Cid3D4DF36C.0 -d 22.22.22.22 -j RULE_1
# firewall9:Policy:1: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A Cid3D4DF36C.0 -d 192.168.1.1 -j RULE_1
# firewall9:Policy:1: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A INPUT -p udp -m udp --dport 53 -j RULE_1
# firewall9:Policy:1: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A RULE_1 -j LOG --log-level debug --log-prefix "RULE 1 -- REJECT global"
# firewall9:Policy:1: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A RULE_1 -j REJECT --reject-with icmp-net-unreachable
#
# Rule 2 (global)
@ -336,22 +332,16 @@ script_body() {
echo "Rule 2 (global)"
#
# firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -N Cid3D4DF376.0
$IPTABLES -A OUTPUT -p icmp -j Cid3D4DF376.0
# firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A OUTPUT -p 50 -j Cid3D4DF376.0
# firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -N RULE_2
$IPTABLES -A Cid3D4DF376.0 -d 22.22.22.22 -j RULE_2
# firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A Cid3D4DF376.0 -d 192.168.1.1 -j RULE_2
# firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A INPUT -p icmp -j RULE_2
# firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A INPUT -p 50 -j RULE_2
# firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A RULE_2 -j LOG --log-level debug --log-prefix "RULE 2 -- REJECT global"
# firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A RULE_2 -j REJECT --reject-with icmp-net-unreachable
#
# Rule 3 (global)
@ -421,11 +411,10 @@ script_body() {
echo "Rule 6 (global)"
#
# firewall9:Policy:6: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -N Cid3D4DF39E.0
$IPTABLES -A OUTPUT -d 22.22.22.22 -j Cid3D4DF39E.0
# firewall9:Policy:6: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A OUTPUT -d 192.168.1.1 -j Cid3D4DF39E.0
# firewall9:Policy:6: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A INPUT -j Cid3D4DF39E.0
$IPTABLES -A Cid3D4DF39E.0 -p tcp -m tcp --dport 10000:11000 -j RETURN
$IPTABLES -A Cid3D4DF39E.0 -p tcp -m tcp --dport 113 -j RETURN
@ -437,11 +426,10 @@ script_body() {
echo "Rule 7 (global)"
#
# firewall9:Policy:7: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -N Cid3D4DF3A8.0
$IPTABLES -A OUTPUT -d 22.22.22.22 -j Cid3D4DF3A8.0
# firewall9:Policy:7: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A OUTPUT -d 192.168.1.1 -j Cid3D4DF3A8.0
# firewall9:Policy:7: warning: Rule action 'Reject' with TCP RST can be used only with TCP services.
$IPTABLES -A INPUT -j Cid3D4DF3A8.0
$IPTABLES -A Cid3D4DF3A8.0 -p tcp -m tcp --dport 10000:11000 -j RETURN
$IPTABLES -A Cid3D4DF3A8.0 -p tcp -m tcp --dport 113 -j RETURN
@ -633,7 +621,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:58 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:56 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:58 2011 PST by vadim
# Generated Sun Feb 20 21:00:56 2011 PST by vadim
#
# files: * firewall90.fw /etc/fw/firewall90.fw
#
@ -383,7 +383,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:06:58 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:56 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:07:02 2011 PST by vadim
# Generated Sun Feb 20 21:00:59 2011 PST by vadim
#
# files: * firewall91.fw /etc/fw/firewall91.fw
#
@ -383,7 +383,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:07:02 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:59 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:07:03 2011 PST by vadim
# Generated Sun Feb 20 21:01:00 2011 PST by vadim
#
# files: * firewall92.fw /etc/fw/firewall92.fw
#
@ -419,7 +419,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:07:03 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:01:00 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:07:06 2011 PST by vadim
# Generated Sun Feb 20 21:01:03 2011 PST by vadim
#
# files: * firewall93.fw /etc/fw/firewall93.fw
#
@ -458,7 +458,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:07:06 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:01:03 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:38 2011 PST by vadim
# Generated Sun Feb 20 21:02:37 2011 PST by vadim
#
# files: * fw-A.fw /sw/FWbuilder/fw-A.fw
#
@ -611,6 +611,8 @@ script_body() {
#
#
# fw-A:Routing:0: error: Object "gw_200" used as gateway in the routing rule 0 (main) is not in the same local network as interface eth3
fw-A:Routing:0: error: Object "gw_200" used as gateway in the routing rule 0 (main) is not reachable because it is not in any local network of the firewall
$IP route add default via 200.200.200.200 dev eth3 \
|| route_command_error "0 (main)"
@ -722,7 +724,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:38 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:37 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files
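Review bot: The second routing error in this file's `script_body()` hunk has no comment prefix: the line starting `fw-A:Routing:0: error: Object "gw_200" used as gateway` and ending `is not reachable because it is not in any local network of the firewall` sits bare, directly above `$IP route add default via 200.200.200.200 dev eth3`. The shell would try to run it as a command when the script is activated. The first message for the same rule does carry `# `, which suggests the prefix is applied once per rule rather than once per message line. The `+`/`-` column is lost on this page, so it is unclear whether the line is new or carried over, but it appears to be part of the regenerated output. Every line returned for a rule should get the prefix, so that this line begins `# fw-A:Routing:0: error:`.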

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:35 2011 PST by vadim
# Generated Sun Feb 20 21:02:33 2011 PST by vadim
#
# files: * fw1.fw /etc/fw1.fw
#
@ -405,6 +405,12 @@ script_body() {
#
echo "Rule 1 (global)"
#
# fw1:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it
# fw1:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it
# fw1:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it
# fw1:Policy:1: error: Rule '1 (global)' shadows rule '5 (global)' below it
# fw1:Policy:1: error: Rule '1 (global)' shadows rule '6 (global)' below it
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -j ACCEPT
@ -519,7 +525,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:35 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:33 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:06:07 2011 PST by vadim
# Generated Sun Feb 20 21:00:03 2011 PST by vadim
#
# files: * fwbuilder.fw /etc/init.d/fwbuilder.fw
#
@ -483,7 +483,7 @@ status_action() {
}
start() {
log "Activating firewall script generated Sun Feb 20 20:06:07 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:00:03 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:51 2011 PST by vadim
# Generated Sun Feb 20 21:02:49 2011 PST by vadim
#
# files: * heartbeat_cluster_1_d_linux-1-d.fw firewall.sh
#
@ -489,6 +489,8 @@ script_body() {
#
echo "Rule 7 (global)"
#
# heartbeat_cluster_1_d:Policy:7: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-2-d' because its address in unknown.
for i_eth0 in $i_eth0_list
do
test -n "$i_eth0" && $IPTABLES -A OUTPUT -p tcp -m tcp -s $i_eth0 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT
@ -720,7 +722,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:51 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:49 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:51 2011 PST by vadim
# Generated Sun Feb 20 21:02:50 2011 PST by vadim
#
# files: * heartbeat_cluster_1_d_linux-2-d.fw firewall.sh
#
@ -356,6 +356,7 @@ script_body() {
echo "Rule 4 (NAT)"
#
# heartbeat_cluster_1_d:NAT:4: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-1-d' because its address in unknown.
$IPTABLES -t nat -A PREROUTING -d -j DNAT --to-destination 192.168.1.100
@ -492,6 +493,8 @@ script_body() {
#
echo "Rule 7 (global)"
#
# heartbeat_cluster_1_d:Policy:7: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-1-d' because its address in unknown.
for i_eth0 in $i_eth0_list
do
test -n "$i_eth0" && $IPTABLES -A OUTPUT -p tcp -m tcp -s $i_eth0 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT
@ -723,7 +726,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:51 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:50 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files
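Review bot: The expected output for NAT rule 4 still contains `$IPTABLES -t nat -A PREROUTING -d -j DNAT --to-destination 192.168.1.100`, a `-d` with no address, directly under the error saying the rule cannot be built for dynamic interface 'eth0'. iptables would most likely reject that line, so the DNAT rule would be missing at run time with only a comment recording why. If this fixture comes from a test mode that deliberately continues past errors, a comment at the top of the rule saying so would help; otherwise the compiler should not emit the command for a rule it has flagged as an error. The message also reads `its address in unknown`, presumably meant as `is unknown`; that string is defined outside this page.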

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:50 2011 PST by vadim
# Generated Sun Feb 20 21:02:48 2011 PST by vadim
#
# files: * heartbeat_cluster_1_linux-1.fw /etc/heartbeat_cluster_1_linux-1.fw
#
@ -843,7 +843,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:50 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:48 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:50 2011 PST by vadim
# Generated Sun Feb 20 21:02:49 2011 PST by vadim
#
# files: * heartbeat_cluster_1_linux-2.fw /etc/heartbeat_cluster_1_linux-2.fw
#
@ -741,7 +741,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:50 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:49 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:52 2011 PST by vadim
# Generated Sun Feb 20 21:02:50 2011 PST by vadim
#
# files: * heartbeat_cluster_2_linux-1.fw /etc/heartbeat_cluster_2_linux-1.fw
#
@ -707,7 +707,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:52 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:50 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:52 2011 PST by vadim
# Generated Sun Feb 20 21:02:51 2011 PST by vadim
#
# files: * heartbeat_cluster_2_linux-2.fw /etc/heartbeat_cluster_2_linux-2.fw
#
@ -620,7 +620,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:52 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:51 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:38 2011 PST by vadim
# Generated Sun Feb 20 21:02:37 2011 PST by vadim
#
# files: * host.fw /etc/fw/host.fw
#
@ -422,7 +422,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:38 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:37 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:53 2011 PST by vadim
# Generated Sun Feb 20 21:02:51 2011 PST by vadim
#
# files: * openais_cluster_1_linux-1.fw /etc/openais_cluster_1_linux-1.fw
#
@ -707,7 +707,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:53 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:51 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:53 2011 PST by vadim
# Generated Sun Feb 20 21:02:52 2011 PST by vadim
#
# files: * openais_cluster_1_linux-2.fw /etc/openais_cluster_1_linux-2.fw
#
@ -611,7 +611,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:53 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:52 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:42 2011 PST by vadim
# Generated Sun Feb 20 21:02:40 2011 PST by vadim
#
# files: * rc.firewall.local /etc/rc.d//rc.firewall.local
#

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:42 2011 PST by vadim
# Generated Sun Feb 20 21:02:40 2011 PST by vadim
#
# files: * rh90.fw /etc/rh90.fw
#
@ -421,7 +421,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:42 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:40 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:53 2011 PST by vadim
# Generated Sun Feb 20 21:02:51 2011 PST by vadim
#
# files: * secuwall_cluster_1_secuwall-1.fw /etc/secuwall_cluster_1_secuwall-1.fw
#
@ -405,7 +405,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:53 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:51 2011 by vadim"
log "Database was cluster-tests.fwb"
check_tools
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:53 2011 PST by vadim
# Generated Sun Feb 20 21:02:52 2011 PST by vadim
#
# files: * server-cluster-1_server-1.fw /etc/fw/server-cluster-1_server-1.fw
#
@ -341,6 +341,8 @@ script_body() {
echo "Rule 0 (global)"
#
# test for ticket #1338
# server-cluster-1:Policy:0: error: Rule '0 (global)' shadows rule '1 (global)' below it
$IPTABLES -A INPUT -s 192.168.1.1 -j DROP
$IPTABLES -A INPUT -s 192.168.1.100 -j DROP
}
@ -398,7 +400,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:53 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:52 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:54 2011 PST by vadim
# Generated Sun Feb 20 21:02:52 2011 PST by vadim
#
# files: * server-cluster-1_server-2.fw /etc/fw/server-cluster-1_server-2.fw
#
@ -397,7 +397,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:54 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:52 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:46 2011 PST by vadim
# Generated Sun Feb 20 21:02:44 2011 PST by vadim
#
# files: * test-shadowing-1.fw /etc/test-shadowing-1.fw
#
@ -324,6 +324,8 @@ script_body() {
echo "Rule 0 (eth0)"
#
# shades rule below
# test-shadowing-1:Policy:0: error: Rule '0 (eth0)' shadows rule '1 (eth0)' below it
$IPTABLES -A OUTPUT -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
#
@ -342,6 +344,8 @@ script_body() {
#
# firewall is part
# of any for this rule
# test-shadowing-1:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
@ -361,6 +365,8 @@ script_body() {
#
echo "Rule 4 (global)"
#
# test-shadowing-1:Policy:4: error: Rule '4 (global)' shadows rule '5 (global)' below it
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
@ -377,6 +383,8 @@ script_body() {
#
echo "Rule 6 (global)"
#
# test-shadowing-1:Policy:6: error: Rule '6 (global)' shadows rule '7 (global)' below it
$IPTABLES -A INPUT -p udp -m udp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m udp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp -m udp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
@ -395,6 +403,8 @@ script_body() {
#
# this rule should shadow rule below it because
# it uses IPService object with protocol 0
# test-shadowing-1:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it
$IPTABLES -A INPUT -p all -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p all -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p all -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
@ -461,7 +471,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:46 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:44 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:49 2011 PST by vadim
# Generated Sun Feb 20 21:02:47 2011 PST by vadim
#
# files: * test-shadowing-2.fw /etc/test-shadowing-2.fw
#
@ -322,6 +322,8 @@ script_body() {
echo "Rule 0 (eth0)"
#
# shades rule below
# test-shadowing-2:Policy:0: error: Rule '0 (eth0)' shadows rule '1 (eth0)' below it
$IPTABLES -A FORWARD -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
#
# Rule 1 (eth0)
@ -336,6 +338,8 @@ script_body() {
#
# firewall is part
# of any for this rule
# test-shadowing-2:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
@ -352,6 +356,8 @@ script_body() {
#
# this rule should shadow rule below it because
# it uses IPService object with protocol 0
# test-shadowing-2:Policy:4: error: Rule '4 (global)' shadows rule '5 (global)' below it
$IPTABLES -A FORWARD -p all -m state --state NEW -j ACCEPT
#
# Rule 5 (global)
@ -423,7 +429,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:49 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:47 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:52 2011 PST by vadim
# Generated Sun Feb 20 21:02:51 2011 PST by vadim
#
# files: * test-shadowing-3.fw /etc/test-shadowing-3.fw
#
@ -350,6 +350,8 @@ script_body() {
echo "Rule Policy_3 0 (eth0)"
#
# 50/sec
# test-shadowing-3:Policy_3:0: error: Rule 'Policy_3 0 (eth0)' shadows rule 'Policy_3 1 (eth0)' below it
$IPTABLES -N Policy_3
$IPTABLES -A Policy_3 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 50/second --hashlimit-mode srcip --hashlimit-name test -j ACCEPT
#
@ -396,6 +398,8 @@ script_body() {
echo "Rule Policy_5 0 (eth0)"
#
# 50/sec
# test-shadowing-3:Policy_5:0: error: Rule 'Policy_5 0 (eth0)' shadows rule 'Policy_5 1 (eth0)' below it
$IPTABLES -N Policy_5
$IPTABLES -A Policy_5 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 50/second --hashlimit-mode srcip --hashlimit-name test -j ACCEPT
#
@ -474,7 +478,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:52 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:51 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:47 2011 PST by vadim
# Generated Sun Feb 20 21:02:45 2011 PST by vadim
#
# files: * test_fw.fw /etc/test_fw.fw
#
@ -570,7 +570,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:47 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:45 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:54 2011 PST by vadim
# Generated Sun Feb 20 21:02:52 2011 PST by vadim
#
# files: * vrrp_cluster_1_linux-1.fw /etc/vrrp_cluster_1_linux-1.fw
#
@ -710,7 +710,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:54 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:52 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:54 2011 PST by vadim
# Generated Sun Feb 20 21:02:52 2011 PST by vadim
#
# files: * vrrp_cluster_1_linux-2.fw /etc/vrrp_cluster_1_linux-2.fw
#
@ -615,7 +615,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:54 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:52 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:54 2011 PST by vadim
# Generated Sun Feb 20 21:02:53 2011 PST by vadim
#
# files: * vrrp_cluster_2_linux-1.fw /etc/vrrp_cluster_2_linux-1.fw
#
@ -642,7 +642,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:54 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:53 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:55 2011 PST by vadim
# Generated Sun Feb 20 21:02:53 2011 PST by vadim
#
# files: * vrrp_cluster_2_linux-2.fw /etc/vrrp_cluster_2_linux-2.fw
#
@ -547,7 +547,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:55 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:53 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_ipt v4.2.0.3483
#
# Generated Sun Feb 20 20:08:55 2011 PST by vadim
# Generated Sun Feb 20 21:02:53 2011 PST by vadim
#
# files: * vrrp_cluster_2_linux-3.fw /etc/vrrp_cluster_2_linux-3.fw
#
@ -523,7 +523,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Sun Feb 20 20:08:55 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:02:53 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_pf v4.2.0.3483
#
# Generated Sun Feb 20 20:10:18 2011 PST by vadim
# Generated Sun Feb 20 21:16:40 2011 PST by vadim
#
# files: * firewall-base-rulesets.fw /etc/fw/firewall-base-rulesets.fw
# files: firewall-base-rulesets.conf /etc/fw/firewall-base-rulesets.conf
@ -163,7 +163,7 @@ configure_interfaces() {
update_addresses_of_interface "en2 192.168.100.1/0xffffff00" ""
}
log "Activating firewall script generated Sun Feb 20 20:10:18 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:16:40 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -32,13 +32,25 @@ pass quick on lo inet6 from any to any keep state label "RULE 0 -- ACCEPT "
pass quick inet6 proto tcp from fe80::/64 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 1 -- ACCEPT "
#
# Rule 2 (global)
# firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it
# firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it
# firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it
# firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '7 (global)' below it
pass quick inet6 proto tcp from 2001:5c0:0:2::24 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 2 -- ACCEPT "
#
# Rule 3 (global)
# firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it
# firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it
# firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '6 (global)' below it
# firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '7 (global)' below it
# firewall-ipv6-1:Policy:3: warning: Changing rule direction due to self reference
pass in log quick inet6 proto tcp from 3ffe:1200:2001:1:8000::1 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 3 -- ACCEPT "
#
# Rule 4 (global)
# firewall-ipv6-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it
pass log quick inet6 proto tcp from <tbl.r4.s> to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 4 -- ACCEPT "
#
# Rule 5 (global)
@ -46,10 +58,12 @@ pass log quick inet6 proto tcp from <tbl.r5.s> to fe80::21d:9ff:fe8b:8e94 po
#
# Rule 6 (global)
# firewall-ipv6-1:Policy:6: warning: Changing rule direction due to self reference
pass in log quick inet6 proto tcp from <tbl.r4.s> to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 6 -- ACCEPT "
#
# Rule 7 (global)
# firewall-ipv6-1:Policy:7: warning: Changing rule direction due to self reference
pass in log quick inet6 proto tcp from <tbl.r5.s> to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 7 -- ACCEPT "
#
# Rule 8 (global)
@ -59,6 +73,8 @@ pass in log quick inet6 from any to fe80::21d:9ff:fe8b:8e94 keep state lab
pass log quick inet6 from fe80::/64 to any keep state label "RULE 9 -- ACCEPT "
#
# Rule 10 (global)
# firewall-ipv6-1:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it
pass log quick inet6 from <tbl.r4.s> to any keep state label "RULE 10 -- ACCEPT "
#
# Rule 11 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_pf v4.2.0.3483
#
# Generated Sun Feb 20 20:10:18 2011 PST by vadim
# Generated Sun Feb 20 21:16:40 2011 PST by vadim
#
# files: * firewall-ipv6-1.fw pf-ipv6.fw
# files: firewall-ipv6-1.conf /etc/fw/pf-ipv6.conf
@ -175,7 +175,7 @@ configure_interfaces() {
update_addresses_of_interface "lo ::1/128 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Sun Feb 20 20:10:18 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:16:40 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -21,10 +21,13 @@ pass quick on lo inet from any to any keep state label "RULE 0 -- ACCEPT "
pass log quick inet proto tcp from <tbl.r4.s> to 1.1.1.1 port 22 keep state label "RULE 4 -- ACCEPT "
#
# Rule 5 (global)
# firewall-ipv6-2:Policy:5: error: Rule '5 (global)' shadows rule '7 (global)' below it
pass log quick inet proto tcp from <tbl.r5.s> to 1.1.1.1 port 22 keep state label "RULE 5 -- ACCEPT "
#
# Rule 7 (global)
# firewall-ipv6-2:Policy:7: warning: Changing rule direction due to self reference
pass in log quick inet proto tcp from <tbl.r7.s> to 1.1.1.1 port 22 keep state label "RULE 7 -- ACCEPT "
#
# Rule 8 (global)
@ -66,13 +69,25 @@ pass quick on lo inet6 from any to any keep state label "RULE 0 -- ACCEPT "
pass quick inet6 proto tcp from fe80::/64 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 1 -- ACCEPT "
#
# Rule 2 (global)
# firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it
# firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it
# firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it
# firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '7 (global)' below it
pass quick inet6 proto tcp from 2001:5c0:0:2::24 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 2 -- ACCEPT "
#
# Rule 3 (global)
# firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it
# firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it
# firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '6 (global)' below it
# firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '7 (global)' below it
# firewall-ipv6-2:Policy:3: warning: Changing rule direction due to self reference
pass in log quick inet6 proto tcp from 3ffe:1200:2001:1:8000::1 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 3 -- ACCEPT "
#
# Rule 4 (global)
# firewall-ipv6-2:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it
pass log quick inet6 proto tcp from <tbl.r4.sx> to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 4 -- ACCEPT "
#
# Rule 5 (global)
@ -80,10 +95,12 @@ pass log quick inet6 proto tcp from <tbl.r5.sx> to fe80::21d:9ff:fe8b:8e94 p
#
# Rule 6 (global)
# firewall-ipv6-2:Policy:6: warning: Changing rule direction due to self reference
pass in log quick inet6 proto tcp from <tbl.r4.sx> to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 6 -- ACCEPT "
#
# Rule 7 (global)
# firewall-ipv6-2:Policy:7: warning: Changing rule direction due to self reference
pass in log quick inet6 proto tcp from <tbl.r5.sx> to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 7 -- ACCEPT "
#
# Rule 8 (global)
@ -93,6 +110,8 @@ pass in log quick inet6 from any to fe80::21d:9ff:fe8b:8e94 keep state lab
pass log quick inet6 from fe80::/64 to any keep state label "RULE 9 -- ACCEPT "
#
# Rule 10 (global)
# firewall-ipv6-2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it
pass log quick inet6 from <tbl.r4.sx> to any keep state label "RULE 10 -- ACCEPT "
#
# Rule 11 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_pf v4.2.0.3483
#
# Generated Sun Feb 20 20:10:19 2011 PST by vadim
# Generated Sun Feb 20 21:16:42 2011 PST by vadim
#
# files: * firewall-ipv6-2.fw pf.fw
# files: firewall-ipv6-2.conf pf.conf
@ -179,7 +179,7 @@ configure_interfaces() {
update_addresses_of_interface "lo ::1/128 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Sun Feb 20 20:10:19 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:16:42 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -3,7 +3,7 @@
#
# Firewall Builder fwb_pf v4.2.0.3483
#
# Generated Sun Feb 20 20:10:19 2011 PST by vadim
# Generated Sun Feb 20 21:16:42 2011 PST by vadim
#
# files: * firewall-ipv6-3.fw /etc/firewall-ipv6-3.fw
# files: firewall-ipv6-3.conf /etc/firewall-ipv6-3.conf


@ -67,6 +67,7 @@ block in log quick on eth1 inet from 192.168.1.0/24 to any label "RULE 2 -
# Rule 3 (eth0)
# комментарий по-русски, Проверяем конвертацию в Utf-8
# firewall:Policy:3: warning: Changing rule direction due to self reference
pass in quick on eth0 inet proto udp from 192.168.1.0/24 to <tbl.r2> port 53 keep state label "RULE 3 - ACCEPT"
#
# Rule 4 (eth0)
@ -105,7 +106,9 @@ pass quick inet from any to 192.168.1.10 keep state label "RULE 16 - ACCEPT"
#
# Rule 18 (global)
# Automatically generated 'masquerading' rule
# firewall:Policy:18: error: Rule '18 (global)' shadows rule '21 (global)' below it
# firewall:Policy:18: warning: Changing rule direction due to self reference
pass out quick inet from <tbl.r2> to any keep state label "RULE 18 - ACCEPT"
pass quick inet from 192.168.1.0/24 to any keep state label "RULE 18 - ACCEPT"
#
@ -117,6 +120,9 @@ pass quick inet proto {tcp udp icmp gre} from any to any keep state label
# Rule 20 (global)
# bug #2791950 "no way to generate "pass out" rule with no interface"
# Interface field should be "any", direction "outbound"
# firewall:Policy:20: error: Rule '20 (global)' shadows rule '22 (global)' below it
# firewall:Policy:20: error: Rule '20 (global)' shadows rule '23 (global)' below it
pass out quick inet from any to any keep state label "RULE 20 - ACCEPT"
#
# Rule 21 (global)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_pf v4.2.0.3483
#
# Generated Sun Feb 20 20:09:41 2011 PST by vadim
# Generated Sun Feb 20 21:16:04 2011 PST by vadim
#
# files: * firewall.fw /etc/pf.fw
# files: firewall.conf /etc/pf.conf
@ -167,7 +167,7 @@ configure_interfaces() {
update_addresses_of_interface "lo 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Sun Feb 20 20:09:41 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:16:04 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -142,6 +142,7 @@ block log quick inet proto icmp from ! <tbl.r11> to any icmp-type 3
# Rule 10 (global)
# this rule is shaded by rule above.
# firewall1:Policy:10: warning: Changing rule direction due to self reference
block in log quick inet proto icmp from ! <tbl.r11> to <tbl.r9> icmp-type 3
#
# Rule 11 (global)
@ -165,6 +166,7 @@ pass quick inet from 192.168.1.0/24 to any keep state
#
# Rule 18 (global)
# firewall1:Policy:18: warning: Changing rule direction due to self reference
pass in quick inet proto tcp from any to <tbl.r9> port 3128 keep state
#
# Rule 19 (eth0)


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_pf v4.2.0.3483
#
# Generated Sun Feb 20 20:09:41 2011 PST by vadim
# Generated Sun Feb 20 21:16:05 2011 PST by vadim
#
# files: * firewall1.fw /etc/fw/firewall1.fw
# files: firewall1.conf /etc/fw/firewall1.conf
@ -76,7 +76,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 20:09:41 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:16:05 2011 by vadim"
set_kernel_vars
configure_interfaces


@ -4,7 +4,7 @@
#
# Firewall Builder fwb_pf v4.2.0.3483
#
# Generated Sun Feb 20 20:09:43 2011 PST by vadim
# Generated Sun Feb 20 21:16:06 2011 PST by vadim
#
# files: * firewall10-1.fw /etc/fw/firewall10-1.fw
# files: firewall10-1.conf /etc/fw/firewall10-1.conf
@ -74,7 +74,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Sun Feb 20 20:09:43 2011 by vadim"
log "Activating firewall script generated Sun Feb 20 21:16:06 2011 by vadim"
set_kernel_vars
configure_interfaces
