shorewall_code/Shorewall/functions

#!/bin/sh
#
# Shorewall 3.0 -- /usr/share/shorewall/functions

#
# Message to stderr
#
error_message() # $* = Error Message
{
   echo "   $@" >&2
}

# Function to truncate a string -- It uses 'cut -b -<n>'
# rather than ${v:first:last} because light-weight shells like ash and
# dash do not support that form of expansion.
#

truncate() # $1 = length
{
    cut -b -${1}
}

#
# Split a colon-separated list into a space-separated list
#
split() {
    local ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
}

#
# Search a list looking for a match -- returns zero if a match found
# 1 otherwise
#
list_search() # $1 = element to search for , $2-$n = list
{
    local e=$1

    while [ $# -gt 1 ]; do
	shift
	[ "x$e" = "x$1" ] && return 0
    done

    return 1
}

#
# Functions to count list elements
# - - - - - - - - - - - - - - - -
# Whitespace-separated list
#
list_count1() {
    echo $#
}
#
# Comma-separated list
#
list_count() {
    list_count1 $(separate_list $1)
}

#
# Conditionally produce message
#
progress_message() # $* = Message
{
    [ $QUIET -lt 1 ] && echo "$@"
}

progress_message2() # $* = Message
{
    [ $QUIET -lt 2 ] && echo "$@"
}

#
# Suppress all output for a command
#
qt()
{
    "$@" >/dev/null 2>&1
}

#
# Determine if Shorewall is "running"
#
shorewall_is_started() {
    qt $IPTABLES -L shorewall -n
}

#
# Perform variable substitution on the passed argument and echo the result
#
expand() # $@ = contents of variable which may be the name of another variable
{
    eval echo \"$@\"
}

#
# Perform variable substitition on the values of the passed list of variables
#
expandv() # $* = list of variable names
{
    local varval

    while [ $# -gt 0 ]; do
	eval varval=\$${1}
	eval $1=\"$varval\"
	shift
    done
}

#
# Replace all leading "!" with "! " in the passed argument list
#

fix_bang() {
    local i;

    for i in $@; do
	case $i in
	    !*)
		echo "! ${i#!}"
		;;
	    *)
		echo $i
		;;
	esac
    done
}

#
# Set default config path
#
ensure_config_path() {
    local F=/usr/share/shorewall/configpath
    if [ -z "$CONFIG_PATH" ]; then
	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
	. $F
    fi
}

#
# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall
#
find_file()
{
    local saveifs= directory

    case $1 in
	/*)
	    echo $1
	    ;;
	*)
	    if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
		echo $SHOREWALL_DIR/$1
	    else
		saveifs=$IFS
		IFS=:
		for directory in $CONFIG_PATH; do
		    if [ -f $directory/$1 ]; then
			echo $directory/$1
			IFS=$saveifs
			return
		    fi
		done

		IFS=$saveifs

		echo /etc/shorewall/$1
	    fi
	    ;;
    esac
}

#
# Get fully-qualified name of file
#
resolve_file() # $1 = file name
{
    local pwd=$PWD

    case $1 in
	/*)
	    echo $1
	    ;;
	./*)
	    echo ${pwd}${1#.}
	    ;;
	../*)
	    cd ..
	    echo ${PWD}${1#..}
	    cd $pwd
	    ;;
	*)
	    echo $pwd/$1
	    ;;
    esac
}

#
# Replace commas with spaces and echo the result
#
separate_list() {
    local list="$@"
    local part
    local newlist
    local firstpart
    local lastpart
    local enclosure

    case "$list" in
	*,|,*|*,,*|*[[:space:]]*)
	    #
	    # There's been whining about us not catching embedded white space in
	    # comma-separated lists. This is an attempt to snag some of the cases.
	    #
	    # The 'TERMINATOR' function will be set by the 'firewall' script to
	    # either 'startup_error' or 'fatal_error' depending on the command and
	    # command phase
	    #
            [ -n "$TERMINATOR" ] && \
		$TERMINATOR "Invalid comma-separated list \"$@\""
            echo "WARNING -- invalid comma-separated list \"$@\"" >&2
	    ;;
	*\[*\]*)
	    #
	    # Where we need to embed comma-separated lists within lists, we enclose them
	    # within square brackets
	    #
	    firstpart=${list%%\[*}
	    lastpart=${list#*\[}
	    enclosure=${lastpart%%\]*}
	    lastpart=${lastpart#*\]}
	    case $lastpart in
		\,*)
		    case $firstpart in
			*\,)
			    echo "$(separate_list ${firstpart%,}) [$enclosure] $(separate_list ${lastpart#,})"
			    ;;
			*)
			    echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
			    ;;
		    esac
		    ;;
		*)
		    case $firstpart in
			*\,)
			    echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)"
			    ;;
			*)
			    echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
			    ;;
		    esac
		    ;;
	    esac
	    return
	    ;;
    esac

    list="$@"
    part="${list%%,*}"
    newlist="$part"

    while [ "x$part" != "x$list" ]; do
	list="${list#*,}";
	part="${list%%,*}";
	newlist="$newlist $part";
    done

    echo "$newlist"
}

#
# Load a Kernel Module
#
loadmodule() # $1 = module name, $2 - * arguments
{
    local modulename=$1
    local modulefile
    local suffix
    moduleloader=modprobe

    if ! qt mywhich modprobe; then
	moduleloader=insmod
    fi

    if [ -z "$(lsmod | grep $modulename)" ]; then
	shift

	for suffix in $MODULE_SUFFIX ; do
	    modulefile=$MODULESDIR/${modulename}.${suffix}

	    if [ -f $modulefile ]; then
		case $moduleloader in
		    insmod)
			insmod $modulefile $*
			;;
		    *)
			modprobe $modulename $*
			;;
		esac

		return
	    fi
	done
    fi
}

#
# Reload the Modules
#
reload_kernel_modules() {

    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter

    while read command; do
	eval $command
    done

}

#
# Load kernel modules required for Shorewall
#
load_kernel_modules()
{
    save_modules_dir=$MODULESDIR

    [ -z "$MODULESDIR" ] && \
	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter

    modules=$(find_file modules)

    if [ -f $modules -a -d $MODULESDIR ]; then
	progress_message "Loading Modules..."
	. $modules
    fi

    MODULESDIR=$save_modules_dir
}

#
# Call this function to assert MUTEX with Shorewall. If you invoke the
# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as
# the first argument. Example "shorewall nolock refresh"
#
# This function uses the lockfile utility from procmail if it exists.
# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
# behavior of lockfile.
#
mutex_on()
{
    local try=0
    local lockf=/var/lib/shorewall/lock

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

    if [ $MUTEX_TIMEOUT -gt 0 ]; then

	[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall

	if qt mywhich lockfile; then
	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
	else
	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
		sleep 1
		try=$((${try} + 1))
	    done

	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
	        # Create the lockfile
		echo $$ > ${lockf}
	    else
		echo "Giving up on lock file ${lockf}" >&2
	    fi
	fi
    fi
}

#
# Call this function to release MUTEX
#
mutex_off()
{
    rm -f /var/lib/shorewall/lock
}

#
# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
#
#     None - No mktemp
#     BSD  - BSD mktemp (Mandrake)
#     STD  - mktemp.org mktemp
#
find_mktemp() {
    local mktemp=`mywhich mktemp 2> /dev/null`

    if [ -n "$mktemp" ]; then
	if qt mktemp -V ; then
	    MKTEMP=STD
	else
	    MKTEMP=BSD
	fi
    else
	MKTEMP=None
    fi
}

#
# create a temporary file. If a directory name is passed, the file will be created in
# that directory. Otherwise, it will be created in a temporary directory.
#
mktempfile() {

    [ -z "$MKTEMP" ] && find_mktemp

    if [ $# -gt 0 ]; then
	case "$MKTEMP" in
	    BSD)
		mktemp $1/shorewall.XXXXXX
		;;
	    STD)
		mktemp -p $1 shorewall.XXXXXX
		;;
	    None)
		> $1/shorewall-$$ && echo $1/shorewall-$$
		;;
	    *)
		echo "   ERROR:Internal error in mktempfile" >&2
		;;
	esac
    else
	case "$MKTEMP" in
	    BSD)
		mktemp /tmp/shorewall.XXXXXX
		;;
	    STD)
		mktemp -t shorewall.XXXXXX
		;;
	    None)
		rm -f /tmp/shorewall-$$
		> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
		;;
	    *)
		echo "   ERROR:Internal error in mktempfile" >&2
		;;
	esac
    fi
}

#
# create a temporary directory
#
mktempdir() {

    [ -z "$MKTEMP" ] && find_mktemp

    case "$MKTEMP" in
	STD)
	    mktemp -td shorewall.XXXXXX
	    ;;
	None|BSD)
	    #
	    # Not all versions of the BSD mktemp support the -d option under Linux
	    #
	    mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
	    ;;
	*)
	    echo "   ERROR:Internal error in mktempdir" >&2
	    ;;
	esac
}

#
# Read a file and handle "INCLUDE" directives
#

read_file() # $1 = file name, $2 = nest count
{
    local first rest

    if [  -f $1 ]; then
	while read first rest; do
	    if [ "x$first"  = "xINCLUDE" ]; then
		if [ $2 -lt 4 ]; then
		    read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
		else
		    echo "   WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
		fi
	    else
		echo "$first $rest"
	    fi
	done < $1
    else
	[ -n "$TERMINATOR" ] && $TERMINATOR "No such file: $1"
	echo "WARNING -- No such file: $1"
    fi
}

#
# Function for including one file into another
#
INCLUDE() {
    . $(find_file $(expand $@))
}

#
# Strip comments and blank lines from a file and place the result in the
# temporary directory
#
strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
{
    local fname

    [ $# = 1 ] && fname=$(find_file $1) || fname=$2

    if [ -f $fname ]; then
	read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
    else
	> $TMP_DIR/$1
    fi
}

#
#  Note: The following set of IP address manipulation functions have anomalous
#        behavior when the shell only supports 32-bit signed arithmatic and
#        the IP address is 128.0.0.0 or 128.0.0.1.
#
#
# So that emacs doesn't get lost, we use $LEFTSHIFT rather than <<
#
LEFTSHIFT='<<'

#
# Convert an IP address in dot quad format to an integer
#
decodeaddr() {
    local x
    local temp=0
    local ifs=$IFS

    IFS=.

    for x in $1; do
	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
    done

    echo $temp

    IFS=$ifs
}

#
# convert an integer to dot quad format
#
encodeaddr() {
    addr=$1
    local x
    local y=$(($addr & 255))

    for x in 1 2 3 ; do
	addr=$(($addr >> 8))
	y=$(($addr & 255)).$y
    done

    echo $y
}

#
# Enumerate the members of an IP range -- When using a shell supporting only
# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
#
# Comes in two flavors:
#
# ip_range() - produces a mimimal list of network/host addresses that spans
#              the range.
#
# ip_range_explicit() - explicitly enumerates the range.
#
ip_range() {
    local first last l x y z vlsm

    case $1 in
	!*)
	    #
	    # Let iptables complain if it's a range
	    #
	    echo $1
	    return
	    ;;
	[0-9]*.*.*.*-*.*.*.*)
            ;;
	*)
	    echo $1
	    return
	    ;;
    esac

    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})

    if [ $first -gt $last ]; then
	fatal_error "Invalid IP address range: $1"
    fi

    l=$(( $last + 1 ))

    while [ $first -le $last ]; do
	vlsm=
	x=31
	y=2
	z=1

	while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do
	    vlsm=/$x
	    x=$(( $x - 1 ))
	    z=$y
	    y=$(( $y * 2 ))
	done

	echo $(encodeaddr $first)$vlsm
	first=$(($first + $z))
    done
}

ip_range_explicit() {
    local first last

    case $1 in
    [0-9]*.*.*.*-*.*.*.*)
	;;
    *)
	echo $1
	return
	;;
    esac

    first=$(decodeaddr ${1%-*})
    last=$(decodeaddr ${1#*-})

    if [ $first -gt $last ]; then
	fatal_error "Invalid IP address range: $1"
    fi

    while [ $first -le $last ]; do
	echo $(encodeaddr $first)
	first=$(($first + 1))
    done
}

#
# Netmask from CIDR
#
ip_netmask() {
    local vlsm=${1#*/}

    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
}

#
# Network address from CIDR
#
ip_network() {
    local decodedaddr=$(decodeaddr ${1%/*})
    local netmask=$(ip_netmask $1)

    echo $(encodeaddr $(($decodedaddr & $netmask)))
}

#
# The following hack is supplied to compensate for the fact that many of
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
#

ip_broadcast() {
    local x=$(( 32 - ${1#*/} ))

    [ $x -eq 0 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
}

#
# Calculate broadcast address from CIDR
#
broadcastaddress() {
    local decodedaddr=$(decodeaddr ${1%/*})
    local netmask=$(ip_netmask $1)
    local broadcast=$(ip_broadcast $1)

    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
}

#
# Test for network membership
#
in_network() # $1 = IP address, $2 = CIDR network
{
    local netmask=$(ip_netmask $2)

    test $(( $(decodeaddr $1) & $netmask)) -eq $(( $(decodeaddr ${2%/*}) & $netmask ))
}

#
# Netmask to VLSM
#
ip_vlsm() {
    local mask=$(decodeaddr $1)
    local vlsm=0
    local x=$(( 128 $LEFTSHIFT 24 )) # 0x80000000

    while [ $(( $x & $mask )) -ne 0 ]; do
	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
	vlsm=$(($vlsm + 1))
    done

    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
	echo "Invalid net mask: $1" >&2
    else
	echo $vlsm
    fi
}


#
# Chain name base for an interface -- replace all periods with underscores in the passed name.
#                                     The result is echoed (less trailing "+").
#
chain_base() #$1 = interface
{
    local c=${1%%+}

    while true; do
	case $c in
	    *.*)
		c="${c%.*}_${c##*.}"
		;;
	    *-*)
		c="${c%-*}_${c##*-}"
		;;
	    *%*)
		c="${c%\%*}_${c##*%}"
		;;
	    *)
		echo ${c:=common}
		return
		;;
	esac
    done
}

#
# Loosly Match the name of an interface
#

if_match() # $1 = Name in interfaces file - may end in "+"
           # $2 = Full interface name - may also end in "+"
{
    local pattern=${1%+}

    case $1 in
	*+)
	    test  "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
	    ;;
	*)
	    test "x$1" = "x$2"
	    ;;
    esac
}

#
# Find the value 'dev' in the passed arguments then echo the next value
#

find_device() {
    while [ $# -gt 1 ]; do
	[ "x$1" = xdev ] && echo $2 && return
	shift
    done
}

#
# Find the value 'via' in the passed arguments then echo the next value
#

find_gateway() {
    while [ $# -gt 1 ]; do
	[ "x$1" = xvia ] && echo $2 && return
	shift
    done
}

#
# Find the value 'peer' in the passed arguments then echo the next value up to
# "/"
#

find_peer() {
    while [ $# -gt 1 ]; do
	[ "x$1" = xpeer ] && echo ${2%/*} && return
	shift
    done
}

#
# Find the interfaces that have a route to the passed address - the default
# route is not used.
#

find_rt_interface() {
    ip route ls | while read addr rest; do
	case $addr in
	    */*)
		in_network ${1%/*} $addr && echo $(find_device $rest)
		;;
	    default)
		;;
	    *)
		if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
		    echo $(find_device $rest)
		fi
		;;
	esac
    done
}

#
# Try to find the gateway through an interface looking for 'nexthop'

find_nexthop() # $1 = interface
{
    echo $(find_gateway `ip route ls | grep "[[:space:]]nexthop.* $1"`)
}

#
# Find the default route's interface
#
find_default_interface() {
    ip route ls | while read first rest; do
	[ "$first" = default ] && echo $(find_device $rest) && return
    done
}

#
# Echo the name of the interface(s) that will be used to send to the
# passed address
#

find_interface_by_address() {
    local dev="$(find_rt_interface $1)"
    local first rest

    [ -z "$dev" ] && dev=$(find_default_interface)

    [ -n "$dev" ] && echo $dev
}

#
# Find the interface with the passed MAC address
#

find_interface_by_mac() {
    local mac=$1 first second rest dev

    ip link ls | while read first second rest; do
	case $first in
	    *:)
                dev=$second
		;;
	    *)
	        if [ "$second" = $mac ]; then
		    echo ${dev%:}
		    return
		fi
	esac
    done
}

#
# Find interface address--returns the first IP address assigned to the passed
# device
#
find_first_interface_address() # $1 = interface
{
    #
    # get the line of output containing the first IP address
    #
    addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
    #
    # If there wasn't one, bail out now
    #
    [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
    #
    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
    # along with everything else on the line
    #
    echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
}

#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
#
find_interface_addresses() # $1 = interface
{
    ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
}

#
#  echo the list of networks routed out of a given interface
#
get_routed_networks() # $1 = interface name
{
    local address
    local rest

    ip route show dev $1 2> /dev/null |
	while read address rest; do
	    if [ "x$address" = xdefault ]; then
		error_message "WARNING: default route ignored on interface $1"
	    else
		[ "$address" = "${address%/*}" ] && address="${address}/32"
		echo $address
	    fi
        done
}

#
# Internal version of 'which'
#
mywhich() {
    local dir

    for dir in $(split $PATH); do
	if [ -x $dir/$1 ]; then
	    echo $dir/$1
	    return 0
	fi
    done

    return 2
}

#
# Set the Shorewall state
#
set_state () # $1 = state
{
    echo "$1 ($(date))" > /var/lib/shorewall/state
}

#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
    qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
    qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=

    CONNTRACK_MATCH=
    MULTIPORT=
    XMULTIPORT=
    POLICY_MATCH=
    PHYSDEV_MATCH=
    IPRANGE_MATCH=
    RECENT_MATCH=
    OWNER_MATCH=
    IPSET_MATCH=
    CONNMARK=
    CONNMARK_MATCH=
    RAW_TABLE=
    IPP2P_MATCH=
    CLASSIFY_TARGET=
    ENHANCED_REJECT=

    qt $IPTABLES -N fooX1234
    qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
    qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT               && MULTIPORT=Yes
    qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT               && XMULTIPORT=Yes
    qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT                   && POLICY_MATCH=Yes
    qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT                     && PHYSDEV_MATCH=Yes
    qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
    qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT                               && RECENT_MATCH=Yes
    qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT                           && OWNER_MATCH=Yes
    qt $IPTABLES -A fooX1234 -m connmark --mark 2  -j ACCEPT                            && CONNMARK_MATCH=Yes
    qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT                          && IPP2P_MATCH=Yes
    qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited               && ENHANCED_REJECT=Yes

    qt $IPTABLES -t mangle -N fooX1234
    qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark                          && CONNMARK=Yes
    qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1                      && CLASSIFY_TARGET=Yes
    qt $IPTABLES -t mangle -F fooX1234
    qt $IPTABLES -t mangle -X fooX1234

    qt $IPTABLES -t raw	   -L -n							&& RAW_TABLE=Yes

    if qt mywhich ipset; then
	qt ipset -X fooX1234 # Just in case something went wrong the last time

	if qt ipset -N fooX1234 iphash ; then
	    if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
		qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
		IPSET_MATCH=Yes
	    fi
	    qt ipset -X fooX1234
	fi
    fi

    qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes

    qt $IPTABLES -F fooX1234
    qt $IPTABLES -X fooX1234
}

report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{
    local setting=

    [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"

    echo "  " $1: $setting
}

report_capabilities() {
    if [ $QUIET -lt 2 ]; then
	echo "Shorewall has detected the following iptables/netfilter capabilities:"
	report_capability "NAT" $NAT_ENABLED
	report_capability "Packet Mangling" $MANGLE_ENABLED
	report_capability "Multi-port Match" $MULTIPORT
	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
	report_capability "Connection Tracking Match" $CONNTRACK_MATCH
	report_capability "Packet Type Match" $USEPKTTYPE
	report_capability "Policy Match" $POLICY_MATCH
	report_capability "Physdev Match" $PHYSDEV_MATCH
	report_capability "IP range Match" $IPRANGE_MATCH
	report_capability "Recent Match" $RECENT_MATCH
	report_capability "Owner Match" $OWNER_MATCH
	report_capability "Ipset Match" $IPSET_MATCH
	report_capability "CONNMARK Target" $CONNMARK
	report_capability "Connmark Match" $CONNMARK_MATCH
	report_capability "Raw Table" $RAW_TABLE
	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
	report_capability "Extended REJECT" $ENHANCED_REJECT
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=

}

# Add IP Aliases
#
add_ip_aliases() # $1 = List of addresses
{
    local addresses external interface inet cidr rest val arping=$(mywhich arping)

    address_details()
    {
	#
	# Folks feel uneasy if they don't see all of the same
	# decoration on these IP addresses that they see when their
	# distro's net config tool adds them. In an attempt to reduce
	# the anxiety level, we have the following code which sets
	# the VLSM and BRD from an existing address in the same networks
	#
	# Get all of the lines that contain inet addresses with broadcast
	#
	ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
	    case $cidr in
		*/*)
		    if in_network $external $cidr; then
			echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
			break
		    fi
		    ;;
	    esac
	done
    }

    do_one()
    {
	val=$(address_details)

	ip addr add ${external}${val} dev $interface $label
	[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
	echo "$external $interface" >> $STATEDIR/nat
	[ -n "$label" ] && label="with $label"
	progress_message "   IP Address $external added to interface $interface $label"
    }

    progress_message "Adding IP Addresses..."

    while [ $# -gt 0 ]; do
	external=$1
	interface=$2
	label=

	if [ "$interface" != "${interface%:*}" ]; then
	    label="${interface#*:}"
	    interface="${interface%:*}"
	    label="label $interface:$label"
	fi

	shift 2

	list_search $external $(find_interface_addresses $interface) || do_one
    done
}

detect_gateway() # $1 = interface
{
    local interface=$1
    #
    # First assume that this is some sort of point-to-point interface
    #
    gateway=$( find_peer $(ip addr ls $interface ) )
    #
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $(ip route ls dev $interface))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
    #
    # Be sure we found one
    #
    [ -n "$gateway" ] && echo $gateway
}

#
# Disable IPV6
#
disable_ipv6() {
    local foo="$(ip -f inet6 addr ls 2> /dev/null)"

    if [ -n "$foo" ]; then
	if qt mywhich ip6tables; then
	    ip6tables -P FORWARD DROP
	    ip6tables -P INPUT DROP
	    ip6tables -P OUTPUT DROP
	    ip6tables -F
	    ip6tables -X
	    ip6tables -A OUTPUT -o lo -j ACCEPT
	    ip6tables -A INPUT -i lo -j ACCEPT
	else
	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
	fi
    fi
}

#
# Add a logging rule.
#
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
{
    local level=$1
    local chain=$2
    local displayChain=$3
    local disposition=$4
    local rulenum=
    local limit="${5:-$LOGLIMIT}"
    local tag=${6:+$6 }
    local command=${7:--A}
    local prefix
    local base=$(chain_base $displayChain)

    shift 7

    if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
	displayChain=$tag
	tag=
    fi

    if [ -n "$LOGRULENUMBERS" ]; then
	eval rulenum=\$${base}_logrules

	rulenum=${rulenum:-1}

	prefix="$(printf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}"

	rulenum=$(($rulenum + 1))
	eval ${base}_logrules=$rulenum
    else
	prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}"
    fi

    if [ ${#prefix} -gt 29 ]; then
	prefix="$(echo $prefix | truncate 29)"
	error_message "WARNING: Log Prefix shortened to \"$prefix\""
    fi

    case $level in
	ULOG)
	    run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
	    ;;
	*)
	    run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
	    ;;
    esac

    if [ $? -ne 0 ] ; then
	[ -z "$STOPPING" ] && { stop_firewall; exit 2; }
    fi
}

log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
{
    local level=$1
    local chain=$2
    local disposition=$3

    shift 3

    log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
}

SHOREWALL_LIBRARY=Loaded