Avoid Shorewall/Shorewall-lite compatibility issues in the future

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4533 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/compiler

@@ -4633,8 +4633,9 @@ SHAREDIR=/usr/share/shorewall-lite
 CONFDIR=/etc/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 
-. \${SHAREDIR}/functions
 __EOF__
+
+	cat ${SHAREDIR}/lib.base >&3
     else
 	cat >&3 << __EOF__
 SHAREDIR=/usr/share/shorewall
@@ -4771,15 +4772,6 @@ __EOF__
 
     if [ -n "$EXPORT" ]; then
 	cat >&3 << __EOF__
-    if [ ! -f \${SHAREDIR}/version ]; then
-	fatal_error "This script requires Shorewall Lite which do not appear to be installed on this system"
-    fi
-
-    local version=\$(cat \${SHAREDIR}/version)
-
-    if [ \${LIBVERSION:-0} -lt 30200 ]; then
-	fatal_error "This script requires Shorewall Lite version 3.2.3 or later; current version is \$version"
-    fi
     #
     # These variables are required by the library functions called in this script
     #

Shorewall/lib.base

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Shorewall 3.2 -- /usr/share/shorewall/lib.common
+# Shorewall 3.2 -- /usr/share/shorewall/lib.base
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
@@ -79,6 +79,22 @@ split() {
     IFS=$ifs
 }
 
+#
+# Search a list looking for a match -- returns zero if a match found
+# 1 otherwise
+#
+list_search() # $1 = element to search for , $2-$n = list
+{
+    local e=$1
+
+    while [ $# -gt 1 ]; do
+	shift
+	[ "x$e" = "x$1" ] && return 0
+    done
+
+    return 1
+}
+
 #
 # Suppress all output for a command
 #
@@ -806,6 +822,31 @@ find_file()
     esac
 }
 
+#
+# Get fully-qualified name of file
+#
+resolve_file() # $1 = file name
+{
+    local pwd=$PWD
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	./*)
+	    echo ${pwd}${1#.}
+	    ;;
+	../*)
+	    cd ..
+	    resolve_file ${1#../}
+	    cd $pwd
+	    ;;
+	*)
+	    echo $pwd/$1
+	    ;;
+    esac
+}
+
 #
 # Set the Shorewall state
 #
@@ -1194,439 +1235,17 @@ delete_tc1()
 }
 
 #
-# Determine the value for a parameter that defaults to Yes
+# Detect a device's MTU
 #
-added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
+get_device_mtu() # $1 = device
 {
-    local val="$2"
+    local output="$(ip link ls dev $1 2> /dev/null)" # quotes required for /bin/ash
 
-    if [ -z "$val" ]; then
+    if [ -n "$output" ]; then
-	echo "Yes"
+	echo $(find_mtu $output)
-    else case $val in
-	[Yy][Ee][Ss])
-	    echo "Yes"
-	    ;;
-	[Nn][Oo])
-	    echo ""
-	    ;;
-	*)
-	    startup_error "Invalid value ($val) for $1"
-	    ;;
-	esac
-    fi
-}
-
-#
-# Determine the value for a parameter that defaults to No
-#
-added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
-{
-    local val="$2"
-
-    if [ -z "$val" ]; then
-	echo ""
-    else case $val in
-	[Yy][Ee][Ss])
-	    echo "Yes"
-	    ;;
-	[Nn][Oo])
-	    echo ""
-	    ;;
-	*)
-	    startup_error "Invalid value ($val) for $1"
-	    ;;
-	esac
-    fi
-}
-
-#
-# Initialize this program
-#
-do_initialize() {
-
-    # Run all utility programs using the C locale
-    #
-    # Thanks to Vincent Planchenault for this tip #
-
-    export LC_ALL=C
-
-    # Make sure umask is sane
-    umask 077
-
-    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
-    #
-    # Establish termination function
-    #
-    TERMINATOR=fatal_error
-    #
-    # Clear all configuration variables
-    #
-    VERSION=
-    IPTABLES=
-    FW=
-    SUBSYSLOCK=
-    ALLOWRELATED=Yes
-    LOGRATE=
-    LOGBURST=
-    ADD_IP_ALIASES=
-    ADD_SNAT_ALIASES=
-    TC_ENABLED=
-    BLACKLIST_DISPOSITION=
-    BLACKLIST_LOGLEVEL=
-    CLAMPMSS=
-    ROUTE_FILTER=
-    LOG_MARTIANS=
-    DETECT_DNAT_IPADDRS=
-    MUTEX_TIMEOUT=
-    FORWARDPING=
-    MACLIST_DISPOSITION=
-    MACLIST_LOG_LEVEL=
-    TCP_FLAGS_DISPOSITION=
-    TCP_FLAGS_LOG_LEVEL=
-    RFC1918_LOG_LEVEL=
-    MARK_IN_FORWARD_CHAIN=
-    VERSION_FILE=
-    LOGFORMAT=
-    LOGRULENUMBERS=
-    ADMINISABSENTMINDED=
-    BLACKLISTNEWONLY=
-    MODULE_SUFFIX=
-    ACTIONS=
-    USEDACTIONS=
-    SMURF_LOG_LEVEL=
-    DISABLE_IPV6=
-    BRIDGING=
-    DYNAMIC_ZONES=
-    PKTTYPE=
-    USEPKTYPE=
-    RETAIN_ALIASES=
-    DELAYBLACKLISTLOAD=
-    LOGTAGONLY=
-    LOGALLNEW=
-    RFC1918_STRICT=
-    MACLIST_TTL=
-    SAVE_IPSETS=
-    RESTOREFILE=
-    MAPOLDACTIONS=
-    IMPLICIT_CONTINUE=
-    HIGH_ROUTE_MARKS=
-    TC_EXPERT=
-    MODULESDIR=
-    IPSECFILE=
-    IP_FORWARDING=
-    CLEAR_TC=
-    MACLIST_TABLE=
-    FASTACCEPT=
-    USE_ACTIONS=
-    DROP_DEFAULT=
-    REJECT_DEFAULT=
-    ACCEPT_DEFAULT=
-    QUEUE_DEFAULT=
-
-    LOGLIMIT=
-    LOGPARMS=
-    OUTPUT=
-    TMP_DIR=
-    ALL_INTERFACES=
-    ROUTEMARK_INTERFACES=
-    IPSECMARK=256
-    PROVIDERS=
-    CRITICALHOSTS=
-    EXCLUSION_SEQ=1
-    STOPPING=
-    HAVE_MUTEX=
-    ALIASES_TO_ADD=
-    SECTION=ESTABLISHED
-    SECTIONS=
-    ALL_PORTS=
-    DEFAULT_MACROS=
-
-    TMP_DIR=$(mktempdir)
-
-    [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \
-       fatal_error "Can't create a temporary directory"
-
-    case $PROGRAM in
-	compiler)
-	    trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9
-	    ;;
-	firewall)
-	    trap "[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE;rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
-	    ;;
-    esac
-
-    ensure_config_path
-
-    VERSION_FILE=$SHAREDIR/version
-
-    [ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE)
-
-    run_user_exit params
-
-    config=$(find_file shorewall.conf)
-
-    if [ -f $config ]; then
-	if [ -r $config ]; then
-	    progress_message "Processing $config..."
-	    . $config
     else
-	    fatal_error "Cannot read $config (Hint: Are you root?)"
+	echo 1500
     fi
-    else
-	fatal_error "$config does not exist!"
-    fi
-
-    #
-    # Restore CONFIG_PATH if the shorewall.conf file cleared it
-    #
-    ensure_config_path
-    #
-    # Determine the capabilities of the installed iptables/netfilter
-    # We load the kernel modules here to accurately determine
-    # capabilities when module autoloading isn't enabled.
-    #
-    PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    if [ -z "$EXPORT" -a "$(whoami)" = root ]; then
-
-	load_kernel_modules
-
-	if [ -z "$IPTABLES" ]; then
-	    IPTABLES=$(mywhich iptables 2> /dev/null)
-
-	    [ -z "$IPTABLES" ] && fatal_error "Can't find iptables executable"
-	else
-	    [ -e "$IPTABLES" ] || fatal_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
-	fi
-	determine_capabilities
-
-    else
-	f=$(find_file capabilities)
-
-	[ -f $f ] && . $f || fatal_error "The -e flag requires a capabilities file"
-    fi
-
-    ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
-    [ -n "$ALLOWRELATED" ] || \
-	fatal_error "ALLOWRELATED=No is not supported"
-    ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
-
-    if [ -n "${LOGRATE}${LOGBURST}" ]; then
-	LOGLIMIT="--match limit"
-	[ -n "$LOGRATE" ]  && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
-	[ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
-    fi
-
-    if [ -n "$IP_FORWARDING" ]; then
-	case "$IP_FORWARDING" in
-	[Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp])
-	    ;;
-	*)
-	    fatal_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
-	    ;;
-	esac
-    else
-	IP_FORWARDING=On
-    fi
-
-   [ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
-
-    case "$CLAMPMSS" in
-	[0-9]*)
-	    ;;
-	*)
-	    CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
-	    ;;
-    esac
-
-    ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
-    ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
-    LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
-    DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
-    FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
-    [ -n "$FORWARDPING" ] && \
-	fatal_error "FORWARDPING=Yes is no longer supported"
-
-    maclist_target=reject
-
-    if [ -n "$MACLIST_DISPOSITION" ] ; then
-	case $MACLIST_DISPOSITION in
-	    REJECT)
-		;;
-	    DROP)
-		maclist_target=DROP
-		;;
-	    ACCEPT)
-		maclist_target=RETURN
-		;;
-	    *)
-		fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
-		;;
-	esac
-    else
-	MACLIST_DISPOSITION=REJECT
-    fi
-
-    if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
-	case $TCP_FLAGS_DISPOSITION in
-	    REJECT|ACCEPT|DROP)
-		;;
-	    *)
-		fatal_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
-		;;
-	esac
-    else
-	TCP_FLAGS_DISPOSITION=DROP
-    fi
-
-    [ -n "${RFC1918_LOG_LEVEL:=info}" ]
-
-    MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
-    [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
-    CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
-
-    if [ -n "$LOGFORMAT" ]; then
-	if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
-	    LOGRULENUMBERS=Yes
-	    temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null)
-	    if [ $? -ne 0 ]; then
-		fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
-	    fi
-	else
-	    temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null)
-	    if [ $? -ne 0 ]; then
-		fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
-	    fi
-	fi
-
-	[ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
-    else
-	LOGFORMAT="Shorewall:%s:%s:"
-    fi
-
-    ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
-    BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
-    DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
-    BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
-
-    DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
-    if [ -n "$DYNAMIC_ZONES" ]; then
-	[ -n "$EXPORT" ] && fatal_error "DYNAMIC_ZONES=Yes is incompatible with the -e option"
-	lib_avail dynamiczones || error_message "WARNING: DYNAMIC_ZONES=Yes requires the Shorewall dynamiczones library (${SHAREDIR}/lib.dynamiczones) which is not installed"
-    fi
-
-    STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
-    RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
-    [ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
-    DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
-    LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
-    RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
-    SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
-    MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
-    FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
-    IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
-    HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
-    TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
-    USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
-    [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
-    
-    [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
-    [ -n "$XMARK" ] || XCONNMARK=
-
-    [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
-
-    case ${IPSECFILE:=ipsec} in
-	ipsec|zones)
-	    ;;
-	*)
-	    fatal_error "Invalid value ($IPSECFILE) for IPSECFILE option"
-	    ;;
-    esac
-
-    case ${MACLIST_TABLE:=filter} in
-	filter)
-	    ;;
-	mangle)
-	    [ $MACLIST_DISPOSITION = reject ] && fatal_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
-	    ;;	*)
-	    fatal_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
-	    ;;
-    esac
-
-   TC_SCRIPT=
-
-   if [ -n "$TC_ENABLED" ] ; then
-	case "$TC_ENABLED" in
-	    [Yy][Ee][Ss])
-		TC_ENABLED=
-		TC_SCRIPT=$(find_file tcstart)
-		[ -f $TC_SCRIPT ] || fatal_error "Unable to find tcstart file"
-		;;
-	    [Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll])
-		TC_ENABLED=Yes
-		;;
-	    [Nn][Oo])
-		TC_ENABLED=
-		;;
-	esac
-    else
-	TC_ENABLED=Yes
-    fi
-
-    if [ -n "$TC_ENABLED" ];then
-	[ -n "$MANGLE_ENABLED" ] || fatal_error "Traffic Shaping requires mangle support in your kernel and iptables"
-    fi
-
-    [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
-    [ -n "${RESTOREFILE:=restore}" ]
-
-    case "${DROP_DEFAULT:=Drop}" in
-	None)
-	    DROP_DEFAULT=none
-	    ;;
-    esac
-
-    case "${REJECT_DEFAULT:=Reject}" in
-	None)
-	    REJECT_DEFAULT=none
-	    ;;
-    esac
-
-    case "${QUEUE_DEFAULT:=none}" in
-	None)
-	    QUEUE_DEFAULT=none
-	    ;;
-    esac
-
-    case "${ACCEPT_DEFAULT:=none}" in
-	None)
-	    ACCEPT_DEFAULT=none
-	    ;;
-    esac
-
-    #
-    # Strip the files that we use often
-    #
-    strip_file interfaces
-    strip_file hosts
-    #
-    # Check out the user's shell
-    #
-    [ -n "${SHOREWALL_SHELL:=/bin/sh}" ]
-
-    temp=$(decodeaddr 192.168.1.1)
-    if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
-	fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
-    fi
-
-    if [ -z "$KLUDGEFREE" ]; then
-	rm -f $TMP_DIR/physdev
-	rm -f $TMP_DIR/iprange
-    fi
-
-    qt mywhich awk && HAVEAWK=Yes || HAVEAWK=
 }
 
 SHOREWALL_LIBRARY=Loaded

Shorewall/lib.common

@@ -134,22 +134,6 @@ truncate() # $1 = length
     cut -b -${1}
 }
 
-#
-# Search a list looking for a match -- returns zero if a match found
-# 1 otherwise
-#
-list_search() # $1 = element to search for , $2-$n = list
-{
-    local e=$1
-
-    while [ $# -gt 1 ]; do
-	shift
-	[ "x$e" = "x$1" ] && return 0
-    done
-
-    return 1
-}
-
 #
 # Return a space separated list of values matching
 #
@@ -227,31 +211,6 @@ fix_bang()
     echo $result
 }
 
-#
-# Get fully-qualified name of file
-#
-resolve_file() # $1 = file name
-{
-    local pwd=$PWD
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	./*)
-	    echo ${pwd}${1#.}
-	    ;;
-	../*)
-	    cd ..
-	    resolve_file ${1#../}
-	    cd $pwd
-	    ;;
-	*)
-	    echo $pwd/$1
-	    ;;
-    esac
-}
-
 #
 # This function assumes that the TMP_DIR variable is set and that
 # its value names an existing directory.
@@ -1614,15 +1573,437 @@ verify_mark() # $1 = value to test
 }
 
 #
-# Detect a device's MTU
+# Determine the value for a parameter that defaults to Yes
 #
-get_device_mtu() # $1 = device
+added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
 {
-    local output="$(ip link ls dev $1 2> /dev/null)" # quotes required for /bin/ash
+    local val="$2"
 
-    if [ -n "$output" ]; then
+    if [ -z "$val" ]; then
-	echo $(find_mtu $output)
+	echo "Yes"
-    else
+    else case $val in
-	echo 1500
+	[Yy][Ee][Ss])
+	    echo "Yes"
+	    ;;
+	[Nn][Oo])
+	    echo ""
+	    ;;
+	*)
+	    startup_error "Invalid value ($val) for $1"
+	    ;;
+	esac
     fi
 }
+
+#
+# Determine the value for a parameter that defaults to No
+#
+added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
+{
+    local val="$2"
+
+    if [ -z "$val" ]; then
+	echo ""
+    else case $val in
+	[Yy][Ee][Ss])
+	    echo "Yes"
+	    ;;
+	[Nn][Oo])
+	    echo ""
+	    ;;
+	*)
+	    startup_error "Invalid value ($val) for $1"
+	    ;;
+	esac
+    fi
+}
+
+#
+# Initialize this program
+#
+do_initialize() {
+
+    # Run all utility programs using the C locale
+    #
+    # Thanks to Vincent Planchenault for this tip #
+
+    export LC_ALL=C
+
+    # Make sure umask is sane
+    umask 077
+
+    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+    #
+    # Establish termination function
+    #
+    TERMINATOR=fatal_error
+    #
+    # Clear all configuration variables
+    #
+    VERSION=
+    IPTABLES=
+    FW=
+    SUBSYSLOCK=
+    ALLOWRELATED=Yes
+    LOGRATE=
+    LOGBURST=
+    ADD_IP_ALIASES=
+    ADD_SNAT_ALIASES=
+    TC_ENABLED=
+    BLACKLIST_DISPOSITION=
+    BLACKLIST_LOGLEVEL=
+    CLAMPMSS=
+    ROUTE_FILTER=
+    LOG_MARTIANS=
+    DETECT_DNAT_IPADDRS=
+    MUTEX_TIMEOUT=
+    FORWARDPING=
+    MACLIST_DISPOSITION=
+    MACLIST_LOG_LEVEL=
+    TCP_FLAGS_DISPOSITION=
+    TCP_FLAGS_LOG_LEVEL=
+    RFC1918_LOG_LEVEL=
+    MARK_IN_FORWARD_CHAIN=
+    VERSION_FILE=
+    LOGFORMAT=
+    LOGRULENUMBERS=
+    ADMINISABSENTMINDED=
+    BLACKLISTNEWONLY=
+    MODULE_SUFFIX=
+    ACTIONS=
+    USEDACTIONS=
+    SMURF_LOG_LEVEL=
+    DISABLE_IPV6=
+    BRIDGING=
+    DYNAMIC_ZONES=
+    PKTTYPE=
+    USEPKTYPE=
+    RETAIN_ALIASES=
+    DELAYBLACKLISTLOAD=
+    LOGTAGONLY=
+    LOGALLNEW=
+    RFC1918_STRICT=
+    MACLIST_TTL=
+    SAVE_IPSETS=
+    RESTOREFILE=
+    MAPOLDACTIONS=
+    IMPLICIT_CONTINUE=
+    HIGH_ROUTE_MARKS=
+    TC_EXPERT=
+    MODULESDIR=
+    IPSECFILE=
+    IP_FORWARDING=
+    CLEAR_TC=
+    MACLIST_TABLE=
+    FASTACCEPT=
+    USE_ACTIONS=
+    DROP_DEFAULT=
+    REJECT_DEFAULT=
+    ACCEPT_DEFAULT=
+    QUEUE_DEFAULT=
+
+    LOGLIMIT=
+    LOGPARMS=
+    OUTPUT=
+    TMP_DIR=
+    ALL_INTERFACES=
+    ROUTEMARK_INTERFACES=
+    IPSECMARK=256
+    PROVIDERS=
+    CRITICALHOSTS=
+    EXCLUSION_SEQ=1
+    STOPPING=
+    HAVE_MUTEX=
+    ALIASES_TO_ADD=
+    SECTION=ESTABLISHED
+    SECTIONS=
+    ALL_PORTS=
+    DEFAULT_MACROS=
+
+    TMP_DIR=$(mktempdir)
+
+    [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \
+       fatal_error "Can't create a temporary directory"
+
+    case $PROGRAM in
+	compiler)
+	    trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9
+	    ;;
+	firewall)
+	    trap "[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE;rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
+	    ;;
+    esac
+
+    ensure_config_path
+
+    VERSION_FILE=$SHAREDIR/version
+
+    [ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE)
+
+    run_user_exit params
+
+    config=$(find_file shorewall.conf)
+
+    if [ -f $config ]; then
+	if [ -r $config ]; then
+	    progress_message "Processing $config..."
+	    . $config
+	else
+	    fatal_error "Cannot read $config (Hint: Are you root?)"
+	fi
+    else
+	fatal_error "$config does not exist!"
+    fi
+
+    #
+    # Restore CONFIG_PATH if the shorewall.conf file cleared it
+    #
+    ensure_config_path
+    #
+    # Determine the capabilities of the installed iptables/netfilter
+    # We load the kernel modules here to accurately determine
+    # capabilities when module autoloading isn't enabled.
+    #
+    PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    if [ -z "$EXPORT" -a "$(whoami)" = root ]; then
+
+	load_kernel_modules
+
+	if [ -z "$IPTABLES" ]; then
+	    IPTABLES=$(mywhich iptables 2> /dev/null)
+
+	    [ -z "$IPTABLES" ] && fatal_error "Can't find iptables executable"
+	else
+	    [ -e "$IPTABLES" ] || fatal_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
+	fi
+	determine_capabilities
+
+    else
+	f=$(find_file capabilities)
+
+	[ -f $f ] && . $f || fatal_error "The -e flag requires a capabilities file"
+    fi
+
+    ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
+    [ -n "$ALLOWRELATED" ] || \
+	fatal_error "ALLOWRELATED=No is not supported"
+    ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
+
+    if [ -n "${LOGRATE}${LOGBURST}" ]; then
+	LOGLIMIT="--match limit"
+	[ -n "$LOGRATE" ]  && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
+	[ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
+    fi
+
+    if [ -n "$IP_FORWARDING" ]; then
+	case "$IP_FORWARDING" in
+	[Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp])
+	    ;;
+	*)
+	    fatal_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
+	    ;;
+	esac
+    else
+	IP_FORWARDING=On
+    fi
+
+   [ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
+
+    case "$CLAMPMSS" in
+	[0-9]*)
+	    ;;
+	*)
+	    CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
+	    ;;
+    esac
+
+    ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
+    ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
+    LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
+    DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
+    FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
+    [ -n "$FORWARDPING" ] && \
+	fatal_error "FORWARDPING=Yes is no longer supported"
+
+    maclist_target=reject
+
+    if [ -n "$MACLIST_DISPOSITION" ] ; then
+	case $MACLIST_DISPOSITION in
+	    REJECT)
+		;;
+	    DROP)
+		maclist_target=DROP
+		;;
+	    ACCEPT)
+		maclist_target=RETURN
+		;;
+	    *)
+		fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
+		;;
+	esac
+    else
+	MACLIST_DISPOSITION=REJECT
+    fi
+
+    if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
+	case $TCP_FLAGS_DISPOSITION in
+	    REJECT|ACCEPT|DROP)
+		;;
+	    *)
+		fatal_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
+		;;
+	esac
+    else
+	TCP_FLAGS_DISPOSITION=DROP
+    fi
+
+    [ -n "${RFC1918_LOG_LEVEL:=info}" ]
+
+    MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
+    [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
+    CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
+
+    if [ -n "$LOGFORMAT" ]; then
+	if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
+	    LOGRULENUMBERS=Yes
+	    temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null)
+	    if [ $? -ne 0 ]; then
+		fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
+	    fi
+	else
+	    temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null)
+	    if [ $? -ne 0 ]; then
+		fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
+	    fi
+	fi
+
+	[ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
+    else
+	LOGFORMAT="Shorewall:%s:%s:"
+    fi
+
+    ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
+    BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
+    DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
+    BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
+
+    DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
+    if [ -n "$DYNAMIC_ZONES" ]; then
+	[ -n "$EXPORT" ] && fatal_error "DYNAMIC_ZONES=Yes is incompatible with the -e option"
+	lib_avail dynamiczones || error_message "WARNING: DYNAMIC_ZONES=Yes requires the Shorewall dynamiczones library (${SHAREDIR}/lib.dynamiczones) which is not installed"
+    fi
+
+    STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
+    RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
+    [ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
+    DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
+    LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
+    RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
+    SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
+    MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
+    FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
+    IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
+    HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
+    TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
+    USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
+    [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
+    
+    [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
+    [ -n "$XMARK" ] || XCONNMARK=
+
+    [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
+
+    case ${IPSECFILE:=ipsec} in
+	ipsec|zones)
+	    ;;
+	*)
+	    fatal_error "Invalid value ($IPSECFILE) for IPSECFILE option"
+	    ;;
+    esac
+
+    case ${MACLIST_TABLE:=filter} in
+	filter)
+	    ;;
+	mangle)
+	    [ $MACLIST_DISPOSITION = reject ] && fatal_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
+	    ;;	*)
+	    fatal_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
+	    ;;
+    esac
+
+   TC_SCRIPT=
+
+   if [ -n "$TC_ENABLED" ] ; then
+	case "$TC_ENABLED" in
+	    [Yy][Ee][Ss])
+		TC_ENABLED=
+		TC_SCRIPT=$(find_file tcstart)
+		[ -f $TC_SCRIPT ] || fatal_error "Unable to find tcstart file"
+		;;
+	    [Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll])
+		TC_ENABLED=Yes
+		;;
+	    [Nn][Oo])
+		TC_ENABLED=
+		;;
+	esac
+    else
+	TC_ENABLED=Yes
+    fi
+
+    if [ -n "$TC_ENABLED" ];then
+	[ -n "$MANGLE_ENABLED" ] || fatal_error "Traffic Shaping requires mangle support in your kernel and iptables"
+    fi
+
+    [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
+    [ -n "${RESTOREFILE:=restore}" ]
+
+    case "${DROP_DEFAULT:=Drop}" in
+	None)
+	    DROP_DEFAULT=none
+	    ;;
+    esac
+
+    case "${REJECT_DEFAULT:=Reject}" in
+	None)
+	    REJECT_DEFAULT=none
+	    ;;
+    esac
+
+    case "${QUEUE_DEFAULT:=none}" in
+	None)
+	    QUEUE_DEFAULT=none
+	    ;;
+    esac
+
+    case "${ACCEPT_DEFAULT:=none}" in
+	None)
+	    ACCEPT_DEFAULT=none
+	    ;;
+    esac
+
+    #
+    # Strip the files that we use often
+    #
+    strip_file interfaces
+    strip_file hosts
+    #
+    # Check out the user's shell
+    #
+    [ -n "${SHOREWALL_SHELL:=/bin/sh}" ]
+
+    temp=$(decodeaddr 192.168.1.1)
+    if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
+	fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
+    fi
+
+    if [ -z "$KLUDGEFREE" ]; then
+	rm -f $TMP_DIR/physdev
+	rm -f $TMP_DIR/iprange
+    fi
+
+    qt mywhich awk && HAVEAWK=Yes || HAVEAWK=
+}