#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
#
#	Options are:
#
#	    -n				  Don't alter Routing
#	    -v and -q			  Standard Shorewall Verbosity control
#           -t                            Timestamp progress messages
#           -p                            Purge conntrack table
#           -r                            Recover from failed start/restart
#           -V <verbosity>                Set verbosity level explicitly
#           -R <restore>                  Overrides RESTOREFILE setting
#
#	Commands are:
#
#	   start			  Starts the firewall
#          refresh                        Refresh the firewall
#	   restart			  Restarts the firewall
#	   reload			  Reload the firewall
#	   clear			  Removes all firewall rules
#	   stop				  Stops the firewall
#	   status			  Displays firewall status
#	   version			  Displays the version of Shorewall that
#	   				  generated this program
#
################################################################################
# Functions imported from /usr/share/shorewall/lib.core
################################################################################
#                     Address family-neutral Functions
################################################################################
#
# Conditionally produce message
#
progress_message() # $* = Message
{
    local timestamp
    timestamp=

    if [ $VERBOSITY -gt 1 ]; then
	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
	echo "${timestamp}$@"
    fi

    if [ $LOG_VERBOSITY -gt 1 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
}

progress_message2() # $* = Message
{
    local timestamp
    timestamp=

    if [ $VERBOSITY -gt 0 ]; then
	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
	echo "${timestamp}$@"
    fi

    if [ $LOG_VERBOSITY -gt 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
}

progress_message3() # $* = Message
{
    local timestamp
    timestamp=

    if [ $VERBOSITY -ge 0 ]; then
	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
	echo "${timestamp}$@"
    fi

    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
}

#
# Set a standard chain's policy
#
setpolicy() # $1 = name of chain, $2 = policy
{
    run_iptables -P $1 $2
}

#
# Generate a list of all network interfaces on the system
#
find_all_interfaces() {
    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
}

#
# Generate a list of all network interfaces on the system that have an ipvX address
#
find_all_interfaces1() {
    ${IP:-ip} -$g_family addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
}

#
# Find the value 'dev' in the passed arguments then echo the next value
#

find_device() {
    while [ $# -gt 1 ]; do
	[ "x$1" = xdev ] && echo $2 && return
	shift
    done
}

#
# Find the value 'via' in the passed arguments then echo the next value
#

find_gateway() {
    while [ $# -gt 1 ]; do
	[ "x$1" = xvia ] && echo $2 && return
	shift
    done
}

#
# Find the value 'mtu' in the passed arguments then echo the next value
#

find_mtu() {
    while [ $# -gt 1 ]; do
	[ "x$1" = xmtu ] && echo $2 && return
	shift
    done
}

#
# Find the value 'peer' in the passed arguments then echo the next value up to
# "/"
#

find_peer() {
    while [ $# -gt 1 ]; do
	[ "x$1" = xpeer ] && echo ${2%/*} && return
	shift
    done
}

#
# Try to find the gateway through an interface looking for 'nexthop'

find_nexthop() # $1 = interface
{
    echo $(find_gateway `$IP -$g_family route list | grep "[[:space:]]nexthop.* $1"`)
}

#
# Find the default route's interface
#
find_default_interface() {
    $IP -$g_family route list | while read first rest; do
	[ "$first" = default ] && echo $(find_device $rest) && return
    done
}

#
# Determine if Interface is up
#
interface_is_up() {
    [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
}

#
#  echo the list of networks routed out of a given interface
#
get_routed_networks() # $1 = interface name, $2-n = Fatal error message
{
    local address
    local rest
    local mask

    [ $g_family -eq 4 ] && mask=32 || mask=128

    $IP -$g_family route show dev $1 2> /dev/null |
	while read address rest; do
	    case "$address" in
		default)
		    if [ $# -gt 1 ]; then
			shift
			fatal_error "$@"
		    else
			echo "WARNING: default route ignored on interface $1" >&2
		    fi
		    ;;
		multicast|broadcast|prohibit|nat|throw|nexthop)
		    ;;
		[2-3]*)
		    [ "$address" = "${address%/*}" ] && address="${address}/${mask}"
		    echo $address
		    ;;
		*)
		    if [ $g_family -eq 4 ]; then
			[ "$address" = "${address%/*}" ] && address="${address}/${mask}"
			echo $address
		    fi
		    ;;
	    esac
        done
}

#
# Clear the current traffic shaping configuration
#

delete_tc1()
{
    clear_one_tc() {
        $TC qdisc del dev $1 root 2> /dev/null
        $TC qdisc del dev $1 ingress 2> /dev/null

    }

    run_tcclear_exit

    run_ip link list | \
    while read inx interface details; do
        case $inx in
            [0-9]*)
                clear_one_tc ${interface%:}
                ;;
            *)
                ;;
        esac
    done
}

#
# Detect a device's MTU -- echos the passed device's MTU
#
get_device_mtu() # $1 = device
{
    local output
    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash

    if [ -n "$output" ]; then
	echo $(find_mtu $output)
    else
	echo 1500
    fi
}

#
# Version of the above that doesn't generate any output for MTU 1500.
# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
#
get_device_mtu1() # $1 = device
{
    local output
    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
    local mtu

    if [ -n "$output" ]; then
	mtu=$(find_mtu $output)
	if [ -n "$mtu" ]; then
	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
	fi
    fi

}

#
# Undo changes to routing
#
undo_routing() {
    local undofiles
    local f

    if [ -z "$g_noroutes"  ]; then
	#
	# Restore rt_tables database
	#
	if [ -f ${VARDIR}/rt_tables ]; then
	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
	    rm -f ${VARDIR}/rt_tables
	fi
	#
	# Restore the rest of the routing table
	#
	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"

	if [ -n "$undofiles" ]; then
	    for f in $undofiles; do
		. $f
	    done

	    rm -f $undofiles

            progress_message "Shorewall-generated routing tables and routing rules removed"
	fi
    fi

}

#
# Save the default route
#
save_default_route() {
    awk \
    'BEGIN        {defroute=0;};
     /^default /  {defroute=1; print; next};
     /nexthop/    {if (defroute == 1 ) {print ; next} };
                  { defroute=0; };'
}

#
# Restore the default route that was in place before the initial 'shorewall start'
#
replace_default_route() # $1 = USE_DEFAULT_RT
{
    #
    # default_route and result are inherited from the caller
    #
    if [ -n "$default_route" ]; then
	case "$default_route" in
	    *metric*)
	        #
	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
	        #
		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
		default_route=
		;;
	    *)
		qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
		result=0
		default_route=
		;;
	esac
    fi
}

restore_default_route() # $1 = USE_DEFAULT_RT
{
    local result
    result=1

    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
	local default_route
	default_route=
	local route

	while read route ; do
	    case $route in
		default*)
		    replace_default_route $1
		    default_route="$default_route $route"
		    ;;
		*)
		    default_route="$default_route $route"
		    ;;
	    esac
	done < ${VARDIR}/default_route

	replace_default_route $1

	if [ $result = 1 ]; then
	    #
	    # We didn't restore a default route with metric 0
	    #
	    if $IP -$g_family -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
	       #
	       # But we added a default route with metric 0
	       #
	       qt $IP -$g_family route del default metric 0 && progress_message "Default route with metric 0 deleted"
	    fi
	fi

	rm -f ${VARDIR}/default_route
    fi

    return $result
}

#
# Flush the conntrack table if $g_purge is non-empty
#
conditionally_flush_conntrack() {

    if [ -n "$g_purge" ]; then
	if [ -n $(mywhich conntrack) ]; then
            conntrack -F
	else
            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
	fi
    fi
}

#
# Issue a message and stop/restore the firewall.
#
fatal_error()
{
    echo "   ERROR: $@" >&2

    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%_b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi

    stop_firewall
    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
    exit 2
}

#
# Run iptables/ip6tables and if an error occurs, stop/restore the firewall
#
run_iptables()
{
    local status

    while [ 1 ]; do
	$g_tool $@
	status=$?
	[ $status -ne 4 ] && break
    done

    if [ $status -ne 0 ]; then
        error_message "ERROR: Command \"$g_tool $@\" Failed"
	stop_firewall
        exit 2
    fi
}

#
# Run iptables/ip6tables retrying exit status 4
#
do_iptables()
{
    local status

    while [ 1 ]; do
	$g_tool $@
	status=$?
	[ $status -ne 4 ] && return $status;
    done
}

#
# Run ip and if an error occurs, stop/restore the firewall
#
run_ip()
{
    if ! $IP -$g_family $@; then
	error_message "ERROR: Command \"$IP -$g_family $@\" Failed"
	stop_firewall
	exit 2
    fi
}

#
# Run tc and if an error occurs, stop/restore the firewall
#
run_tc() {
    if ! $TC $@ ; then
	error_message "ERROR: Command \"$TC $@\" Failed"
	stop_firewall
	exit 2
    fi
}

#
# Run the .iptables_restore_input as a set of discrete iptables commands
#
debug_restore_input() {
    local first second rest table chain
    #
    # Clear the ruleset
    #
    qt1 $g_tool -t mangle -F
    qt1 $g_tool -t mangle -X

    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
	qt1 $g_tool -t mangle -P $chain ACCEPT
    done

    qt1 $g_tool -t raw    -F
    qt1 $g_tool -t raw    -X

    for chain in PREROUTING OUTPUT; do
	qt1 $g_tool -t raw -P $chain ACCEPT
    done

    qt1 $g_tool -t rawpost -F
    qt1 $g_tool -t rawpost    -X

    for chain in POSTROUTING; do
	qt1 $g_tool -t rawpost -P $chain ACCEPT
    done

    qt1 $g_tool -t nat    -F
    qt1 $g_tool -t nat    -X

    for chain in PREROUTING POSTROUTING; do
        qt1 $g_tool -t nat -P $chain ACCEPT
    done

    qt1 $g_tool -t filter -F
    qt1 $g_tool -t filter -X

    for chain in INPUT FORWARD OUTPUT; do
	qt1 $g_tool -t filter -P $chain -P ACCEPT
    done

    while read first second rest; do
	case $first in
	    -*)
		#
		# We can't call run_iptables() here because the rules may contain quoted strings
		#
		eval $g_tool -t $table $first $second $rest

		if [ $? -ne 0 ]; then
		    error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
		    stop_firewall
		    exit 2
		fi
		;;
	    :*)
		chain=${first#:}

		if [ "x$second" = x- ]; then
		    do_iptables -t $table -N $chain
		else
		    do_iptables -t $table -P $chain $second
		fi

		if [ $? -ne 0 ]; then
		    error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
		    stop_firewall
		    exit 2
		fi
		;;
	    #
	    # This grotesque hack with the table names works around a bug/feature with ash
	    #
	    '*'raw)
		table=raw
		;;
	    '*'rawpost)
		table=rawpost
		;;
	    '*'mangle)
		table=mangle
		;;
	    '*'nat)
		table=nat
		;;
	    '*'filter)
		table=filter
		;;
	esac
    done
}

interface_up() {
    return $(cat ${VARDIR}/$1.status)
}

distribute_load() {
    local interface
    local totalload
    local load
    local mark
    local maxload

    maxload=$1
    shift

    totalload=0

    for interface in $@; do
	if interface_up $interface; then
	    load=$(cat ${VARDIR}/${interface}_load)
	    eval ${interface}_load=$load
	    mark=$(cat ${VARDIR}/${interface}_mark)
	    eval ${interface}_mark=$mark
	    totalload=$( bc <<EOF
scale=8
$totalload + $load
EOF
)
	fi
    done

    if [ $totalload ]; then
	for interface in $@; do
	    qt $g_tool -t mangle -F ~$interface
	    eval load=\$${interface}_load
	    eval mark=\$${interface}_mark

	    if [ -n "$load" ]; then
		load=$(bc <<EOF
scale=8
( $load / $totalload ) * $maxload
EOF
)
		totalload=$(bc <<EOF
scale=8
$totalload - $load
EOF
)
		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load -j MARK --set-mark $mark
	    fi
	done
    fi
}

?IF __IPV4
#################################################################################
#                        IPv4-specific Functions
#################################################################################
#
# Determine if interface is usable from a Netfilter perspective
#
interface_is_usable() # $1 = interface
{
    local status;
    status=0

    if [ "$1" != lo ]; then
	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
	    [ "$COMMAND" = enable ] || run_isusable_exit $1
	    status=$?
	else
	    status=1
	fi
    fi

    return $status
}

#
# Find interface addresses--returns the set of addresses assigned to the passed device
#
find_interface_addresses() # $1 = interface
{
    $IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
}

#
# Find the value 'weight' in the passed arguments then echo the next value
#
find_weight() {
    while [ $# -gt 1 ]; do
	[ "x$1" = xweight ] && echo $2 && return
	shift
    done
}

#
# Find the interfaces that have a route to the passed address - the default
# route is not used.
#

find_rt_interface() {
    $IP -4 route list | while read addr rest; do
	case $addr in
	    */*)
		in_network ${1%/*} $addr && echo $(find_device $rest)
		;;
	    default)
		;;
	    *)
		if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
		    echo $(find_device $rest)
		fi
		;;
	esac
    done
}

#
# Echo the name of the interface(s) that will be used to send to the
# passed address
#

find_interface_by_address() {
    local dev
    dev="$(find_rt_interface $1)"
    local first
    local rest

    [ -z "$dev" ] && dev=$(find_default_interface)

    [ -n "$dev" ] && echo $dev
}

#
#  echo the list of networks routed out of a given interface
#
get_routed_networks() # $1 = interface name, $2-n = Fatal error message
{
    local address
    local rest

    $IP -4 route show dev $1 2> /dev/null |
	while read address rest; do
	    case "$address" in
		default)
		    if [ $# -gt 1 ]; then
			shift
			fatal_error "$@"
		    else
			echo "WARNING: default route ignored on interface $1" >&2
		    fi
		    ;;
		multicast|broadcast|prohibit|nat|throw|nexthop)
		    ;;
		*)
		    [ "$address" = "${address%/*}" ] && address="${address}/32"
		    echo $address
		    ;;
	    esac
        done
}

#
# Get the broadcast addresses associated with an interface
#
get_interface_bcasts() # $1 = interface
{
    local addresses
    addresses=

    $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}

#
# Delete IP address
#
del_ip_addr() # $1 = address, $2 = interface
{
    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
}

# Add IP Aliases
#
add_ip_aliases() # $* = List of addresses
{
    local local
    local addresses
    local external
    local interface
    local inet
    local cidr
    local rest
    local val
    local arping
    arping=$(mywhich arping)

    address_details()
    {
	#
	# Folks feel uneasy if they don't see all of the same
	# decoration on these IP addresses that they see when their
	# distro's net config tool adds them. In an attempt to reduce
	# the anxiety level, we have the following code which sets
	# the VLSM and BRD from an existing address in the same network
	#
	# Get all of the lines that contain inet addresses with broadcast
	#
	$IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
	    case $cidr in
		*/*)
		    if in_network $external $cidr; then
			echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
			break
		    fi
		    ;;
	    esac
	done
    }

    do_one()
    {
	val=$(address_details)

	$IP addr add ${external}${val} dev $interface $label
	[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
	echo "$external $interface" >> $VARDIR/nat
	[ -n "$label" ] && label="with $label"
	progress_message "   IP Address $external added to interface $interface $label"
    }

    progress_message "Adding IP Addresses..."

    while [ $# -gt 0 ]; do
	external=$1
	interface=$2
	label=

	if [ "$interface" != "${interface%:*}" ]; then
	    label="${interface#*:}"
	    interface="${interface%:*}"
	    label="label $interface:$label"
	fi

	shift 2

	list_search $external $(find_interface_addresses $interface) || do_one
    done
}

#
# Detect the gateway through a PPP or DHCP-configured interface
#
detect_dynamic_gateway() { # $1 = interface
    local interface
    interface=$1
    local GATEWAYS
    GATEWAYS=
    local gateway

    gateway=$(run_findgw_exit $1);

    if [ -z "$gateway" ]; then
	gateway=$( find_peer $($IP addr list $interface ) )
    fi

    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
    fi

    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
    fi

    [ -n "$gateway" ] && echo $gateway
}

#
# Detect the gateway through an interface
#
detect_gateway() # $1 = interface
{
    local interface
    interface=$1
    local gateway
    #
    # First assume that this is some sort of dynamic interface
    #
    gateway=$( detect_dynamic_gateway $interface )
    #
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
    #
    # Be sure we found one
    #
    [ -n "$gateway" ] && echo $gateway
}

#
# Disable IPV6
#
disable_ipv6() {
    local foo
    foo="$($IP -f inet6 addr list 2> /dev/null)"

    if [ -n "$foo" ]; then
	if [ -x "$IP6TABLES" ]; then
	    $IP6TABLES -P FORWARD DROP
	    $IP6TABLES -P INPUT DROP
	    $IP6TABLES -P OUTPUT DROP
	    $IP6TABLES -F
	    $IP6TABLES -X
	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
	    $IP6TABLES -A INPUT -i lo -j ACCEPT
	else
	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
	fi
    fi
}

#
# Add an additional gateway to the default route
#
add_gateway() # $1 = Delta $2 = Table Number
{
    local route
    local weight
    local delta
    local dev

    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`

    if [ -z "$route" ]; then
	run_ip route add default scope global table $2 $1
    else
	delta=$1

	if ! echo $route | fgrep -q ' nexthop '; then
	    route=`echo $route | sed 's/via/nexthop via/'`
	    dev=$(find_device $route)
	    if [ -f ${VARDIR}/${dev}_weight ]; then
		weight=`cat ${VARDIR}/${dev}_weight`
		route="$route weight $weight"
	    fi
	fi

	run_ip route replace default scope global table $2 $route $delta
    fi
}

#
# Remove a gateway from the default route
#
delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
{
    local route
    local gateway
    local dev

    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1

    if [ -n "$route" ]; then
	if echo $route | fgrep -q ' nexthop '; then
	    gateway="nexthop $gateway"
	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
	    run_ip route replace table $2 $route
	else
	    dev=$(find_device $route)
	    [ "$dev" = "$3" ] && run_ip route delete default table $2
	fi
    fi
}

#
# Determine the MAC address of the passed IP through the passed interface
#
find_mac() # $1 = IP address, $2 = interface
{
    if interface_is_usable $2 ; then
	qt ping -nc 1 -t 2 -I $2 $1

	local result
	result=$($IP neigh list |  awk "/^$1 / {print \$5}")

	case $result in
	    \<*\>)
		;;
	    *)
		[ -n "$result" ] && echo $result
		;;
	esac
    fi
}

#
# Clear Proxy Arp
#
delete_proxyarp() {
    if [ -f ${VARDIR}/proxyarp ]; then
	while read address interface external haveroute; do
	    qtnoin $IP -4 neigh del proxy $address dev $external
	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
	    [ -f $f ] && echo 0 > $f
	done < ${VARDIR}/proxyarp

	rm -f ${VARDIR}/proxyarp
    fi
}

#
# Remove all Shorewall-added rules
#
clear_firewall() {
    stop_firewall

    setpolicy INPUT ACCEPT
    setpolicy FORWARD ACCEPT
    setpolicy OUTPUT ACCEPT

    run_iptables -F
    qt $IPTABLES -t raw -F

    echo 1 > /proc/sys/net/ipv4/ip_forward

    if [ -n "$DISABLE_IPV6" ]; then
	if [ -x $IP6TABLES ]; then
    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
	fi
    fi

    run_clear_exit

    set_state "Cleared"

    logger -p kern.info "$g_product Cleared"
}

#
# Get a list of all configured broadcast addresses on the system
#
get_all_bcasts()
{
    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}

?ELSE
#################################################################################
#                        IPv6-specific Functions
#################################################################################
#
# Determine if interface is usable from a Netfilter perspective
#
interface_is_usable() # $1 = interface
{
    local status;
    status=0

    if [ "$1" != lo ]; then
	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
	    [ "$COMMAND" = enable ] || run_isusable_exit $1
	    status=$?
	else
	    status=1
	fi
    fi

    return $status
}

#
# Find interface addresses--returns the set of addresses assigned to the passed device
#
find_interface_addresses() # $1 = interface
{
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
}

#
# Get all interface addresses with VLSMs
#

find_interface_full_addresses() # $1 = interface
{
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
}

#
# Normalize an IPv6 Address by compressing out consecutive zero elements
#
normalize_address() # $1 = valid IPv6 Address
{
    local address
    address=$1
    local j

    while true; do
	case $address in
	    ::*)
		address=0$address
		;;
	    *::*)
		list_count $(split $address)

		j=$?

		if [ $j -eq 7 ]; then
		    address=${address%::*}:0:${address#*::}
		elif [ $j -eq 8 ]; then
		    $address=${address%::*}:${address#*::}
		    break 2
		else
		    address=${address%::*}:0::${address#*::}
		fi
		;;
	    *)
		echo $address
		break 2
		;;
	esac
    done
}

#
# Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each
# that defines a /120 or larger network, it sends to STDOUT:
#
#    The corresponding subnet-router anycast address (all host address bits are zero)
#    The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet)
#
convert_to_anycast() {
    local address
    local badress
    local vlsm
    local host
    local o
    local m
    m=
    local z
    z=65535
    local l

    while read address; do
	case $address in
	    2*|3*)
		vlsm=${address#*/}
		vlsm=${vlsm:=128}

		if [ $vlsm -le 120 ]; then
	            #
	            # Defines a viable subnet -- first get the subnet-router anycast address
	            #
		    host=$((128 - $vlsm))

		    address=$(normalize_address ${address%/*})

		    while [ $host -ge 16 ]; do
			address=${address%:*}
			host=$(($host - 16))
		    done

		    if [ $host -gt 0 ]; then
			#
			# VLSM is not a multiple of 16
			#
			host=$((16 - $host))
			o=$((0x${address##*:}))
			m=0
			while [ $host -gt 0 ]; do
			    m=$((($m >> 1) | 0x8000))
			    z=$(($z >> 1))
			    host=$(($host - 1))
			done

			o=$(($o & $m))

			badress=${address%:*}

			address=$badress:$(printf %04x $o)

			z=$(($o | $z))

			if [ $vlsm -gt 112 ]; then
			    z=$(($z & 0xff80))
			fi

			badress=$badress:$(printf %04x $z)
		    else
			badress=$address
		    fi
		    #
		    # Note: at this point $address and $badress are the same except possibly for
		    #       the contents of the last half-word
		    #
		    list_count $(split $address)

		    l=$?
		    #
		    # Now generate the anycast addresses defined by RFC 2526
		    #
		    if [ $l -lt 8 ]; then
			#
			# The subnet-router address
			#
			echo $address::

		    	while [ $l -lt 8 ]; do
			    badress=$badress:ffff
			    l=$(($l + 1 ))
			done
		    else
			#
			# The subnet-router address
			#
			echo $address
		    fi
		    #
		    # And the RFC 2526 addresses
		    #
		    echo $badress/121
		fi
		;;
	esac
    done
}

#
# Generate a list of anycast addresses for a given interface
#

get_interface_acasts() # $1 = interface
{
    local addresses
    addresses=

    find_interface_full_addresses $1 | convert_to_anycast | sort -u
}

#
# Get a list of all configured anycast addresses on the system
#
get_all_acasts()
{
    find_interface_full_addresses | convert_to_anycast | sort -u
}

#
# Detect the gateway through an interface
#
detect_gateway() # $1 = interface
{
    local interface
    interface=$1
    #
    # First assume that this is some sort of point-to-point interface
    #
    gateway=$( find_peer $($IP -6 addr list $interface ) )
    #
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
    #
    # Be sure we found one
    #
    [ -n "$gateway" ] && echo $gateway
}

#
# Add an additional gateway to the default route
#
add_gateway() # $1 = Delta $2 = Table Number
{
    local route
    local weight
    local delta
    local dev

    run_ip route add default scope global table $2 $1
}

#
# Remove a gateway from the default route
#
delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
{
    local route
    local gateway
    local dev

    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1

    dev=$(find_device $route)
    [ "$dev" = "$3" ] && run_ip route delete default table $2
}

#
# Clear Proxy NDP
#
delete_proxyndp() {
    if [ -f ${VARDIR}/proxyndp ]; then
	while read address interface external haveroute; do
	    qt $IP -6 neigh del proxy $address dev $external
	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
	    f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
	    [ -f $f ] && echo 0 > $f
	done < ${VARDIR}/proxyndp

	rm -f ${VARDIR}/proxyndp
    fi
}

#
# Remove all Shorewall-added rules
#
clear_firewall() {
    stop_firewall

    setpolicy INPUT ACCEPT
    setpolicy FORWARD ACCEPT
    setpolicy OUTPUT ACCEPT

    run_iptables -F
    qt $IP6TABLES -t raw -F

    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

    run_clear_exit

    set_state "Cleared"

    logger -p kern.info "$g_product Cleared"
}

?ENDIF