--- ../../3.4/Shorewall/compiler	2007-10-26 19:10:45.000000000 -0400
+++ compiler	2008-03-09 16:00:16.000000000 -0400
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V3.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V4.0
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -35,6 +35,11 @@
 #	    SHOREWALL_DIR                       A directory name was passed to /sbin/shorewall
 #	    VERBOSE                             Standard Shorewall verbosity control.
 
+BASE_VERSION=40000
+BASE_VERSION_PRINTABLE=4.0.0
+CONFIG_VERSION=40000
+CONFIG_VERSION_PRINTABLE=4.0.0
+
 #
 # Fatal error -- stops the compiler after issuing the error message
 #
@@ -128,7 +133,8 @@
 #
 append_file() # $1 = File Name
 {
-    local user_exit=$(find_file $1)
+    local user_exit
+    user_exit=$(find_file $1)
 
     case $user_exit in
 	$SHAREDIR/*)
@@ -210,7 +216,8 @@
 #
 finish_chain_section() # $1 = canonical chain $2 = state list
 {
-    local policy policychain
+    local policy
+    local policychain
 
     [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
 
@@ -241,7 +248,9 @@
 
 finish_section() # $1 = Section(s)
 {
-    local zone zone1 chain
+    local zone
+    local zone1
+    local chain
 
     for zone in $ZONES $FW; do
 	for zone1 in $ZONES $FW; do
@@ -263,7 +272,8 @@
 #
 createchain() # $1 = chain name, $2 = If "yes", do section-end processing
 {
-    local c=$(chain_base $1)
+    local c
+    c=$(chain_base $1)
 
     run_iptables -N $1
 
@@ -286,7 +296,8 @@
 #
 createchain2() # $1 = chain name, $2 = If "yes", create default rules
 {
-    local c=$(chain_base $1)
+    local c
+    c=$(chain_base $1)
 
     ensurechain $1
 
@@ -313,7 +324,8 @@
 #
 havechain() # $1 = name of chain
 {
-    local c=$(chain_base $1)
+    local c
+    c=$(chain_base $1)
 
     eval test \"\$exists_${c}\" = Yes
 }
@@ -675,11 +687,11 @@
     progress_message2 "Compiling IP Forwarding..."
 
     case "$IP_FORWARDING" in
-	On|on)
+	On|on|ON|Yes|yes|YES)
 	    save_progress_message "IP Forwarding Enabled"
 	    save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
 	    ;;
-	Off|off)
+	Off|off|OFF|No|no|NO)
 	    save_progress_message "IP Forwarding Disabled!"
 	    save_command "echo 0 > /proc/sys/net/ipv4/ip_forward"
 	    ;;
@@ -719,16 +731,25 @@
 #
 log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
 {
-    local level=$1
-    local chain=$2
-    local displayChain=$3
-    local disposition=$4
-    local rulenum=
-    local limit=
-    local tag=$6
-    local command=${7:--A}
+    local level
+    level=$1
+    local chain
+    chain=$2
+    local displayChain
+    displayChain=$3
+    local disposition
+    disposition=$4
+    local rulenum
+    rulenum=
+    local limit
+    limit=
+    local tag
+    tag=$6
+    local command
+    command=${7:--A}
     local prefix
-    local base=$(chain_base $displayChain)
+    local base
+    base=$(chain_base $displayChain)
 
     limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
 
@@ -739,9 +760,12 @@
 
 log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
 {
-    local level=$1
-    local chain=$2
-    local disposition=$3
+    local level
+    level=$1
+    local chain
+    chain=$2
+    local disposition
+    disposition=$3
 
     shift 3
 
@@ -756,9 +780,12 @@
 	# $2 = synparams
         # $3 = loglevel
 {
-    local chain=@$1
-    local limit=$2
-    local limit_burst=
+    local chain
+    chain=@$1
+    local limit
+    limit=$2
+    local limit_burst
+    limit_burst=
 
     case $limit in
 	*:*)
@@ -837,8 +864,10 @@
 #
 setup_ecn() # $1 = file name
 {
-    local interfaces=""
-    local hosts=
+    local interfaces
+    interfaces=""
+    local hosts
+    hosts=
     local h
 
     if [ -s ${TMP_DIR}/ecn ]; then
@@ -886,7 +915,8 @@
 #
 build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
 {
-    local c=excl_${EXCLUSION_SEQ} net
+    local c
+    c=excl_${EXCLUSION_SEQ} net
 
     EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 ))
 
@@ -916,7 +946,10 @@
 # Setup queuing and classes
 #
 setup_tc1() {
-    local mark_part= comment=
+    local mark_part
+    mark_part=
+    local comment
+    comment=
     #
     # Create the TC mangle chains
     #
@@ -1025,7 +1058,8 @@
 #
 refresh_tc() {
 
-    local comment=
+    local comment
+    comment=
 
     if [ -n "$CLEAR_TC" ]; then
 	delete_tc
@@ -1089,9 +1123,12 @@
 #
 compile_refresh_firewall()
 {
-    local INDENT=""
-    local DOING="Compiling Refresh of"
-    local DONE="Compiled"
+    local INDENT
+    INDENT=""
+    local DOING
+    DOING="Compiling Refresh of"
+    local DONE
+    DONE="Compiled"
     local indent
 
     save_command "refresh_firewall()"
@@ -1142,7 +1179,8 @@
 process_action_file() # $1 = File Name
 {
     if ! list_search $1 $BUILTIN_ACTIONS; then
-	local user_exit=$(find_file $1)
+	local user_exit
+	user_exit=$(find_file $1)
 
 	if [ -f $user_exit ]; then
 	    progress_message "Processing $user_exit ..."
@@ -1173,7 +1211,12 @@
 
 createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
 {
-    local actchain= action=$1 level=$2
+    local actchain
+    actchain=
+    local action
+    action=$1
+    local level
+    level=$2
 
     eval actchain=\${${action}_actchain}
 
@@ -1259,7 +1302,14 @@
 #
 find_logactionchain() # $1 = Action, including log level and tag if any
 {
-    local fullaction=$1 action=${1%%:*} level= chains=
+    local fullaction
+    fullaction=$1
+    local action
+    action=${1%%:*}
+    local level
+    level=
+    local chains
+    chains=
 
     find_simpleaction() {
 	havechain $action ||  fatal_error "Fatal error in find_logactionchain"
@@ -1302,7 +1352,10 @@
 #
 merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
 {
-    local superior=$1 subordinate=$2
+    local superior
+    superior=$1
+    local subordinate
+    subordinate=$2
 
     set -- $(split $1)
 
@@ -1379,7 +1432,9 @@
 #
 map_old_action() # $1 = Potential Old Action
 {
-    local macro= aktion
+    local macro
+    macro=
+    local aktion
 
     if [ -n "$MAPOLDACTIONS" ]; then
 	case $1 in
@@ -1432,7 +1487,8 @@
 #
 substitute_action() # $1 = parameter, $2 = action
 {
-    local logpart=${2#*:}
+    local logpart
+    logpart=${2#*:}
 
     case $2 in
 	*:*)
@@ -1630,7 +1686,8 @@
 #	 policy		= Applicable Policy
 #
 add_a_rule() {
-    local natrule=
+    local natrule
+    natrule=
 
     do_ports() {
 	if [ -n "$port" ]; then
@@ -2118,19 +2175,32 @@
                # $9 = userspec
                # $10= mark
 {
-    local target="$1"
-    local clients="$2"
-    local servers="$3"
-    local protocol="$4"
-    local ports="$5"
-    local cports="$6"
-    local address="$7"
-    local ratelimit="$8"
-    local userspec="$9"
-    local mark="${10}"
-    local userandgroup=
-    local logtag=
-    local nonat=
+    local target
+    target="$1"
+    local clients
+    clients="$2"
+    local servers
+    servers="$3"
+    local protocol
+    protocol="$4"
+    local ports
+    ports="$5"
+    local cports
+    cports="$6"
+    local address
+    address="$7"
+    local ratelimit
+    ratelimit="$8"
+    local userspec
+    userspec="$9"
+    local mark
+    mark="${10}"
+    local userandgroup
+    userandgroup=
+    local logtag
+    logtag=
+    local nonat
+    nonat=
 
     # # # # # F u n c t i o n   B o d y # # # # #
 
@@ -2483,21 +2553,35 @@
                # $9 = userspec
                # $10= mark
 {
-    local itarget="$1"
-    local param="$2"
-    local iclients="$3"
-    local iservers="$4"
-    local iprotocol="$5"
-    local iports="$6"
-    local icports="$7"
-    local iaddress="$8"
-    local iratelimit="$9"
-    local iuserspec="${10}"
-    local imark="${11}"
+    local itarget
+    itarget="$1"
+    local param
+    param="$2"
+    local iclients
+    iclients="$3"
+    local iservers
+    iservers="$4"
+    local iprotocol
+    iprotocol="$5"
+    local iports
+    iports="$6"
+    local icports
+    icports="$7"
+    local iaddress
+    iaddress="$8"
+    local iratelimit
+    iratelimit="$9"
+    local iuserspec
+    iuserspec="${10}"
+    local imark
+    imark="${11}"
 
     progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
 
     while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
+
+	[ $mtarget = COMMENT ] && continue
+
 	mtarget=$(merge_levels $itarget $mtarget)
 
 	case $mtarget in
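Review bot: The new `[ $mtarget = COMMENT ] && continue` leaves `$mtarget` unquoted, so an empty or whitespace-only line read from the macro file produces a test syntax error instead of being skipped, and the loop then goes on to process it as a rule. Whether blank lines can reach this loop depends on how the macro file is pre-processed, which is not visible here, but the quoting costs nothing: `[ "x$mtarget" = xCOMMENT ] && continue`, matching the idiom this file uses for its own argument check at the bottom. The enclosing macro-expansion function starts before the hunk and continues after it.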
@@ -2575,13 +2659,19 @@
 #
 process_rules()
 {
-    local comment= optimize
+    local comment
+    comment=
+    local optimize
     #
     # Process a rule where the source or destination is "all"
     #
     process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic
     {
-	local yclients yservers ysourcezone ydestzone ypolicy
+	local yclients
+	local yservers
+	local ysourcezone
+	local ydestzone
+	local ypolicy
 
 	for yclients in $xclients; do
 	    for yservers in $xservers; do
@@ -2614,7 +2704,8 @@
 
     do_it() # $1 = "Yes" if the target is a macro.
     {
-	local intrazone=
+	local intrazone
+	intrazone=
 
 	if [ -z "$SECTIONS" ]; then
 	    finish_section ESTABLISHED,RELATED
@@ -2794,17 +2885,35 @@
 #
 process_default_macro() # $1 = macro name
 {
-    local macro=$1
-    local address=
-    local multioption=
-    local servport=
-    local chain=$1
-    local logchain=$1
-    local userandgroup=
-    local logtag=
-    local excludesource=
-    local target client server protocol port cport ratelimit userspec rule
-    local f=$(find_file macro.${macro})
+    local macro
+    macro=$1
+    local address
+    address=
+    local multioption
+    multioption=
+    local servport
+    servport=
+    local chain
+    chain=$1
+    local logchain
+    logchain=$1
+    local userandgroup
+    userandgroup=
+    local logtag
+    logtag=
+    local excludesource
+    excludesource=
+    local target
+    local client
+    local server
+    local protocol
+    local port
+    local cport
+    local ratelimit
+    local userspec
+    local rule
+    local f
+    f=$(find_file macro.${macro})
 
     havechain $macro && fatal_error "Illegal duplicate default macro name: $macro"
 
@@ -3062,7 +3171,10 @@
 #
 process_tos() # $1 = name of tos file
 {
-    local chain=pretos stdchain=PREROUTING
+    local chain
+    chain=pretos
+    local stdchain
+    stdchain=PREROUTING
 
     if [ -n "$MANGLE_FORWARD" ]; then
 	chain=fortos
@@ -3093,8 +3205,10 @@
 	       # $3 = loglevel
                # $4 = Default Action/Macro
 {
-    local target="$2"
-    local default="$4"
+    local target
+    target="$2"
+    local default
+    default="$4"
 
     if [ -n "$default" ]; then
 	[ "$default" = none ] || run_iptables -A $1 -j $default
@@ -3131,9 +3245,12 @@
 #
 default_policy() # $1 = client $2 = server
 {
-    local chain="${1}2${2}"
-    local policy=
-    local loglevel=
+    local chain
+    chain="${1}2${2}"
+    local policy
+    policy=
+    local loglevel
+    loglevel=
     local chain1
 
     jump_to_policy_chain() {
@@ -3235,14 +3352,18 @@
 #
 complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
 {
-    local policy=
-    local loglevel=
-    local policychain=
-    local default=
+    local policy
+    policy=
+    local loglevel
+    loglevel=
+    local policychain
+    policychain=
+    local default
+    default=
 
     run_user_exit $1
 
-    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+    [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
     eval policychain=\$${2}2${3}_policychain
 
@@ -3267,7 +3388,8 @@
 #
 rules_chain() # $1 = source zone, $2 = destination zone
 {
-    local chain=${1}2${2} local policy
+    local chain
+    chain=${1}2${2} local policy
 
     havechain $chain && { echo $chain; return; }
 
@@ -3376,8 +3498,10 @@
 
 process_blacklist()
 {
-    local disposition=$BLACKLIST_DISPOSITION
-    local f=$(find_file blacklist)
+    local disposition
+    disposition=$BLACKLIST_DISPOSITION
+    local f
+    f=$(find_file blacklist)
     local target
 
     if [ -s $TMP_DIR/blacklist ]; then
@@ -3411,8 +3535,10 @@
 # Setup the Black List
 #
 setup_blacklist() {
-    local hosts="$(find_hosts_by_option blacklist)"
-    local ipsec policy
+    local hosts
+    hosts="$(find_hosts_by_option blacklist)"
+    local ipsec
+    local policy
 
     if [ -n "$hosts" -a -s ${TMP_DIR}/blacklist ]; then
 	progress_message2 "$DOING Blacklisting..."
@@ -3457,8 +3583,10 @@
 # Construct zone-independent rules
 #
 add_common_rules() {
-    local savelogparms="$LOGPARMS"
-    local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
+    local savelogparms
+    savelogparms="$LOGPARMS"
+    local broadcasts
+    broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
     #
     # Populate the smurf chain
     #
@@ -3788,7 +3916,7 @@
 
 	save_progress_message "Setting up Route Filtering..."
 
-	if [ -z "$ROUTE_FILTER" ]; then
+	if [ "$ROUTE_FILTER" = no ]; then
 	    indent >&3 << __EOF__
 
 for f in /proc/sys/net/ipv4/conf/*; do
@@ -3812,8 +3940,10 @@
 
 	save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"
 
-	if [ -n "$ROUTE_FILTER" ]; then
+	if [ "$ROUTE_FILTER" = yes ]; then
 	    save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter"
+	elif [ "$ROUTE_FILTER" = no ]; then
+	    save_command "echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter"
 	fi
 
 	save_command "[ -n \"\$NOROUTES\" ] || ip route flush cache"
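Review bot: `[ "$ROUTE_FILTER" = yes ]` and `= no` compare against exact lowercase, while the IP_FORWARDING hunk earlier in this diff accepts `Yes`/`YES`/`No`/`NO`; a capitalised value here matches neither branch and silently leaves default/rp_filter at whatever the running kernel has. If lib.config already normalises the value, a comment saying so would stop someone "fixing" it; otherwise accept the same spellings or reject anything else with fatal_error. Note also that the unchanged context line still writes 1 to conf/all/rp_filter regardless of branch, so what the `no` branch actually achieves depends on how the kernel combines all/ with per-interface settings, which deserves a comment next to it. The enclosing if block starts before the hunk.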
@@ -3829,7 +3959,7 @@
 
 	save_progress_message "Setting up Martian Logging..."
 
-	if [ -z "$LOG_MARTIANS" ]; then
+	if [ "$LOG_MARTIANS" = no ]; then
 	    indent >&3 << __EOF__
 
 for f in /proc/sys/net/ipv4/conf/*; do
@@ -3852,9 +3982,12 @@
 __EOF__
 	    done
 	
-	if [ -n "$LOG_MARTIANS" ]; then
+	if [ "$LOG_MARTIANS" = yes ]; then
 	    save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
 	    save_command "echo 1 > /proc/sys/net/ipv4/conf/default/log_martians"
+	elif [ "$LOG_MARTIANS" = no ]; then
+	    save_command "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians"
+	    save_command "echo 0 > /proc/sys/net/ipv4/conf/default/log_martians"
 	fi
 
     fi
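Review bot: Same exact-lowercase comparison as the ROUTE_FILTER branch: `[ "$LOG_MARTIANS" = yes ]` / `= no` match neither arm for `Yes`/`No`, and any other value emits no command at all, leaving log_martians untouched. If that third state is intentional (per-interface control only), document it, e.g. `# neither yes nor no: leave all/default alone, per-interface settings apply`; if not, reject unknown values with fatal_error. The enclosing if block starts before the hunk.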
@@ -3984,14 +4117,19 @@
 #
 activate_rules()
 {
-    local PREROUTING_rule=1
-    local POSTROUTING_rule=1
+    local PREROUTING_rule
+    PREROUTING_rule=1
+    local POSTROUTING_rule
+    POSTROUTING_rule=1
     #
     # Jump to a NAT chain from one of the builtin nat chains
     #
     addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
     {
-	local sourcechain=$1 destchain=$2
+	local sourcechain
+	sourcechain=$1
+        local destchain
+        destchain=$2
 	shift
 	shift
 
@@ -4009,7 +4147,10 @@
     #
     addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
     {
-	local sourcechain=$1 destchain=$2
+	local sourcechain
+	sourcechain=$1
+	local destchain
+	destchain=$2
 	shift
 	shift
 
@@ -4037,7 +4178,15 @@
     #
     insert_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
     {
-	local t=$1 c=$2 num=0 host1 interface1 networks1
+	local t
+	t=$1
+	local c
+	c=$2
+	local num
+	num=0
+	local host1
+	local interface1
+	local networks1
 
 	shift 2
 
@@ -4053,7 +4202,13 @@
     #
     add_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
     {
-	local t=$1 c=$2 host1 interface1 networks1
+	local t
+	t=$1
+	local c
+	c=$2
+	local host1
+	local interface1
+	local networks1
 
 	shift 2
 
@@ -4101,7 +4256,8 @@
 	    eval exclusions=\"\$${zone}_exclusions\"
 
 	    if [ -n "$exclusions" ]; then
-		local num=1
+		local num
+		num=1
 		in_chain=${zone}_input
 		out_chain=${zone}_output
 		createchain $in_chain No
@@ -4549,8 +4705,10 @@
 # from that script are available here
 #
 compile_stop_firewall() {
-    local IPTABLES_COMMAND="\$IPTABLES"
-    local INDENT="    "
+    local IPTABLES_COMMAND
+    IPTABLES_COMMAND="\$IPTABLES"
+    local INDENT
+    INDENT="    "
 
     cat >&3 << __EOF__
 
@@ -4894,10 +5052,18 @@
 #
 compile_firewall() # $1 = File Name
 {
-    local IPTABLES_COMMAND=run_iptables
-    local INDENT=""
-    local checking= outfile=$1 dir=
-    local match=
+    local IPTABLES_COMMAND
+    IPTABLES_COMMAND=run_iptables
+    local INDENT
+    INDENT=""
+    local checking
+    checking=
+    local outfile
+    outfile=$1
+    local dir
+    dir=
+    local match
+    match=
 
     setup_mss()
     {
@@ -4951,7 +5117,7 @@
 
     cat >&3 << __EOF__
 #
-# Compiled firewall script generated by Shorewall $VERSION - $(date)"
+# Compiled firewall script generated by Shorewall-shell $VERSION - $(date)"
 #
 __EOF__
 
@@ -4959,7 +5125,10 @@
 	cat >&3 << __EOF__
 SHAREDIR=/usr/share/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-VARDIR=/var/lib/shorewall-lite
+
+[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir
+
+[ -n "\${VARDIR:=/var/lib/shorewall-lite}" ]
 
 __EOF__
 
@@ -4976,7 +5145,10 @@
 	cat >&3 << __EOF__
 SHAREDIR=/usr/share/shorewall
 CONFDIR=/etc/shorewall
-VARDIR=/var/lib/shorewall
+
+[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir
+
+[ -n "\${VARDIR:=/var/lib/shorewall}" ]
 
 . \${SHAREDIR}/lib.base
 __EOF__
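Review bot: Same sourcing of `${CONFDIR}/vardir` as in the shorewall-lite hunk above: arbitrary shell in that file runs in the generated script as root, before lib.base is loaded, and VARDIR is not validated afterwards. Consider `: \${VARDIR:=/var/lib/shorewall}` for the default and a one-line comment documenting that vardir is trusted root-owned configuration expected to assign only VARDIR.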
@@ -5139,7 +5311,8 @@
 	fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget "-e" when you compiled?)"
     fi
 
-    local version=\$(cat \${SHAREDIR}/version)
+    local version
+    version=\$(cat \${SHAREDIR}/version)
 
     if [ \${SHOREWALL_LIBVERSION:-0} -lt 30203 ]; then
 	fatal_error "This script requires Shorewall version 3.3.3 or later; current version is \$version"
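Review bot: The generated script still requires only `SHOREWALL_LIBVERSION >= 30203` ("3.3.3 or later") while the compiler at the bottom of this diff now insists on lib.base 40000; if the emitted script relies on any 4.0 library function, a 3.3.x runtime passes this check and fails later with a less helpful error. If the 3.3.3 run-time floor is still correct, a comment explaining why the two thresholds differ would stop the next reader from raising it; otherwise bump it to 40000 and the message to 4.0.0. The generated function continues past the end of the hunk.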
@@ -5178,6 +5351,7 @@
     LOCKFILE="$LOCKFILE"
     PATH="$PATH"
     TERMINATOR=fatal_error
+    DONT_LOAD="$DONT_LOAD"
 
 __EOF__
     if [ -n "$IPTABLES" ]; then
@@ -5278,7 +5452,8 @@
 # Start/Restart/Reload the firewall
 #
 define_firewall() {
-    local restore_file=\$1
+    local restore_file
+    restore_file=\$1
 __EOF__
 
     INDENT="    "
@@ -5727,9 +5902,9 @@
 # E X E C U T I O N    B E G I N S   H E R E
 #
 #
-# Start trace if first arg is "debug"
+# Start trace if first arg is "debug" or "trace"
 #
-[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
+[ $# -gt 1 ] && [ "x$1" = xdebug -o "x$1" = xtrace ] && { set -x ; shift ; } 
 
 NOLOCK=
 
@@ -5754,6 +5929,11 @@
     fi
 done
 
+VERSION=$(cat $SHELLSHAREDIR/version)
+
+[ "$SHOREWALL_LIBVERSION"    -eq $BASE_VERSION ]   || fatal_error "Shorewall-shell $VERSION requires Shorewall-common lib.base version $BASE_VERSION_PRINTABLE"
+[ "$SHOREWALL_CONFIGVERSION" -eq $CONFIG_VERSION ] || fatal_error "Shorewall-shell $VERSION requires Shorewall-common lib.config version $CONFIG_VERSION_PRINTABLE"
+
 PROGRAM=compiler
 
 COMMAND="$1"
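Review bot: `[ "$SHOREWALL_LIBVERSION" -eq $BASE_VERSION ]` prints an "integer expression expected" diagnostic when SHOREWALL_LIBVERSION is unset or empty (a pre-4.0 lib.base that does not define it) and only then reaches fatal_error, so the user sees a confusing shell error before the real message. Use the same default the generated script uses, `[ "${SHOREWALL_LIBVERSION:-0}" -eq $BASE_VERSION ]`, and likewise `"${SHOREWALL_CONFIGVERSION:-0}"`. `VERSION=$(cat $SHELLSHAREDIR/version)` is also unquoted and unchecked; if the file is missing, VERSION is empty and the fatal messages read `Shorewall-shell  requires …`.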