#
# Shorewall 4.5 -- /usr/share/shorewall/lib.cli.
#
#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
#
#	Complete documentation is available at http://shorewall.net
#
#	This program is free software; you can redistribute it and/or modify
#	it under the terms of Version 2 of the GNU General Public License
#	as published by the Free Software Foundation.
#
#	This program is distributed in the hope that it will be useful,
#	but WITHOUT ANY WARRANTY; without even the implied warranty of
#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#	GNU General Public License for more details.
#
#	You should have received a copy of the GNU General Public License
#	along with this program; if not, write to the Free Software
#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This library contains the command processing code common to /sbin/shorewall[6] and
# /sbin/shorewall[6]-lite.
#

if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} <> /usr/share
    #
    . /usr/share/shorewall/shorewallrc

    g_libexec="$LIBEXECDIR"
    g_sharedir="$SHAREDIR"/$g_program
    g_sbindir="$SBINDIR"
    g_perllib="$PERLLIBDIR"
    g_vardir="$VARDIR"
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
fi

. ${SHAREDIR}/shorewall/lib.base


#
# Fatal Error
#
fatal_error() # $@ = Message
{
    echo "   ERROR: $@" >&2
    exit 2
}

#
# Issue an error message and die
#
startup_error() {
    echo "   ERROR: $@" >&2
    kill $$
    exit 1
}

#
# Display a chain if it exists
#

showfirstchain() # $1 = name of chain
{
    awk \
    'BEGIN	 {prnt=0; rslt=1; }; \
    /^$/	 { next; };\
    /^Chain/	 {if ( prnt == 1 ) { rslt=0; exit 0; }; };\
    /Chain '$1'/ { prnt=1; }; \
		 { if (prnt == 1)  print; };\
    END		 { exit rslt; }' $TMPFILE
}

showchain() # $1 = name of chain
{
    if [ "$firstchain" = "Yes" ]; then
	if showfirstchain $1; then
	    firstchain=
	fi
    else
	awk \
	'BEGIN	     {prnt=0;};\
	/^$|^ pkts/  { next; };\
	/^Chain/     {if ( prnt == 1 ) exit; };\
	/Chain '$1'/ { prnt=1; };\
		     { if (prnt == 1)  print; }' $TMPFILE
    fi
}

#
# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
#

iptablesbug()
{
    if [ $g_family -eq 4 ]; then
	if qt mywhich awk ; then
	    awk 'BEGIN           { sline=""; };\
             /^-[jg]/            { print sline $0; next };\
             /-m policy.*-[jg] / { print $0; next };\
             /-m policy/         { sline=$0; next };\
             /--mask ff/         { sub( /--mask ff/, "--mask 0xff" ) };\
                                 { print ; sline="" }'
        else
	    echo "   WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
	    cat
	fi
    else
	cat
    fi
}

#
# Validate the value of RESTOREFILE
#
validate_restorefile() # $* = label
{
    case $RESTOREFILE in
	*/*)
	    error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
	    exit 2
	    ;;
	.safe|.try)
	    ;;
	.*|NONE)
	    error_message "ERROR: Reserved File Name: $RESTOREFILE"
	    exit 2
	    ;;
    esac
}

#
# Clear descriptor 1 if it is a terminal
#
clear_term() {
    [ -t 1 ] && clear
}

#
# Delay $timeout seconds -- if we're running on a recent bash2 then allow
# <enter> to terminate the delay
#
timed_read ()
{
    read -t $timeout foo 2> /dev/null

    test $? -eq 2 && sleep $timeout
}

#
# Determine if 'syslog -C' is running
#
syslog_circular_buffer() {
    local pid
    local tty
    local flags
    local cputime
    local path
    local args
    local arg

    ps ax 2> /dev/null | while read pid tty flags cputime path args; do
	case $path in
	    syslogd|*/syslogd)
		for arg in $args; do
		    if [ x$arg = x-C ]; then
			echo Yes
			return
		    fi
		done
		;;
	esac
    done
}

#
# Display the last $1 packets logged
#
packet_log() # $1 = number of messages
{
    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
	if [ $g_family -eq 4 ]; then
	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
	else
	    $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
	fi
    elif [ $g_family -eq 4 ]; then
	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
    else
	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
    fi
}

search_log() # $1 = IP address to search for
{
    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
        if [ $g_family -eq 4 ]; then
	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
	else
	    $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
	fi
    elif [ $g_family -eq 4 ]; then
	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
    else
	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
    fi
}

#
# Show traffic control information
#
show_tc() {

    show_one_tc() {
	local device
	device=${1%@*}
	qdisc=$(tc qdisc list dev $device)

	if [ -n "$qdisc" ]; then
	    echo Device $device:
	    tc -s -d qdisc show dev $device
	    echo
	    tc -s -d class show dev $device
	    echo
	fi
    }

    if [ $# -gt 0 ]; then
	show_one_tc $1
    else
	ip -o link list | while read inx interface details; do
	    show_one_tc ${interface%:}
	done
    fi

}

#
# Show classifier information
#
show_classifiers() {

    show_one_classifier() {
	local device
	device=${1%@*}
	qdisc=$(tc qdisc list dev $device)

	if [ -n "$qdisc" ]; then
	    echo Device $device:
	    tc -s filter ls dev $device
	    echo
	fi
    }

    ip -o link list | while read inx interface details; do
	show_one_classifier ${interface%:}
    done

}

#
# Watch the Firewall Log
#
logwatch() # $1 = timeout -- if negative, prompt each time that
	   #		     an 'interesting' packet count changes
{
    if [ -z "$LOGFILE" ]; then
	LOGFILE=/var/log/messages

	if [ -n "$(syslog_circular_buffer)" ]; then
	    g_logread="logread | tac"
	elif [ -r $LOGFILE ]; then
	    g_logread="tac $LOGFILE"
	else
	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
	    exit 2
	fi
    fi

    host=$(echo $g_hostname | sed 's/\..*$//')
    oldrejects=$($g_tool -L -v -n | grep 'LOG')

    if [ $1 -lt 0 ]; then
	timeout=$((- $1))
	pause="Yes"
    else
	pause="No"
	timeout=$1
    fi

    qt mywhich awk && haveawk=Yes || haveawk=

    while true; do
	clear_term
	echo "$banner $(date)"
	echo

	echo "Dropped/Rejected Packet Log ($LOGFILE)"
	echo

	show_reset

	rejects=$($g_tool -L -v -n | grep 'LOG')

	if [ "$rejects" != "$oldrejects" ]; then
	    oldrejects="$rejects"

	    $g_ring_bell

	    packet_log 40

	    if [ "$pause" = "Yes" ]; then
		echo
		echo $g_echo_n 'Enter any character to continue: '
		read foo
	    else
		timed_read
	    fi
	else
	    echo
	    packet_log 40
	    timed_read
	fi
    done
}

#
# Save currently running configuration
#
do_save() {
    local status
    status=0

    if [ -f ${VARDIR}/firewall ]; then
	if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
	    cp -f ${VARDIR}/firewall $g_restorepath
	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
	    chmod +x $g_restorepath
	    echo "   Currently-running Configuration Saved to $g_restorepath"
	    run_user_exit save
	else
	    rm -f ${VARDIR}/restore-$$
	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
	    status=1
	fi
    else
	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
	status=1
    fi

    case ${SAVE_IPSETS:=No} in
	[Yy]es)
	    case ${IPSET:=ipset} in
		*/*)
		    if [ ! -x "$IPSET" ]; then
			error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
			IPSET=
		    fi
		    ;;
		*)
		    IPSET="$(mywhich $IPSET)"
		    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
		    ;;
	    esac

	    if [ -n "$IPSET" ]; then
		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
                    #
                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
                    #
		    hack='| grep -v /31'
		else
		    hack=
		fi

		if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
                    #
                    # Don't save an 'empty' file
                    #
		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
		fi
	    fi
	    ;;
	[Nn]o)
	    ;;
	*)
	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
	    ;;
    esac

    return $status
}

save_config() {

    local result
    result=1

    iptables_save=${g_tool}-save

    [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2

    if product_is_started ; then
	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}

	if [ -f $g_restorepath -a ! -x $g_restorepath ]; then
	    echo "   ERROR: $g_restorepath exists and is not a saved $g_product configuration" >&2
	else
	    case $RESTOREFILE in
		capabilities|chains|default_route|firewall|firewall.conf|nat|proxyarp|restarted|rt_tables|save|state|undo_routing|zones)
		    echo "   ERROR: Reserved file name: $RESTOREFILE" >&2
		    ;;
		*)
		    validate_restorefile RESTOREFILE
		    do_save && rm -f ${VARDIR}/save
		    ;;
	    esac
	fi
    else
	echo "$g_product isn't started" >&2
    fi

    return 0

}

#
# Recent Linux systems seem to like to print a randomly-ordered
# view of routing tables. This hack sorts the output into the
# order we all know and love
#
sort_routes() {
    local dest
    local rest
    local crvsn

    while read dest rest; do
	if [ -n "$dest" ]; then
	    case "$dest" in
		default)
		    echo "00 $dest $rest"
		    ;;
		*/*)
		    crvsn=${dest#*/}
		    printf "%02d %s\n" $crvsn "$dest $rest"
		    ;;
		*)
		    echo "32 $dest $rest"
		    ;;
	    esac
	fi
    done | sort -r | while read dest rest; do echo $rest; done
}

#
# Isolate the table in the routing rules being read from stdin.
# Piping through sed to remove trailing whitespace works around
# recent 'features' in dash and ip.
#
find_tables() {
    sed -r 's/[[:space:]]+$//' | while read rule; do
	echo ${rule##* }
    done
}

#
# Show routing configuration
#
show_routing() {
    local rule
    local table

    if [ -n "$(ip -$g_family rule list)" ]; then
	heading "Routing Rules"
	ip -$g_family rule list
	ip -$g_family rule list | find_tables | sort -u | while read table; do
	    heading "Table $table:"
	    if [ $g_family -eq 6 ]; then
		ip -$g_family -o route list table $table | fgrep -v cache
	    else
		ip -4 -o route list table $table | sort_routes
	    fi
	done

	if [ -n "$g_routecache" ]; then
	    heading "Route Cache"
	    ip -$g_family route list cache
	fi
    else
	heading "Routing Table"
	if [ $g_family -eq 6 ]; then
	    ip -$g_family -o route list | fgrep -v cache
	else
	    ip -4 -o route list table $table | sort_routes
	fi
    fi
}

#
# 'list dynamic' command executor
#
find_sets() {
    local junk
    local setname

    ipset -L -n | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
}

list_zone() {

    local sets
    local setname

    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"

    if [ $g_family -eq 4 ]; then
	sets=$(ipset -L -n | grep '^$1_');
     else
	sets=$(ipset -L -n | grep "^6_$1_")
    fi

    [ -n "$sets" ] || sets=$(find_sets $1)

    for setname in $sets; do
	echo "${setname#${1}_}:"
	ipset -L $setname -n | awk 'BEGIN        {prnt=0;}; \
                                    /^Members:/  {prnt=1; next; }; \
                                    /^Bindings:/ {prnt=0; }; \
                                                 { if (prnt == 1) print "   ", $1; };'
    done
}

version_command() {
    local finished
    finished=0
    local all
    all=
    local product

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			a*)
			    all=Yes
			    option=${option#a}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    [ $# -gt 0 ] && usage 1

    if [ -n "$all" ]; then
	echo "shorewall-core: $(cat $g_sharedir/coreversion)"

	for product in shorewall shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
	    if [ -f ${SHAREDIR}/$product/version ]; then
		echo "$product: $(cat ${SHAREDIR}/$product/version)"
	    fi
	done
    else
	echo $SHOREWALL_VERSION
    fi
}

#
# Show Filter - For Shorewall[6]-lite, if there was an scfilter file at compile-time,
#               then the compiler generated another version of this function and
#               embedded it in the firewall.conf file. That version supersedes this
#               one.
#
show_connections_filter() {
    local filter
    local command
    local first

    command=${SHOREWALL_SHELL}

    filter=$(find_file scfilter)

    if [ -f $filter ]; then
	first=$(head -n1 $filter)

	case $first in
	    \#!*)
		command=${first#\#!}
		;;
	esac

	$command $filter
    else
	cat -
    fi
}

#
# Show Command Executor
#
show_command() {
    local finished
    finished=0
    local table
    table=filter
    local table_given
    table_given=

    show_macro() {
	foo=`grep 'This macro' $macro | sed 's/This macro //'`
	if [ -n "$foo" ]; then
	    macro=${macro#*.}
	    foo=${foo%.*}
	    if [ ${#macro} -gt 10 ]; then
		echo "   $macro  ${foo#\#}"
	    else
		$g_echo_e "   $macro  \t${foo#\#}"
	    fi
	fi
    }

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			v*)
			    VERBOSITY=$(($VERBOSITY + 1 ))
			    option=${option#v}
			    ;;
			x*)
			    g_ipt_options="-xnv"
			    option=${option#x}
			    ;;
			m*)
			    g_showmacs=Yes
			    option=${option#m}
			    ;;
			f*)
			    g_filemode=Yes
			    option=${option#f}
			    ;;
			t)
			    [ $# -eq 1 ] && usage 1

			    case $2 in
				mangle|nat|filter|raw|rawpost)
				    table=$2
				    table_given=Yes
				    ;;
				*)
				    fatal_error "Invalid table name ($s)"
				    ;;
			    esac

			    option=
			    shift
			    ;;
			l*)
			    g_ipt_options1="--line-numbers"
			    option=${option#l}
			    ;;
			c*)
			    g_routecache=Yes
			    option=${option#c}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    g_ipt_options="$g_ipt_options $g_ipt_options1"


    [ -n "$g_debugging" ] && set -x
    case "$1" in
	connections)
	    [ $# -gt 1 ] && usage 1

	    if [ $g_family -eq 4 ]; then
		if [ -d /proc/sys/net/netfilter/ ]; then
		    local count
		    local max
		    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
		    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
		    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
		else
		    echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
		fi

		echo

		if qt mywhich conntrack ; then
		    conntrack -f ipv${g_family} -L | show_connections_filter
		else
		    if [ -f /proc/net/ip_conntrack ]; then
			cat /proc/net/ip_conntrack | show_connections_filter
		    else
			grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
		    fi
	        fi
	    elif qt mywhich conntrack ; then
		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
		echo
		conntrack -f ipv6 -L | show_connections_filter
	    else
		local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
		local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
		echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
		echo
		grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
	    fi
	    ;;
	nat)
	    [ $# -gt 1 ] && usage 1
	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
	    echo
	    show_reset
	    $g_tool -t nat -L $g_ipt_options
	    ;;
	raw)
	    [ $# -gt 1 ] && usage 1
	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
	    echo
	    show_reset
	    $g_tool -t raw -L $g_ipt_options
	    ;;
	rawpost)
	    [ $# -gt 1 ] && usage 1
	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
	    echo
	    show_reset
	    $g_tool -t rawpost -L $g_ipt_options
	    ;;
	tos|mangle)
	    [ $# -gt 1 ] && usage 1
	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
	    echo
	    show_reset
	    $g_tool -t mangle -L $g_ipt_options
	    ;;
	log)
	    [ $# -gt 2 ] && usage 1

	    if [ -z "$LOGFILE" ]; then
		LOGFILE=/var/log/messages

		if [ -n "$(syslog_circular_buffer)" ]; then
		    g_logread="logread | tac"
		elif [ -r $LOGFILE ]; then
		    g_logread="tac $LOGFILE"
		else
		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
		    exit 2
		fi
	    fi

	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
	    echo
	    show_reset
	    host=$(echo $g_hostname | sed 's/\..*$//')

	    if [ $# -eq 2 ]; then
		search_log $2
	    else
		packet_log 20
	    fi
	    ;;
	tc)
	    [ $# -gt 2 ] && usage 1
	    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
	    echo
	    shift

	    if [ -z "$1" ]; then
		$g_tool -t mangle -L -n -v
		echo
	    fi

	    show_tc $1
	    ;;
	classifiers|filters)
	    [ $# -gt 1 ] && usage 1
	    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
	    echo
	    show_classifiers
	    ;;
	zones)
	    [ $# -gt 1 ] && usage 1
	    if [ -f ${VARDIR}/zones ]; then
		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
		echo
		while read zone type hosts; do
		    echo "$zone ($type)"
		    for host in $hosts; do
			case $host in
			    exclude)
				echo "  exclude:"
				;;
			    *)
				echo "   $host"
				;;
			esac
		    done
		done < ${VARDIR}/zones
		echo
	    else
		echo "   ERROR: ${VARDIR}/zones does not exist" >&2
		exit 1
	    fi
	    ;;
	capabilities)
	    [ $# -gt 1 ] && usage 1
	    determine_capabilities
	    VERBOSITY=2
	    if [ -n "$g_filemode" ]; then
		report_capabilities1
	    else
		report_capabilities
	    fi
	    ;;
	ip)
	    [ $# -gt 1 ] && usage 1
	    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
	    echo
	    ip -$g_family addr list
	    ;;
	routing)
	    [ $# -gt 1 ] && usage 1
	    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
	    echo
	    show_routing
	    ;;
	config)
	    . ${g_sharedir}/configpath
	    if [ -n "$g_filemode" ]; then
		echo "CONFIG_PATH=$CONFIG_PATH"
		echo "VARDIR=$VARDIR"
		echo "LIBEXEC=$g_libexec"
		echo "SBINDIR=$g_sbindir"
		echo "CONFDIR=${CONFDIR}"
		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
	    else
		echo "Default CONFIG_PATH is $CONFIG_PATH"
		echo "Default VARDIR is /var/lib/$g_program"
		echo "LIBEXEC is $g_libexec"
		echo "SBINDIR is $g_sbindir"
		echo "CONFDIR is ${CONFDIR}"
		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
	    fi
	    ;;
	chain)
	    shift
	    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
	    echo
	    show_reset
	    if [ $# -gt 0 ]; then
		for chain in $*; do
		    $g_tool -t $table -L $chain $g_ipt_options
		    echo
		done
	    else
		$g_tool -t $table -L $g_ipt_options
	    fi
	    ;;
	vardir)
	    echo $VARDIR;
	    ;;
	policies)
	    [ $# -gt 1 ] && usage 1
	    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
	    echo
	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
	    ;;
	ipa)
	    [ $g_family -eq 4 ] || usage 1
	    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
	    echo
	    [ $# -gt 1 ] && usage 1
	    perip_accounting
	    ;;
	marks)
	    [ $# -gt 1 ] && usage 1
	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
	    echo
	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
	    ;;
	*)
	    case "$g_program" in
		*-lite)
		    ;;
	    	*)
		    case $1 in
			actions)
			    [ $# -gt 1 ] && usage 1
			    echo "A_ACCEPT            # Audit and accept the connection"
			    echo "A_DROP              # Audit and drop the connection"
			    echo "A_REJECT            # Audit and reject the connection "
			    echo "allowBcast          # Silently Allow Broadcast/multicast"
			    echo "allowInvalid        # Accept packets that are in the INVALID conntrack state."
			    echo "allowinUPnP         # Allow UPnP inbound (to firewall) traffic"
			    echo "allowoutUPnP        # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
			    echo "dropBcast           # Silently Drop Broadcast/multicast"
			    echo "dropInvalid         # Silently Drop packets that are in the INVALID conntrack state"
			    echo "dropNotSyn          # Silently Drop Non-syn TCP packets"
			    echo "forwardUPnP         # Allow traffic that upnpd has redirected from"
			    echo "rejNotSyn           # Silently Reject Non-syn TCP packets"

			    if [ -f ${g_confdir}/actions ]; then
				cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
			    else
				grep -Ev '^\#|^$' ${g_sharedir}/actions.std
			    fi

			    return
			    ;;
			macro)
			    [ $# -ne 2 ] && usage 1
			    for directory in $(split $CONFIG_PATH); do
				if [ -f ${directory}/macro.$2 ]; then
				    echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
				    cat ${directory}/macro.$2
				    return
				fi
			    done
			    echo "   WARNING: Macro $2 not found" >&2
			    return
			    ;;
			macros)
			    [ $# -gt 1 ] && usage 1

			    for directory in $(split $CONFIG_PATH); do
				temp=
				for macro in ${directory}/macro.*; do
				    case $macro in
					*\*)
                                            ;;
					*)
				            if [ -z "$temp" ]; then
						echo
						echo "Macros in $directory:"
						echo
						temp=Yes
					    fi
					    show_macro
					    ;;
				    esac
				done
			    done
			    return
			    ;;
		    esac
		    ;;
	    esac

	    if [ $# -gt 0 ]; then
		if [ $1 = dynamic -a $# -gt 1 ]; then
		    shift
		    [ $# -eq 1 ] || usage 1
		    list_zone $1
		    return;
                fi

		[ -n "$table_given" ] || for chain in $*; do
		    if ! qt $g_tool -t $table -L $chain $g_ipt_options; then
			error_message "ERROR: Chain '$chain' is not recognized by $g_tool."
			exit 1
		    fi
		done

		echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
		echo
		show_reset
		for chain in $*; do
		    $g_tool -t $table -L $chain $g_ipt_options
		    echo
		done
	    else
		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
		echo
		show_reset
		$g_tool -t $table -L $g_ipt_options
	    fi
	    ;;
    esac
}

perip_accounting() {
    if qt mywhich iptaccount; then
	local hnames
	local hname

	hnames=$(iptaccount -a | grep '^Found table:' | cut -d ' ' -f 3)

	if [ -n "$hnames" ]; then
	    for hname in $hnames; do
		iptaccount -l $hname | egrep '^IP:|^Show'
		echo
	    done
	else
	    echo "   No IP Accounting Tables Defined"
	    echo
	fi
    else
	echo "   iptaccount is not installed"
    fi
}

#
# Dump Filter - For Shorewall-lite, if there was a dumpfilter file at compile-time,
#               then the compiler generated another version of this function and
#               embedded it in the firewall.conf file. That version supersedes this
#               one.
#
dump_filter() {
    local filter
    local command
    local first

    command=${SHOREWALL_SHELL}

    filter=$(find_file dumpfilter)

    if [ -f $filter ]; then
	first=$(head -n1 $filter)

	case $first in
	    \#!*)
		command=${first#\#!}
		;;
	esac

	$command $filter
    else
	cat -
    fi
}

#
# Dump Command Executor
#
do_dump_command() {
    local finished
    finished=0

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			x*)
			    g_ipt_options="-xnv"
			    option=${option#x}
			    ;;
			m*)
			    g_showmacs=Yes
			    option=${option#m}
			    ;;
			l*)
			    g_ipt_options1="--line-numbers"
			    option=${option#l}
			    ;;
			c*)
			    g_routecache=Yes
			    option=${option#c}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    if [ -z "$LOGFILE" ]; then
	LOGFILE=/var/log/messages

	if [ -n "$(syslog_circular_buffer)" ]; then
	    g_logread="logread | tac"
	elif [ -r $LOGFILE ]; then
	    g_logread="tac $LOGFILE"
	else
	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
	    exit 2
	fi
    fi

    g_ipt_options="$g_ipt_options $g_ipt_options1"

    [ $VERBOSITY -lt 2 ] && VERBOSITY=2

    [ -n "$g_debugging" ] && set -x
    [ $# -eq 0 ] || usage 1
    clear_term
    echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
    echo

    if [ $g_family -eq 6 ] && [ -f ${SHAREDIR}/shorewall/version ]; then
	echo "   Shorewall $(cat ${SHAREDIR}/shorewall/version)"
	echo
    fi
    show_status
    show_reset
    host=$(echo $g_hostname | sed 's/\..*$//')
    $g_tool -L $g_ipt_options

    heading "Log ($LOGFILE)"
    packet_log 20

    if qt $g_tool -t nat -L -n; then
	heading "NAT Table"
	$g_tool -t nat -L $g_ipt_options
    fi

    if qt $g_tool -t mangle -L -n; then
	heading "Mangle Table"
	$g_tool -t mangle -L $g_ipt_options
    fi

    if qt $g_tool -t raw -L -n; then
	heading "Raw Table"
	$g_tool -t raw -L $g_ipt_options
    fi

    if qt $g_tool -t rawpost -L -n; then
	heading "Rawpost Table"
	$g_tool -t rawpost -L $g_ipt_options
    fi

    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)

    heading "Conntrack Table ($count out of $max)"

    if [ $g_family -eq 4 ]; then
    	[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
    else
	grep '^ipv6' /proc/net/nf_conntrack
    fi

    heading "IP Configuration"
    ip -$g_family addr list

    heading "IP Stats"
    ip -stat link list

    if qt mywhich brctl; then
	heading "Bridges"
	brctl show
    fi

    if [ $g_family -eq 4 ]; then
	heading "Per-IP Counters"

	perip_accounting
    fi

    if qt mywhich setkey; then
	heading "PFKEY SPD"
	setkey -DP
	heading "PFKEY SAD"
	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys
    fi

    heading "/proc"
    show_proc /proc/version

    if [ $g_family -eq 4 ]; then
	show_proc /proc/sys/net/ipv4/ip_forward
	show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all

	for directory in /proc/sys/net/ipv4/conf/*; do
	    for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do
		show_proc $directory/$file
	    done
	done
    else
	for directory in /proc/sys/net/ipv6/conf/*; do
	    for file in forwarding proxy_ra proxy_ndp; do
		show_proc $directory/$file
	    done
	done
    fi

    show_routing

    if [ $g_family -eq 4 ]; then
	heading "ARP"
	arp -na
    else
	heading "Neighbors"
	ip -6 neigh ls
    fi

    if qt mywhich lsmod; then
	heading "Modules"

	if [ $g_family -eq 4 ]; then
	    lsmod | grep -E '^(ip_|ipt_|iptable_|nf_|xt_)' | sort
	else
	    lsmod | grep -E '^(x_|ip6|nf_|xt_)' | sort
	fi
    fi

    determine_capabilities
    echo
    report_capabilities

    echo

    if qt netstat -4; then
	netstat -${g_family}tunap
    else
	netstat -tunap
    fi

    if [ -n "$TC_ENABLED" ]; then
	heading "Traffic Control"
	show_tc
	heading "TC Filters"
	show_classifiers
	fi
}

dump_command() {
    do_dump_command | dump_filter
}

#
# Restore Comand Executor
#
restore_command() {
    local finished
    finished=0

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			n*)
			    g_noroutes=Yes
			    option=${option#n}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    case $# in
    0)
	;;
    1)
	RESTOREFILE="$1"
	validate_restorefile '<restore file>'
	;;
    *)
	usage 1
	;;
    esac

    if [ -z "$STARTUP_ENABLED" ]; then
	error_message "ERROR: Startup is disabled"
	exit 2
    fi

    g_restorepath=${VARDIR}/$RESTOREFILE

    [ -n "$g_nolock" ] || mutex_on

    if [ -x $g_restorepath ]; then
	progress_message3 "Restoring $g_product..."

	run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"

	[ -n "$g_nolock" ] || mutex_off
    else
	echo "File $g_restorepath: file not found"
	[ -n "$g_nolock" ] || mutex_off
	exit 2
    fi
}

#
# Display the time that the counters were last reset
#
show_reset() {
    [ -f ${VARDIR}/restarted ] && \
	echo "Counters reset $(cat ${VARDIR}/restarted)" && \
	echo
}

#
# Display's the passed file name followed by "=" and the file's contents.
#
show_proc() # $1 = name of a file
{
    [ -f $1 ] && echo "   $1 = $(cat $1)"
}

read_yesno_with_timeout() {
    local timeout
    timeout=${1:-60}

    case $timeout in
	*s)
	    ;;
	*m)
	    timeout=$((${timeout%m} * 60))
	    ;;
	*h)
	    timeout=$((${timeout%h} * 3600))
	    ;;
    esac

    read -t $timeout yn 2> /dev/null
    if [ $? -eq 2 ]
    then
	# read doesn't support timeout
	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
	return $?
    else
	# read supports timeout
	case "$yn" in
	    y|Y)
		return 0
		;;
	    *)
		return 1
		;;
	esac
    fi
}

#
# Print a heading with leading and trailing black lines
#
heading() {
    echo
    echo "$@"
    echo
}

#
# Create the appropriate -q option to pass onward
#
make_verbose() {
    local v
    v=$g_verbose_offset
    local option
    option=-

    if [ -n "$g_use_verbosity" ]; then
	echo "-v$g_use_verbosity"
    elif [ $g_verbose_offset -gt 0 ]; then
	while [ $v -gt 0 ]; do
	    option="${option}v"
	    v=$(($v - 1))
	done

	echo $option
    elif [ $g_verbose_offset -lt 0 ]; then
	while [ $v -lt 0 ]; do
	    option="${option}q"
	    v=$(($v + 1))
	done

	echo $option
    fi
}

#
# Executor for drop,reject,... commands
#
block() # $1 = command, $2 = Finished, $3 - $n addresses
{
    local chain
    chain=$1
    local finished
    finished=$2
    local which
    which='-s'
    local range
    range='--src-range'

    if ! chain_exists dynamic; then
	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
	[ -n "$g_nolock" ] || mutex_off
	exit 2
    fi

    shift 3

    while [ $# -gt 0 ]; do
	case $1 in
	    from)
		which='-s'
		range='--src-range'
		shift
		continue
		;;
	    to)
		which='-d'
		range='--dst-range'
		shift
		continue
		;;
	    *-*)
		qt $g_tool -D dynamic -m iprange $range $1 -j reject
		qt $g_tool -D dynamic -m iprange $range  $1 -j DROP
		qt $g_tool -D dynamic -m iprange $range $1 -j logreject
		qt $g_tool -D dynamic -m iprange $range $1 -j logdrop
		$g_tool -A dynamic -m iprange $range $1 -j $chain || break 1
		;;
	    *)
		qt $g_tool -D dynamic $which $1 -j reject
		qt $g_tool -D dynamic $which $1 -j DROP
		qt $g_tool -D dynamic $which $1 -j logreject
		qt $g_tool -D dynamic $which $1 -j logdrop
		$g_tool -A dynamic $which $1 -j $chain || break 1
		;;
	esac

	echo "$1 $finished"
	shift
    done
}

#
# Replace commas with spaces and echo the result
#
separate_list() {
    local list
    list="$@"
    local part
    local newlist
    local firstpart
    local lastpart
    local enclosure

    case "$list" in
	*,|,*|*,,*|*[[:space:]]*)
	    #
	    # There's been whining about us not catching embedded white space in
	    # comma-separated lists. This is an attempt to snag some of the cases.
	    #
            echo "WARNING -- invalid comma-separated list \"$@\"" >&2
	    ;;
	*\[*\]*)
	    #
	    # Where we need to embed comma-separated lists within lists, we enclose them
	    # within square brackets.
	    #
	    firstpart=${list%%\[*}
	    lastpart=${list#*\[}
	    enclosure=${lastpart%%\]*}
	    lastpart=${lastpart#*\]}
	    case $lastpart in
		\,*)
		    case $firstpart in
			*\,)
			    echo "$(separate_list ${firstpart%,}) [$enclosure] $(separate_list ${lastpart#,})"
			    ;;
			*)
			    echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
			    ;;
		    esac
		    ;;
		*)
		    case $firstpart in
			*\,)
			    echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)"
			    ;;
			*)
			    echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
			    ;;
		    esac
		    ;;
	    esac
	    return
	    ;;
    esac

    list="$@"
    part="${list%%,*}"
    newlist="$part"

    while [ "x$part" != "x$list" ]; do
	list="${list#*,}";
	part="${list%%,*}";
	newlist="$newlist $part";
    done

    echo "$newlist"
}

#
# add command executor
#
add_command() {
    local interface host hostlist zone ipset
    if ! product_is_started ; then
	echo "$g_product Not Started" >&2
	exit 2
    fi

    case "$IPSET" in
	*/*)
	    ;;
	*)
	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
	    ;;
    esac
    #
    # Normalize host list
    #
    while [ $# -gt 1 ]; do
	interface=${1%%:*}
	host=${1#*:}
	[ "$host" = "$1" ] && host=

	if [ -z "$host" ]; then
	    if [ $g_family -eq 4 ]; then
	        hostlist="$hostlist $interface:0.0.0.0/0"
	    else
		hostlist="$hostlist $interface:::/0"
	    fi
	else
	    for h in $(separate_list $host); do
		hostlist="$hostlist $interface:$h"
	    done
	fi

	shift
    done

    zone=$1

    for host in $hostlist; do
	if [ $g_family -eq 4 ]; then
	    interface=${host%:*}
	    ipset=${zone}_${interface};
	else
	    interface=${host%%:*}
	    ipset=6_${zone}_${interface};
	fi

	if ! qt $IPSET -L $ipset -n; then
	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
	fi

	host=${host#*:}

	if $IPSET -A $ipset $host; then
	    echo "Host $interface:$host added to zone $zone"
	else
	    fatal_error "Unable to add $interface:$host to zone $zone"
	fi
    done

}

#
# delete command executor
#
delete_command() {
    local interface host hostent hostlist zone ipset
    if ! product_is_started ; then
	echo "$g_product Not Started" >&2
	exit 2;
    fi

    case "$IPSET" in
	*/*)
	    ;;
	*)
	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
	    ;;
    esac

    #
    # Normalize host list
    #
    while [ $# -gt 1 ]; do
	interface=${1%%:*}
	host=${1#*:}
	[ "$host" = "$1" ] && host=

	if [ -z "$host" ]; then
	    if [ $g_family -eq 4 ]; then
		hostlist="$hostlist $interface:0.0.0.0/0"
	    else
		hostlist="$hostlist $interface:::/0"
	    fi
	else
	    for h in $(separate_list $host); do
		hostlist="$hostlist $interface:$h"
	    done
	fi

	shift
    done

    zone=$1

    for hostent in $hostlist; do
	if [ $g_family -eq 4 ]; then
	    interface=${hostent%:*}
	    ipset=${zone}_${interface};
	else
	    interface=${hostent%%:*}
	    ipset=6_${zone}_${interface};
	fi

	if ! qt $IPSET -L $ipset -n; then
	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
	fi

	host=${hostent#*:}

	if $IPSET -D $ipset $host; then
	    echo "Host $hostent deleted from zone $zone"
	else
	    echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
	fi
    done

}

#
# 'hits' commmand executor
#
hits_command() {
    local finished
    finished=0
    local today
    today=

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			t*)
			    today=$(date +'^%b %_d.*')
			    option=${option#t}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    [ $# -eq 0 ] || usage 1

    clear_term
    echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
    echo

    timeout=30

    if $g_logread | grep -q "${today}IN=.* OUT=" ; then
	echo "   HITS IP	        DATE"
	echo "   ---- --------------- ------"
	$g_logread | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn | while read count address month day; do
	    printf '%7d %-15s %3s %2d\n' $count $address $month $day
	done

	echo ""

	echo "   HITS IP	        PORT"
	echo "   ---- --------------- -----"
	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
						t
						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
	    [ -z "$port" ] && port=0
	    printf '%7d %-15s %d\n' $count $address $port
	done

	echo ""

	echo "   HITS DATE"
	echo "   ---- ------"
	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do
	    printf '%7d %3s %2d\n' $count $month $day
	done

	echo ""

	echo "   HITS  PORT SERVICE(S)"
	echo "   ---- ----- ----------"
	$g_logread | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do
	    # List all services defined for the given port
	    srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u)
	    srv=$(echo $srv | sed 's/ /,/g')

	    if [ -n "$srv" ] ; then
		printf '%7d %5d %s\n' $count $port $srv
	    else
		printf '%7d %5d\n' $count $port
	    fi
	done
    fi
}

#
# 'allow' command executor
#
allow_command() {
    [ -n "$g_debugging" ] && set -x
    [ $# -eq 1 ] && usage 1
    if product_is_started ; then
	local which
	which='-s'
	local range
	range='--src-range'

	if ! chain_exists dynamic; then
	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
	    exit 2
	fi

	[ -n "$g_nolock" ] || mutex_on
	while [ $# -gt 1 ]; do
	    shift
	    case $1 in
		from)
		    which='-s'
		    range='--src-range'
		    continue
		    ;;
		to)
		    which='-d'
		    range='--dst-range'
		    continue
		    ;;
		*-*)
		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
			then
			echo "$1 Allowed"
		    else
			echo "$1 Not Dropped or Rejected"
		    fi
		    ;;
		*)
		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
			qt $g_tool -D dynamic $which $1 -j DROP      ||\
			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
			qt $g_tool -D dynamic $which $1 -j logreject
			then
			echo "$1 Allowed"
		    else
			echo "$1 Not Dropped or Rejected"
		    fi
		    ;;
	    esac
	done
	[ -n "$g_nolock" ] || mutex_off
    else
	error_message "ERROR: $g_product is not started"
	exit 2
    fi
}

#
# 'logwatch' command executor
#
logwatch_command() {
    shift

    finished=0

    while [ $finished -eq 0 -a $# -ne 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		[ -z "$option" ] && usage 1

		while [ -n "$option" ]; do
		    case $option in
			v*)
			    VERBOSITY=$(($VERBOSITY + 1 ))
			    option=${option#v}
			    ;;
			q*)
			    VERBOSITY=$(($VERBOSITY - 1 ))
			    option=${option#q}
			    ;;
			m*)
			    g_showmacs=Yes
			    option=${option#m}
			    ;;
			-)
			    finished=1
			    option=
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    [ -n "$g_debugging" ] && set -x

    if [ $# -eq 1 ]; then
	logwatch $1
    elif [ $# -eq 0 ]; then
	logwatch 30
    else
	usage 1
    fi
}

#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {

    local tool
    local chain
    local chain1

    if [ -z "$g_tool" ]; then
	[ $g_family -eq 4 ] && tool=iptables || tool=ip6tables

	g_tool=$(mywhich $tool)

	if [ -z "$g_tool" ]; then
	    echo "   ERROR: No executable $tool binary can be found on your PATH" >&2
	    exit 1
	fi
    fi

    qt $g_tool -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
    qt $g_tool -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=

    [ "$IP" = ip -o -z "$IP" ] && IP=$(which ip)

    [ -n "$IP" -a -x "$IP" ] || IP=

    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)

    [ -n "$TC" -a -x "$TC" ] || TC=

    CONNTRACK_MATCH=
    NEW_CONNTRACK_MATCH=
    OLD_CONNTRACK_MATCH=
    MULTIPORT=
    XMULTIPORT=
    POLICY_MATCH=
    PHYSDEV_MATCH=
    PHYSDEV_BRIDGE=
    IPRANGE_MATCH=
    RECENT_MATCH=
    OWNER_MATCH=
    OWNER_NAME_MATCH=
    IPSET_MATCH=
    OLD_IPSET_MATCH=
    IPSET_V5=
    CONNMARK=
    XCONNMARK=
    CONNMARK_MATCH=
    XCONNMARK_MATCH=
    RAW_TABLE=
    RAWPOST_TABLE=
    IPP2P_MATCH=
    OLD_IPP2P_MATCH=
    LENGTH_MATCH=
    CLASSIFY_TARGET=
    ENHANCED_REJECT=
    USEPKTTYPE=
    KLUDGEFREE=
    MARK=
    XMARK=
    EXMARK=
    TPROXY_TARGET=
    MANGLE_FORWARD=
    COMMENTS=
    ADDRTYPE=
    TCPMSS_MATCH=
    HASHLIMIT_MATCH=
    NFQUEUE_TARGET=
    REALM_MATCH=
    HELPER_MATCH=
    CONNLIMIT_MATCH=
    TIME_MATCH=
    GOTO_TARGET=
    LOGMARK_TARGET=
    IPMARK_TARGET=
    LOG_TARGET=Yes
    ULOG_TARGET=
    NFLOG_TARGET=
    PERSISTENT_SNAT=
    FLOW_FILTER=
    FWMARK_RT_MASK=
    MARK_ANYWHERE=
    HEADER_MATCH=
    ACCOUNT_TARGET=
    AUDIT_TARGET=
    CONDITION_MATCH=
    IPTABLES_S=
    BASIC_FILTER=
    CT_TARGET=
    STATISTIC_MATCH=
    IMQ_TARGET=
    DSCP_MATCH=
    DSCP_TARGET=

    chain=fooX$$

    if [ -n "$NAT_ENABLED" ]; then
	if qt $g_tool -t nat -N $chain; then
	    if [ $g_family -eq 4 ]; then
		qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
	    fi
	    qt $g_tool -t nat -F $chain
	    qt $g_tool -t nat -X $chain
	fi
    fi

    qt $g_tool -F $chain
    qt $g_tool -X $chain
    if ! $g_tool -N $chain; then
	echo "   ERROR: The command \"$g_tool -N $chain\" failed" >&2
	exit 1
    fi

    chain1=${chain}1

    qt $g_tool -F $chain1
    qt $g_tool -X $chain1
    if ! $g_tool -N $chain1; then
	qt $g_tool -X $CHAIN
	echo "   ERROR: The command \"$g_tool -N $chain1\" failed" >&2
	exit 1
    fi

    if ! qt $g_tool -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT &&
       ! qt $g_tool -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; then
	qt $g_tool -x $chain
	qt $g_tool -x $chain1
	echo "   ERROR: Your kernel lacks connection tracking and/or state matching -- $g_product will not run on this system" >&2
	exit 1
    fi

    if [ $g_family -eq 4 ]; then
	qt $g_tool -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
    else
	qt $g_tool -A $chain -m conntrack --ctorigdst ::1 -j ACCEPT && CONNTRACK_MATCH=Yes
    fi

    if [ -n "$CONNTRACK_MATCH" ]; then
	qt $g_tool -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes

	if [ $g_family -eq 4 ]; then
	    qt $g_tool -A $chain -m conntrack ! --ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes
	else
	    qt $g_tool -A $chain -m conntrack ! --ctorigdst ::1 || OLD_CONNTRACK_MATCH=Yes
	fi
    fi

    if qt $g_tool -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
	MULTIPORT=Yes
	qt $g_tool -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
    fi

    qt $g_tool -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT           && XMULTIPORT=Yes
    qt $g_tool -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes

    if qt $g_tool -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
	PHYSDEV_MATCH=Yes
	qt $g_tool -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
	if [ -z "${KLUDGEFREE}" ]; then
	    qt $g_tool -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
	fi
    fi

    if [ $g_family -eq 4 ]; then
	if qt $g_tool -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
	    IPRANGE_MATCH=Yes
	    if [ -z "${KLUDGEFREE}" ]; then
		qt $g_tool -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
	    fi
	fi
    elif qt $g_tool -A $chain -m iprange --src-range ::1-::2 -j ACCEPT; then
	IPRANGE_MATCH=Yes
	if [ -z "${KLUDGEFREE}" ]; then
	    qt $g_tool -A $chain -m iprange --src-range ::1-::2 -m iprange --dst-range ::1-::2 -j ACCEPT && KLUDGEFREE=Yes
	fi
    fi

    qt $g_tool -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
    qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes

    local name
    name=$(id -un 2> /dev/null)

    [ -n "$name" ] && qt $g_tool -A $chain -m owner --uid-owner $name -j ACCEPT && OWNER_NAME_MATCH=Yes

    if qt $g_tool -A $chain -m connmark --mark 2  -j ACCEPT; then
	CONNMARK_MATCH=Yes
	qt $g_tool -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
    fi

    qt $g_tool -A $chain -p tcp -m ipp2p --edk -j ACCEPT       && IPP2P_MATCH=Yes
    if [ -n "$IPP2P_MATCH" ]; then
	qt $g_tool -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
    fi

    qt $g_tool -A $chain -m length --length 10:20 -j ACCEPT    && LENGTH_MATCH=Yes

    if [ $g_family -eq 4 ]; then
        qt $g_tool -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
    else
	qt $g_tool -A $chain -j REJECT --reject-with icmp6-adm-prohibited && ENHANCED_REJECT=Yes
    fi

    qt $g_tool -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes

    if [ -n "$MANGLE_ENABLED" ]; then
	qt $g_tool -t mangle -N $chain

	if qt $g_tool -t mangle -A $chain -j MARK --set-mark 1; then
	    MARK=Yes
	    qt $g_tool -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
	    qt $g_tool -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
	fi

	if qt $g_tool -t mangle -A $chain -j CONNMARK --save-mark; then
	    CONNMARK=Yes
	    qt $g_tool -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
	fi

	qt $g_tool -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
	qt $g_tool -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
	qt $g_tool -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes

	qt $g_tool -t mangle -F $chain
	qt $g_tool -t mangle -X $chain

	qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
    fi

    qt $g_tool -t raw	    -L -n && RAW_TABLE=Yes
    qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes

    if [ -n "$RAW_TABLE" ]; then
	qt $g_tool -t raw -N $chain
	qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes
	qt $g_tool -t raw -N $chain
	qt $g_tool -t raw -F $chain
	qt $g_tool -t raw -X $chain
    fi

    if qt mywhich ipset; then
	qt ipset -X $chain # Just in case something went wrong the last time

	local have_ipset

	if [ $g_family -eq 4 ]; then
	    if qt ipset -N $chain hash:ip family inet; then
		IPSET_V5=Yes
		have_ipset=Yes
	    elif qt ipset -N $chain iphash ; then
		have_ipset=Yes
	    fi

	    if [ -n "$have_ipset" ]; then
		if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
		    qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
		    IPSET_MATCH=Yes
		elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
		    qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
		    IPSET_MATCH=Yes
		    OLD_IPSET_MATCH=Yes
		fi
		qt ipset -X $chain
	    fi
	elif qt ipset -N $chain hash:ip family inet6; then
	    IPSET_V5=Yes
	    if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
		qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
		IPSET_MATCH=Yes
	    elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
		qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
		IPSET_MATCH=Yes
		OLD_IPSET_MATCH=Yes
	    fi
	    qt ipset -X $chain
	fi
    fi

    qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
    qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
    qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
    qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
    if [ -z "$HASHLIMIT_MATCH" ]; then
	qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
	HASHLIMIT_MATCH=$OLD_HL_MATCH
    fi
    qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
    qt $g_tool -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
    qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
    qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
    qt $g_tool -A $chain -j LOG || LOG_TARGET=
    qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes

    if [ $g_family -eq 4 ]; then
	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
    else
	qt $g_tool -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
	qt $g_tool -A $chain -j ACCOUNT --addr ::1/122 --tname $chain && ACCOUNT_TARGET=Yes
    fi

    qt $g_tool -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
    qt $g_tool -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
    qt $g_tool -S INPUT && IPTABLES_S=Yes
    qt $g_tool -F $chain
    qt $g_tool -X $chain
    qt $g_tool -F $chain1
    qt $g_tool -X $chain1

    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
    [ -n "$TC" ] && $TC filter add basic help 2>&1 | grep -q ^Usage && BASIC_FILTER=Yes
    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes

    CAPVERSION=$SHOREWALL_CAPVERSION

    KERNELVERSION=$(uname -r 2> /dev/null | sed -e 's/-.*//')

    case "$KERNELVERSION" in
	*.*.*)
	    KERNELVERSION=$(printf "%d%02d%02d" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
	    ;;
	*)
	    KERNELVERSION=$(printf "%d%02d00" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
	    ;;
    esac
}

report_capabilities() {
    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
    {
	local setting
	setting=

	[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"

	echo "  " $1: $setting
    }

    if [ $VERBOSITY -gt 1 ]; then
	echo "$g_product has detected the following iptables/netfilter capabilities:"
	report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
	report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
	report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
	report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
	if [ -n "$CONNTRACK_MATCH" ]; then
	    report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
	    [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
	fi
	report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
	report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
	report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
	report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
	report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
	report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
	report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
	report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
	report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
	if [ -n "$IPSET_MATCH" ]; then
	    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH
	fi
	report_capability "CONNMARK Target (CONNMARK)" $CONNMARK
	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK
	report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
	report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
	report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
	report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
	report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
	report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT
	report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE
	report_capability "MARK Target (MARK)" $MARK
	[ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK
	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK
	report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD
	report_capability "Comments (COMMENTS)" $COMMENTS
	report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE
	report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH
	report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH
	[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH
	report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET
	report_capability "Realm Match (REALM_MATCH)" $REALM_MATCH
	report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH
	report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH
	report_capability "Time Match (TIME_MATCH)" $TIME_MATCH
	report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET
	report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET
	report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET
	report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET
	report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET
	report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET
	report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT
	report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET
	report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER
	report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK
	report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE
	report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH
        report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET
	report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
	report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
	report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
	report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
	report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET

	if [ $g_family -eq 4 ]; then
	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
	else
	    report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
	fi

	report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
	report_capability "CT Target (CT_TARGET)" $CT_TARGET
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=

}

report_capabilities1() {
    report_capability1() # $1 = Capability
    {
	eval echo $1=\$$1
    }

    echo "#"
    echo "# $g_product $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)"
    echo "#"
    report_capability1 NAT_ENABLED
    report_capability1 MANGLE_ENABLED
    report_capability1 MULTIPORT
    report_capability1 XMULTIPORT
    report_capability1 CONNTRACK_MATCH
    report_capability1 NEW_CONNTRACK_MATCH
    report_capability1 OLD_CONNTRACK_MATCH
    report_capability1 USEPKTTYPE
    report_capability1 POLICY_MATCH
    report_capability1 PHYSDEV_MATCH
    report_capability1 PHYSDEV_BRIDGE
    report_capability1 LENGTH_MATCH
    report_capability1 IPRANGE_MATCH
    report_capability1 RECENT_MATCH
    report_capability1 OWNER_MATCH
    report_capability1 OWNER_NAME_MATCH
    report_capability1 IPSET_MATCH
    report_capability1 OLD_IPSET_MATCH
    report_capability1 CONNMARK
    report_capability1 XCONNMARK
    report_capability1 CONNMARK_MATCH
    report_capability1 XCONNMARK_MATCH
    report_capability1 RAW_TABLE
    report_capability1 RAWPOST_TABLE
    report_capability1 IPP2P_MATCH
    report_capability1 OLD_IPP2P_MATCH
    report_capability1 CLASSIFY_TARGET
    report_capability1 ENHANCED_REJECT
    report_capability1 KLUDGEFREE
    report_capability1 MARK
    report_capability1 XMARK
    report_capability1 EXMARK
    report_capability1 MANGLE_FORWARD
    report_capability1 COMMENTS
    report_capability1 ADDRTYPE
    report_capability1 TCPMSS_MATCH
    report_capability1 HASHLIMIT_MATCH
    report_capability1 OLD_HL_MATCH
    report_capability1 NFQUEUE_TARGET
    report_capability1 REALM_MATCH
    report_capability1 HELPER_MATCH
    report_capability1 CONNLIMIT_MATCH
    report_capability1 TIME_MATCH
    report_capability1 GOTO_TARGET
    report_capability1 LOGMARK_TARGET
    report_capability1 IPMARK_TARGET
    report_capability1 LOG_TARGET
    report_capability1 ULOG_TARGET
    report_capability1 NFLOG_TARGET
    report_capability1 PERSISTENT_SNAT
    report_capability1 TPROXY_TARGET
    report_capability1 FLOW_FILTER
    report_capability1 FWMARK_RT_MASK
    report_capability1 MARK_ANYWHERE
    report_capability1 HEADER_MATCH
    report_capability1 ACCOUNT_TARGET
    report_capability1 AUDIT_TARGET
    report_capability1 IPSET_V5
    report_capability1 CONDITION_MATCH
    report_capability1 IPTABLES_S
    report_capability1 BASIC_FILTER
    report_capability1 CT_TARGET
    report_capability1 STATISTIC_MATCH
    report_capability1 IMQ_TARGET
    report_capability1 DSCP_MATCH
    report_capability1 DSCP_TARGET

    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
}

show_status() {
    if product_is_started ; then
	echo "$g_product is running"
	status=0
    else
	echo "$g_product is stopped"
	status=4
    fi

    if [ -f ${VARDIR}/state ]; then
	state="$(cat ${VARDIR}/state)"
	case $state in
	    Stopped*|Closed*|Clear*)
		status=3
		;;
	esac
    else
	state=Unknown
    fi
    echo "State:$state"
}

status_command() {
    echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
    echo
    show_status
    echo
    exit $status
}

drop_command() {
    if product_is_started ; then
	if ! chain_exists dynamic; then
	    echo "Dynamic blacklisting is not supported in the current $g_product configuration"
	    exit 2
	fi

	[ -n "$g_nolock" ] || mutex_on
	block DROP Dropped $*
	[ -n "$g_nolock" ] || mutex_off
    else
	fatal_error "$g_product is not started"
    fi
}

logdrop_command() {
    if product_is_started ; then
	if ! chain_exists dynamic; then
	    echo "Dynamic blacklisting is not supported in the current $g_product configuration"
	    exit 2
	fi

	[ -n "$g_nolock" ] || mutex_on
	block logdrop Dropped $*
	[ -n "$g_nolock" ] || mutex_off
    else
	fatal_error "$g_product is not started"
    fi
}

reject_command() {
    if product_is_started ; then
	[ -n "$g_nolock" ] || mutex_on
	block $1 Rejected $*
	[ -n "$g_nolock" ] || mutex_off
    else
	fatal_error "$g_product is not started"
    fi
}

save_command() {
    case $# in
	1)
	    ;;
	2)
	    RESTOREFILE="$2"
	    validate_restorefile '<restore file>'
	    ;;
	*)
	    usage 1
	    ;;
	esac

    g_restorepath=${VARDIR}/$RESTOREFILE

    [ -n "$g_nolock" ] || mutex_on

    save_config

    result=$?

    [ -n "$g_nolock" ] || mutex_off

    exit $result
}

forget_command() {
    case $# in
	1)
	    ;;
	2)
	    RESTOREFILE="$2"
	    validate_restorefile '<restore file>'
	    ;;
	*)
	    usage 1
	    ;;
    esac

    g_restorepath=${VARDIR}/$RESTOREFILE

    if [ -x $g_restorepath ]; then
	rm -f $g_restorepath
	rm -f ${g_restorepath}-iptables
	rm -f ${g_restorepath}-ipsets
	echo "    $g_restorepath removed"
    elif [ -f $g_restorepath ]; then
	echo "   $g_restorepath exists and is not a saved $g_product configuration"
    fi
    rm -f ${VARDIR}/save
}

ipcalc_command() {
    local address
    local vlsm

    [ $g_family -eq 6 ] && usage 1

    if [ $# -eq 2 ]; then
	address=${2%/*}
	vlsm=${2#*/}
    elif [ $# -eq 3 ]; then
	address=$2
	vlsm=$(ip_vlsm $3)
    else
	usage 1
    fi

    valid_address $address || fatal_error "Invalid IP address: $address"
    [ -z "$vlsm" ] && usage 2
    [ "x$address" = "x$vlsm" ] && usage 2
    [ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2

    address=$address/$vlsm

    echo "   CIDR=$address"
    temp=$(ip_netmask $address);       echo "   NETMASK=$(encodeaddr $temp)"
    temp=$(ip_network $address);       echo "   NETWORK=$temp"
    temp=$(broadcastaddress $address); echo "   BROADCAST=$temp"
}

iprange_command() {
    local range

    [ $g_family -eq 6 ] && usage 1

    range=''

    while [ $# -gt 0 ]; do
	shift
	range="${range}${1}"
    done

    case $range in
	*.*.*.*-*.*.*.*)
	    for address in ${range%-*} ${range#*-}; do
		valid_address $address || fatal_error "Invalid IP address: $address"
	    done

	    ip_range $range
	    ;;
	*)
	    usage 1
	    ;;
    esac
}

ipdecimal_command() {
    [ $# -eq 2 ] || usage 1

    [ $g_family -eq 6 ] && usage 1

    case $2 in
	*.*.*.*)
	    valid_address $2 || fatal_error "Invalid IP address: $2"
	    echo "   $(decodeaddr $2)"
	    ;;
	*)
	    echo "   $(encodeaddr $2)"
	    ;;
    esac
}

iptrace_command() {
    if product_is_started ; then
	$g_tool -t raw -A PREROUTING $@ -j TRACE
	$g_tool -t raw -A OUTPUT $@ -j TRACE
    else
	fatal_error "$g_product is not started"
    fi
}

noiptrace_command() {
    if product_is_started ; then
	$g_tool -t raw -D PREROUTING $@ -j TRACE
	$g_tool -t raw -D OUTPUT $@ -j TRACE
    else
	fatal_error "$g_product is not started"
    fi
}
#
# Set the configuration variables from shorewall-lite.conf
#
get_config() {

    ensure_config_path

    config=$(find_file ${g_program}.conf)

    if [ -f $config ]; then
	if [ -r $config ]; then
	    . $config
	else
	    echo "Cannot read $config! (Hint: Are you root?)" >&2
	    exit 1
	fi
    else
	echo "$config does not exist!" >&2
	exit 2
    fi

    ensure_config_path

    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf

    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages

    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
	g_logread="logread | tac"
    elif [ -r $LOGFILE ]; then
	g_logread="tac $LOGFILE"
    else
	echo "LOGFILE ($LOGFILE) does not exist!" >&2
	exit 2
    fi
    #
    # See if we have a real version of "tail" -- use separate redirection so
    # that ash (aka /bin/sh on LRP) doesn't crap
    #
    if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then
	realtail="Yes"
    else
	realtail=""
    fi

    [ -n "$FW" ] || FW=fw

    if [ $g_family -eq 4 ]; then
	if [ -n "$IPTABLES" ]; then
	    if [ ! -x "$IPTABLES" ]; then
		echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
		exit 2
	    fi
	else
	    IPTABLES=$(mywhich iptables 2> /dev/null)
	    if [ -z "$IPTABLES" ] ; then
		echo "   ERROR: Can't find iptables executable" >&2
		exit 2
	    fi
	fi

	g_tool=$IPTABLES
    else
	if [ -n "$IP6TABLES" ]; then
	    if [ ! -x "$IP6TABLES" ]; then
		echo "   ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2
		exit 2
	    fi
	else
	    IP6TABLES=$(mywhich ip6tables 2> /dev/null)
	    if [ -z "$IP6TABLES" ] ; then
		echo "   ERROR: Can't find ip6tables executable" >&2
		exit 2
	    fi
	fi

	g_tool=$IP6TABLES
    fi

    if [ -n "$SHOREWALL_SHELL" ]; then
	if [ ! -x "$SHOREWALL_SHELL" ]; then
	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
	    SHOREWALL_SHELL=/bin/sh
	fi
    fi

    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore

    validate_restorefile RESTOREFILE

    [ -n "${VERBOSITY:=2}" ]

    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))

    if [ $VERBOSITY -lt -1 ]; then
	VERBOSITY=-1
    elif [ $VERBOSITY -gt 2 ]; then
	VERBOSITY=2
    fi

    g_hostname=$(hostname 2> /dev/null)

    IP=$(mywhich ip 2> /dev/null)
    if [ -z "$IP" ] ; then
	echo "   ERROR: Can't find ip executable" >&2
	exit 2
    fi

    IPSET=ipset
    TC=tc

}

#
# Verify that we have a compiled firewall script
#
verify_firewall_script() {
    if [ ! -f $g_firewall ]; then
	echo "   ERROR: $g_product is not properly installed" >&2
	if [ -L $g_firewall ]; then
	    echo "          $g_firewall is a symbolic link to a" >&2
	    echo "          non-existant file" >&2
	else
	    echo "          The file $g_firewall does not exist" >&2
	fi

	exit 2
    fi
}

################################################################################
# The remaining functions are used by the Lite cli - they are overloaded by
# the Standard CLI by loading lib.cli-std
################################################################################
#
# Start Command Executor
#
start_command() {
    local finished
    finished=0

    do_it() {
	local rc
	rc=0
	[ -n "$g_nolock" ] || mutex_on

	if [ -x ${VARDIR}/firewall ]; then
	    run_it ${VARDIR}/firewall $g_debugging start
	    rc=$?
	else
	    error_message "${VARDIR}/firewall is missing or is not executable"
	    logger -p kern.err "ERROR:$g_product start failed"
	    rc=2
	fi

	[ -n "$g_nolock" ] || mutex_off
	exit $rc
    }

    verify_firewall_script

    if product_is_started; then
	if [ $g_family -eq 4 ]; then
	    error_message "Shorewall is already running"
	else
	    error_message "Shorewall6 is already running"
	fi

	exit 0
    fi

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			p*)
			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
			    g_purge=Yes
			    option=${option%p}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    case $# in
	0)
	    ;;
	*)
	    usage 1
	    ;;
    esac

    do_it
}

#
# Restart Command Executor
#
restart_command() {
    local finished
    finished=0
    local rc
    rc=0

    verify_firewall_script

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			n*)
			    g_noroutes=Yes
			    option=${option#n}
			    ;;
			p*)
			    [ -n "$(mywhich conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
			    g_purge=Yes
			    option=${option%p}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    case $# in
	0)
	    ;;
	*)
	    usage 1
	    ;;
    esac

    [ -n "$g_nolock" ] || mutex_on

    if [ -x ${VARDIR}/firewall ]; then
	run_it ${VARDIR}/firewall $g_debugging restart
	rc=$?
    else
	error_message "${VARDIR}/firewall is missing or is not executable"
	logger -p kern.err "ERROR:$g_product restart failed"
	rc=2
    fi

    [ -n "$g_nolock" ] || mutex_off
    return $rc
}

#
# Give Usage Information
#
usage() # $1 = exit status
{
    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
    echo "   clear"
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
    echo "   drop <address> ..."
    echo "   dump [ -x ]"
    echo "   enable <interface>"
    echo "   forget [ <file name> ]"
    echo "   help"

    if [ $g_family -eq 4 ]; then
	echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
	echo "   ipdecimal { <address> | <integer> }"
	echo "   iprange <address>-<address>"
    fi

    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
    echo "   reject <address> ..."
    echo "   reset [ <chain> ... ]"
    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   show [ -f ] capabilities"
    echo "   show classifiers"
    echo "   show config"
    echo "   show connections"
    echo "   show filters"
    echo "   show ip"
    echo "   show [ -m ] log [<regex>]"
    echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
    echo "   show policies"
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
    echo "   start [ -f ] [ -p ] [ <directory> ]"
    echo "   stop"
    echo "   status"
    echo "   version [ -a ]"
    echo
    exit $1
}

#
# This is the main entry point into the CLI. It directly handles all commands supported
# by both the full and lite versions. Note, however, that functions such as start_command()
# appear in both this library and it lib.cli-std. The ones in cli-std overload the ones
# here if that lib is loaded below.
#
shorewall_cli() {
    g_debugging=

    if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
	g_debugging=$1
	shift
    fi

    g_nolock=

    if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
	g_nolock=nolock
	shift
    fi

    g_noroutes=
    g_purge=
    g_ipt_options="-nv"
    g_fast=
    g_verbose_offset=0
    g_use_verbosity=
    g_debug=
    g_export=
    g_refreshchains=:none:
    g_confess=
    g_update=
    g_convert=
    g_annotate=
    g_recovering=
    g_timestamp=
    g_shorewalldir=

    VERBOSE=
    VERBOSITY=

    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std

    finished=0

    while [ $finished -eq 0 ]; do
	[ $# -eq 0 ] && usage 1
	option=$1
	case $option in
	    -)
		finished=1
		;;
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			c)
			    [ $# -eq 1 -o -n "$g_lite" ] && usage 1

			    if [ ! -d $2 ]; then
				if [ -e $2 ]; then
				    echo "$2 is not a directory" >&2 && exit 2
				else
				    echo "Directory $2 does not exist" >&2 && exit 2
				fi
			    fi

			    g_shorewalldir=$(resolve_file $2)
			    option=
			    shift
			    ;;
			e*)
			    [ -n "$g_lite" ] && usage 1
			    g_export=Yes
			    option=${option#e}
			    ;;
			x*)
			    g_ipt_options="-xnv"
			    option=${option#x}
			    ;;
			q*)
			    g_verbose_offset=$(($g_verbose_offset - 1 ))
			    option=${option#q}
			    ;;
			f*)
			    g_fast=Yes
			    option=${option#f}
			    ;;
			v*)
			    option=${option#v}
			    case $option in
				-1*)
				    g_use_verbosity=-1
				    option=${option#-1}
				    ;;
				0*)
				    g_use_verbosity=0
				    option=${option#0}
				    ;;
				1*)
				    g_use_verbosity=1
				    option=${option#1}
				    ;;
				2*)
				    g_use_verbosity=2
				    option=${option#2}
				    ;;
				*)
				    g_verbose_offset=$(($g_verbose_offset + 1 ))
				    g_use_verbosity=
				    ;;
			    esac
			    ;;
			n*)
			    g_noroutes=Yes
			    option=${option#n}
			    ;;
			t*)
			    g_timestamp=Yes
			    option=${option#t}
			    ;;
			-)
			    finished=1
			    option=
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    if [ $# -eq 0 ]; then
	usage 1
    fi

    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    MUTEX_TIMEOUT=

    [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir

    [ -n "${VARDIR:=/var/lib/$g_program}" ]

    if [ ! -f ${VARDIR}/firewall ]; then
	[ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.rstore ${VARDIR}/firewall
    fi

    g_firewall=${VARDIR}/firewall

    version_file=${g_sharedir}/version
    if [ -f $version_file ]; then
	SHOREWALL_VERSION=$(cat $version_file)
    else
	echo "   ERROR: $g_product is not properly installed" >&2
	echo "	 The file $version_file does not exist"  >&2
	exit 1
    fi

    banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"

    case $(echo -e) in
	-e*)
	    g_ring_bell="echo \a"
	    g_echo_e="echo"
	    ;;
	*)
	    g_ring_bell="echo -e \a"
	    g_echo_e="echo -e"
	    ;;
    esac

    case $(echo -n "Testing") in
	-n*)
	    g_echo_n=
	    ;;
	*)
	    g_echo_n=-n
	    ;;
    esac

    COMMAND=$1

    case "$COMMAND" in
	start)
	    get_config Yes Yes
	    shift
	    start_command $@
	    ;;
	stop|clear)
	    [ $# -ne 1 ] && usage 1
	    get_config
	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
	    [ -n "$g_nolock" ] || mutex_on
	    run_it $g_firewall $g_debugging $COMMAND
	    [ -n "$g_nolock" ] || mutex_off
	    ;;
	reset)
	    get_config
	    shift
	    [ -n "$g_nolock" ] || mutex_on
	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
	    run_it $g_firewall $g_debugging reset $@
	    [ -n "$g_nolock" ] || mutex_off
	    ;;
	restart)
	    get_config Yes Yes
	    shift
	    restart_command $@
	    ;;
	disable|enable)
	    get_config Yes
	    if product_is_started; then
		run_it ${VARDIR}/firewall $g_debugging $@
	    else
		fatal_error "Shorewall is not running"
	    fi
	    ;;
	show|list)
	    get_config Yes No Yes
    	    shift
    	    show_command $@
	    ;;
	status)
	    [ $# -eq 1 ] || usage 1
	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
	    get_config
	    status_command
	    ;;
	dump)
	    get_config Yes No Yes
    	    shift
    	    dump_command $@
	    ;;
	hits)
	    [ $g_family -eq 6 ] && usage 1
	    get_config Yes No Yes
	    [ -n "$g_debugging" ] && set -x
	    shift
	    hits_command $@
	    ;;
	version)
	    shift
	    version_command $@
	    ;;
	logwatch)
	    get_config Yes Yes Yes
	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
	    logwatch_command $@
	    ;;
	drop)
	    get_config
	    [ -n "$g_debugging" ] && set -x
	    [ $# -eq 1 ] && usage 1
	    drop_command $@
	    ;;
	logdrop)
	    get_config
	    [ -n "$g_debugging" ] && set -x
	    [ $# -eq 1 ] && usage 1
	    logdrop_command $@
	    ;;
	reject|logreject)
	    get_config
	    [ -n "$g_debugging" ] && set -x
	    [ $# -eq 1 ] && usage 1
	    reject_command $@
	    ;;
	allow)
	    get_config
	    allow_command $@
	    ;;
	add)
	    get_config
	    shift
	    add_command $@
	    ;;
	delete)
	    get_config
	    shift
	    delete_command $@
	    ;;
	save)
	    get_config
	    [ -n "$g_debugging" ] && set -x
	    save_command $@
	    ;;
	forget)
	    get_config
	    forget_command $@
	    ;;
	ipcalc)
    	    [ -n "$g_debugging" ] && set -x
	    ipcalc_command $@
	    ;;
	iprange)
	    [ -n "$g_debugging" ] && set -x
	    iprange_command $@
	    ;;
	ipdecimal)
	    [ -n "$g_debugging" ] && set -x
	    ipdecimal_command $@
	    ;;
	restore)
	    get_config
	    shift
	    restore_command $@
            ;;
	call)
	    get_config
	    [ -n "$g_debugging" ] && set -x
	    #
	    # Undocumented way to call functions in the libraries directly
	    #
	    shift
	    $@
	    ;;
	help)
	    shift
	    usage
	    ;;
	iptrace)
	    get_config
	    shift
	    iptrace_command $@
	    ;;
	noiptrace)
	    get_config
	    shift
	    noiptrace_command $@
	    ;;
	*)
	    if [ -z "$g_lite" ]; then
		compiler_command $@
	    else
		usage 1
	    fi
	    ;;
    esac
}