"Fix" bashisms (at least they are bashims according to the Debian people)

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8289 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2008-03-14 02:07:28 +00:00 · 2008-03-14 02:07:28 +00:00 · bbe6dfb5fd
commit bbe6dfb5fd
parent b0a5c577f4
32 changed files with 1816 additions and 368 deletions
--- a/Shorewall-common/fallback.sh
+++ b/Shorewall-common/fallback.sh
@ -53,7 +53,8 @@ restore_directory() # $1 = directory to restore
 restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
 {
    if [ -n "$2" ]; then
-	local file=$(basename $1)
+	local file
 	file=$(basename $1)
 	if [ -f $2/$file ]; then
 	    if mv -f $2/$file $1 ; then
--- a/Shorewall-common/install.sh
+++ b/Shorewall-common/install.sh
@ -35,7 +35,8 @@ usage() # $1 = exit status
 }
 split() {
-    local ifs=$IFS
+    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
--- a/Shorewall-common/lib.base
+++ b/Shorewall-common/lib.base
@ -56,7 +56,8 @@ error_message() # $* = Error Message
 #
 progress_message() # $* = Message
 {
-    local timestamp=
+    local timestamp
    timestamp=
    if [ $VERBOSE -gt 1 ]; then
 	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
@ -66,7 +67,8 @@ progress_message() # $* = Message
 progress_message2() # $* = Message
 {
-    local timestamp=
+    local timestamp
    timestamp=
    if [ $VERBOSE -gt 0 ]; then
 	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
@ -76,7 +78,8 @@ progress_message2() # $* = Message
 progress_message3() # $* = Message
 {
-    local timestamp=
+    local timestamp
    timestamp=
    if [ $VERBOSE -ge 0 ]; then
 	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
@ -88,7 +91,8 @@ progress_message3() # $* = Message
 # Split a colon-separated list into a space-separated list
 #
 split() {
-    local ifs=$IFS
+    local ifs
    ifs=$IFS
    IFS=:
    echo $*
    IFS=$ifs
@ -100,7 +104,8 @@ split() {
 #
 list_search() # $1 = element to search for , $2-$n = list
 {
-    local e=$1
+    local e
    e=$1
    while [ $# -gt 1 ]; do
 	shift
@ -115,7 +120,9 @@ list_search() # $1 = element to search for , $2-$n = list
 #
 combine_list()
 {
-    local f o=
+    local f
    local o
    o=
    for f in $* ; do
        o="${o:+$o,}$f"
@ -152,7 +159,8 @@ my_pathname() {
 #
 run_user_exit() # $1 = file name
 {
-    local user_exit=$(find_file $1)
+    local user_exit
    user_exit=$(find_file $1)
    if [ -f $user_exit ]; then
 	progress_message "Processing $user_exit ..."
@ -208,7 +216,8 @@ deleteallchains() {
 #
 loadmodule() # $1 = module name, $2 - * arguments
 {
-    local modulename=$1
+    local modulename
    modulename=$1
    local modulefile
    local suffix
@ -240,10 +249,13 @@ loadmodule() # $1 = module name, $2 - * arguments
 #
 reload_kernel_modules() {
-    local save_modules_dir=$MODULESDIR
+    local save_modules_dir
    save_modules_dir=$MODULESDIR
    local directory
-    local moduledirectories=
+    local moduledirectories
-    local moduleloader=modprobe
+    moduledirectories=
    local moduleloader
    moduleloader=modprobe
    if ! qt mywhich modprobe; then
 	moduleloader=insmod
@ -270,11 +282,15 @@ reload_kernel_modules() {
 #
 load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 {
-    local save_modules_dir=$MODULESDIR
+    local save_modules_dir
    save_modules_dir=$MODULESDIR
    local directory
-    local moduledirectories=
+    local moduledirectories
-    local moduleloader=modprobe
+    moduledirectories=
-    local savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+    local moduleloader
    moduleloader=modprobe
    local savemoduleinfo
    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
    if ! qt mywhich modprobe; then
 	moduleloader=insmod
@ -320,8 +336,10 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 #
 mutex_on()
 {
-    local try=0
+    local try
-    local lockf=${LOCKFILE:=${VARDIR}/lock}
+    try=0
    local lockf
    lockf=${LOCKFILE:=${VARDIR}/lock}
    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
@ -360,7 +378,8 @@ mutex_off()
 #
 lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library cannot be found
 {
-    local lib=${SHAREDIR}/lib.$1
+    local lib
    lib=${SHAREDIR}/lib.$1
    local loaded
    eval loaded=\$LIB_${1}_LOADED
@ -398,8 +417,10 @@ LEFTSHIFT='<<'
 # Validate an IP address
 #
 valid_address() {
-    local x y
+    local x
-    local ifs=$IFS
+    local y
    local ifs
    ifs=$IFS
    IFS=.
@ -425,8 +446,10 @@ valid_address() {
 #
 decodeaddr() {
    local x
-    local temp=0
+    local temp
-    local ifs=$IFS
+    temp=0
    local ifs
    ifs=$IFS
    IFS=.
@ -445,7 +468,8 @@ decodeaddr() {
 encodeaddr() {
    addr=$1
    local x
-    local y=$(($addr & 255))
+    local y
    y=$(($addr & 255))
    for x in 1 2 3 ; do
 	addr=$(($addr >> 8))
@ -478,7 +502,13 @@ EOF
 # ip_range_explicit() - explicitly enumerates the range.
 #
 ip_range() {
-    local first last l x y z vlsm
+    local first
    local last
    local l
    local x
    local y
    local z
    local vlsm
    case $1 in
 	!*)
@ -524,7 +554,8 @@ ip_range() {
 }
 ip_range_explicit() {
-    local first last
+    local first
    local last
    case $1 in
    [0-9]*.*.*.*-*.*.*.*)
@ -552,7 +583,8 @@ ip_range_explicit() {
 # Netmask from CIDR
 #
 ip_netmask() {
-    local vlsm=${1#*/}
+    local vlsm
    vlsm=${1#*/}
    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
 }
@ -561,8 +593,10 @@ ip_netmask() {
 # Network address from CIDR
 #
 ip_network() {
-    local decodedaddr=$(decodeaddr ${1%/*})
+    local decodedaddr
-    local netmask=$(ip_netmask $1)
+    decodedaddr=$(decodeaddr ${1%/*})
    local netmask
    netmask=$(ip_netmask $1)
    echo $(encodeaddr $(($decodedaddr & $netmask)))
 }
@ -572,7 +606,8 @@ ip_network() {
 # the popular light-weight Bourne shell derivatives don't support XOR ("^").
 #
 ip_broadcast() {
-    local x=$(( 32 - ${1#*/} ))
+    local x
    x=$(( 32 - ${1#*/} ))
    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
 }
@ -581,9 +616,12 @@ ip_broadcast() {
 # Calculate broadcast address from CIDR
 #
 broadcastaddress() {
-    local decodedaddr=$(decodeaddr ${1%/*})
+    local decodedaddr
-    local netmask=$(ip_netmask $1)
+    decodedaddr=$(decodeaddr ${1%/*})
-    local broadcast=$(ip_broadcast $1)
+    local netmask
    netmask=$(ip_netmask $1)
    local broadcast
    broadcast=$(ip_broadcast $1)
    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
 }
@ -593,7 +631,8 @@ broadcastaddress() {
 #
 in_network() # $1 = IP address, $2 = CIDR network
 {
-    local netmask=$(ip_netmask $2)
+    local netmask
    netmask=$(ip_netmask $2)
    #
    # We compare the values as strings rather than integers to work around broken BusyBox ash on OpenWRT
    #
@ -604,9 +643,12 @@ in_network() # $1 = IP address, $2 = CIDR network
 # Netmask to VLSM
 #
 ip_vlsm() {
-    local mask=$(decodeaddr $1)
+    local mask
-    local vlsm=0
+    mask=$(decodeaddr $1)
-    local x=$(( 128 << 24 )) # 0x80000000
+    local vlsm
    vlsm=0
    local x
    x=$(( 128 << 24 )) # 0x80000000
    while [ $(( $x & $mask )) -ne 0 ]; do
 	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
@ -627,7 +669,8 @@ ip_vlsm() {
 #
 chain_base() #$1 = interface
 {
-    local c=${1%%+}
+    local c
    c=${1%%+}
    while true; do
 	case $c in
@ -752,8 +795,10 @@ find_default_interface() {
 #
 find_interface_by_address() {
-    local dev="$(find_rt_interface $1)"
+    local dev
-    local first rest
+    dev="$(find_rt_interface $1)"
    local first
    local rest
    [ -z "$dev" ] && dev=$(find_default_interface)
@ -765,7 +810,8 @@ find_interface_by_address() {
 #
 find_interface_by_mac() {
-    local mac=$1 first second rest dev
+    local mac
    mac=$1 first second rest dev
    ip link list | while read first second rest; do
 	case $first in
@ -893,7 +939,8 @@ mywhich() {
 # Set default config path
 #
 ensure_config_path() {
-    local F=${SHAREDIR}/configpath
+    local F
    F=${SHAREDIR}/configpath
    if [ -z "$CONFIG_PATH" ]; then
 	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
 	. $F
@ -909,7 +956,8 @@ ensure_config_path() {
 #
 find_file()
 {
-    local saveifs= directory
+    local saveifs
    saveifs= directory
    case $1 in
 	/*)
@ -933,7 +981,8 @@ find_file()
 #
 resolve_file() # $1 = file name
 {
-    local pwd=$PWD
+    local pwd
    pwd=$PWD
    case $1 in
 	/*)
@ -1127,7 +1176,8 @@ determine_capabilities() {
 report_capabilities() {
    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
    {
-	local setting=
+	local setting
 	setting=
 	[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
@ -1231,7 +1281,15 @@ del_ip_addr() # $1 = address, $2 = interface
 #
 add_ip_aliases() # $* = List of addresses
 {
-    local addresses external interface inet cidr rest val arping=$(mywhich arping)
+    local addresses
    local external
    local interface
    local inet
    local cidr
    local rest
    local val1
    local arping
    arping=$(mywhich arping)
    address_details()
    {
@ -1288,7 +1346,8 @@ add_ip_aliases() # $* = List of addresses
 detect_gateway() # $1 = interface
 {
-    local interface=$1
+    local interface
    interface=$1
    #
    # First assume that this is some sort of point-to-point interface
    #
@ -1311,7 +1370,8 @@ detect_gateway() # $1 = interface
 # Disable IPV6
 #
 disable_ipv6() {
-    local foo="$(ip -f inet6 addr list 2> /dev/null)"
+    local foo
    foo="$(ip -f inet6 addr list 2> /dev/null)"
    if [ -n "$foo" ]; then
 	if qt mywhich ip6tables; then
@ -1343,16 +1403,25 @@ truncate() # $1 = length
 #
 do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
 {
-    local level=$1
+    local level
-    local chain=$2
+    level=$1
-    local displayChain=$3
+    local chain
-    local disposition=$4
+    chain=$2
-    local rulenum=
+    local displayChain
-    local limit=
+    displayChain=$3
-    local tag=
+    local disposition
-    local command=
+    disposition=$4
    local rulenum
    rulenum=
    local limit
    limit=
    local tag
    tag=
    local command
    command=
    local prefix
-    local base=$(chain_base $displayChain)
+    local base
    base=$(chain_base $displayChain)
    local pf
    limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
@ -1405,9 +1474,12 @@ do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispos
 do_log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
 {
-    local level=$1
+    local level
-    local chain=$2
+    level=$1
-    local disposition=$3
+    local chain
    chain=$2
    local disposition
    disposition=$3
    shift 3
@ -1441,7 +1513,8 @@ delete_tc1()
 #
 get_device_mtu() # $1 = device
 {
-    local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+    local output
    output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
    if [ -n "$output" ]; then
 	echo $(find_mtu $output)
@ -1456,7 +1529,8 @@ get_device_mtu() # $1 = device
 #
 get_device_mtu1() # $1 = device
 {
-    local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+    local output
    output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
    local mtu
    if [ -n "$output" ]; then
@ -1495,7 +1569,9 @@ undo_routing() {
 restore_default_route() {
    if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
-	local default_route= route
+	local default_route
 	default_route=
 	local route
 	while read route ; do
 	    case $route in
@ -1556,7 +1632,8 @@ find_echo() {
 #     STD  - mktemp.org mktemp
 #
 find_mktemp() {
-    local mktemp=`mywhich mktemp 2> /dev/null`
+    local mktemp
    mktemp=`mywhich mktemp 2> /dev/null`
    if [ -n "$mktemp" ]; then
 	if qt mktemp -V ; then
--- a/Shorewall-common/lib.cli
+++ b/Shorewall-common/lib.cli
@ -124,7 +124,13 @@ timed_read ()
 # Determine if 'syslog -C' is running
 #
 syslog_circular_buffer() {
-    local pid tty flags cputime path args arg
+    local pid
    local tty
    local flags
    local cputime
    local path
    local args
    local arg
    ps ax 2> /dev/null | while read pid tty flags cputime path args; do
 	case $path in
@ -160,7 +166,8 @@ packet_log() # $1 = number of messages
 show_tc() {
    show_one_tc() {
-	local device=${1%@*}
+	local device
 	device=${1%@*}
 	qdisc=$(tc qdisc list dev $device)
 	if [ -n "$qdisc" ]; then
@ -183,7 +190,8 @@ show_tc() {
 show_classifiers() {
    show_one_classifier() {
-	local device=${1%@*}
+	local device
 	device=${1%@*}
 	qdisc=$(tc qdisc list dev $device)
 	if [ -n "$qdisc" ]; then
@ -258,7 +266,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 #
 save_config() {
-    local result=1
+    local result
    result=1
    iptables_save=${IPTABLES}-save
@ -367,7 +376,12 @@ show_routing() {
 # Show Command Executor
 #
 show_command() {
-    local finished=0 local table=filter table_given=
+    local finished
    finished=0
    local table
    table=filter
    local table_given
    table_given=
    show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
@ -619,7 +633,8 @@ show_command() {
 # Dump Command Executor
 #
 dump_command() {
-    local finished=0
+    local finished
    finished=0
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@ -743,7 +758,8 @@ dump_command() {
 # Restore Comand Executor
 #
 restore_command() {
-    local finished=0
+    local finished
    finished=0
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@ -868,7 +884,10 @@ heading() {
 # Create the appropriate -q option to pass onward
 #
 make_verbose() {
-    local v=$VERBOSE_OFFSET option=-
+    local v
    v=$VERBOSE_OFFSET
    local option
    option=-
    if [ -n "$USE_VERBOSITY" ]; then
 	echo "-v$USE_VERBOSITY"
@ -894,7 +913,10 @@ make_verbose() {
 #
 block() # $1 = command, $2 = Finished, $3 - $n addresses
 {
-    local chain=$1 finished=$2
+    local chain
    chain=$1
    local finished
    finished=$2
    shift 3
@ -925,7 +947,10 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
 # 'hits' commmand executor
 #
 hits_command() {
-    local finished=0 today=
+    local finished
    finished=0
    local today
    today=
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
--- a/Shorewall-common/lib.config
+++ b/Shorewall-common/lib.config
@ -31,7 +31,8 @@ SHOREWALL_CONFIGVERSION=40000
 # Replace commas with spaces and echo the result
 #
 separate_list() {
-    local list="$@"
+    local list
    list="$@"
    local part
    local newlist
    local firstpart
@ -121,7 +122,10 @@ is_policy_chain() # $1 = name of chain
 #
 list_walk() # $1 = element to search for, $2-$n = list
 {
-    local e=$1 result=
+    local e
    e=$1
    local result
    result=
    while [ $# -gt 1 ]; do
 	shift
@ -165,7 +169,8 @@ expand_line() {
 #
 fix_bang()
 {
-    local result=
+    local result
    result=
    while [ $# -gt 0 ]; do
 	case $1 in
@ -186,7 +191,13 @@ fix_bang()
 # Read the zones file and find the firewall zone
 #
 get_firewall_zone() {
-    local zone type rest comment='#*' f=$(find_file zones)
+    local zone
    local type
    local rest
    local comment
    comment='#*'
    local f
    f=$(find_file zones)
    [ -f $f ] || startup_error "Unable to find zones file"
@ -212,11 +223,21 @@ get_firewall_zone() {
 #
 determine_zones()
 {
-    local zone parent parents rest new_zone_file= r
+    local zone
    local parent
    local parents
    local rest
    local new_zone_file
    new_zone_file=
    local r
    merge_zone()
    {
-	local z zones="$ZONES" merged=
+	local z
 	local zones
 	zones="$ZONES"
 	local merged
 	merged=
 	if [ -n "$parents" ]; then
 	    ZONES=
@ -323,8 +344,15 @@ determine_zones()
 #
 validate_interfaces_file() {
    local wildcard
-    local found_obsolete_option=
+    local found_obsolete_option
-    local z interface networks options r iface option
+    found_obsolete_option=
    local z
    local interface
    local networks
    local options
    local r
    local iface
    local option
    while read z interface networks options; do
 	r="$z $interface $networks $options"
@ -346,7 +374,8 @@ validate_interfaces_file() {
 		    #
 		    # Assume that this is 4.0 syntax for a bridge
 		    #
-		    local bridge=${interface%:*}
+		    local bridge
 		    bridge=${interface%:*}
 		    list_search $bridge $ALL_INTERFACES || startup_error "Unknown Interface: $bridge"  
 		    interface=${interface#*:}
 		else 
@ -423,17 +452,21 @@ validate_interfaces_file() {
 # Process the ipsec information in the zones file
 #
 setup_ipsec() {
-    local zone using_ipsec=
+    local zone
    local using_ipsec
    using_ipsec=
    #
    # Add a --set-mss rule to the passed chain
    #
    set_mss1() # $1 = chain, $2 = MSS
    {
-	eval local policy=\$${1}_policy
+	local policy
 	eval policy=\$${1}_policy
 	if [ "$policy" != NONE ]; then
 	    ensurechain $1
-	    local match=
+	    local match
 	    match=
 	    [ "$TCPMSS_MATCH" ] && match="-m tcpmss --mss $2: "
 	    run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $2
 	fi
@ -461,7 +494,10 @@ setup_ipsec() {
    do_options() # $1 = _in, _out or "" - $2 = option list
    {
-	local option newoptions= val
+	local option
 	local newoptions
 	newoptions=
 	local val
 	[ x${2} = x- ] && return
@ -547,7 +583,16 @@ setup_ipsec() {
 # Validate the zone names and options in the hosts file
 #
 validate_hosts_file() {
-   local z hosts options r interface host option zports ipsec=
+   local z
   local hosts
   local options
   local r
   local interface
   local host
   local option
   local zports
   local ipsec
   ipsec=
   check_bridge_port()
   {
@ -667,7 +712,8 @@ validate_hosts_file() {
 #
 find_interfaces() # $1 = interface zone
 {
-    local zne=$1
+    local zne
    zne=$1
    local z
    local interface
@ -742,7 +788,8 @@ dynamic_out() # $1 = interface
 dynamic_chains() #$1 = interface
 {
-   local c=$(chain_base $1)
+   local c
   c=$(chain_base $1)
   echo ${c}_dyni ${c}_dynf ${c}_dyno
 }
@ -776,7 +823,8 @@ ecn_chain() # $1 = interface
 #
 first_chains() #$1 = interface
 {
-   local c=$(chain_base $1)
+   local c
   c=$(chain_base $1)
   echo ${c}_fwd ${c}_in
 }
@ -809,7 +857,11 @@ iprange_echo()
 #
 get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
 {
-    local temp setname=$1 options=$2
+    local temp
    local setname
    setname=$1
    local options
    options=$2
    [ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1"
@ -908,7 +960,14 @@ dest_ip_range() # $1 = Address or Address Range
 both_ip_ranges() # $1 = Source address or range, $2 = dest address or range
 {
-    local rangeprefix= setprefix= rangematch= setmatch=
+    local rangeprefix
    rangeprefix=
    local setprefix
    setprefix=
    local rangematch
    rangematch=
    local setmatch
    setmatch=
    case $1 in
 	*.*.*.*-*.*.*.*)
@ -956,7 +1015,8 @@ both_ip_ranges() # $1 = Source address or range, $2 = dest address or range
 if_match() # $1 = Name in interfaces file - may end in "+"
           # $2 = Full interface name - may also end in "+"
 {
-    local pattern=${1%+}
+    local pattern
    pattern=${1%+}
    case $1 in
 	*+)
@ -1106,8 +1166,10 @@ verify_interface()
 #
 is_ipsec_host() # $1 = zone, $2 = host
 {
-    eval local is_ipsec=\$${1}_is_ipsec
+    local is_ipsec
-    eval local hosts=\"\$${1}_ipsec_hosts\"
+    eval is_ipsec=\$${1}_is_ipsec
    local hosts
    eval hosts=\"\$${1}_ipsec_hosts\"
    test -n "$is_ipsec" || list_search $2 $hosts
 }
@ -1118,7 +1180,8 @@ is_ipsec_host() # $1 = zone, $2 = host
 match_ipsec_in() # $1 = zone, $2 = host
 {
    if is_ipsec_host $1 $2 ; then
-	eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
+	local options
 	eval options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
 	echo "-m policy --pol ipsec --dir in $options"
    elif [ -n "$POLICY_MATCH" ]; then
 	echo "-m policy --pol none --dir in"
@ -1131,7 +1194,8 @@ match_ipsec_in() # $1 = zone, $2 = host
 match_ipsec_out() # $1 = zone, $2 = host
 {
    if is_ipsec_host $1 $2 ; then
-	eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
+	local options
 	eval options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
 	echo "-m policy --pol ipsec --dir out $options"
    elif [ -n "$POLICY_MATCH" ]; then
 	echo "-m policy --pol none --dir out"
@ -1156,7 +1220,10 @@ firewall_ip_range() # $1 = IP address or range
 #
 find_hosts() # $1 = host zone
 {
-    local hosts interface address addresses
+    local hosts
    local interface
    local address
    local addresses
    while read z hosts options; do
 	if [ "x$(expand $z)" = "x$1" ]; then
@ -1185,7 +1252,10 @@ find_hosts() # $1 = host zone
 #
 find_exclusions() # $1 = host zone
 {
-    local hosts interface address addresses
+    local hosts
    local interface
    local address
    local addresses
    while read z hosts options; do
 	if [ "x$z" = "x$1" ]; then
@ -1335,7 +1405,8 @@ find_interfaces_by_option() # $1 = option
 #
 find_interfaces_by_option1() # $1 = option
 {
-    local options option
+    local options
    local option
    for interface in $ALL_INTERFACES; do
 	eval options=\$$(chain_base $interface)_options
@ -1353,7 +1424,15 @@ find_interfaces_by_option1() # $1 = option
 #
 find_hosts_by_option() # $1 = option
 {
-    local ignore hosts interface address addresses options ipsec= list
+    local ignore
    local hosts
    local interface
    local address
    local addresses
    local options
    local ipsec
    ipsec=
    local list
    while read ignore hosts options; do
 	list=$(separate_list $options)
@ -1378,7 +1457,18 @@ find_hosts_by_option() # $1 = option
 #
 process_routestopped() # $1 = command
 {
-    local hosts= interface host host1 options networks source= dest= matched
+    local hosts
    hosts=
    local interface
    local host
    local host1
    local options
    local networks
    local source
    source=
    local dest
    dest=
    local matched
    while read interface host options; do
 	[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
@ -1454,7 +1544,15 @@ process_routestopped() # $1 = command
 process_criticalhosts()
 {
-    local hosts= interface host h options networks criticalhosts=
+    local hosts
    hosts=
    local interface
    local host
    local h
    local options
    local networks
    local criticalhosts
    criticalhosts=
    while read interface host options; do
 	[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host)
@ -1514,7 +1612,8 @@ mktempdir() {
 read_file() # $1 = file name, $2 = nest count
 {
-    local first rest
+    local first
    local rest
    if [ -f $1 ]; then
 	while read first rest; do
@ -1562,7 +1661,8 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
 #
 strip_file_and_lib_load() # $1 = logical file name, $2 = library to load if the stripped file is non-empty
 {
-    local f=$(find_file $1)
+    local f
    f=$(find_file $1)
    strip_file $1 $f
@ -1609,7 +1709,8 @@ verify_mark() # $1 = value to test
 #
 added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
 {
-    local val="$2"
+    local val
    val="$2"
    if [ -z "$val" ]; then
 	echo "Yes"
@ -1632,7 +1733,8 @@ added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
 #
 added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
 {
-    local val="$2"
+    local val
    val="$2"
    if [ -z "$val" ]; then
 	echo ""
--- a/Shorewall-common/shorewall
+++ b/Shorewall-common/shorewall
@ -289,15 +289,18 @@ get_config() {
 # Run the appropriate compiler
 #
 compiler() {
-    local sc=${SHELLSHAREDIR}/compiler
+    local sc
-    local pc=${PERLSHAREDIR}/compiler.pl
+    sc=${SHELLSHAREDIR}/compiler
    local pc
    pc=${PERLSHAREDIR}/compiler.pl
    startup_error() {
 	echo "   ERROR: $@" >&2
 	exit 1
    }
-    local command=$1
+    local command
    command=$1
    shift
@ -413,10 +416,12 @@ compiler() {
 # Start Command Executor
 #
 start_command() {
-    local finished=0
+    local finished
    finished=0
    do_it() {
-	local rc=0
+	local rc
 	rc=0
 	progress_message3 "Compiling..."
@ -546,7 +551,8 @@ start_command() {
 # Compile Command Executor
 #
 compile_command() {
-    local finished=0
+    local finished
    finished=0
    while [ $finished -eq 0 ]; do
 	[ $# -eq 0 ] && usage 1
@ -636,7 +642,8 @@ compile_command() {
 # Check Command Executor
 #
 check_command() {
-    local finished=0
+    local finished
    finished=0
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@ -714,7 +721,10 @@ check_command() {
 # Restart Command Executor
 #
 restart_command() {
-    local finished=0 rc=0
+    local finished
    finished=0
    local rc
    rc=0
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@ -801,7 +811,8 @@ restart_command() {
 # Refresh Command Executor
 #
 refresh_command() {
-    local finished=0
+    local finished
    finished=0
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@ -868,7 +879,8 @@ refresh_command() {
 # Safe-start/safe-restart Command Executor
 #
 safe_commands() {
-    local finished=0
+    local finished
    finished=0
    # test is the shell supports timed read
    read -t 0 junk 2> /dev/null
@ -1006,7 +1018,10 @@ safe_commands() {
 # 'try' Command Executor
 #
 try_command() {
-    local finished=0 timeout=
+    local finished
    finished=0
    local timeout
    timeout=
    handle_directory() {
 	[ -n "$SHOREWALL_DIR" ] && usage 2
@ -1151,7 +1166,25 @@ rcp_command() {
 #
 reload_command() # $* = original arguments less the command.
 {
-    local verbose=$(make_verbose) file= capabilities= finished=0 saveit= result directory system getcaps= root=root compiler=
+    local verbose
    verbose=$(make_verbose)
    local file
    file=
    local capabilities
    capabilities=
    local finished
    finished=0
    local saveit
    saveit=
    local result
    local directory
    local system
    local getcaps
    getcaps=
    local root
    root=root
    local compiler
    compiler=
    LITEDIR=/var/lib/shorewall-lite
@ -1266,7 +1299,8 @@ reload_command() # $* = original arguments less the command.
 #
 export_command() # $* = original arguments less the command.
 {
-    local verbose=$(make_verbose) file= finished=0 directory target compiler=
+    local verbose
    verbose=$(make_verbose) file= finished=0 directory target compiler=
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@ -1499,7 +1533,10 @@ while [ $finished -eq 0 ]; do
 done
 version_command() {
-    local finished=0 all=
+    local finished
    finished=0
    local all
    all=
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
--- a/Shorewall-common/strip
+++ b/Shorewall-common/strip
@ -38,7 +38,8 @@ expand_line() {
 read_file() # $1 = file name, $2 = nest count
 {
-    local first rest
+    local first
    local rest
    if [  -f $1 ]; then
 	while read first rest; do
@ -61,7 +62,8 @@ read_file() # $1 = file name, $2 = nest count
 # Split a colon-separated list into a space-separated list
 #
 split() {
-    local ifs=$IFS
+    local ifs
    ifs=$IFS
    IFS=:
    echo $*
    IFS=$ifs
@ -72,7 +74,9 @@ split() {
 #
 find_file()
 {
-    local saveifs= directory
+    local saveifs
    saveifs=
    local directory
    case $1 in
 	/*)
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@ -53,7 +53,8 @@ restore_directory() # $1 = directory to restore
 restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
 {
    if [ -n "$2" ]; then
-	local file=$(basename $1)
+	local file
 	file=$(basename $1)
 	if [ -f $2/$file ]; then
 	    if mv -f $2/$file $1 ; then
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@ -35,7 +35,8 @@ usage() # $1 = exit status
 }
 split() {
-    local ifs=$IFS
+    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@ -178,10 +178,12 @@ verify_firewall_script() {
 # Start Command Executor
 #
 start_command() {
-    local finished=0
+    local finished
    finished=0
    do_it() {
-	local rc=0
+	local rc
 	rc=0
 	[ -n "$nolock" ] || mutex_on
 	if [ -x ${LITEDIR}/firewall ]; then
@ -286,7 +288,10 @@ start_command() {
 # Restart Command Executor
 #
 restart_command() {
-    local finished=0 rc=0
+    local finished
    finished=0
    local rc
    rc=0
    verify_firewall_script
--- a/Shorewall-perl/install.sh
+++ b/Shorewall-perl/install.sh
@ -35,7 +35,8 @@ usage() # $1 = exit status
 }
 split() {
-    local ifs=$IFS
+    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
--- a/Shorewall-perl/prog.header
+++ b/Shorewall-perl/prog.header
@ -35,7 +35,8 @@ error_message() # $* = Error Message
 #
 progress_message() # $* = Message
 {
-    local timestamp=
+    local timestamp
    timestamp=
    if [ $VERBOSE -gt 1 ]; then
 	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
@ -50,7 +51,8 @@ progress_message() # $* = Message
 progress_message2() # $* = Message
 {
-    local timestamp=
+    local timestamp
    timestamp=
    if [ $VERBOSE -gt 0 ]; then
 	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
@ -65,7 +67,8 @@ progress_message2() # $* = Message
 progress_message3() # $* = Message
 {
-    local timestamp=
+    local timestamp
    timestamp=
    if [ $VERBOSE -ge 0 ]; then
 	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
@ -82,7 +85,8 @@ progress_message3() # $* = Message
 # Split a colon-separated list into a space-separated list
 #
 split() {
-    local ifs=$IFS
+    local ifs
    ifs=$IFS
    IFS=:
    echo $*
    IFS=$ifs
@ -94,7 +98,8 @@ split() {
 #
 list_search() # $1 = element to search for , $2-$n = list
 {
-    local e=$1
+    local e
    e=$1
    while [ $# -gt 1 ]; do
 	shift
@ -143,7 +148,8 @@ my_pathname() {
 #
 run_user_exit() # $1 = file name
 {
-    local user_exit=$(find_file $1)
+    local user_exit
    user_exit=$(find_file $1)
    if [ -f $user_exit ]; then
 	progress_message "Processing $user_exit ..."
@ -199,7 +205,8 @@ deleteallchains() {
 #
 loadmodule() # $1 = module name, $2 - * arguments
 {
-    local modulename=$1
+    local modulename
    modulename=$1
    local modulefile
    local suffix
@ -231,10 +238,13 @@ loadmodule() # $1 = module name, $2 - * arguments
 #
 reload_kernel_modules() {
-    local save_modules_dir=$MODULESDIR
+    local save_modules_dir
    save_modules_dir=$MODULESDIR
    local directory
-    local moduledirectories=
+    local moduledirectories
-    local moduleloader=modprobe
+    moduledirectories=
    local moduleloader
    moduleloader=modprobe
    if ! qt mywhich modprobe; then
 	moduleloader=insmod
@ -261,11 +271,15 @@ reload_kernel_modules() {
 #
 load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 {
-    local save_modules_dir=$MODULESDIR
+    local save_modules_dir
    save_modules_dir=$MODULESDIR
    local directory
-    local moduledirectories=
+    local moduledirectories
-    local moduleloader=modprobe
+    moduledirectories=
-    local savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+    local moduleloader
    moduleloader=modprobe
    local savemoduleinfo
    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
    if ! qt mywhich modprobe; then
 	moduleloader=insmod
@ -313,8 +327,10 @@ LEFTSHIFT='<<'
 #
 decodeaddr() {
    local x
-    local temp=0
+    local temp
-    local ifs=$IFS
+    temp=0
    local ifs
    ifs=$IFS
    IFS=.
@ -333,7 +349,8 @@ decodeaddr() {
 encodeaddr() {
    addr=$1
    local x
-    local y=$(($addr & 255))
+    local y
    y=$(($addr & 255))
    for x in 1 2 3 ; do
 	addr=$(($addr >> 8))
@ -347,7 +364,8 @@ encodeaddr() {
 # Netmask from CIDR
 #
 ip_netmask() {
-    local vlsm=${1#*/}
+    local vlsm
    vlsm=${1#*/}
    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
 }
@ -356,8 +374,10 @@ ip_netmask() {
 # Network address from CIDR
 #
 ip_network() {
-    local decodedaddr=$(decodeaddr ${1%/*})
+    local decodedaddr
-    local netmask=$(ip_netmask $1)
+    decodedaddr=$(decodeaddr ${1%/*})
    local netmask
    netmask=$(ip_netmask $1)
    echo $(encodeaddr $(($decodedaddr & $netmask)))
 }
@ -367,7 +387,8 @@ ip_network() {
 # the popular light-weight Bourne shell derivatives don't support XOR ("^").
 #
 ip_broadcast() {
-    local x=$(( 32 - ${1#*/} ))
+    local x
    x=$(( 32 - ${1#*/} ))
    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
 }
@ -376,9 +397,12 @@ ip_broadcast() {
 # Calculate broadcast address from CIDR
 #
 broadcastaddress() {
-    local decodedaddr=$(decodeaddr ${1%/*})
+    local decodedaddr
-    local netmask=$(ip_netmask $1)
+    decodedaddr=$(decodeaddr ${1%/*})
-    local broadcast=$(ip_broadcast $1)
+    local netmask
    netmask=$(ip_netmask $1)
    local broadcast
    broadcast=$(ip_broadcast $1)
    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
 }
@ -388,7 +412,8 @@ broadcastaddress() {
 #
 in_network() # $1 = IP address, $2 = CIDR network
 {
-    local netmask=$(ip_netmask $2)
+    local netmask
    netmask=$(ip_netmask $2)
    #
    # Use string comparison to work around a broken BusyBox ash in OpenWRT
    #
@ -493,8 +518,10 @@ find_default_interface() {
 #
 find_interface_by_address() {
-    local dev="$(find_rt_interface $1)"
+    local dev
-    local first rest
+    dev="$(find_rt_interface $1)"
    local first
    local rest
    [ -z "$dev" ] && dev=$(find_default_interface)
@ -506,7 +533,12 @@ find_interface_by_address() {
 #
 find_interface_by_mac() {
-    local mac=$1 first second rest dev
+    local mac
    mac=$1
    local first
    local second
    local rest
    local dev
    ip link list | while read first second rest; do
 	case $first in
@ -611,7 +643,8 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
 get_interface_bcasts() # $1 = interface
 {
-    local addresses=
+    local addresses
    addresses=
    ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
@ -637,7 +670,9 @@ mywhich() {
 #
 find_file()
 {
-    local saveifs= directory
+    local saveifs
    saveifs=
    directory
    case $1 in
 	/*)
@ -691,7 +726,16 @@ del_ip_addr() # $1 = address, $2 = interface
 #
 add_ip_aliases() # $* = List of addresses
 {
-    local addresses external interface inet cidr rest val arping=$(mywhich arping)
+    local local
    local addresses
    local external
    local interface
    local inet
    local cidr
    local rest
    local val
    local arping
    arping=$(mywhich arping)
    address_details()
    {
@ -748,7 +792,8 @@ add_ip_aliases() # $* = List of addresses
 detect_gateway() # $1 = interface
 {
-    local interface=$1
+    local interface
    interface=$1
    #
    # First assume that this is some sort of point-to-point interface
    #
@ -771,7 +816,8 @@ detect_gateway() # $1 = interface
 # Disable IPV6
 #
 disable_ipv6() {
-    local foo="$(ip -f inet6 addr list 2> /dev/null)"
+    local foo
    foo="$(ip -f inet6 addr list 2> /dev/null)"
    if [ -n "$foo" ]; then
 	if qt mywhich ip6tables; then
@ -825,7 +871,8 @@ delete_tc1()
 #
 get_device_mtu() # $1 = device
 {
-    local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+    local output
    output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
    if [ -n "$output" ]; then
 	echo $(find_mtu $output)
@ -840,7 +887,8 @@ get_device_mtu() # $1 = device
 #
 get_device_mtu1() # $1 = device
 {
-    local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+    local output
    output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
    local mtu
    if [ -n "$output" ]; then
@ -879,7 +927,9 @@ undo_routing() {
 restore_default_route() {
    if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
-	local default_route= route
+	local default_route
 	default_route=
 	local route
 	while read route ; do
 	    case $route in
@ -940,7 +990,8 @@ find_mac() # $1 = IP address, $2 = interface
 {
    qt ping -nc 1 -t 2 -I $2 $1
-    local result=$(arp -na |  awk "/[(]$1[)].* $2$/ {print \$4}")
+    local result
    result=$(arp -na |  awk "/[(]$1[)].* $2$/ {print \$4}")
    case $result in
 	\<*\>)
--- a/Shorewall-shell/compiler
+++ b/Shorewall-shell/compiler
@ -133,7 +133,8 @@ indent1() {
 #
 append_file() # $1 = File Name
 {
-    local user_exit=$(find_file $1)
+    local user_exit
    user_exit=$(find_file $1)
    case $user_exit in
 	$SHAREDIR/*)
@ -215,7 +216,8 @@ run_tc() {
 #
 finish_chain_section() # $1 = canonical chain $2 = state list
 {
-    local policy policychain
+    local policy
    local policychain
    [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
@ -246,7 +248,9 @@ finish_chain_section() # $1 = canonical chain $2 = state list
 finish_section() # $1 = Section(s)
 {
-    local zone zone1 chain
+    local zone
    local zone1
    local chain
    for zone in $ZONES $FW; do
 	for zone1 in $ZONES $FW; do
@ -268,7 +272,8 @@ finish_section() # $1 = Section(s)
 #
 createchain() # $1 = chain name, $2 = If "yes", do section-end processing
 {
-    local c=$(chain_base $1)
+    local c
    c=$(chain_base $1)
    run_iptables -N $1
@ -291,7 +296,8 @@ createchain() # $1 = chain name, $2 = If "yes", do section-end processing
 #
 createchain2() # $1 = chain name, $2 = If "yes", create default rules
 {
-    local c=$(chain_base $1)
+    local c
    c=$(chain_base $1)
    ensurechain $1
@ -318,7 +324,8 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
 #
 havechain() # $1 = name of chain
 {
-    local c=$(chain_base $1)
+    local c
    c=$(chain_base $1)
    eval test \"\$exists_${c}\" = Yes
 }
@ -724,16 +731,25 @@ disable_critical_hosts()
 #
 log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
 {
-    local level=$1
+    local level
-    local chain=$2
+    level=$1
-    local displayChain=$3
+    local chain
-    local disposition=$4
+    chain=$2
-    local rulenum=
+    local displayChain
-    local limit=
+    displayChain=$3
-    local tag=$6
+    local disposition
-    local command=${7:--A}
+    disposition=$4
    local rulenum
    rulenum=
    local limit
    limit=
    local tag
    tag=$6
    local command
    command=${7:--A}
    local prefix
-    local base=$(chain_base $displayChain)
+    local base
    base=$(chain_base $displayChain)
    limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
@ -744,9 +760,12 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
 log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
 {
-    local level=$1
+    local level
-    local chain=$2
+    level=$1
-    local disposition=$3
+    local chain
    chain=$2
    local disposition
    disposition=$3
    shift 3
@ -761,9 +780,12 @@ setup_syn_flood_chain ()
 	# $2 = synparams
        # $3 = loglevel
 {
-    local chain=@$1
+    local chain
-    local limit=$2
+    chain=@$1
-    local limit_burst=
+    local limit
    limit=$2
    local limit_burst
    limit_burst=
    case $limit in
 	*:*)
@ -842,8 +864,10 @@ __EOF__
 #
 setup_ecn() # $1 = file name
 {
-    local interfaces=""
+    local interfaces
-    local hosts=
+    interfaces=""
    local hosts
    hosts=
    local h
    if [ -s ${TMP_DIR}/ecn ]; then
@ -891,7 +915,8 @@ setup_ecn() # $1 = file name
 #
 build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
 {
-    local c=excl_${EXCLUSION_SEQ} net
+    local c
    c=excl_${EXCLUSION_SEQ} net
    EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 ))
@ -921,7 +946,10 @@ build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3
 # Setup queuing and classes
 #
 setup_tc1() {
-    local mark_part= comment=
+    local mark_part
    mark_part=
    local comment
    comment=
    #
    # Create the TC mangle chains
    #
@ -1030,7 +1058,8 @@ __EOF__
 #
 refresh_tc() {
-    local comment=
+    local comment
    comment=
    if [ -n "$CLEAR_TC" ]; then
 	delete_tc
@ -1094,9 +1123,12 @@ __EOF__
 #
 compile_refresh_firewall()
 {
-    local INDENT=""
+    local INDENT
-    local DOING="Compiling Refresh of"
+    INDENT=""
-    local DONE="Compiled"
+    local DOING
    DOING="Compiling Refresh of"
    local DONE
    DONE="Compiled"
    local indent
    save_command "refresh_firewall()"
@ -1147,7 +1179,8 @@ compile_refresh_firewall()
 process_action_file() # $1 = File Name
 {
    if ! list_search $1 $BUILTIN_ACTIONS; then
-	local user_exit=$(find_file $1)
+	local user_exit
 	user_exit=$(find_file $1)
 	if [ -f $user_exit ]; then
 	    progress_message "Processing $user_exit ..."
@ -1178,7 +1211,12 @@ process_action_file() # $1 = File Name
 createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
 {
-    local actchain= action=$1 level=$2
+    local actchain
    actchain=
    local action
    action=$1
    local level
    level=$2
    eval actchain=\${${action}_actchain}
@ -1264,7 +1302,14 @@ createactionchain() # $1 = Action, including log level and tag if any
 #
 find_logactionchain() # $1 = Action, including log level and tag if any
 {
-    local fullaction=$1 action=${1%%:*} level= chains=
+    local fullaction
    fullaction=$1
    local action
    action=${1%%:*}
    local level
    level=
    local chains
    chains=
    find_simpleaction() {
 	havechain $action ||  fatal_error "Fatal error in find_logactionchain"
@ -1307,7 +1352,10 @@ find_logactionchain() # $1 = Action, including log level and tag if any
 #
 merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
 {
-    local superior=$1 subordinate=$2
+    local superior
    superior=$1
    local subordinate
    subordinate=$2
    set -- $(split $1)
@ -1384,7 +1432,9 @@ define_builtin_actions() {
 #
 map_old_action() # $1 = Potential Old Action
 {
-    local macro= aktion
+    local macro
    macro=
    local aktion
    if [ -n "$MAPOLDACTIONS" ]; then
 	case $1 in
@ -1437,7 +1487,8 @@ map_old_action() # $1 = Potential Old Action
 #
 substitute_action() # $1 = parameter, $2 = action
 {
-    local logpart=${2#*:}
+    local logpart
    logpart=${2#*:}
    case $2 in
 	*:*)
@ -1635,7 +1686,8 @@ __EOF__
 #	 policy		= Applicable Policy
 #
 add_a_rule() {
-    local natrule=
+    local natrule
    natrule=
    do_ports() {
 	if [ -n "$port" ]; then
@ -2123,19 +2175,32 @@ process_rule() # $1 = target
               # $9 = userspec
               # $10= mark
 {
-    local target="$1"
+    local target
-    local clients="$2"
+    target="$1"
-    local servers="$3"
+    local clients
-    local protocol="$4"
+    clients="$2"
-    local ports="$5"
+    local servers
-    local cports="$6"
+    servers="$3"
-    local address="$7"
+    local protocol
-    local ratelimit="$8"
+    protocol="$4"
-    local userspec="$9"
+    local ports
-    local mark="${10}"
+    ports="$5"
-    local userandgroup=
+    local cports
-    local logtag=
+    cports="$6"
-    local nonat=
+    local address
    address="$7"
    local ratelimit
    ratelimit="$8"
    local userspec
    userspec="$9"
    local mark
    mark="${10}"
    local userandgroup
    userandgroup=
    local logtag
    logtag=
    local nonat
    nonat=
    # # # # # F u n c t i o n   B o d y # # # # #
@ -2488,17 +2553,28 @@ process_macro() # $1 = target
               # $9 = userspec
               # $10= mark
 {
-    local itarget="$1"
+    local itarget
-    local param="$2"
+    itarget="$1"
-    local iclients="$3"
+    local param
-    local iservers="$4"
+    param="$2"
-    local iprotocol="$5"
+    local iclients
-    local iports="$6"
+    iclients="$3"
-    local icports="$7"
+    local iservers
-    local iaddress="$8"
+    iservers="$4"
-    local iratelimit="$9"
+    local iprotocol
-    local iuserspec="${10}"
+    iprotocol="$5"
-    local imark="${11}"
+    local iports
    iports="$6"
    local icports
    icports="$7"
    local iaddress
    iaddress="$8"
    local iratelimit
    iratelimit="$9"
    local iuserspec
    iuserspec="${10}"
    local imark
    imark="${11}"
    progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
@ -2583,13 +2659,19 @@ process_macro() # $1 = target
 #
 process_rules()
 {
-    local comment= optimize
+    local comment
    comment=
    local optimize
    #
    # Process a rule where the source or destination is "all"
    #
    process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic
    {
-	local yclients yservers ysourcezone ydestzone ypolicy
+	local yclients
 	local yservers
 	local ysourcezone
 	local ydestzone
 	local ypolicy
 	for yclients in $xclients; do
 	    for yservers in $xservers; do
@ -2622,7 +2704,8 @@ process_rules()
    do_it() # $1 = "Yes" if the target is a macro.
    {
-	local intrazone=
+	local intrazone
 	intrazone=
 	if [ -z "$SECTIONS" ]; then
 	    finish_section ESTABLISHED,RELATED
@ -2802,17 +2885,35 @@ process_rules()
 #
 process_default_macro() # $1 = macro name
 {
-    local macro=$1
+    local macro
-    local address=
+    macro=$1
-    local multioption=
+    local address
-    local servport=
+    address=
-    local chain=$1
+    local multioption
-    local logchain=$1
+    multioption=
-    local userandgroup=
+    local servport
-    local logtag=
+    servport=
-    local excludesource=
+    local chain
-    local target client server protocol port cport ratelimit userspec rule
+    chain=$1
-    local f=$(find_file macro.${macro})
+    local logchain
    logchain=$1
    local userandgroup
    userandgroup=
    local logtag
    logtag=
    local excludesource
    excludesource=
    local target
    local client
    local server
    local protocol
    local port
    local cport
    local ratelimit
    local userspec
    local rule
    local f
    f=$(find_file macro.${macro})
    havechain $macro && fatal_error "Illegal duplicate default macro name: $macro"
@ -3070,7 +3171,10 @@ process_tos_rule() {
 #
 process_tos() # $1 = name of tos file
 {
-    local chain=pretos stdchain=PREROUTING
+    local chain
    chain=pretos
    local stdchain
    stdchain=PREROUTING
    if [ -n "$MANGLE_FORWARD" ]; then
 	chain=fortos
@ -3101,8 +3205,10 @@ policy_rules() # $1 = chain to add rules to
 	       # $3 = loglevel
               # $4 = Default Action/Macro
 {
-    local target="$2"
+    local target
-    local default="$4"
+    target="$2"
    local default
    default="$4"
    if [ -n "$default" ]; then
 	[ "$default" = none ] || run_iptables -A $1 -j $default
@ -3139,9 +3245,12 @@ policy_rules() # $1 = chain to add rules to
 #
 default_policy() # $1 = client $2 = server
 {
-    local chain="${1}2${2}"
+    local chain
-    local policy=
+    chain="${1}2${2}"
-    local loglevel=
+    local policy
    policy=
    local loglevel
    loglevel=
    local chain1
    jump_to_policy_chain() {
@ -3243,10 +3352,14 @@ default_policy() # $1 = client $2 = server
 #
 complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
 {
-    local policy=
+    local policy
-    local loglevel=
+    policy=
-    local policychain=
+    local loglevel
-    local default=
+    loglevel=
    local policychain
    policychain=
    local default
    default=
    run_user_exit $1
@ -3275,7 +3388,8 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
 #
 rules_chain() # $1 = source zone, $2 = destination zone
 {
-    local chain=${1}2${2} local policy
+    local chain
    chain=${1}2${2} local policy
    havechain $chain && { echo $chain; return; }
@ -3384,8 +3498,10 @@ process_blacklist_rec() {
 process_blacklist()
 {
-    local disposition=$BLACKLIST_DISPOSITION
+    local disposition
-    local f=$(find_file blacklist)
+    disposition=$BLACKLIST_DISPOSITION
    local f
    f=$(find_file blacklist)
    local target
    if [ -s $TMP_DIR/blacklist ]; then
@ -3419,8 +3535,10 @@ __EOF__
 # Setup the Black List
 #
 setup_blacklist() {
-    local hosts="$(find_hosts_by_option blacklist)"
+    local hosts
-    local ipsec policy
+    hosts="$(find_hosts_by_option blacklist)"
    local ipsec
    local policy
    if [ -n "$hosts" -a -s ${TMP_DIR}/blacklist ]; then
 	progress_message2 "$DOING Blacklisting..."
@ -3465,8 +3583,10 @@ setup_blacklist() {
 # Construct zone-independent rules
 #
 add_common_rules() {
-    local savelogparms="$LOGPARMS"
+    local savelogparms
-    local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
+    savelogparms="$LOGPARMS"
    local broadcasts
    broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
    #
    # Populate the smurf chain
    #
@ -3997,14 +4117,19 @@ apply_policy_rules() {
 #
 activate_rules()
 {
-    local PREROUTING_rule=1
+    local PREROUTING_rule
-    local POSTROUTING_rule=1
+    PREROUTING_rule=1
    local POSTROUTING_rule
    POSTROUTING_rule=1
    #
    # Jump to a NAT chain from one of the builtin nat chains
    #
    addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
    {
-	local sourcechain=$1 destchain=$2
+	local sourcechain
 	sourcechain=$1
        local destchain
        destchain=$2
 	shift
 	shift
@ -4022,7 +4147,10 @@ activate_rules()
    #
    addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
    {
-	local sourcechain=$1 destchain=$2
+	local sourcechain
 	sourcechain=$1
 	local destchain
 	destchain=$2
 	shift
 	shift
@ -4050,7 +4178,15 @@ activate_rules()
    #
    insert_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
    {
-	local t=$1 c=$2 num=0 host1 interface1 networks1
+	local t
 	t=$1
 	local c
 	c=$2
 	local num
 	num=0
 	local host1
 	local interface1
 	local networks1
 	shift 2
@ -4066,7 +4202,13 @@ activate_rules()
    #
    add_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
    {
-	local t=$1 c=$2 host1 interface1 networks1
+	local t
 	t=$1
 	local c
 	c=$2
 	local host1
 	local interface1
 	local networks1
 	shift 2
@ -4114,7 +4256,8 @@ activate_rules()
 	    eval exclusions=\"\$${zone}_exclusions\"
 	    if [ -n "$exclusions" ]; then
-		local num=1
+		local num
 		num=1
 		in_chain=${zone}_input
 		out_chain=${zone}_output
 		createchain $in_chain No
@ -4562,8 +4705,10 @@ activate_rules()
 # from that script are available here
 #
 compile_stop_firewall() {
-    local IPTABLES_COMMAND="\$IPTABLES"
+    local IPTABLES_COMMAND
-    local INDENT="    "
+    IPTABLES_COMMAND="\$IPTABLES"
    local INDENT
    INDENT="    "
    cat >&3 << __EOF__
@ -4907,10 +5052,18 @@ mycat()
 #
 compile_firewall() # $1 = File Name
 {
-    local IPTABLES_COMMAND=run_iptables
+    local IPTABLES_COMMAND
-    local INDENT=""
+    IPTABLES_COMMAND=run_iptables
-    local checking= outfile=$1 dir=
+    local INDENT
-    local match=
+    INDENT=""
    local checking
    checking=
    local outfile
    outfile=$1
    local dir
    dir=
    local match
    match=
    setup_mss()
    {
@ -5158,7 +5311,8 @@ __EOF__
 	fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget "-e" when you compiled?)"
    fi
-    local version=\$(cat \${SHAREDIR}/version)
+    local version
    version=\$(cat \${SHAREDIR}/version)
    if [ \${SHOREWALL_LIBVERSION:-0} -lt 30203 ]; then
 	fatal_error "This script requires Shorewall version 3.3.3 or later; current version is \$version"
@ -5298,7 +5452,8 @@ __EOF__
 # Start/Restart/Reload the firewall
 #
 define_firewall() {
-    local restore_file=\$1
+    local restore_file
    restore_file=\$1
 __EOF__
    INDENT="    "
--- a/Shorewall-shell/diff-3.4-compiler
+++ b/Shorewall-shell/diff-3.4-compiler
@ -1,6 +1,14 @@
--- /home/teastep/shorewall/branches/3.4/Shorewall/compiler	2007-07-04 08:07:46.000000000 -0700
+--- ../../3.4/Shorewall/compiler	2007-10-26 19:10:45.000000000 -0400
-+++ compiler	2007-07-08 07:18:45.000000000 -0700
+++ compiler	2008-03-09 16:00:16.000000000 -0400
-@@ -35,6 +35,12 @@
+@@ -1,6 +1,6 @@
 #!/bin/sh
 #
 -#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V3.4
 +#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V4.0
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -35,6 +35,11 @@
 #	    SHOREWALL_DIR                       A directory name was passed to /sbin/shorewall
 #	    VERBOSE                             Standard Shorewall verbosity control.
@ -8,12 +16,72 @@
 +BASE_VERSION_PRINTABLE=4.0.0
 +CONFIG_VERSION=40000
 +CONFIG_VERSION_PRINTABLE=4.0.0
 +
 +
 #
 # Fatal error -- stops the compiler after issuing the error message
 #
-@@ -673,11 +679,11 @@
+@@ -128,7 +133,8 @@
 #
 append_file() # $1 = File Name
 {
 -    local user_exit=$(find_file $1)
 +    local user_exit
 +    user_exit=$(find_file $1)
     case $user_exit in
 	$SHAREDIR/*)
@@ -210,7 +216,8 @@
 #
 finish_chain_section() # $1 = canonical chain $2 = state list
 {
 -    local policy policychain
 +    local policy
 +    local policychain
     [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
@@ -241,7 +248,9 @@
 finish_section() # $1 = Section(s)
 {
 -    local zone zone1 chain
 +    local zone
 +    local zone1
 +    local chain
     for zone in $ZONES $FW; do
 	for zone1 in $ZONES $FW; do
@@ -263,7 +272,8 @@
 #
 createchain() # $1 = chain name, $2 = If "yes", do section-end processing
 {
 -    local c=$(chain_base $1)
 +    local c
 +    c=$(chain_base $1)
     run_iptables -N $1
@@ -286,7 +296,8 @@
 #
 createchain2() # $1 = chain name, $2 = If "yes", create default rules
 {
 -    local c=$(chain_base $1)
 +    local c
 +    c=$(chain_base $1)
     ensurechain $1
@@ -313,7 +324,8 @@
 #
 havechain() # $1 = name of chain
 {
 -    local c=$(chain_base $1)
 +    local c
 +    c=$(chain_base $1)
     eval test \"\$exists_${c}\" = Yes
 }
@@ -675,11 +687,11 @@
     progress_message2 "Compiling IP Forwarding..."
     case "$IP_FORWARDING" in
@ -27,7 +95,504 @@
 	    save_progress_message "IP Forwarding Disabled!"
 	    save_command "echo 0 > /proc/sys/net/ipv4/ip_forward"
 	    ;;
-@@ -3767,7 +3773,7 @@
+@@ -719,16 +731,25 @@
 #
 log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
 {
 -    local level=$1
 -    local chain=$2
 -    local displayChain=$3
 -    local disposition=$4
 -    local rulenum=
 -    local limit=
 -    local tag=$6
 -    local command=${7:--A}
 +    local level
 +    level=$1
 +    local chain
 +    chain=$2
 +    local displayChain
 +    displayChain=$3
 +    local disposition
 +    disposition=$4
 +    local rulenum
 +    rulenum=
 +    local limit
 +    limit=
 +    local tag
 +    tag=$6
 +    local command
 +    command=${7:--A}
     local prefix
 -    local base=$(chain_base $displayChain)
 +    local base
 +    base=$(chain_base $displayChain)
     limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
@@ -739,9 +760,12 @@
 log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
 {
 -    local level=$1
 -    local chain=$2
 -    local disposition=$3
 +    local level
 +    level=$1
 +    local chain
 +    chain=$2
 +    local disposition
 +    disposition=$3
     shift 3
@@ -756,9 +780,12 @@
 	# $2 = synparams
         # $3 = loglevel
 {
 -    local chain=@$1
 -    local limit=$2
 -    local limit_burst=
 +    local chain
 +    chain=@$1
 +    local limit
 +    limit=$2
 +    local limit_burst
 +    limit_burst=
     case $limit in
 	*:*)
@@ -837,8 +864,10 @@
 #
 setup_ecn() # $1 = file name
 {
 -    local interfaces=""
 -    local hosts=
 +    local interfaces
 +    interfaces=""
 +    local hosts
 +    hosts=
     local h
     if [ -s ${TMP_DIR}/ecn ]; then
@@ -886,7 +915,8 @@
 #
 build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
 {
 -    local c=excl_${EXCLUSION_SEQ} net
 +    local c
 +    c=excl_${EXCLUSION_SEQ} net
     EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 ))
@@ -916,7 +946,10 @@
 # Setup queuing and classes
 #
 setup_tc1() {
 -    local mark_part= comment=
 +    local mark_part
 +    mark_part=
 +    local comment
 +    comment=
     #
     # Create the TC mangle chains
     #
@@ -1025,7 +1058,8 @@
 #
 refresh_tc() {
 -    local comment=
 +    local comment
 +    comment=
     if [ -n "$CLEAR_TC" ]; then
 	delete_tc
@@ -1089,9 +1123,12 @@
 #
 compile_refresh_firewall()
 {
 -    local INDENT=""
 -    local DOING="Compiling Refresh of"
 -    local DONE="Compiled"
 +    local INDENT
 +    INDENT=""
 +    local DOING
 +    DOING="Compiling Refresh of"
 +    local DONE
 +    DONE="Compiled"
     local indent
     save_command "refresh_firewall()"
@@ -1142,7 +1179,8 @@
 process_action_file() # $1 = File Name
 {
     if ! list_search $1 $BUILTIN_ACTIONS; then
 -	local user_exit=$(find_file $1)
 +	local user_exit
 +	user_exit=$(find_file $1)
 	if [ -f $user_exit ]; then
 	    progress_message "Processing $user_exit ..."
@@ -1173,7 +1211,12 @@
 createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
 {
 -    local actchain= action=$1 level=$2
 +    local actchain
 +    actchain=
 +    local action
 +    action=$1
 +    local level
 +    level=$2
     eval actchain=\${${action}_actchain}
@@ -1259,7 +1302,14 @@
 #
 find_logactionchain() # $1 = Action, including log level and tag if any
 {
 -    local fullaction=$1 action=${1%%:*} level= chains=
 +    local fullaction
 +    fullaction=$1
 +    local action
 +    action=${1%%:*}
 +    local level
 +    level=
 +    local chains
 +    chains=
     find_simpleaction() {
 	havechain $action ||  fatal_error "Fatal error in find_logactionchain"
@@ -1302,7 +1352,10 @@
 #
 merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
 {
 -    local superior=$1 subordinate=$2
 +    local superior
 +    superior=$1
 +    local subordinate
 +    subordinate=$2
     set -- $(split $1)
@@ -1379,7 +1432,9 @@
 #
 map_old_action() # $1 = Potential Old Action
 {
 -    local macro= aktion
 +    local macro
 +    macro=
 +    local aktion
     if [ -n "$MAPOLDACTIONS" ]; then
 	case $1 in
@@ -1432,7 +1487,8 @@
 #
 substitute_action() # $1 = parameter, $2 = action
 {
 -    local logpart=${2#*:}
 +    local logpart
 +    logpart=${2#*:}
     case $2 in
 	*:*)
@@ -1630,7 +1686,8 @@
 #	 policy		= Applicable Policy
 #
 add_a_rule() {
 -    local natrule=
 +    local natrule
 +    natrule=
     do_ports() {
 	if [ -n "$port" ]; then
@@ -2118,19 +2175,32 @@
                # $9 = userspec
                # $10= mark
 {
 -    local target="$1"
 -    local clients="$2"
 -    local servers="$3"
 -    local protocol="$4"
 -    local ports="$5"
 -    local cports="$6"
 -    local address="$7"
 -    local ratelimit="$8"
 -    local userspec="$9"
 -    local mark="${10}"
 -    local userandgroup=
 -    local logtag=
 -    local nonat=
 +    local target
 +    target="$1"
 +    local clients
 +    clients="$2"
 +    local servers
 +    servers="$3"
 +    local protocol
 +    protocol="$4"
 +    local ports
 +    ports="$5"
 +    local cports
 +    cports="$6"
 +    local address
 +    address="$7"
 +    local ratelimit
 +    ratelimit="$8"
 +    local userspec
 +    userspec="$9"
 +    local mark
 +    mark="${10}"
 +    local userandgroup
 +    userandgroup=
 +    local logtag
 +    logtag=
 +    local nonat
 +    nonat=
     # # # # # F u n c t i o n   B o d y # # # # #
@@ -2483,21 +2553,35 @@
                # $9 = userspec
                # $10= mark
 {
 -    local itarget="$1"
 -    local param="$2"
 -    local iclients="$3"
 -    local iservers="$4"
 -    local iprotocol="$5"
 -    local iports="$6"
 -    local icports="$7"
 -    local iaddress="$8"
 -    local iratelimit="$9"
 -    local iuserspec="${10}"
 -    local imark="${11}"
 +    local itarget
 +    itarget="$1"
 +    local param
 +    param="$2"
 +    local iclients
 +    iclients="$3"
 +    local iservers
 +    iservers="$4"
 +    local iprotocol
 +    iprotocol="$5"
 +    local iports
 +    iports="$6"
 +    local icports
 +    icports="$7"
 +    local iaddress
 +    iaddress="$8"
 +    local iratelimit
 +    iratelimit="$9"
 +    local iuserspec
 +    iuserspec="${10}"
 +    local imark
 +    imark="${11}"
     progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
     while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
 +
 +	[ $mtarget = COMMENT ] && continue
 +
 	mtarget=$(merge_levels $itarget $mtarget)
 	case $mtarget in
@@ -2575,13 +2659,19 @@
 #
 process_rules()
 {
 -    local comment= optimize
 +    local comment
 +    comment=
 +    local optimize
     #
     # Process a rule where the source or destination is "all"
     #
     process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic
     {
 -	local yclients yservers ysourcezone ydestzone ypolicy
 +	local yclients
 +	local yservers
 +	local ysourcezone
 +	local ydestzone
 +	local ypolicy
 	for yclients in $xclients; do
 	    for yservers in $xservers; do
@@ -2614,7 +2704,8 @@
     do_it() # $1 = "Yes" if the target is a macro.
     {
 -	local intrazone=
 +	local intrazone
 +	intrazone=
 	if [ -z "$SECTIONS" ]; then
 	    finish_section ESTABLISHED,RELATED
@@ -2794,17 +2885,35 @@
 #
 process_default_macro() # $1 = macro name
 {
 -    local macro=$1
 -    local address=
 -    local multioption=
 -    local servport=
 -    local chain=$1
 -    local logchain=$1
 -    local userandgroup=
 -    local logtag=
 -    local excludesource=
 -    local target client server protocol port cport ratelimit userspec rule
 -    local f=$(find_file macro.${macro})
 +    local macro
 +    macro=$1
 +    local address
 +    address=
 +    local multioption
 +    multioption=
 +    local servport
 +    servport=
 +    local chain
 +    chain=$1
 +    local logchain
 +    logchain=$1
 +    local userandgroup
 +    userandgroup=
 +    local logtag
 +    logtag=
 +    local excludesource
 +    excludesource=
 +    local target
 +    local client
 +    local server
 +    local protocol
 +    local port
 +    local cport
 +    local ratelimit
 +    local userspec
 +    local rule
 +    local f
 +    f=$(find_file macro.${macro})
     havechain $macro && fatal_error "Illegal duplicate default macro name: $macro"
@@ -3062,7 +3171,10 @@
 #
 process_tos() # $1 = name of tos file
 {
 -    local chain=pretos stdchain=PREROUTING
 +    local chain
 +    chain=pretos
 +    local stdchain
 +    stdchain=PREROUTING
     if [ -n "$MANGLE_FORWARD" ]; then
 	chain=fortos
@@ -3093,8 +3205,10 @@
 	       # $3 = loglevel
                # $4 = Default Action/Macro
 {
 -    local target="$2"
 -    local default="$4"
 +    local target
 +    target="$2"
 +    local default
 +    default="$4"
     if [ -n "$default" ]; then
 	[ "$default" = none ] || run_iptables -A $1 -j $default
@@ -3131,9 +3245,12 @@
 #
 default_policy() # $1 = client $2 = server
 {
 -    local chain="${1}2${2}"
 -    local policy=
 -    local loglevel=
 +    local chain
 +    chain="${1}2${2}"
 +    local policy
 +    policy=
 +    local loglevel
 +    loglevel=
     local chain1
     jump_to_policy_chain() {
@@ -3235,14 +3352,18 @@
 #
 complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
 {
 -    local policy=
 -    local loglevel=
 -    local policychain=
 -    local default=
 +    local policy
 +    policy=
 +    local loglevel
 +    loglevel=
 +    local policychain
 +    policychain=
 +    local default
 +    default=
     run_user_exit $1
 -    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 +    [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
     eval policychain=\$${2}2${3}_policychain
@@ -3267,7 +3388,8 @@
 #
 rules_chain() # $1 = source zone, $2 = destination zone
 {
 -    local chain=${1}2${2} local policy
 +    local chain
 +    chain=${1}2${2} local policy
     havechain $chain && { echo $chain; return; }
@@ -3376,8 +3498,10 @@
 process_blacklist()
 {
 -    local disposition=$BLACKLIST_DISPOSITION
 -    local f=$(find_file blacklist)
 +    local disposition
 +    disposition=$BLACKLIST_DISPOSITION
 +    local f
 +    f=$(find_file blacklist)
     local target
     if [ -s $TMP_DIR/blacklist ]; then
@@ -3411,8 +3535,10 @@
 # Setup the Black List
 #
 setup_blacklist() {
 -    local hosts="$(find_hosts_by_option blacklist)"
 -    local ipsec policy
 +    local hosts
 +    hosts="$(find_hosts_by_option blacklist)"
 +    local ipsec
 +    local policy
     if [ -n "$hosts" -a -s ${TMP_DIR}/blacklist ]; then
 	progress_message2 "$DOING Blacklisting..."
@@ -3457,8 +3583,10 @@
 # Construct zone-independent rules
 #
 add_common_rules() {
 -    local savelogparms="$LOGPARMS"
 -    local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
 +    local savelogparms
 +    savelogparms="$LOGPARMS"
 +    local broadcasts
 +    broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
     #
     # Populate the smurf chain
     #
@@ -3788,7 +3916,7 @@
 	save_progress_message "Setting up Route Filtering..."
@ -36,7 +601,7 @@
 	    indent >&3 << __EOF__
 for f in /proc/sys/net/ipv4/conf/*; do
-@@ -3791,8 +3797,10 @@
+@@ -3812,8 +3940,10 @@
 	save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"
@ -48,7 +613,7 @@
 	fi
 	save_command "[ -n \"\$NOROUTES\" ] || ip route flush cache"
-@@ -3808,7 +3816,7 @@
+@@ -3829,7 +3959,7 @@
 	save_progress_message "Setting up Martian Logging..."
@ -57,7 +622,7 @@
 	    indent >&3 << __EOF__
 for f in /proc/sys/net/ipv4/conf/*; do
-@@ -3831,9 +3839,12 @@
+@@ -3852,9 +3982,12 @@
 __EOF__
 	    done
@ -71,16 +636,120 @@
 	fi
     fi
-@@ -4890,7 +4901,7 @@
+@@ -3984,14 +4117,19 @@
- 		;;
+ #
- 	esac
+ activate_rules()
 {
 -    local PREROUTING_rule=1
 -    local POSTROUTING_rule=1
 +    local PREROUTING_rule
 +    PREROUTING_rule=1
 +    local POSTROUTING_rule
 +    POSTROUTING_rule=1
     #
     # Jump to a NAT chain from one of the builtin nat chains
     #
     addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
     {
 -	local sourcechain=$1 destchain=$2
 +	local sourcechain
 +	sourcechain=$1
 +        local destchain
 +        destchain=$2
 	shift
 	shift
-	run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS $option
+@@ -4009,7 +4147,10 @@
-+	run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
+     #
-     }
+     addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
     {
 -	local sourcechain=$1 destchain=$2
 +	local sourcechain
 +	sourcechain=$1
 +	local destchain
 +	destchain=$2
 	shift
 	shift
-     progress_message2 "Initializing..."
+@@ -4037,7 +4178,15 @@
-@@ -4930,7 +4941,7 @@
+     #
     insert_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
     {
 -	local t=$1 c=$2 num=0 host1 interface1 networks1
 +	local t
 +	t=$1
 +	local c
 +	c=$2
 +	local num
 +	num=0
 +	local host1
 +	local interface1
 +	local networks1
 	shift 2
@@ -4053,7 +4202,13 @@
     #
     add_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions
     {
 -	local t=$1 c=$2 host1 interface1 networks1
 +	local t
 +	t=$1
 +	local c
 +	c=$2
 +	local host1
 +	local interface1
 +	local networks1
 	shift 2
@@ -4101,7 +4256,8 @@
 	    eval exclusions=\"\$${zone}_exclusions\"
 	    if [ -n "$exclusions" ]; then
 -		local num=1
 +		local num
 +		num=1
 		in_chain=${zone}_input
 		out_chain=${zone}_output
 		createchain $in_chain No
@@ -4549,8 +4705,10 @@
 # from that script are available here
 #
 compile_stop_firewall() {
 -    local IPTABLES_COMMAND="\$IPTABLES"
 -    local INDENT="    "
 +    local IPTABLES_COMMAND
 +    IPTABLES_COMMAND="\$IPTABLES"
 +    local INDENT
 +    INDENT="    "
     cat >&3 << __EOF__
@@ -4894,10 +5052,18 @@
 #
 compile_firewall() # $1 = File Name
 {
 -    local IPTABLES_COMMAND=run_iptables
 -    local INDENT=""
 -    local checking= outfile=$1 dir=
 -    local match=
 +    local IPTABLES_COMMAND
 +    IPTABLES_COMMAND=run_iptables
 +    local INDENT
 +    INDENT=""
 +    local checking
 +    checking=
 +    local outfile
 +    outfile=$1
 +    local dir
 +    dir=
 +    local match
 +    match=
     setup_mss()
     {
@@ -4951,7 +5117,7 @@
     cat >&3 << __EOF__
 #
@ -89,7 +758,71 @@
 #
 __EOF__
-@@ -5732,6 +5743,11 @@
+@@ -4959,7 +5125,10 @@
 	cat >&3 << __EOF__
 SHAREDIR=/usr/share/shorewall-lite
 CONFDIR=/etc/shorewall-lite
 -VARDIR=/var/lib/shorewall-lite
 +
 +[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir
 +
 +[ -n "\${VARDIR:=/var/lib/shorewall-lite}" ]
 __EOF__
@@ -4976,7 +5145,10 @@
 	cat >&3 << __EOF__
 SHAREDIR=/usr/share/shorewall
 CONFDIR=/etc/shorewall
 -VARDIR=/var/lib/shorewall
 +
 +[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir
 +
 +[ -n "\${VARDIR:=/var/lib/shorewall}" ]
 . \${SHAREDIR}/lib.base
 __EOF__
@@ -5139,7 +5311,8 @@
 	fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget "-e" when you compiled?)"
     fi
 -    local version=\$(cat \${SHAREDIR}/version)
 +    local version
 +    version=\$(cat \${SHAREDIR}/version)
     if [ \${SHOREWALL_LIBVERSION:-0} -lt 30203 ]; then
 	fatal_error "This script requires Shorewall version 3.3.3 or later; current version is \$version"
@@ -5178,6 +5351,7 @@
     LOCKFILE="$LOCKFILE"
     PATH="$PATH"
     TERMINATOR=fatal_error
 +    DONT_LOAD="$DONT_LOAD"
 __EOF__
     if [ -n "$IPTABLES" ]; then
@@ -5278,7 +5452,8 @@
 # Start/Restart/Reload the firewall
 #
 define_firewall() {
 -    local restore_file=\$1
 +    local restore_file
 +    restore_file=\$1
 __EOF__
     INDENT="    "
@@ -5727,9 +5902,9 @@
 # E X E C U T I O N    B E G I N S   H E R E
 #
 #
 -# Start trace if first arg is "debug"
 +# Start trace if first arg is "debug" or "trace"
 #
 -[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
 +[ $# -gt 1 ] && [ "x$1" = xdebug -o "x$1" = xtrace ] && { set -x ; shift ; } 
 NOLOCK=
@@ -5754,6 +5929,11 @@
     fi
 done
--- a/Shorewall-shell/diff-3.4-lib.tunnels
+++ b/Shorewall-shell/diff-3.4-lib.tunnels
@ -1,11 +1,22 @@
--- /home/teastep/shorewall/branches/3.4/Shorewall/lib.tunnels	2007-03-22 15:27:26.000000000 -0700
+--- ../../3.4/Shorewall/lib.tunnels	2007-10-26 19:10:45.000000000 -0400
-+++ lib.tunnels	2007-07-03 07:57:16.000000000 -0700
+++ lib.tunnels	2008-03-09 15:55:46.000000000 -0400
-@@ -37,19 +37,28 @@
+@@ -1,6 +1,6 @@
 #!/bin/sh
 #
 -# Shorewall 3.4 -- /usr/share/shorewall/lib.tunnels
 +# Shorewall 4.1 -- /usr/share/shorewall/lib.tunnels
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -37,19 +37,31 @@
     setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
     {
 -    	local kind=$1 noah=
-+    	local kind=$1 noah=noah
+    	local kind
 +    	kind=$1
 +    	local noah
 +    	noah=noah
 	case $kind in
 	    *:*)
@ -32,3 +43,52 @@
 	options="-m state --state NEW -j ACCEPT"
 	addrule2 $inchain	  -p 50	 $source -j ACCEPT
@@ -125,8 +137,10 @@
     setup_one_openvpn() # $1 = kind[:port]
     {
 -	local protocol=udp
 -	local p=1194
 +	local protocol
 +	protocol=udp
 +	local p
 +	p=1194
 	case $1 in
 	    *:*:*)
@@ -150,8 +164,10 @@
     setup_one_openvpn_server() # $1 = kind[:port]
     {
 -	local protocol=udp
 -	local p=1194
 +	local protocol
 +	protocol=udp
 +	local p
 +	p=1194
 	case $1 in
 	    *:*:*)
@@ -175,8 +191,10 @@
     setup_one_openvpn_client() # $1 = kind[:port]
     {
 -	local protocol=udp
 -	local p=1194
 +	local protocol
 +	protocol=udp
 +	local p
 +	p=1194
 	case $1 in
 	    *:*:*)
@@ -201,7 +219,8 @@
     setup_one_generic() # $1 = kind:protocol[:port]
     {
 	local protocol
 -	local p=
 +	local p
 +	p=
 	case $1 in
 	    *:*:*)
--- a/Shorewall-shell/install.sh
+++ b/Shorewall-shell/install.sh
@ -35,7 +35,8 @@ usage() # $1 = exit status
 }
 split() {
-    local ifs=$IFS
+    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
--- a/Shorewall-shell/lib.actions
+++ b/Shorewall-shell/lib.actions
@ -252,19 +252,32 @@ process_action() # $1 = chain    (Chain to add the rules to)
                 # $10 = userspec
                 # $11 = mark
 {
-    local chain="$1"
+    local chain
-    local action="$2"
+    chain="$1"
-    local target="$3"
+    local action
-    local clients="$4"
+    action="$2"
-    local servers="$5"
+    local target
-    local protocol="$6"
+    target="$3"
-    local ports="$7"
+    local clients
-    local cports="$8"
+    clients="$4"
-    local ratelimit="$9"
+    local servers
-    local userspec="${10}"
+    servers="$5"
-    local mark="${11}"
+    local protocol
-    local userandgroup=
+    protocol="$6"
-    local logtag=
+    local ports
    ports="$7"
    local cports
    cports="$8"
    local ratelimit
    ratelimit="$9"
    local userspec
    userspec="${10}"
    local mark
    mark="${11}"
    local userandgroup
    userandgroup=
    local logtag
    logtag=
    if [ -n "$ratelimit" ]; then
 	case $ratelimit in
@ -483,7 +496,10 @@ process_action() # $1 = chain    (Chain to add the rules to)
 #
 merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
 {
-    local superior=$1 subordinate=$2
+    local superior
    superior=$1
    local subordinate
    subordinate=$2
    set -- $(split $1)
@ -690,7 +706,8 @@ process_actions1() {
 process_actions2() {
-    local interfaces="$(find_interfaces_by_option upnp)"
+    local interfaces
    interfaces="$(find_interfaces_by_option upnp)"
    if [ -n "$interfaces" ]; then
 	if ! list_search forwardUPnP $USEDACTIONS; then
@ -735,7 +752,10 @@ process_actions2() {
 process_action3() {
-    local f=action.$xaction1 comment=
+    local f
    f=action.$xaction1
    local comment
    comment=
    progress_message2 "$DOING $(find_file $f) for Chain $xchain..."
--- a/Shorewall-shell/lib.maclist
+++ b/Shorewall-shell/lib.maclist
@ -40,7 +40,8 @@ setup_mac_lists() # $1 = Phase Number
    local blob
    local hosts
    local ipsec
-    local policy=
+    local policy
    policy=
    create_mac_chain()
    {
--- a/Shorewall-shell/lib.nat
+++ b/Shorewall-shell/lib.nat
@ -31,10 +31,13 @@
 #
 setup_masq()
 {
-    local comment=
+    local comment
    comment=
    do_ipsec_options() {
-	local options="$(separate_list $ipsec)" option
+	local options
 	options="$(separate_list $ipsec)"
 	local option
 	[ -n "$ORIGINAL_POLICY_MATCH" ] || \
 	    fatal_error "IPSEC options require policy match support in your kernel and iptables"
 	policy="-m policy --pol ipsec --dir out"
@ -62,7 +65,14 @@ setup_masq()
    }
    setup_one() {
-	local add_snat_aliases=$ADD_SNAT_ALIASES pre_nat= policy= destnets=
+	local add_snat_aliases
 	add_snat_aliases=$ADD_SNAT_ALIASES
 	local pre_nat
 	pre_nat=
 	local policy
 	policy=
 	local destnets
 	destnets=
 	[ "x$ipsec" = x- ] && ipsec=
@ -475,7 +485,22 @@ __EOF__
 # Setup Static Network Address Translation (NAT)
 #
 setup_nat() {
-    local external= interface= internal= allints= localnat= policyin= policyout= comment=
+    local external
    external=
    local interface
    interface=
    local internal
    internal=
    local allints
    allints=
    local localnat
    localnat=
    local policyin
    policyin=
    local policyout
    policyout=
    local comment
    comment=
    validate_one() #1 = Variable Name, $2 = Column name, $3 = value
    {
@ -493,7 +518,10 @@ setup_nat() {
    }
    do_one_nat() {
-	local add_ip_aliases=$ADD_IP_ALIASES iface=${interface%:*}
+	local add_ip_aliases
 	add_ip_aliases=$ADD_IP_ALIASES
 	local iface
 	iface=${interface%:*}
 	if [ -n "$add_ip_aliases" ]; then
 	    case $interface in
@ -613,7 +641,8 @@ setup_netmap() {
 #
 add_nat_rule() {
    local chain
-    local excludedests=
+    local excludedests
    excludedests=
    # Be sure we can NAT
--- a/Shorewall-shell/lib.providers
+++ b/Shorewall-shell/lib.providers
@ -30,7 +30,30 @@
 #
 setup_providers()
 {
-    local table number mark duplicate interface gateway options provider address copy route loose addresses rulenum rulebase balance save_indent="$INDENT" mask= first=Yes save_indent1=
+    local table
    local number
    local mark
    local duplicate
    local interface
    local gateway
    local options
    local provider
    local address
    local copy
    local route
    local loose
    local addresses
    local rulenum
    local rulebase
    local balance
    local save_indent
    save_indent="$INDENT"
    local mask
    mask=
    local first
    first=Yes
    local save_indent1
    save_indent1=
    copy_table() {
 	    indent >&3 << __EOF__
@ -88,7 +111,12 @@ __EOF__
    }
    add_a_provider() {
-	local t n iface option optional=
+	local t
 	local n
 	local iface
 	local option
 	local optional
 	optional=
 	[ -n "$MANGLE_ENABLED" ] || fatal_error "Providers require mangle support in your kernel and iptables"
@ -269,7 +297,8 @@ __EOF__
    verify_provider()
    {
-	local p n
+	local p
 	local n
 	for p in $PROVIDERS main; do
 	    [ "$p" = "$1" ] && return 0
@ -434,7 +463,10 @@ __EOF__
 #
 setup_route_marking()
 {
-    local mask=0xFF save_indent="$INDENT"
+    local mask
    mask=0xFF
    local save_indent
    save_indent="$INDENT"
    [ -n "$HIGH_ROUTE_MARKS" ] && mask=0xFF00
--- a/Shorewall-shell/lib.proxyarp
+++ b/Shorewall-shell/lib.proxyarp
@ -30,7 +30,10 @@
 #
 setup_proxy_arp() {
-    local setlist= resetlist=
+    local setlist
    setlist=
    local resetlist
    resetlist=
    print_error() {
 	error_message "Invalid value for HAVEROUTE - ($haveroute)"
--- a/Shorewall-shell/lib.tc
+++ b/Shorewall-shell/lib.tc
@ -37,11 +37,30 @@
 #
 setup_traffic_shaping()
 {
-    local mtu r2q tc_all_devices device mark rate ceil prio options devfile=$(find_file tcdevices) classfile=$(find_file tcclasses) devnum=1 last_device=
+    local mtu
-    r2q=10 indent= prefix=1
+    local r2q
    local tc_all_devices
    local device
    local mark
    local rate
    local ceil
    local prio
    local options
    local devfile
    devfile=$(find_file tcdevices)
    local classfile
    classfile=$(find_file tcclasses)
    local devnum
    devnum=1
    local last_device
    last_device=
    r2q=10
    indent=
    prefix=1
    rate_to_kbit() {
-	local rateunit rate
+	local rateunit
 	local rate
 	rate=$1
 	rateunit=$( echo $rate | sed -e 's/[0-9]*//')
 	rate=$( echo $rate | sed -e 's/[a-zA-Z]*//g')
@ -68,13 +87,16 @@ setup_traffic_shaping()
    }
    calculate_quantum() {
-	local rate=$(rate_to_kbit $1)
+	local rate
 	rate=$(rate_to_kbit $1)
 	echo $(( $rate * ( 128 / $r2q ) ))
    }
    # get given outbandwidth for device
    get_outband_for_dev() {
-	local device inband outband
+	local device
 	local inband
 	local outband
 	while read device inband outband; do
 	    tcdev="$device $inband $outband"
 	    if [ "$1" = "$device" ] ; then
@ -102,7 +124,12 @@ setup_traffic_shaping()
    }
    get_defmark_for_dev() {
-	local searchdev searchmark device ceil prio options
+	local searchdev
 	local searchmark
 	local device
 	local ceil
 	local prio
 	local options
 	searchdev=$1
 	while read device mark rate ceil prio options; do
@ -122,7 +149,9 @@ setup_traffic_shaping()
    validate_tcdevices_file() {
 	progress_message2 "Validating $devfile..."
-	local device inband outband
+	local device
 	local inband
 	local outband
 	while read device inband outband; do
 	    tcdev="$device $inband $outband"
 	    check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device"
@ -140,7 +169,16 @@ setup_traffic_shaping()
    validate_tcclasses_file() {
 	progress_message2 "Validating $classfile..."
-	local classlist device mark rate ceil prio bandw wrongopt allopts opt
+	local classlist
 	local device
 	local mark
 	local rate
 	local ceil
 	local prio
 	local bandw
 	local wrongopt
 	local allopts
 	local opt
 	allopts=""
 	while read device mark rate ceil prio options; do
 	    tcdev="$device $mark $rate $ceil $prio $options"
@ -171,7 +209,8 @@ setup_traffic_shaping()
    }
    add_root_tc() {
-	local defmark dev
+	local defmark
 	local dev
 	dev=$(chain_base $device)
@ -211,7 +250,11 @@ setup_traffic_shaping()
    }
    add_tc_class() {
-	local full classid tospair tosmask quantum
+	local full
 	local classid
 	local tospair
 	local tosmask
 	local quantum
 	full=$(get_outband_for_dev $device)
 	full=$(rate_to_kbit $full)
--- a/Shorewall-shell/lib.tunnels
+++ b/Shorewall-shell/lib.tunnels
@ -37,7 +37,10 @@ setup_tunnels() # $1 = name of tunnels file
    setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
    {
-    	local kind=$1 noah=noah
+    	local kind
    	kind=$1
    	local noah
    	noah=noah
 	case $kind in
 	    *:*)
@ -134,8 +137,10 @@ setup_tunnels() # $1 = name of tunnels file
    setup_one_openvpn() # $1 = kind[:port]
    {
-	local protocol=udp
+	local protocol
-	local p=1194
+	protocol=udp
 	local p
 	p=1194
 	case $1 in
 	    *:*:*)
@ -159,8 +164,10 @@ setup_tunnels() # $1 = name of tunnels file
    setup_one_openvpn_server() # $1 = kind[:port]
    {
-	local protocol=udp
+	local protocol
-	local p=1194
+	protocol=udp
 	local p
 	p=1194
 	case $1 in
 	    *:*:*)
@ -184,8 +191,10 @@ setup_tunnels() # $1 = name of tunnels file
    setup_one_openvpn_client() # $1 = kind[:port]
    {
-	local protocol=udp
+	local protocol
-	local p=1194
+	protocol=udp
 	local p
 	p=1194
 	case $1 in
 	    *:*:*)
@ -210,7 +219,8 @@ setup_tunnels() # $1 = name of tunnels file
    setup_one_generic() # $1 = kind:protocol[:port]
    {
 	local protocol
-	local p=
+	local p
 	p=
 	case $1 in
 	    *:*:*)
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@ -247,7 +247,8 @@ compiler() {
 	exit 1
    }
-    local command=$1
+    local command
    command=$1
    shift
@ -293,10 +294,12 @@ compiler() {
 # Start Command Executor
 #
 start_command() {
-    local finished=0
+    local finished
    finished=0
    do_it() {
-	local rc=0
+	local rc
 	rc=0
 	progress_message3 "Compiling..."
@ -405,7 +408,8 @@ start_command() {
 # Compile Command Executor
 #
 compile_command() {
-    local finished=0
+    local finished
    finished=0
    while [ $finished -eq 0 ]; do
 	[ $# -eq 0 ] && usage 1
@ -485,7 +489,8 @@ compile_command() {
 # Check Command Executor
 #
 check_command() {
-    local finished=0
+    local finished
    finished=0
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@ -557,7 +562,10 @@ check_command() {
 # Restart Command Executor
 #
 restart_command() {
-    local finished=0 rc=0
+    local finished
    finished=0
    local rc
    rc=0
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@ -634,7 +642,8 @@ restart_command() {
 # Refresh Command Executor
 #
 refresh_command() {
-    local finished=0
+    local finished
    finished=0
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@ -695,7 +704,8 @@ refresh_command() {
 # Safe-start/safe-restart Command Executor
 #
 safe_commands() {
-    local finished=0
+    local finished
    finished=0
    # test is the shell supports timed read
    read -t 0 junk 2> /dev/null
@ -827,7 +837,10 @@ safe_commands() {
 # 'try' Command Executor
 #
 try_command() {
-    local finished=0 timeout=
+    local finished
    finished=0
    local timeout
    timeout=
    handle_directory() {
 	[ -n "$SHOREWALL_DIR" ] && usage 2
@ -966,7 +979,25 @@ rcp_command() {
 #
 reload_command() # $* = original arguments less the command.
 {
-    local verbose=$(make_verbose) file= capabilities= finished=0 saveit= result directory system getcaps= root=root compiler=
+    local verbose
    verbose=$(make_verbose)
    local file
    file=
    local capabilities
    capabilities=
    local finished
    finished=0
    local saveit
    saveit=
    local result
    local directory
    local system
    local getcaps
    getcaps=
    local root
    root=root
    local compiler
    compiler=
    LITEDIR=/var/lib/shorewall-lite
@ -1073,7 +1104,8 @@ reload_command() # $* = original arguments less the command.
 #
 export_command() # $* = original arguments less the command.
 {
-    local verbose=$(make_verbose) file= finished=0 directory target compiler=
+    local verbose
    verbose=$(make_verbose) file= finished=0 directory target compiler=
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@ -1272,7 +1304,10 @@ while [ $finished -eq 0 ]; do
 done
 version_command() {
-    local finished=0 all=
+    local finished
    finished=0
    local all
    all=
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
--- a/docs/XenMyWay-Routed.xml
+++ b/docs/XenMyWay-Routed.xml
@ -995,7 +995,12 @@ usage() {
 # Find the interface with the passed MAC address
 #################################################################################
 find_interface_by_mac() {
-    local mac=$1 first second rest dev
+    local mac
    mac=$1
    local first
    local second
    local rest
    local dev
    /sbin/ip link ls | while read first second rest; do
        case $first in
@ -1014,7 +1019,9 @@ find_interface_by_mac() {
 # Convert MAC addresses to interface names
 ################################################################################
 get_interfaces() {
-    local interfaces= interface
+    local interfaces
    interfaces=
    local interface
    for interface in $INTERFACES; do
        case $interface in
--- a/docs/XenMyWay.xml
+++ b/docs/XenMyWay.xml
@ -915,7 +915,12 @@ usage() {
 # Find the interface with the passed MAC address
 #################################################################################
 find_interface_by_mac() {
-    local mac=$1 first second rest dev
+    local mac
    mac=$1
    local first
    local second
    local rest
    local dev
    /sbin/ip link ls | while read first second rest; do
        case $first in
@ -934,7 +939,9 @@ find_interface_by_mac() {
 # Convert MAC addresses to interface names
 ################################################################################
 get_interfaces() {
-    local interfaces= interface
+    local interfaces
    interfaces=
    local interface
    for interface in $INTERFACES; do
        case $interface in
--- a/tools/build/buildshorewall
+++ b/tools/build/buildshorewall
@ -142,7 +142,8 @@ fatal_error() {
 list_search() # $1 = element to search for , $2-$n = list
 {
-    local e=$1
+    local e
    e=$1
    while [ $# -gt 1 ]; do
 	shift
--- a/tools/build/makeshorewall
+++ b/tools/build/makeshorewall
@ -128,7 +128,8 @@ fatal_error() {
 list_search() # $1 = element to search for , $2-$n = list
 {
-    local e=$1
+    local e
    e=$1
    while [ $# -gt 1 ]; do
 	shift
--- a/tools/web/publish
+++ b/tools/web/publish
@ -61,7 +61,8 @@ NOTOC="
 list_search() # $1 = element to search for , $2-$n = list
 {
-    local e=$1
+    local e
    e=$1
    while [ $# -gt 1 ]; do
 	shift
--- a/tools/web/publish-3.0
+++ b/tools/web/publish-3.0
@ -61,7 +61,8 @@ NOTOC="
 list_search() # $1 = element to search for , $2-$n = list
 {
-    local e=$1
+    local e
    e=$1
    while [ $# -gt 1 ]; do
 	shift
--- a/tools/web/publish-manpage
+++ b/tools/web/publish-manpage
@ -6,7 +6,8 @@ WEBSITE=/home/teastep/Shorewall/Website
 list_search() # $1 = element to search for , $2-$n = list
 {
-    local e=$1
+    local e
    e=$1
    while [ $# -gt 1 ]; do
 	shift
--- a/tools/web/publish-manpage-3.0
+++ b/tools/web/publish-manpage-3.0
@ -6,7 +6,8 @@ WEBSITE=/home/teastep/Shorewall/Website
 list_search() # $1 = element to search for , $2-$n = list
 {
-    local e=$1
+    local e
    e=$1
    while [ $# -gt 1 ]; do
 	shift